I have written a custom strong authorization server and libraries for integration called PowerAuth 2.0.
Currently, the developer who tries to secure the API call with it can use it as such:
@Controller
@RequestMapping(value = "/session")
public class AuthenticationController {
@Autowired
private PowerAuthAuthenticationProvider authenticationProvider;
@RequestMapping(value = "/login", method = RequestMethod.POST)
public @ResponseBody String login(
@RequestHeader(value = "X-PowerAuth-Authorization", required = true) String signatureHeader,
HttpServletRequest servletRequest) throws Exception {
PowerAuthApiAuthentication apiAuthentication = authenticationProvider.validateRequestSignature(
servletRequest,
"/session/login",
signatureHeader
);
if (apiAuthentication != null && apiAuthentication.getUserId() != null) {
return "OK";
} else {
return "NOT OK";
}
}
}
I would like to simplify the work for the developer though, so that the code can look like this:
@Controller
@RequestMapping(value = "/session")
public class AuthenticationController {
@RequestMapping(value = "/login", method = RequestMethod.POST)
@PowerAuth(value = "/session/login")
public @ResponseBody String login(PowerAuthApiAuthentication apiAuthentication) throws Exception {
if (apiAuthentication != null && apiAuthentication.getUserId() != null) {
return "OK";
} else {
return "NOT OK";
}
}
}
Principle (probably?):
- Remove the need for autowired authentication provider
- Replace the signature verification call with a custom request filter
- Bind the request filter to a custom annotation with parameters
- Inject the resulting authentication object in a method parameter
Since I am not strong in Spring, could you please provide me a guidance on how to do this?
