0

I have a REST service which relies on an external system for authenticating the token but needs to do authorization (API-level access, e.g. using @Secured) by itself.

Requirement:

  1. UI generates the token using an external system.
  2. UI makes REST calls with the token to my service.
  3. My service validates the token using the external system, but authentication for API calls is done by my service.

One possible solution was to do this using a filter:

  1. UI generates the token using an external system.
  2. UI makes REST calls with the token to my service.
  3. My service has a filter that invokes the external system with the token.
  4. The external system for valid token sends back the user details.
  5. My service, on a successful call, sets the SecurityContextHolder like

    SecurityContextHolder.getContext().setAuthentication(new AuthorizedUser("test", Arrays.asList(new SimpleGrantedAuthority("test_role")), "test", null));

Is there any other way this can be achieved?

JDev

1 Answer

0

If you are looking for proposals on your architecture then you may save an extra call to an "external system" by changing step one and other steps:

  1. UI generates the token using an external system.

    1.1. The external system saves user details inside some in-memory key-value database (like Redis).

...

  3. My service has a filter that fetches user details from Redis using the token.

It makes sense if you want to protect the "external system" from being spammed by multiple calls from your filter.

If you are looking for implementation hints, then calling SecurityContextHolder.getContext().setAuthentication() when your code has verified authentication and completed authorization seems fine to me.

Maybe it is a better idea to use @javax.annotation.security.RolesAllowed instead of @Secured (works the same way but the name is more obvious).

And sometimes you may like to use org.springframework.http.client.ClientHttpRequestInterceptor instead of a filter, see this for example: Difference between Interceptor and Filter in Spring MVC

Nikita Tukkel
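The filter approach the question and answer discuss, as an added example that is not code from either post. It assumes Spring Security 5 on javax.servlet; `TokenLookup` and `TokenPrincipal` are hypothetical types standing in for the external validator (or the Redis cache the answer proposes), and roles are prefixed with `ROLE_` so that method security with `@Secured` or `@RolesAllowed` can match them.

```java
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// User details the token check returns (constructed type for this example).
record TokenPrincipal(String username, List<String> roles) {}

// Hypothetical lookup: the external validator, or the Redis cache the answer proposes.
interface TokenLookup {
    Optional<TokenPrincipal> lookup(String token);
}

public class ExternalTokenAuthFilter extends OncePerRequestFilter {
    private final TokenLookup lookup;
    public ExternalTokenAuthFilter(TokenLookup lookup) { this.lookup = lookup; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res); // no token: stay anonymous, @Secured endpoints reject later
            return;
        }
        Optional<TokenPrincipal> principal = lookup.lookup(header.substring("Bearer ".length()).trim());
        if (principal.isEmpty()) {
            SecurityContextHolder.clearContext();
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        // Prefix roles so @Secured("ROLE_ADMIN") and @RolesAllowed("ADMIN") both match.
        List<SimpleGrantedAuthority> authorities = principal.get().roles().stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r)).toList();
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(principal.get().username(), null, authorities));
        try {
            chain.doFilter(req, res);
        } finally {
            SecurityContextHolder.clearContext(); // never leak this user into the next request on the thread
        }
    }
}
```

Register the filter before `UsernamePasswordAuthenticationFilter` in the `HttpSecurity` chain and enable method security (`securedEnabled` / `jsr250Enabled`) so the annotations are actually enforced.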