I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.

All HTTP requests to the REST server must carry authentication headers, I need to check them and decide to authorize or not based on the HTTP method and the association of the authenticated user with the resource being requested. For example, (the app is the REST server of an e-learning system), the instructors can access only their own course sections, students can access only the courses sections they are subscribed, etc.

I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:

  • Servlet Filters
  • Spring Security
  • Spring Data REST Handlers (how to access the HTTP headers?)
Rodrigo Guerra
  • Spring Security is rather handy and relatively simple to use for authentication. You might want to take a look at this: http://www.mkyong.com/spring-security/spring-security-form-login-example/ – Niklas Sep 25 '13 at 11:58
  • You can use servlet filters to achieve fine-grained authorization. Here is an example: http://www.webfarmr.eu/2011/05/when-openid-meets-xacml-externalize-authentication-and-authorization-from-your-business-apps/ – David Brossard Sep 25 '13 at 13:53
  • One question is how do you have your CrudRepository respond to the SecurityContext (for retrieving data relevant/restricted to the "current user" for example)? – Nick Spacek Dec 11 '13 at 18:39
  • The problem in using Servlet Filters and other solutions is that the deserialized entity is encapsulated in the Spring Data REST code, so I can't access it from the filter. I need to compare the entity against the user data present in the authentication headers. I am thinking of forking the Spring Data REST code to create an authorization layer, providing an AuthorizationLister interface; in my application I could implement a method: boolean authorize(HttpRequest request, Object persistentEntity) – Rodrigo Guerra Dec 13 '13 at 12:39
  • Rodrigo, did you implement this? How easy was it to code, and do you need to make changes every time you update your Spring Data Rest version? – Adam Jan 20 '17 at 16:05
  • I hope this one will help you: https://github.com/srinivas1918/spring-rest-security – Nalla Srinivas Feb 21 '17 at 08:06

1 Answer

The best bet for you is Spring Security. That would help you achieve authorization in a much simpler manner.

Spring Security would require an implementation from you that looks at the request headers and performs the log-in operation programmatically.

Refer to the accepted answer here. I had followed the same and implemented the security layer in front of my REST services (which were built using RestEasy):

RESTful Authentication via Spring

There is an alternate method as well. Refer to http://www.baeldung.com/spring-security-authentication-provider

In both cases you can disable session creation by declaring stateless authentication in Spring Security; this would help you improve performance considerably when a large volume of hits is made to the stateless REST services.

Rakesh Waghela
    -1. The question is about "Spring Data REST" and Entity level authorization, so general solutions such as those provided by you do not apply here. – Seweryn Niemiec Apr 28 '17 at 15:56
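An added example (not from the answer or the question's author) of how the two pieces fit together in Spring Boot 2 / Spring Security 5 / Spring Data 2: stateless header authentication in front, and the entity-level rules placed on the exported repository, so Spring Data REST enforces them on the endpoints it generates itself. Assumed and not on the page: a JPA entity CourseSection with an instructorUsername field and an @ElementCollection studentUsernames, a UserDetailsService that grants ROLE_INSTRUCTOR, and HTTP Basic standing in for the app's own header scheme (a custom OncePerRequestFilter reading that header slots into the same configuration).

```java
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize/@PostAuthorize on repositories
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // no browser session, hence no CSRF token to check
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic(); // credentials travel in the Authorization header of every request (assumed scheme)
    }
    @Bean // lets ?#{principal.username} be used inside @Query strings
    public SecurityEvaluationContextExtension securityExtension() {
        return new SecurityEvaluationContextExtension();
    }
}
// Entity-level rules on the exported repository also cover the requests Spring Data REST dispatches itself.
// CourseSection (instructorUsername, studentUsernames) is an assumed entity, not one from the page.
@RepositoryRestResource
interface CourseSectionRepository extends CrudRepository<CourseSection, Long> {
    // collection GET: the query only returns sections the caller teaches or is enrolled in
    @Override
    @Query("select s from CourseSection s where s.instructorUsername = ?#{principal.username}"
         + " or ?#{principal.username} member of s.studentUsernames")
    Iterable<CourseSection> findAll();
    // item GET: the loaded entity must belong to the caller, otherwise the request is rejected with 403
    @Override
    @PostAuthorize("!returnObject.isPresent() or returnObject.get().instructorUsername == authentication.name"
                 + " or returnObject.get().studentUsernames.contains(authentication.name)")
    Optional<CourseSection> findById(Long id);
    // POST/PUT/PATCH: only an instructor, and only for a section they own (on updates this is the merged entity,
    // so compare against the stored owner as well if reassigning a section must be prevented)
    @Override
    @PreAuthorize("hasRole('INSTRUCTOR') and #section.instructorUsername == authentication.name")
    <S extends CourseSection> S save(@Param("section") S section);
}
```

The delete methods need the same treatment as save; with these rules in place the entity is checked inside the repository call, which is the point where a servlet filter could not reach it.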