0

I have a rest api MyRestApi.war which is a spring boot and spring mvc project.

There is another web project A.war which is a normal spring project. Its front-end such as javascript and back-end such as java code need to call MyRestApi. User need to log in A.war to use it.

I don't need to do permission control for MyRestApi, only users login to A.war can access MyRestApi via front-end and back-end of A.war

There are some solutions, e.g. API key, jwt, OAuth.

I want to try these three approaches then pick one.

But when I search something like api key authentication, they all use spring security to do that.

So how can I secure MyRestApi with api key without spring security.

frank
  • 1,169
  • 18
  • 43
  • Please refer to this question: [How to secure REST API with Spring Boot and Spring Security?](https://stackoverflow.com/questions/32548372/how-to-secure-rest-api-with-spring-boot-and-spring-security) – srr7 Aug 02 '20 at 10:06

1 Answers1

2

You can write your own filter if you don't want to use spring security. This filter will interecept all the URLs. In this filter you can check for the API key in the headers and validate. If it's validate, let the chain continue else throw some meaningful error to the user/application.

Rahul Vedpathak
  • 1,346
  • 3
  • 16
  • 30
  • The `api key` is set in request header, e.g. header name is `API-Key` and header value is `123`, then in the filter get this header value and check via this header name, right? If it is right, what is difference between the `api key` and `http basic auth`? because `http basic auth` also set something in a header, just it set username and password. – frank Apr 12 '19 at 01:53
  • The above solution was to secure APIs without spring security. Is your both applications deployed on the same machine ? If yes, then you can configure your front facing web app to listen on 433/80 port. And backend app on a different port. Moreover, you can configure http connector for that backend app to listen to specific address only like "localhost". Check this link - https://serverfault.com/questions/218666/how-to-configure-tomcat-to-only-listen-to-127-0-0-1 – Rahul Vedpathak Apr 15 '19 at 06:46
  • Yes, they are deployed on the same machine, but sorry I don't understand what you said. My question is : what is the difference between `api key` and `http basic auth` when these two approaches are used to secure `restful api`? Because both `api key` and `http basic auth` set value in http header? Is `api key` is more secure than `http basic auth`? – frank Apr 15 '19 at 07:42