Of course, it is not that Spring Security was never intended or cannot be used in AJAX applications. I have two production applications that use Spring Security, as well as AJAX and other development applications with the same mix.
If you intend to use EmberJS or AngularJS in an existing Spring Security web application, you won't have to deal with too many problems if you simply add a JavaScript library to your project. This is due to the fact that as soon as your users are authenticated, any regular HTTP requests will be processed as authenticated, as the browser will provide the transfer of session information back and forth using cookies or URL parameters, if necessary. You can see one of my working examples on Github for integrating Spring Security and EmberJS.
The only thing you may need to worry about is CSRF tokens for submitting forms using AJAX. The latest Spring Security documentation has a small section on this, so you should not run into too many problems to get them working. However, I would like to clarify that this particular issue does not apply to Spring Security. CSRF protection typically includes a secure, randomly generated token with every HTTP POST request. The problem arises because existing JavaScript libraries are aware of this token and how it should be included in POST HTTP requests. This would be a problem in any application, not just using Spring Security.
If, however, you work with idle clients, such as mobile devices, you cannot rely on Spring's default security mechanism to store user credentials in an HTTP session, because HTTP requests will not have information to link them to the session. This again does not apply to the Spring or Spring Security application, because the restriction is imposed by the nature of the client and client-server communication, and not by any server technology. In such circumstances, you will need to pass some authentication token in the HTTP headers so that the application maintains the server-side security state. I have a working example. If you need more information, there are articles on the Internet that explain how to do something like this using Spring Security.
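The CSRF token handling for AJAX requests that the answer above mentions, as an added example that is not part of the original answer or of Spring Security's own code. It assumes the server-rendered page exposes the token through `_csrf` and `_csrf_header` meta tags, as the Spring Security reference documentation describes; `readCsrf`, `withCsrf`, `fakeDocument` and the sample values are hypothetical names and constructed data.

```javascript
// Added example. Assumption: the page contains
//   <meta name="_csrf" content="..."> and <meta name="_csrf_header" content="...">
// rendered by the server from the request's CSRF token.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the token and header name from a document-like object.
function readCsrf(doc) {
  const meta = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute("content") : null;
  };
  const token = meta("_csrf");
  // X-CSRF-TOKEN is Spring Security's default header name.
  const header = meta("_csrf_header") || "X-CSRF-TOKEN";
  return token ? { header, token } : null;
}

// Return request options with the CSRF header added when it is needed.
// The token goes only on state-changing, same-origin requests, so it is
// never disclosed to another site.
function withCsrf(url, options, doc, pageOrigin) {
  const opts = Object.assign({}, options);
  const method = (opts.method || "GET").toUpperCase();
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  if (SAFE_METHODS.has(method) || !sameOrigin) return opts;
  const csrf = readCsrf(doc);
  if (!csrf) throw new Error("CSRF meta tags missing; refusing to send " + method);
  opts.headers = Object.assign({}, opts.headers, { [csrf.header]: csrf.token });
  opts.credentials = "same-origin"; // send the session cookie with the request
  return opts;
}

// Constructed stand-in for the browser document, so the example runs in Node.
function fakeDocument(metas) {
  return {
    querySelector(sel) {
      const m = /^meta\[name="(.+)"\]$/.exec(sel);
      const value = m && metas[m[1]];
      return value ? { getAttribute: () => value } : null;
    },
  };
}

// Browser usage:
//   fetch(url, withCsrf(url, { method: "POST", body }, document, location.origin));
```

Failing closed when the meta tags are absent surfaces a template or configuration mistake on the client instead of as an unexplained 403 from the server.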