Spring Boot REST authorization and authentication token recommendations

What is the best practice for authorization and user authentication in a Spring Boot REST API?

I am creating a web application with standard pages + a REST API for mobile devices. I went through a lot of Spring Security articles, and most of them come with some kind of suitable method that will allow or block REST calls. In my case, however, I have some auth logic based on who the user is. For example, there is an API /update that updates information about a user, and the user can update himself, but cannot update another person. Initially, I thought of using the following authentication scheme:

  • The user calls the auth API and passes a username / password or a cookie.
  • The system generates a short token and saves it in the database.
  • The user receives this token and updates his cookie (so JS in the web application can read and use it).
  • When a REST call is made, the cookies are sent. In the controller, the token is retrieved and checked for expiration, and a database query is run to check the token and obtain the user ID.
  • Based on the user ID, the REST call will be allowed or blocked.

Is this the right implementation approach? I have a pretty big mess in my head after reading the Spring Security articles. At least one thing is clear: session auth will not work for me (REST is stateless). I want to do auth for a mobile device without saving my username / password there.

Does it make sense to transfer this token in the REST body itself? What about the GET method?

Thank you very much for sharing your knowledge.

+6
2 answers

Have you found a solution to your problem?

I answered this problem elsewhere: if you are sure that in the future you will not want to open the API to other developers / clients (if you do, then you should take a look at OAuth), then a simple token-based solution will work.

Roughly something like this:

  • Set up a standard HTML login page that you can use to log a user in to the application.
  • Configure Spring Security to return a cookie with an authentication token on successful login.
  • In your mobile application, embed a WebView (or equivalent) and load this login form; let the user log in through this web view, then take the cookie from the response and save the token (since a mobile device usually has one user, you can keep it for a long time so that mobile users do not have to keep logging in).
  • Add a security filter to the REST API that authenticates against the token (for example, pass the token in a header from the mobile application); then you can use the usual Spring authentication context for the current user, etc.

This approach is proposed by Google here: (EDIT: Google seems to have modified the page I originally read to use Google+ Sign-In and OAuth2.0. I don't see a link to their general Mobile / API docs any more, so here it is in the web archive: )

I also wrote up my implementation here:

  • Spring Security Approach Overview
  • Code and Details

Although it was really just an experiment / proof of concept, it may be useful for your thinking.

+3
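A minimal version of the filter-plus-authentication-context approach the answer describes, written here as an added example (not the answerer's linked implementation). It assumes Spring Boot 3 / Spring Security 6 with jakarta.servlet, a header named X-Auth-Token, and a hypothetical TokenStore / TokenRecord standing in for the database table that holds issued tokens; the /update ownership rule comes from the question.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** One row of the (hypothetical) token table: the owner and the expiry instant. */
record TokenRecord(String userId, Instant expiresAt) {}
/** Hypothetical lookup over the token table, keyed by the token value. */
interface TokenStore { Optional<TokenRecord> find(String token); }

/** Authenticates REST calls from the token the client sends in a header. */
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenStore store;
    public TokenAuthenticationFilter(TokenStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        // A header keeps the token out of URLs and query strings, so GET needs no body.
        String token = req.getHeader("X-Auth-Token");
        if (token != null) {
            store.find(token)
                 .filter(rec -> rec.expiresAt().isAfter(Instant.now())) // reject expired tokens
                 .ifPresent(rec -> SecurityContextHolder.getContext().setAuthentication(
                     new UsernamePasswordAuthenticationToken(
                         rec.userId(), null, AuthorityUtils.createAuthorityList("ROLE_USER"))));
        }
        // Missing or invalid token: continue unauthenticated; the security rules then decide.
        chain.doFilter(req, res);
    }
}

/** The /update endpoint from the question: a user may update only their own record. */
@RestController
class UserController {
    @PreAuthorize("#id == authentication.principal") // principal is the userId set by the filter
    @PutMapping("/update/{id}")
    public void update(@PathVariable String id, @RequestBody Map<String, String> fields) {
        // persist the permitted changes for user `id` (storage code omitted)
    }
}
```

Register the filter with `http.addFilterBefore(new TokenAuthenticationFilter(store), UsernamePasswordAuthenticationFilter.class)` in the security configuration and add `@EnableMethodSecurity` so the `@PreAuthorize` check is enforced.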

The cookie approach seems perfectly usable. The token can be associated with a user ID. The filter can extract the cookie and pass the user ID on, for example as a header to the APIs, which should take care of the GET ...

0

Source: https://habr.com/ru/post/980156/
