41

There are lots of guidelines, sample codes that show how to secure REST API with Spring Security, but most of them assume a web client and talk about login page, redirection, using cookie, etc. May be even a simple filter that checks for the custom token in HTTP header might be enough. How do I implement security for below requirements? Is there any gist/github project doing the same? My knowledge in spring security is limited, so if there is a simpler way to implement this with spring security, please let me know.

  • REST API served by stateless backend over HTTPS
  • client could be web app, mobile app, any SPA style app, third-party APIs
  • no Basic Auth, no cookies, no UI (no JSP/HTML/static-resources), no redirections, no OAuth provider.
  • custom token set on HTTPS headers
  • The token validation done against external store (like MemCached/Redis/ or even any RDBMS)
  • All APIs need to be authenticated except for selected paths (like /login, /signup, /public, etc..)

I use Springboot, spring security, etc.. prefer a solution with Java config (no XML)

Karthik Karuppannan
  • 839
  • 1
  • 8
  • 9
  • Well it looks ok. You just need a custom filter for spring security, a custom provider to deal with the token, a `UserDetailService` with added support for the token and a token manager. As currently written your question is too broad, but IMHO you can safely go on with this project and come back here as soon as you stuck somewhere. – Serge Ballesta Aug 14 '14 at 21:04
  • I don't think a UserDetailService is needed – Chris DaMour Aug 14 '14 at 22:21

5 Answers5

34

My sample app does exactly this - securing REST endpoints using Spring Security in a stateless scenario. Individual REST calls are authenticated using an HTTP header. Authentication information is stored on the server side in an in-memory cache and provides the same semantics as those offered by the HTTP session in a typical web application. The app uses the full Spring Security infrastructure with very minimum custom code. No bare filters, no code outside of the Spring Security infrastructure.

The basic idea is to implement the following four Spring Security components:

  1. org.springframework.security.web.AuthenticationEntryPoint to trap REST calls requiring authentication but missing the required authentication token and thereby deny the requests.
  2. org.springframework.security.core.Authentication to hold the authentication information required for the REST API.
  3. org.springframework.security.authentication.AuthenticationProvider to perform the actual authentication (against a database, an LDAP server, a web service, etc.).
  4. org.springframework.security.web.context.SecurityContextRepository to hold the authentication token in between HTTP requests. In the sample, the implementation saves the token in an EHCACHE instance.

The sample uses XML configuration but you can easily come up with the equivalent Java config.

manish
  • 19,695
  • 5
  • 67
  • 91
  • 1
    Very clean solution, pointed me into the right direction! I would upvote you more than once if I could :) – Thomas Eizinger Nov 07 '14 at 13:57
  • Fantastic answer... think I'll review your impl for one of my own uses... ;) – Edward J Beckett Mar 14 '15 at 23:01
  • For some reason i'm not able to run your sample application. If i leave the "api" module in the pom it won't compile at all saying it can't find classes from other packages. If i remove it it will compile but when running it on the server (trying to go inside the web part, without api) i'll get an exception java.lang.NoClassDefFoundError: org/example/service/UserService . I am using maven 3.3.1 and Java 8 – valepu Mar 20 '15 at 13:42
  • Works fine for me with exactly those versions - `mvn clean tomcat7:run -am -pl api`. How are you trying to run the app? – manish Mar 20 '15 at 15:05
  • As written in your github documentation i run "mvn clean package tomcat7:run -pl api,common,data,domain,service,transfer". If i run "mvn clean tomcat7:run -am -pl api" it works fine – valepu Mar 20 '15 at 16:14
  • Both run fine; on Windows, anything with commas sometimes has to be enclosed in double-quotes so `mvn clean package tomcat7:run -pl "api,common,data,domain,service,transfer"` should also work. `mvn -am` (`--also-make`) simply acts as a shortcut to this (longish) command by making the dependencies for the `api` module implicit. – manish Mar 20 '15 at 17:30
  • Very nice. Shed a lot of light on what I needed. Thank you! – Lorin S. Apr 07 '15 at 22:05
  • 6
    The question seems to be about Java, and the sample app is in an area called manish-in-java. But the downloaded project contains 2 Java files and 23 Scala files. Is there a Java version? – Chris May 13 '15 at 13:50
  • No there is no pure Java solution since I posted the sample from my actual production app which is mostly in Scala. Personally, I have not faced any problems reading Scala code, even when I had just started learning the language but I agree that the same can't be said for all Java programmers in general. I would suggest that you give it a try; after all there are just four classes of interest. – manish May 13 '15 at 16:13
9

You're right, it isn't easy and there aren't many good examples out there. Examples i saw made it so you couldn't use other spring security stuff side by side. I did something similar recently, here's what i did.

