How to protect a REST API in a Spring Boot web application?

I have two Spring Boot web applications. Both applications have different databases and different sets of users. In addition, both applications use Spring Security for authentication and authorization, which works correctly.

At any given point, I will have one instance of the first application running and several instances of the 2nd web application.

I want to expose a REST API from the 1st web application (one instance running) and be able to consume these REST APIs from the 2nd web application (multiple instances running).

How can I make sure that the REST API can be consumed securely, with proper authentication, and only by instances of the 2nd application?

+5
3 answers

If you can change your security, I would recommend that you use OAuth2. It basically generates a token that is used by your APP2 instances to call the API. You can see more here:

https://spring.io/guides/tutorials/spring-boot-oauth2/

http://websystique.com/spring-security/secure-spring-rest-api-using-oauth2/

But if you cannot change your APP security, you can continue to use your current scheme. In APP1, you create a user for API calls; this user has access only to the API services. In APP2, you need to store the credentials for accessing APP1. Finally, you log in to APP1 and call the API using an HTTP client; you can use Spring's RestTemplate or the Apache HttpComponents Client.

+3
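The "dedicated API user" scheme from the answer above, as an added example (this is not code from the answer or from the Spring project). It assumes Spring Boot 2.1+ with Spring Security 5.x: APP1 protects `/api/**` with HTTP Basic for a single machine account that holds only `ROLE_API` (so it cannot use the web UI, and ordinary web users cannot call the API), and APP2 builds a `RestTemplate` that sends those credentials. The account name `app2-service`, the `APP1_API_PASSWORD` environment variable and the APP1 URL are assumptions.

```java
// --- APP1: a separate, higher-priority security chain for /api/** only ---
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.client.RestTemplate;

@Configuration
@Order(1) // evaluated before the application's existing form-login chain
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // The shared secret comes from the environment, never from source control (assumed variable name).
    @Value("${APP1_API_PASSWORD}")
    private String apiPassword;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")                 // this chain applies to the API paths only
            .authorizeRequests().anyRequest().hasRole("API")
            .and().httpBasic()                     // credentials on every request, no login form
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable();               // no browser session, so no CSRF token to check
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Machine account for this chain only. It has ROLE_API and nothing else, and no web
        // user is ever granted ROLE_API, so the two populations cannot cross over.
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("app2-service")
            .password(encoder.encode(apiPassword))
            .roles("API");
    }
}

// --- APP2 (separate project): a RestTemplate that authenticates to APP1 ---
@Configuration
class App1ClientConfig {

    @Bean
    public RestTemplate app1RestTemplate(RestTemplateBuilder builder,
                                         @Value("${APP1_API_PASSWORD}") String apiPassword) {
        return builder
            // Assumed URL. It must be HTTPS: Basic auth sends the password base64-encoded,
            // not encrypted, so over plain HTTP anyone on the path can read it.
            .rootUri("https://app1.internal.example")
            .basicAuthentication("app2-service", apiPassword)
            .build();
    }
}
```

With this in place, a call such as `app1RestTemplate.getForObject("/api/items", Item[].class)` from any APP2 instance carries the machine account's credentials, while a browser session logged into APP1 as a normal user gets 403 on `/api/**`. The caveat is that every APP2 instance shares one password: rotating it means redeploying all of them, which is the operational reason the answer prefers OAuth2 where you can change the security setup.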

SSL authentication can be an option if you are serious about security.

Suppose you consume the REST API exposed by application 1 over HTTP; then you can configure application 1 to ask the client to present its SSL/TLS certificate when it tries to access this REST API (exposed by application 1).

This will help us determine that the client is indeed application 2.

Two more points:
In case the REST API of application 1 requires load balancing, NGINX should be your choice. SSL authentication can be offloaded to NGINX, and your Spring Boot application no longer needs to worry about SSL-related configuration.

0
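The client-certificate (mutual TLS) setup from the answer above, as an added example; it is not code from the answer or from Spring. It assumes Spring Boot 2.x with Spring Security 5.x and a private CA that issues application 2's client certificates. The property names in the leading comment are real Spring Boot `server.ssl.*` properties; the key-store paths, the environment variables and the certificate CN `app2-instance` are assumptions.

```java
// In application 1's application.properties (assumed file names; the property names are Spring Boot's):
//   server.ssl.key-store=classpath:app1-server.p12
//   server.ssl.key-store-password=${APP1_KEYSTORE_PASSWORD}
//   server.ssl.trust-store=classpath:internal-ca.p12      # CA that signs application 2's client certs
//   server.ssl.trust-store-password=${APP1_TRUSTSTORE_PASSWORD}
//   server.ssl.client-auth=need                           # handshake fails without a trusted client cert
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@Order(1) // API chain first; the application's form-login chain handles everything else
public class MutualTlsApiConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests().anyRequest().hasRole("APP2")
            .and()
            // The TLS layer has already verified the certificate chain against the trust store.
            // Here we extract the subject CN from that verified certificate and use it as the username.
            .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certificateUserDetailsService())
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable(); // no browser session on this chain
    }

    // Allow list of certificate identities. The trust store proves "issued by our CA";
    // this step pins *which* CA-issued identity may call the API, so another internal service
    // holding a certificate from the same CA is still rejected with 403.
    private UserDetailsService certificateUserDetailsService() {
        return cn -> {
            if ("app2-instance".equals(cn)) { // assumed CN shared by all application 2 instances
                return User.withUsername(cn).password("").roles("APP2").build();
            }
            throw new UsernameNotFoundException("certificate CN not permitted: " + cn);
        };
    }
}
```

If NGINX terminates TLS in front of application 1 as the answer suggests, Spring no longer sees the certificate at all. NGINX must then verify it (`ssl_verify_client on` against the CA) and pass the verified subject to the backend in a header such as `$ssl_client_s_dn`, and the Spring side has to accept that header only from NGINX's own address: anyone who can reach the application port directly could otherwise set the header themselves. Also check that the trust store holds only your internal CA, not a public bundle, or any publicly issued certificate would pass the handshake.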

The solution we worked with was to provide security using the OAuth2 client_credentials workflow. This is an OAuth2 flow where clients request a token on their own behalf and not on behalf of the calling user.

Check out Spring Cloud Security

1) Protect your services using @EnableResourceServer

 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

 @SpringBootApplication
 @EnableResourceServer   // every request now has to carry a valid bearer token
 public class Application ...

2) Make calls from one service to another using OAuth2RestTemplate

Check the "Resource server token relay" section in http://cloud.spring.io/spring-cloud-security/spring-cloud-security.html , which shows you how to configure OAuth2RestTemplate to forward the security details (the token) from one service to another.

3) Service A and Service B should be able to exchange data using these methods if they are configured with the same OAuth2 client and secret. This is configured in the application's application.properties file, which I hope is injected from the environment.

OAuth2 scopes can be used as role identifiers. Therefore, you can say that only the client with the scopes (api-read, api-write) should have access to Endpoint A in Service A. This can be configured using the Spring Security authorization configuration, as well as @EnableGlobalMethodSecurity.

0
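Steps 1 to 3 of the answer above carried through in one place, as an added example that is not code from the answer or from the Spring projects. It assumes the Spring Security OAuth2 library (`spring-security-oauth2` 2.x, the one that provides `@EnableResourceServer`) on Spring Boot 2.x, and an authorization server that issues client_credentials tokens with the scopes `api-read` and `api-write`. Service A enforces scopes per route; Service B obtains its token with `OAuth2RestTemplate`. The token endpoint URL, the client id `service-b` and the `SERVICE_B_CLIENT_SECRET` variable are assumptions, and unlike the answer the example gives the caller its own client id rather than sharing one between the two services.

```java
// --- Service A: resource server, scope checks on the web layer ---
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer // validates the bearer token on every request, disables CSRF, stateless sessions
public class ServiceAResourceConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // The resource server registers the #oauth2 expression handler, so the token's scopes
        // can be checked per route: a token with only api-read can GET but gets 403 on POST/PUT/DELETE.
        http.antMatcher("/api/**").authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('api-read')")
            .antMatchers("/api/**").access("#oauth2.hasScope('api-write')");
    }
}

// --- Service B (separate project): obtains a client_credentials token and attaches it ---
@Configuration
class ServiceAClientConfig {

    @Bean
    public OAuth2RestTemplate serviceARestTemplate(
            @Value("${SERVICE_B_CLIENT_SECRET}") String clientSecret) { // assumed env variable
        ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
        details.setAccessTokenUri("https://auth.internal.example/oauth/token"); // assumed endpoint
        details.setClientId("service-b");
        details.setClientSecret(clientSecret);
        // Ask only for the scope this caller needs; a stolen token is then limited to reads.
        details.setScope(Arrays.asList("api-read"));
        // OAuth2RestTemplate fetches the token on first use, caches it, and requests a new one
        // when it expires, so no user context is involved: this is the client's own identity.
        return new OAuth2RestTemplate(details);
    }
}
```

A call such as `serviceARestTemplate.getForObject("https://service-a.internal.example/api/items", Item[].class)` succeeds, while a `postForObject` to the same path with this token is refused by Service A because `api-write` is missing. For method-level checks with `@EnableGlobalMethodSecurity(prePostEnabled = true)`, the same `#oauth2.hasScope(...)` expression works in `@PreAuthorize` once `OAuth2MethodSecurityExpressionHandler` is registered as the method security expression handler; without that registration the expression fails at startup.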

Source: https://habr.com/ru/post/1265630/
