Geek Answers Handbook

Spring Boot: RESTful secure API using Spring Social and Spring Security

I am trying to define and protect a RESTful API using Spring Boot. Ideally, I would like to use Spring Social and allow clients (web and mobile) to register via Facebook.

What works

So far, I have managed to create a working API using @RestController and provide its basic Spring security configuration as follows:

 @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.POST, "/api/**").authenticated() .antMatchers(HttpMethod.PUT, "/api/**").authenticated() .antMatchers(HttpMethod.DELETE, "/api/**").authenticated() .anyRequest().permitAll() .and().httpBasic() .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } }

It is possible that antMatchers could be improved, but I did just that for my own clarity at the moment, and it works great. GET requests are allowed, and everyone else needs to send the standard user:password specified by Spring Security at run time. Example using httpie :

 http POST user: a70fd629-1e29-475d-aa47-6861feb6900f@localhost :8080/api/ideas/ title="My first idea"

Which correct credentials sends 200 OK back, otherwise 401 Unauthorized .

Spring Social

Now I'm stuck and can't lower my head using Spring-Social-Facebook to work with my current setup and keep RESTful controllers fully. Using standard forms and redirects seems trivial, but I could not find a solution for a REST-based approach that easily supports web and mobile clients, for example.

As I understand it, the client will have to process the stream, since it will not send redirects to URL /connect/facebook .

  • I followed the tutorial Accessing Facebook Data , and it works on its own. However, I would like to avoid the need to have the facebookConnect.html and facebookConnected.html templates, as in the tutorial. Therefore, I do not know how to change this.

  • Another Spring Download Tutorial for OAuth is also good and works, but I would like to stick with Spring Social if possible because of its simplicity.

  • This post helped solve the Method not allowed redirect /connect/facebook problem when using the above views.

  • Publish Social Configuration . I guess I'm missing something there.

Any tips, solutions or links to the best tutorial will be really helpful.

Thanks!

UPDATE 1

Now I have a working website with the traditional forms of User SignUp and Login over. I have a Facebook Login button that sends me to OAuth Dance. So, the next problem is that I have to somehow create a User manually after the Facebook login has been successful, because at the moment both β€œlogins” are not connected to each other, therefore, despite the fact that the user has logged in into a system with Facebook, it does not yet have a connected user object with the correct permissions.

+7
spring spring-boot spring-security spring-social spring-restcontroller
source share
1 answer

SocialAuthenticationFilter by default redirects to '/signup' in case you have described, the user has logged in from a social application, however, a local account does not exist. You can provide a handler to create a local account. This is also seen in spring-socal .

 @RequestMapping(value = { "/signup" }, method = RequestMethod.GET) public String newRegistrationSocial(WebRequest request, Model model) throws Exception { String view = "redirect:/home"; try { Connection<?> connection = providerSignInUtils.getConnectionFromSession(request); if (connection != null) { UserProfile up = connection.fetchUserProfile(); registerUser(up.getFirstName(), up.getLastName(), up.getEmail(), "DummyPassword"); providerSignInUtils.doPostSignUp(up.getEmail(), request); //SignInUtils.signin(up.getEmail()); ... ... } } return view; }
0
source share

More articles:


All Articles