You need a custom token to hold your header value

public class CustomToken extends AbstractAuthenticationToken {
  private final String value;

  //Getters and Constructor.  Make sure getAutheticated returns false at first.
  //I made mine "immutable" via:

      @Override
public void setAuthenticated(boolean isAuthenticated) {
    //It doesn't make sense to let just anyone set this token to authenticated, so we block it
    //Similar precautions are taken in other spring framework tokens, EG: UsernamePasswordAuthenticationToken
    if (isAuthenticated) {

        throw new IllegalArgumentException(MESSAGE_CANNOT_SET_AUTHENTICATED);
    }

    super.setAuthenticated(false);
}
}

You need a spring security filter to extract the header and ask the manager to authenticate it, something like thisemphasized text

public class CustomFilter extends AbstractAuthenticationProcessingFilter {


    public CustomFilter(RequestMatcher requestMatcher) {
        super(requestMatcher);

        this.setAuthenticationSuccessHandler((request, response, authentication) -> {
        /*
         * On success the desired action is to chain through the remaining filters.
         * Chaining is not possible through the success handlers, because the chain is not accessible in this method.
         * As such, this success handler implementation does nothing, and chaining is accomplished by overriding the successfulAuthentication method as per:
         * http://docs.spring.io/autorepo/docs/spring-security/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html#successfulAuthentication(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse,%20javax.servlet.FilterChain,%20org.springframework.security.core.Authentication)
         * "Subclasses can override this method to continue the FilterChain after successful authentication."
         */
        });

    }



    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {


        String tokenValue = request.getHeader("SOMEHEADER");

        if(StringUtils.isEmpty(tokenValue)) {
            //Doing this check is kinda dumb because we check for it up above in doFilter
            //..but this is a public method and we can't do much if we don't have the header
            //also we can't do the check only here because we don't have the chain available
           return null;
        }


        CustomToken token = new CustomToken(tokenValue);
        token.setDetails(authenticationDetailsSource.buildDetails(request));

        return this.getAuthenticationManager().authenticate(token);
    }



    /*
     * Overriding this method to maintain the chaining on authentication success.
     * http://docs.spring.io/autorepo/docs/spring-security/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html#successfulAuthentication(javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse,%20javax.servlet.FilterChain,%20org.springframework.security.core.Authentication)
     * "Subclasses can override this method to continue the FilterChain after successful authentication."
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {


        //if this isn't called, then no auth is set in the security context holder
        //and subsequent security filters can still execute.  
        //so in SOME cases you might want to conditionally call this
        super.successfulAuthentication(request, response, chain, authResult);

        //Continue the chain
        chain.doFilter(request, response);

    }


}

Register your custom filter in spring security chain

 @Configuration
 public static class ResourceEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {        

      //Note, we don't register this as a bean as we don't want it to be added to the main Filter chain, just the spring security filter chain
      protected AbstractAuthenticationProcessingFilter createCustomFilter() throws Exception {
        CustomFilter filter = new CustomFilter( new RegexRequestMatcher("^/.*", null));
        filter.setAuthenticationManager(this.authenticationManagerBean());
        return filter;
      }

       @Override
       protected void configure(HttpSecurity http) throws Exception {                  

            http
            //fyi: This adds it to the spring security proxy filter chain
            .addFilterBefore(createCustomFilter(), AnonymousAuthenticationFilter.class)
       }
}

A custom auth provider to validate that token extracted with the filter.

public class CustomAuthenticationProvider implements AuthenticationProvider {


    @Override
    public Authentication authenticate(Authentication auth)
            throws AuthenticationException {

        CustomToken token = (CustomToken)auth;

        try{
           //Authenticate token against redis or whatever you want

            //This i found weird, you need a Principal in your Token...I use User
            //I found this to be very redundant in spring security, but Controller param resolving will break if you don't do this...anoying
            org.springframework.security.core.userdetails.User principal = new User(...); 

            //Our token resolved to a username so i went with this token...you could make your CustomToken take the principal.  getCredentials returns "NO_PASSWORD"..it gets cleared out anyways.  also the getAuthenticated for the thing you return should return true now
            return new UsernamePasswordAuthenticationToken(principal, auth.getCredentials(), principal.getAuthorities());
        } catch(Expection e){
            //TODO throw appropriate AuthenticationException types
            throw new BadCredentialsException(MESSAGE_AUTHENTICATION_FAILURE, e);
        }


    }

    @Override
    public boolean supports(Class<?> authentication) {
        return CustomToken.class.isAssignableFrom(authentication);
    }


}

Finally, register your provider as a bean so the authentication manager finds it in some @Configuration class. You probably could just @Component it too, i prefer this method

