95

I know that securing REST API is widely commented topic but I'm not able to create a small prototype that meets my criteria (and I need to confirm that these criteria are realistic). There are so many options how to secure resources and how work with Spring security, I need to clarify if my needs are realistic.

My requirements

  • Token based authenticator - users will provide its credentials and get unique and time limited access token. I would like to manage token creation, checking validity, expiration in my own implementation.
  • Some REST resources will be public - no need to authenticate at all,
  • Some resources will be accessible only for users with administrator rights,
  • Other resource will be accessible after authorization for all users.
  • I don't want to use Basic authentication
  • Java code configuration (not XML)

Current status

My REST API works very well, but now I need to secure it. When I was looking for a solution I created a javax.servlet.Filter filter:

  @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;

        String accessToken = request.getHeader(AUTHORIZATION_TOKEN);
        Account account = accountDao.find(accessToken);

        if (account == null) {    
            throw new UnauthorizedException();    
        }

        chain.doFilter(req, res);

    }

But this solution with javax.servlet.filters doesn't work as I need because there is an issue with exception handling via @ControllerAdvice with Spring servlet dispatcher.

What I need

I would like to know if these criteria are realistic and get any help, how to start securing REST API with Spring Security. I read many tutorials (e.g. Spring Data REST + Spring Security) but all work in very basic configuration - users with their credentials are stored in memory in configuration and I need to work with DBMS and create own authenticator.

Please give me some ideas how to start.

jatin_ghataliya
  • 144
  • 1
  • 1
  • 16
jnemecz
  • 3,171
  • 8
  • 41
  • 77

5 Answers5

73

Token based authentication - users will provide its credentials and get unique and time limited access token. I would like to manage token creation, checking validity, expiration in my own implementation.

Actually, use Filter for token Auth - best way in this case

Eventually, you can create CRUD via Spring Data for managing Token's properties like to expire, etc.

Here is my token filter: http://pastebin.com/13WWpLq2

And Token Service Implementation

http://pastebin.com/dUYM555E

Some REST resources will be public - no need to authenticate at all

It's not a problem, you can manage your resources via Spring security config like this: .antMatchers("/rest/blabla/**").permitAll()

Some resources will be accessible only for users with administrator rights,

Take a look at @Secured annotation to class. Example:

@Controller
@RequestMapping(value = "/adminservice")
@Secured("ROLE_ADMIN")
public class AdminServiceController {

The other resource will be accessible after authorization for all users.

Back to Spring Security configure, you can configure your url like this:

    http
            .authorizeRequests()
            .antMatchers("/openforall/**").permitAll()
            .antMatchers("/alsoopen/**").permitAll()
            .anyRequest().authenticated()

I don't want to use Basic authentication

Yep, via token filter, your users will be authenticated.

Java code configuration (not XML)

Back to the words above, look at @EnableWebSecurity. Your class will be:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {}

You have to override the configure method. Code below, just for example, how to configure matchers. It's from another project.

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/assets/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .loginPage("/login")
                .defaultSuccessUrl("/", true)
                .successHandler(customAuthenticationSuccessHandler)
                .permitAll()
            .and()
                .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and()
                .csrf();
}
lealceldeiro
  • 14,342
  • 6
  • 49
  • 80
Oleksandr Loushkin
  • 1,479
  • 12
  • 21
  • @Oleksandr: Thats a long shot, but can you tell me why you have started a thread in RESTAuthenticationTokenProcessingFilter class's updateLastLogin(...) method? – Oliver Apr 30 '19 at 20:57
  • 1
    @z3d4s, actually it's an old example (4 years), for now i will suggest to use OffsetDateTime, another approaches, etc :) new thread i proposed to use to decrease processing time for user requests, because it can take additional time during saving into the database. – Oleksandr Loushkin May 01 '19 at 21:07
4

Spring security also very useful for providing authentication and authorization to the REST URLs. We no need to specify any custom implementations.

First, you need to specify the entry-point-ref to restAuthenticationEntryPoint in your security configuration as below. 

 <security:http pattern="/api/**" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true" auto-config="true" create-session="stateless" >

    <security:intercept-url pattern="/api/userList" access="hasRole('ROLE_USER')"/>
    <security:intercept-url pattern="/api/managerList" access="hasRole('ROLE_ADMIN')"/>
    <security:custom-filter ref="preAuthFilter" position="PRE_AUTH_FILTER"/>
</security:http>

Implementation for the restAuthenticationEntryPoint might be as below.

 @Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

   public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException ) throws IOException {
      response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized" );
   }
}

After this you need to specify RequestHeaderAuthenticationFilter. It contains the RequestHeader key. This is basically used for identifying the user`s authentication. Generally RequestHeader carries this information while making the REST calls. For example consider below code

   <bean id="preAuthFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="Authorization"/>
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

Here, 

<property name="principalRequestHeader" value="Authorization"/>

"Authorization" is the the key presented the incoming request. It holds the required user`s authentication information. Also you need to configure the PreAuthenticatedAuthenticationProvider to fulfill our requirement.

   <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
  <bean id="userDetailsServiceWrapper"
      class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    <property name="userDetailsService" ref="authenticationService"/>
  </bean>
</property>
</bean>

This code will work for securing the REST urls by means of Authentication and authorization without any custom implementations.

