How to secure REST API with Spring Boot and Spring Security?

by

Token based authentication – users will provide its credentials and get
unique and time limited access token. I would like to manage token
creation, checking validity, expiration in my own implementation.

Actually, use Filter for token Auth – best way in this case

Eventually, you can create CRUD via Spring Data for managing Token’s properties like to expire, etc.

Here is my token filter:
http://pastebin.com/13WWpLq2

And Token Service Implementation

http://pastebin.com/dUYM555E

Some REST resources will be public – no need to authenticate at all

It’s not a problem, you can manage your resources via Spring security config like this: .antMatchers("/rest/blabla/**").permitAll()

Some resources will be accessible only for users with administrator rights,

Take a look at @Secured annotation to class. Example:

@Controller
@RequestMapping(value = "/adminservice")
@Secured("ROLE_ADMIN")
public class AdminServiceController {

The other resource will be accessible after authorization for all users.

Back to Spring Security configure, you can configure your url like this:

    http
            .authorizeRequests()
            .antMatchers("/openforall/**").permitAll()
            .antMatchers("/alsoopen/**").permitAll()
            .anyRequest().authenticated()

I don’t want to use Basic authentication

Yep, via token filter, your users will be authenticated.

Java code configuration (not XML)

Back to the words above, look at @EnableWebSecurity.
Your class will be:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {}

You have to override the configure method. Code below, just for example, how to configure matchers. It’s from another project.

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/assets/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .loginPage("/login")
                .defaultSuccessUrl("https://stackoverflow.com/", true)
                .successHandler(customAuthenticationSuccessHandler)
                .permitAll()
            .and()
                .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("https://stackoverflow.com/")
                .deleteCookies("JSESSIONID")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and()
                .csrf();
}

More Related Contents:

  1. RESTful Authentication via Spring
  2. Spring REST security – Secure different URLs differently
  3. Spring Security : Multiple HTTP Config not working
  4. How to fix role in Spring Security?
  5. Spring Boot REST service exception handling
  6. Is RestTemplate thread safe?
  7. Configuring Spring Security 3.x to have multiple entry points
  8. Spring MVC – How to return simple String as JSON in Rest Controller
  9. Spring RestTemplate GET with parameters
  10. How to manage REST API versioning with spring?
  11. How to manage exceptions thrown in filters in Spring?
  12. Disable Spring Security for OPTIONS Http Method
  13. How to set base url for rest in spring boot?
  14. How to POST form data with Spring RestTemplate?
  15. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  16. JPA Transient Annotation and JSON
  17. Spring security does not allow CSS or JS resources to be loaded
  18. Spring MVC – @Valid on list of beans in REST service
  19. how to display custom error message in jsp for spring security auth exception
  20. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  21. Securing Spring Boot API with API key and secret
  22. Spring Security multiple url ruleset not working together
  23. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  24. Spring security added prefix “ROLE_” to all roles name?
  25. How do I return a video with Spring MVC so that it can be navigated using the html5 tag?
  26. Why this Spring application with java-based configuration don’t work properly
  27. Trying to create REST-ful URLs with multiple dots in the “filename” part – Spring 3.0 MVC
  28. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  29. disabling spring security in spring boot app [duplicate]
  30. Disabling a filter for only a few paths

Leave a Comment