@Bean
public AuthenticationProvider createCustomAuthenticationProvider(injectedDependencies)  {
    return new CustomAuthenticationProvider(injectedDependencies);
}
Chris DaMour
  • 3,650
  • 28
  • 37
  • 1
    As manish showed in the other answer, there is no need for a custom filter if you make use of the `SecurityContextRepository` interface which results in cleaner code and is most likely the way you should use the framework. – Thomas Eizinger Nov 07 '14 at 14:00
  • isn't that more for when you can turn a user/pw into a token? – Chris DaMour Feb 12 '16 at 04:08
  • Hey. using your code Filter-> onAuthenticationSuccess -> chain.doFilter() call returns NullPointerExceptions once in a while. Stacktrace refers to ApplicationFilterChain class. Got any ideas? :) Thanks – Timson Mar 09 '17 at 14:10
  • you know we did run into that...let me update with our fix – Chris DaMour Mar 09 '17 at 21:36
  • updated..the issue was that the previous setAuthenticationSuccessHandler closure set a class member on every call...so you'd be continuing someone else's chain possibly..which was never good. That can never happen now – Chris DaMour Mar 09 '17 at 21:54
  • Thanks! Fixed the issue – Timson Mar 10 '17 at 04:06
4

The code secure all endpoints - but I'm sure that you can play with that :). The token is stored in Redis using Spring Boot Starter Security and you have to define our own UserDetailsService which you pass into AuthenticationManagerBuilder.

Long story short - copy paste EmbeddedRedisConfiguration and SecurityConfig and replace AuthenticationManagerBuilder to your logic.

HTTP:

Requesting token - sending basic HTTP auth content in a request header. A token is given back in a response header.

http --print=hH -a user:password localhost:8080/v1/users

GET /v1/users HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjpwYXNzd29yZA==
Connection: keep-alive
Host: localhost:8080
User-Agent: HTTPie/0.9.3

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 4
Content-Type: text/plain;charset=UTF-8
Date: Fri, 06 May 2016 09:44:23 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Application-Context: application
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
x-auth-token: cacf4a97-75fe-464d-b499-fcfacb31c8af

Same request but using token:

http --print=hH localhost:8080/v1/users 'x-auth-token: cacf4a97-75fe-464d-b499-fcfacb31c8af'

GET /v1/users HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: localhost:8080
User-Agent: HTTPie/0.9.3
x-auth-token:  cacf4a97-75fe-464d-b499-fcfacb31c8af

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 4
Content-Type: text/plain;charset=UTF-8
Date: Fri, 06 May 2016 09:44:58 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Application-Context: application
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

If you pass wrong username/password or token you get 401.

JAVA

I added those dependencies into build.gradle

compile("org.springframework.session:spring-session-data-redis:1.0.1.RELEASE")
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.boot:spring-boot-starter-web")
compile("com.github.kstyrc:embedded-redis:0.6")

Then Redis configration 

@Configuration
@EnableRedisHttpSession
public class EmbeddedRedisConfiguration {

    private static RedisServer redisServer;

    @Bean
    public JedisConnectionFactory connectionFactory() throws IOException {
        redisServer = new RedisServer(Protocol.DEFAULT_PORT);
        redisServer.start();
        return new JedisConnectionFactory();
    }

    @PreDestroy
    public void destroy() {
        redisServer.stop();
    }

}

Security config:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService userService;

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        builder.userDetailsService(userService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .requestCache()
                .requestCache(new NullRequestCache())
                .and()
                .httpBasic();
    }

    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        return new HeaderHttpSessionStrategy();
    }
}

Usually in tutorials you find AuthenticationManagerBuilder using inMemoryAuthentication but there is a lot more choices (LDAP, ...) Just take a look into class definition. I'm using userDetailsService which requires UserDetailsService object.

And finally my user service using CrudRepository.

@Service
public class UserService implements UserDetailsService {

    @Autowired
    UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserAccount userAccount = userRepository.findByEmail(username);
        if (userAccount == null) {
            return null;
        }
        return new User(username, userAccount.getPassword(), AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
    }
}
radeklos
  • 2,168
  • 21
  • 19
0

Another Example Project which uses JWT - Jhipster

Try Generating a Microservice application using JHipster. It generates a template with out of the box integration between Spring Security and JWT.

https://jhipster.github.io/security/

Dhananjay
  • 642
  • 6
  • 15
-1

I recommend JSON Web Tokens http://jwt.io/ , it's stateless and scalable.

Here is an example project, https://github.com/brahalla/Cerberus

soulmachine
  • 3,917
  • 4
  • 46
  • 56