1

I built a REST API using Spring Boot, and I implemented the authentication using Firebase.

My problem right now is that I want to have control over the client applications that will access my application. The problem with using Spring Security is that, as far as I know, I have to do the authentication with it, and I just want to "allow the client application."

Does anyone have any idea how to do this?

  • Do you mean that you do not want to perform the authentication for a certain set of clients? – Yasin Nov 03 '16 at 18:14
  • No. All clients must be authenticated, but that task will be Firebase's. On my server I will just check whether the application is authorized to access the server. My problem is precisely verifying the application. – Danilo Andrade Nov 03 '16 at 20:53

3 Answers

0

Provide a unique key to your client, which your microservice recognises, and authenticate any request based on that key. This can also be given as a request parameter.

Let's say you add your key into a parameter called my-key. Now, before working on your logic inside your spring-boot app, validate your key, like this:

Your REST controller would look like this:

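import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
class MyRest {

    // Shared key the client must send with every request
    private static final String KEY = "someValue";

    @RequestMapping("/some-mapping")
    public ResponseEntity<String> myMethod(@RequestParam(value = "my-key", required = true) String key) {
        if (!validateRequest(key)) {
            // return error as response
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("invalid key");
        }
        System.out.println("Key Validation Successful!");
        // here goes your logic
        return ResponseEntity.ok("OK");
    }

    // True only when the supplied key matches the expected one
    private boolean validateRequest(String key) {
        return KEY.equals(key);
    }
}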

In order to access this REST endpoint, use: http://your-host:port/some-mapping?my-key=someValue

Abbas Kararawala
0

If you want to allow some of the clients to bypass the authentication, have a list of whitelisted IP addresses and check the IP of each incoming request. If the IP is in the list of whitelisted APIs, no need to authenticate.

Use HttpServletRequest.getRemoteAddr() to get the IP address.

Yasin
0

Solution 1

Custom interceptor MyHandlerInterceptor.java:

import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class MyHandlerInterceptor implements HandlerInterceptor {
    private static final String YOUR_KEY = "KEY_VALUE";

    // Runs before the controller; returning false stops the request here
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
        String key = request.getHeader("X-Key");
        // Constant first, so a missing header (null) is simply treated as invalid
        boolean isValid = YOUR_KEY.equals(key);
        if (!isValid) {
            //invalid key
            response.setStatus(401);
            PrintWriter writer = response.getWriter();
            writer.write("invalid key");
        }
        return isValid;
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
    }
}

Configure interceptor WebConfig.java:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new MyHandlerInterceptor());
    }
}
Alan
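
A variant of the interceptor in the answer above, as an added example that is not part of any answer on this page: each client application gets its own key, the server holds only SHA-256 digests of the keys, and the comparison uses MessageDigest.isEqual, which runs in constant time. The class name, the X-Client-Id header and the sample keys are assumptions made for illustration; it assumes Spring 5 with javax.servlet, as in the answer, and Java 9+ for Map.of.

```java
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
// Added example: one key per client application, so a single client can be revoked.
public class ClientKeyInterceptor implements HandlerInterceptor {
    // X-Client-Id is a hypothetical header name; X-Key is the header used in the answer above.
    static final String ID_HEADER = "X-Client-Id";
    static final String KEY_HEADER = "X-Key";
    // client id -> SHA-256 digest of its key; load from configuration or a secret store.
    private final Map<String, byte[]> keyDigests;

    public ClientKeyInterceptor(Map<String, byte[]> keyDigests) {
        this.keyDigests = keyDigests;
    }

    static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every JVM must provide SHA-256
        }
    }

    boolean isAuthorized(String clientId, String presentedKey) {
        if (clientId == null || presentedKey == null) return false; // missing header
        byte[] expected = keyDigests.get(clientId);
        // MessageDigest.isEqual compares in constant time, unlike String.equals.
        return expected != null && MessageDigest.isEqual(expected, sha256(presentedKey));
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws IOException {
        boolean ok = isAuthorized(req.getHeader(ID_HEADER), req.getHeader(KEY_HEADER));
        if (!ok) res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid client key");
        return ok;
    }

    public static void main(String[] args) { // constructed sample client and keys
        ClientKeyInterceptor i = new ClientKeyInterceptor(Map.of("mobile-app", sha256("constructed-key-1")));
        System.out.println(i.isAuthorized("mobile-app", "constructed-key-1"));
        System.out.println(i.isAuthorized("mobile-app", "wrong-key"));
        System.out.println(i.isAuthorized("unknown-app", "constructed-key-1"));
    }
}
```

Register it in WebConfig in place of MyHandlerInterceptor. A key shipped inside a client application can be extracted from it, so this check identifies cooperating clients rather than proving which application is calling, and sending the key in a header rather than the query string keeps it out of URL access logs.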