02 Securing Rest Api

Uploaded by

Kavi Arasan

Customer Self Care Web Portal (CSWP)

Securing RESTful API Using Spring Security

Security is the process of protecting resources from unauthenticated and
unauthorized users and allowing specific (authenticated and authorized) users to
access these protected resources. Security is different from firewalls, intrusion
detection, JVM security, or anything else. Spring Security is primarily targeted
toward Spring-based applications.
The Spring Security framework initially started as the Acegi Security framework
and was later adopted by Spring as a subproject. It has become the de facto
standard for securing applications developed using the Spring Framework. Spring
Security supports authentication and authorization at the HTTP request method’s
invocation level.
Authentication is the process of verifying that the user is the person the user is
claiming to be. Authentication takes place through identification and
verification.
Authorization is the process of granting access to a resource for the authenticated
user. In other words, it provides access control to an authenticated user. Let’s take
an example in the UserRegistrationSystem application: the user USER can perform
user registration, update user details, and get a list of users, whereas only the user
ADMIN has the extra privileges to delete users. The access rights given to the client
will determine the access rule for that application.
Spring Security supports URL-based security, which is implemented using servlet filters.
Spring Security also supports method-level security, where only authorized users
are allowed to invoke the specific methods granted to them.
Introducing Basic Authentication
The traditional approaches for authentication, such as using the login page and
session identification, are bound to a web-based client requiring human interaction.
When it comes to communicating with the REST client, which may not even be a
web-based application, we need to think about the solution provided by Basic
Authentication.
Basic Authentication uses the standard HTTP Authorization header to send Base64-
encoded credentials with each request. Base64 is an encoding, not encryption or
hashing; in other words, the username and password travel in clear-text form, which
is why Basic Authentication should only be used over TLS (HTTPS).
The credential string contains the username and password in the format
username:password.
import org.apache.commons.codec.binary.Base64;   // Apache Commons Codec
import org.springframework.http.HttpHeaders;

// Client side: join username and password with ':' and Base64-encode the result
String plain_Client_Credentials = "user:password";
String base64_ClientCredentials = new String(Base64.encodeBase64(plain_Client_Credentials.getBytes()));
// getHeaders() is the application's own helper returning the request's HttpHeaders (not shown here)
HttpHeaders headers = getHeaders();
headers.add("Authorization", "Basic " + base64_ClientCredentials);
The above code produces the header Authorization: Basic dXNlcjpwYXNzd29yZA==,
which will be sent with each HTTP request. Basic Authentication is one of the
simplest techniques for protecting a RESTful API because it does not require
cookies, a session identifier, or even a login page.
BasicAuthenticationFilter
The BasicAuthenticationFilter object is responsible for processing any HTTP
request that carries an Authorization header using the Basic authentication
scheme together with a Base64-encoded username:password token.
If the authentication is successful, BasicAuthenticationFilter in Spring is
responsible for putting the result (the Authentication object) into the
SecurityContextHolder.
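The following Java program is an added example; it is not code from this page or from the CSWP project. It uses the JDK's own java.util.Base64 rather than the Commons Codec class shown above, and it covers both sides of the exchange: the client building the Authorization header, and the server-side parsing that BasicAuthenticationFilter performs before the credentials reach the AuthenticationManager. The class and method names (BasicAuthHeaderDemo, buildHeader, parseHeader, Credentials) are hypothetical, and the usernames and passwords are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/**
 * Added example (not from the page): builds the Basic Authentication header the way a
 * REST client does, then parses it the way the server-side filter must. Running it
 * shows that Base64 is reversible encoding, not protection: whoever can read the
 * request can read the password, which is why Basic Authentication needs TLS.
 */
public class BasicAuthHeaderDemo {

    /** Client side: "user:password" becomes "Basic dXNlcjpwYXNzd29yZA==". */
    public static String buildHeader(String username, String password) {
        String plain = username + ":" + password;
        String encoded = Base64.getEncoder()
                .encodeToString(plain.getBytes(StandardCharsets.UTF_8));
        return "Basic " + encoded;
    }

    /** Credentials recovered from a header value. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Server side: returns the credentials carried by an Authorization header value,
     * or empty when the header is absent, uses a different scheme, or is malformed.
     * The token is split at the FIRST colon only: RFC 7617 forbids ':' in the user-id
     * but allows it in the password, so "alice:p:a:ss" means user alice, password p:a:ss.
     */
    public static Optional<Credentials> parseHeader(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String trimmed = headerValue.trim();
        // The scheme name is case-insensitive: "Basic", "basic" and "BASIC" are all valid
        if (trimmed.length() < 6 || !trimmed.substring(0, 6).equalsIgnoreCase("basic ")) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(trimmed.substring(6).trim());
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();   // not valid Base64: reject rather than guess
        }
        String token = new String(decoded, StandardCharsets.UTF_8);
        int colon = token.indexOf(':');
        if (colon < 0) {
            return Optional.empty();   // no delimiter: malformed token
        }
        return Optional.of(new Credentials(token.substring(0, colon), token.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample credentials, the same pair the page encodes
        String header = buildHeader("user", "password");
        System.out.println("Authorization: " + header);

        // Anyone able to read the request (for example on a non-TLS connection) recovers both values
        Credentials c = parseHeader(header).get();
        System.out.println("recovered username=" + c.username + " password=" + c.password);

        // A password containing ':' survives because the split happens at the first colon only
        Credentials d = parseHeader(buildHeader("alice", "p:a:ss")).get();
        System.out.println("recovered username=" + d.username + " password=" + d.password);

        // A header using another scheme yields no Basic credentials
        System.out.println("Bearer header parsed as Basic? " + parseHeader("Bearer abc").isPresent());
    }
}
```

Compile and run it with `javac BasicAuthHeaderDemo.java && java BasicAuthHeaderDemo`; the first line printed is the same Authorization: Basic dXNlcjpwYXNzd29yZA== value the page derives, and the following lines show that value turned back into the plain username and password. In a real application the recovered credentials are handed to the AuthenticationManager, which compares the password against a stored hash, never against a clear-text copy.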
Spring Boot Security Starter
The goal of Spring Boot is to ease application development. As with every other
Spring Boot feature, adding the matching starter POM, in this case the Security
starter, gives the developer a basic security configuration out of the box: HTTP
Basic Authentication and an AuthenticationManager bean with an in-memory default
user are set up when the application is built on top of Spring Boot.
We will now configure Spring Security in our UserRegistrationSystem application.
To add Spring Security to our Spring Boot application, we need to add the Spring
Security dependency in the Maven pom.xml file.

Once we add the Spring Security dependency to the Maven pom.xml file, our entire
application is protected via HTTP Basic Authentication for all resources except
common static resources (CSS files, JavaScript files, and so on), and an
AuthenticationManager bean with an in-memory default user is created for your
application.
The default username is user, and the password is generated in the STS IDE
console log when we run the UserRegistrationSystem application as a Spring Boot
application. Once we start our Spring Boot application, we will see the generated
default user’s password in the logs, as follows:
Using default security password: 72baa813-dab9-47bf-8329-78987485785b

The password generated here is random and will change every time we start our
Spring Boot application, whereas the username will always be the same (here it is user).
When we start our Spring Boot application after adding the Spring Security
dependency, the log is printed as shown below:
Let’s understand the magic going on behind the scenes because of
autoconfiguration. The Mapping filter: 'springSecurityFilterChain' to: [/*] part
shows that by default Spring Security is turned on for all URLs in the application.
Let’s test our application by launching Postman and trying to call one of the REST
APIs by visiting http://localhost:8080/api/user/ to get a list of users in
UserRegistrationSystem. Once we hit this URL, we get a response with status 401
and the error Unauthorized, stating that there has been an authentication failure, as
shown below.
When we hit the same URL in the browser, we get the Basic Authentication
challenge (the browser's login prompt) issued by Spring, as shown below:

We must supply a username and password along with a request to authorize. So, we
will supply the username user and a password after copying the generated user’s
default password from the STS console to authenticate the user while accessing the
RESTful API.
Launch Postman, click the Authorization tab, and then set Type to Basic Auth.
Provide the username and password and click Update Request so that the request
gets an Authorization header. Finally, visit
http://localhost:8080/api/user/, as shown below. Since the user list is empty in the
UserRegistrationSystem application, the response will show an empty list.
It is hardly practical to copy a password from a log every time we restart the
application. We can customize this default credential by setting some properties in
the application.properties file.
Overriding the Spring Security Defaults
Spring Boot allows developers to easily override the security defaults (username,
password, and role) by specifying security properties in the application.properties
file located in the src\main\resources\ folder of the UserRegistrationSystem
application, as shown below:
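The properties snippet the page refers to is not reproduced here. As an added example (not the page's or the project's own code), the following Java configuration achieves the same override in code and, in addition, enforces the USER/ADMIN split described in the Authorization section: any authenticated USER can register, update and list users, while only ADMIN may delete them. It assumes Spring Boot 2.x with Spring Security 5.x (WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.x); the class name SecurityConfig, the usernames and passwords, and the /api/user/** URL pattern are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not from the page): replaces the auto-configured default user
 * with two in-memory users and wires HTTP Basic authentication plus role-based
 * authorization for the REST API. Assumes Spring Boot 2.x / Spring Security 5.x.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Passwords are stored as BCrypt hashes, never in clear text. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Overrides the single generated default user with explicit USER and ADMIN accounts. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Placeholder passwords for the example only; a real deployment reads them from
        // externalized configuration or a user store, not from source code.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user")
                .password(passwordEncoder().encode("user-password"))
                .roles("USER")
            .and()
            .withUser("admin")
                .password(passwordEncoder().encode("admin-password"))
                .roles("USER", "ADMIN");
    }

    /** HTTP Basic for every request, no server-side session, ADMIN-only deletes. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The API is stateless and authenticates every request with the Authorization
            // header, so there is no session cookie for CSRF to ride on; disable the CSRF
            // filter only under that condition.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // DELETE is the extra privilege reserved for ADMIN (hasRole adds the ROLE_ prefix)
                .antMatchers(HttpMethod.DELETE, "/api/user/**").hasRole("ADMIN")
                // Registration, updates and listing are open to any authenticated USER
                .antMatchers("/api/**").hasRole("USER")
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

With this class on the classpath the "Using default security password" log line disappears, because the auto-configured in-memory user is replaced by the users defined here. The rule order matters: the more specific DELETE matcher must come before the general /api/** matcher, since the first matching rule wins. Deployments should still front the service with TLS, because the Basic header carries the password in reversible Base64 on every request.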
