RESTful Authentication via Spring

by

We managed to get this working exactly as described in the OP, and hopefully someone else can make use of the solution. Here’s what we did:

Set up the security context like so:

<security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="stateless" entry-point-ref="CustomAuthenticationEntryPoint">
    <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" />
    <security:intercept-url pattern="/authenticate" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>

<bean id="CustomAuthenticationEntryPoint"
    class="com.demo.api.support.spring.CustomAuthenticationEntryPoint" />

<bean id="authenticationTokenProcessingFilter"
    class="com.demo.api.support.spring.AuthenticationTokenProcessingFilter" >
    <constructor-arg ref="authenticationManager" />
</bean>

As you can see, we’ve created a custom AuthenticationEntryPoint, which basically just returns a 401 Unauthorized if the request wasn’t authenticated in the filter chain by our AuthenticationTokenProcessingFilter.

CustomAuthenticationEntryPoint:

public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized: Authentication token was either missing or invalid." );
    }
}

AuthenticationTokenProcessingFilter:

public class AuthenticationTokenProcessingFilter extends GenericFilterBean {

    @Autowired UserService userService;
    @Autowired TokenUtils tokenUtils;
    AuthenticationManager authManager;
    
    public AuthenticationTokenProcessingFilter(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        @SuppressWarnings("unchecked")
        Map<String, String[]> parms = request.getParameterMap();

        if(parms.containsKey("token")) {
            String token = parms.get("token")[0]; // grab the first "token" parameter
            
            // validate the token
            if (tokenUtils.validate(token)) {
                // determine the user based on the (already validated) token
                UserDetails userDetails = tokenUtils.getUserFromToken(token);
                // build an Authentication object with the user's info
                UsernamePasswordAuthenticationToken authentication = 
                        new UsernamePasswordAuthenticationToken(userDetails.getUsername(), userDetails.getPassword());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails((HttpServletRequest) request));
                // set the authentication into the SecurityContext
                SecurityContextHolder.getContext().setAuthentication(authManager.authenticate(authentication));         
            }
        }
        // continue thru the filter chain
        chain.doFilter(request, response);
    }
}

Obviously, TokenUtils contains some privy (and very case-specific) code and can’t be readily shared. Here’s its interface:

public interface TokenUtils {
    String getToken(UserDetails userDetails);
    String getToken(UserDetails userDetails, Long expiration);
    boolean validate(String token);
    UserDetails getUserFromToken(String token);
}

That ought to get you off to a good start.

More Related Contents:

  1. Spring REST security – Secure different URLs differently
  2. Spring Security : Multiple HTTP Config not working
  3. Filter invoke twice when register as Spring bean
  4. How to get active user’s UserDetails
  5. Spring MVC @PathVariable getting truncated
  6. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  7. Using GZIP compression with Spring Boot/MVC/JavaConfig with RESTful
  8. Spring MVC – How to return simple String as JSON in Rest Controller
  9. How to disable spring security for particular url
  10. How to manage REST API versioning with spring?
  11. Difference between Role and GrantedAuthority in Spring Security
  12. How does the Spring @ResponseBody annotation work?
  13. Disable Spring Security for OPTIONS Http Method
  14. How to set base url for rest in spring boot?
  15. Http Post request with content type application/x-www-form-urlencoded not working in Spring
  16. How to enable HTTP response caching in Spring Boot
  17. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  18. How to get the current logged in user object from spring security?
  19. Spring webSecurity.ignoring() doesn’t ignore custom filter
  20. Spring security does not allow CSS or JS resources to be loaded
  21. Spring MVC – @Valid on list of beans in REST service
  22. how to display custom error message in jsp for spring security auth exception
  23. Expose all IDs when using Spring Data Rest
  24. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  25. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  26. Spring security added prefix “ROLE_” to all roles name?
  27. Why this Spring application with java-based configuration don’t work properly
  28. Unable to get a generic ResponseEntity where T is a generic class “SomeClass”
  29. How to secure REST API with Spring Boot and Spring Security?
  30. Spring MVC PATCH method: partial updates

Leave a Comment