0

Can someone please let me know all the ways to secure a RESTful web service written in a Spring Boot project using Spring REST (there is no user credentials check, as this service is invoked by a remote application sitting on a different server)?

Problem Statement:

I have a REST class and a method which should be accessed by another remote application. The remote application will not send anything except body content and content-type. In this scenario, how can I secure this REST service so that it is accessible only by that particular remote application?

@RequestMapping("/rest")
@RestController 
public class WorkflowController {

    @RequestMapping(value = "ticket/create", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
    @ResponseStatus(HttpStatus.CREATED)
    @ResponseBody
    public Long startWorkflow(@RequestBody TicketInfo ticketInfo) {
        // ... DO SOMETHING

        Long id = 1L;

        return id; // return some long value
    }

}

Please suggest a way to achieve this. Thanks in advance.

Pratap A.K

2 Answers

1

OK, so I don't know if I completely understand your question, but I'll assume different scenarios. Say your client application sits on a static IP: you could create a filter and a whitelist of IP addresses. That would be really simple, and probably not good enough.

If that's not the case, you can use a parameter, either GET or POST, and again create a filter. You'll have to send the authentication string in your first call to get authentication. You'll also have to implement the authentication manager.

        // Fragment from a servlet filter; needs java.util.Base64 and java.nio.charset.StandardCharsets
        String exCode = hsr.getParameter("ex_code");
        if (exCode != null) {
            // The parameter carries the Base64-encoded user token
            String userToken = new String(Base64.getDecoder().decode(exCode), StandardCharsets.UTF_8);

            // Principal is the looked-up user, credentials are the raw parameter value
            PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(
                    serviceThatReturnsAUserDetailsFacade.loadUserByUsername(userToken), exCode);

            token.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));

            try {
                authentication = authenticationManager.authenticate(token);
             ....
jstuartmilne
  • I can't secure my web service by an authentication mechanism because my app will not have the user details of the other application. I would like to know how I can share my web service between my application and the other application securely. Could you please tell me the best possible way? – Pratap A.K Sep 24 '15 at 14:44
  • If no authentication is required, you can use SSL. If you are using spring-boot you can easily achieve this by editing the properties file. The clients can get a hold of the key. – jstuartmilne Sep 25 '15 at 11:27
0

If you do not want to implement any security and would just like to validate the host and port (only one app can run on a particular host and port), and assuming you are using Spring, then you can simply fetch the following from the incoming HttpServletRequest:

a) RemoteAddr -> IP address of machine from which request originated.
b) RemoteHost -> Host name of machine from which request originated.
c) RemotePort -> Port of machine from which request originated.

Have one interfacing method in place which will validate this; if valid, allow the request to go through, and if invalid, return the respective error message to the client.

Apart from this, there is one other option, also known as "Anonymous Authorization", with details here.

Avis
  • I want to implement security, but the user will not pass a username and password. Note: my application will not have the user details of the other application, so I can't secure my web service based on authentication. So how can I secure my web service in this scenario? Could you please let me know the industry-standard ways? – Pratap A.K Sep 24 '15 at 14:38
  • Please check the last lines of my answer above for your use case. – Avis Sep 24 '15 at 16:28
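The IP whitelist filter suggested in the first answer and the RemoteAddr check in the second can be written as one Spring filter. This is an added example, not code from either answer; the class name and the sample address are assumptions, and it is written against Spring Boot 2.x's `javax.servlet` API (Spring Boot 3 uses `jakarta.servlet`).

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: rejects any request whose TCP peer is not on the allowlist.
// As a @Component it applies to every request; to guard only /rest/*, register it
// through a FilterRegistrationBean and call addUrlPatterns("/rest/*") instead.
@Component
public class RemoteAddressAllowlistFilter extends OncePerRequestFilter {

    private final Set<InetAddress> allowed;

    public RemoteAddressAllowlistFilter() throws UnknownHostException {
        // Constructed sample value from the 203.0.113.0/24 documentation range;
        // replace with the static IP of the remote application.
        // getByName() on an IP literal parses it and does no DNS lookup.
        this.allowed = Set.of(InetAddress.getByName("203.0.113.10"));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // getRemoteAddr() is the address of the TCP peer. Behind a reverse proxy or
        // load balancer that is the proxy, not the caller, and X-Forwarded-For is a
        // client-supplied header, so it is only usable if the proxy overwrites it.
        // Parsing to InetAddress compares addresses by value, so different textual
        // forms of the same address (for example IPv4-mapped IPv6) still match.
        InetAddress peer = InetAddress.getByName(request.getRemoteAddr());

        if (!allowed.contains(peer)) {
            // Fail closed: anything not explicitly listed gets 403 before the controller runs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The check identifies only the network peer, not the calling application, which is why the first answer describes it as probably not good enough on its own.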