Geek Answers Handbook

RESTful webservice + Spring Authentication Authentication

I am not very familiar with Spring, but I read some articles and instructions.

Business Required:

  • typical client-server architecture: server-side mobile clients and RESTful services
  • Clients have different options for registering in a mobile application: logging in and logging in to facebook
  • must protect all server-side RESTful services from unauthorized users

My responsibility is to develop RESTful services. I am very good at application servers, Java EE, JMS, JDBC, distributed transactions (XA), but I am not very good at security: (

I have developed some STATELESS RESTful web services with Spring. These services are not protected, so anyone can use them.

For instance:

  • http://...../api/country/{**user_id**}
  • http://...../api/country/{**user_id**},{country_id}
  • ...

Each of my web services has an input parameter user_id , because I need to determine which user made the server call. The result of web services depends on the user. Of course, this is absolutely normal.

Now I need to develop some new things because I have to protect these web services from unauthorized users.

My idea:

(*) I will create two new web services as follows:

applicationLogin (String username, String password) [/ INDENT] as well as facebookLogin (String accessToken)

  • http://...../api/login/{username}, {password}
  • http://...../api/login/{facebook access token}

(*) I will protect my web services from unauthorized users

The user registration process may look like this: (1) the user will fill in the username and password fields on his mobile device (2) click on the login button (3) the mobile application makes a server call http://...../api/login/{username}, {password} (4) if the username and password are correct, I will create a token (a long line with information about the expiration date), and I will put the username and token string in the response of the HTTP header (5) after that, all clients must send these two parameters (username and token) to the server, to yes they do call a webservice.

On the server side, I can read the username from the HTTP request so that I can remove the user_id parameter from the signature of all web services.

I am trying to implement this process in Spring. I think I need to use PRE_AUTH_FILTER from Spring's security module. But I do not know if a good idea?

I have done this:

web xml

 <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/api/country/*</url-pattern> </filter-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/applicationContext-security.xml, /WEB-INF/applicationContext.xml</param-value> </context-param>

ApplicationContext-security.xml

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <security:http use-expressions="true" create-session="stateless" auto-config="false" entry-point-ref="authenticationEntryPoint"> <security:intercept-url pattern="/api/login/*" access="permitAll"/> <security:intercept-url pattern="/api/country/*" access="isAuthenticated()" /> <security:custom-filter position="PRE_AUTH_FILTER" ref="authenticationTokenProcessingFilter" /> </security:http> <bean id="authenticationEntryPoint" class="com.samples.spring.auth.ForbiddenAuthenticationEntryPoint" /> <bean id="userDetailsServiceImpl" class="com.samples.spring.auth.UserDetailsServiceImpl" /> <bean id="preAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> <property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceImpl" /> </bean> <bean id="authenticationTokenProcessingFilter" class="com.samples.spring.auth.AuthenticationFilter"> <property name="authenticationManager" ref="appControlAuthenticationManager" /> </bean> <security:authentication-manager alias="appControlAuthenticationManager"> <security:authentication-provider ref="preAuthenticationProvider" /> </security:authentication-manager> </beans>

What do you think of my login process? Is this a good way to start implementing a token processing method?

+4
source share
2 answers

You can use Security out of the box if you accept a small change.

Spring protection uses an http session to store user information. And https is normally tracked by a session cookie that contains the session key or jsessionId parameter.

And one more hint: use https instead of http.

0
source

Besides using Spring Security, Spring also has another module called Spring Social . I think this will definitely help you, as well as reduce development efforts. It also allows you to use other social networks, such as Twitter, linkedin to connect to your application. Also check out Spring Mobile

+1
source

More articles:


All Articles