For Complete code please find the below link:

https://github.com/srinivas1918/spring-rest-security

Nalla Srinivas
  • 913
  • 1
  • 9
  • 17
0

I searched this long time too.I am working on a similar project.I found out Spring has a module to implement session via redis. It looks easy and useful. I will add to my project too. Can be helpful:

http://docs.spring.io/spring-session/docs/1.2.1.BUILD-SNAPSHOT/reference/html5/guides/rest.html

serkan ersoy
  • 9
  • 2
0

Another way that uses http.addFilterBefore() with custom filters

This solution is more like a skeleton to help you set up the basics. I've created a working demo and added some necessary comments to help understand the process. It comes with with some simple role-based and permission-based authentication/authorization, a publically accessable endpoint settings that you can easily pick up and use.

So it's better to see the full code, and run the app in action: github repo

User class set up:

public class User implements UserDetails {

  private final String username;
  private final String password;
  private final List<? extends GrantedAuthority> grantedAuthorities;

  public User(
    String username,
    String password,
    List<? extends GrantedAuthority> grantedAuthorities
  ) {
    this.username = username;
    this.password = password;
    this.grantedAuthorities = grantedAuthorities;
  }

  // And other default method overrides
}

Adding custom filters through addFilterBefore() method:

http
    .authorizeRequests()
    .antMatchers("/") 
    .permitAll()
    .addFilterBefore( // Filter login request only
        new LoginFilter("login", authenticationManager()),
        UsernamePasswordAuthenticationFilter.class
    )
    .addFilterBefore( // Filter logout request only
        new LogoutFilter("logout"),
        UsernamePasswordAuthenticationFilter.class
    )
    .addFilterBefore( // Verify user on every request
        new AuthenticationFilter(),
        UsernamePasswordAuthenticationFilter.class
    );

Custom LoginFilter extends AbstractAuthenticationProcessingFilter, and override three methods, to deal with autentication:

public class LoginFilter extends AbstractAuthenticationProcessingFilter {

  public LoginFilter(String url, AuthenticationManager authManager) {
    super(url, authManager);
  }

  @Override
  public Authentication attemptAuthentication(
    HttpServletRequest req,
    HttpServletResponse res
  )
    throws AuthenticationException, IOException {
    LoginUserDto loginUserDto = new ObjectMapper() // this dto is a simple {username, password} object
    .readValue(req.getInputStream(), LoginUserDto.class);

    return getAuthenticationManager()
      .authenticate(
        new UsernamePasswordAuthenticationToken(
          loginUserDto.getUsername(),
          loginUserDto.getPassword()
        )
      );
  }

  @Override
  protected void successfulAuthentication(
    HttpServletRequest req,
    HttpServletResponse res,
    FilterChain chain,
    Authentication auth
  )
    throws IOException, ServletException {
    User user = (User) auth.getPrincipal();

    req.getSession().setAttribute(UserSessionKey, user); // Simply put it in session

    res.getOutputStream().print("You are logged in as " + user.getUsername());
  }

  @Override
  protected void unsuccessfulAuthentication(
    HttpServletRequest request,
    HttpServletResponse response,
    AuthenticationException failed
  )
    throws IOException, ServletException {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setContentType("text/plain");
    response.getOutputStream().print(failed.getMessage());
  }
}

Custom AuthenticationFilter check for auth info stored in session and pass to SecurityContext:

public class AuthenticationFilter extends GenericFilterBean {

  @Override
  public void doFilter(
    ServletRequest request,
    ServletResponse response,
    FilterChain filterChain
  )
    throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpSession session = req.getSession();

    User user = (User) session.getAttribute(UserSessionKey);

    if (user != null) {
      UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
        user,
        user.getPassword(),
        user.getAuthorities()
      );

      SecurityContextHolder.getContext().setAuthentication(authToken);
    }

    // Either securityContext has authToken or not, we continue the filter chain
    filterChain.doFilter(request, response);
  }
}

Custom LogoutFilter is rather simple and straightforward, invalidate session and terminate authentication process:

public class LogoutFilter extends AbstractAuthenticationProcessingFilter {

  public LogoutFilter(String url) {
    super(url);
  }

  @Override
  public Authentication attemptAuthentication(
    HttpServletRequest req,
    HttpServletResponse res
  )
    throws AuthenticationException, IOException {
    req.getSession().invalidate();
    res.getWriter().println("You logged out!");

    return null;
  }
}

A bit of explanation:

What these three custom filters do is that, login and logout filter only listen to their repective endpoint.

In login filter, we get username and password sent from client and check it against a DB(in real world) for validation, if it's valid user, then put it in session and pass it onto SecurityContext.

In logout filter, we simply invalidate the session and return a string.

While the custom AuthenticationFilter will authenticate every incomming request in an attempt to get user info from session, and then pass it onto SecurityContext.

Enfield Li
  • 1,952
  • 1
  • 8
  • 23
-3

To validate REST API there are 2 ways

1 - Basic authentication using default username and password set up in application.properties file

Basic Authentication

2 - Authenticate using database (userDetailsService) with the actual username and password

Advanced Authentication

Jeet Singh Parmar
  • 707
  • 10
  • 5
  • Video is usefull.How to do the same advanced authentication for ReST API. Here only describing about Web. Is there any video tutorial for advanced authentication in REST API. – Mr.DevEng Apr 02 '18 at 14:25
  • If you saw the 2nd video(Advanced Authentication), then in that I am doing the same authentication using REST client(for REST API) as well. – Jeet Singh Parmar May 02 '18 at 09:50