
Our project consists of a Java back end (Spring web application) and iOS and Android client applications. Now we need to add authentication for the client applications to the Java back end. The idea is to register the user for the first time using an external web service. At this step the user provides full credentials (login and "big" password) and chooses some PIN for further authorization. After that primary step is completed successfully, the user should be able to authenticate using his login and PIN (which he chose previously himself). Those login and PIN should be stored in our DB. We should also be able to destroy that "session" and PIN whenever necessary. We expect the web application to have up to 10 000 registered users, with up to 1000 users being online simultaneously.

We also don't plan to use any separate authentication server; we plan to embed security into the web application (back end) itself.

I've been investigating 2 different approaches. The first is the usual Spring @EnableWebSecurity approach. This seems pretty straightforward, but some people say it will create "sessions", which are bad for the server. Sessions will consume lots of memory, and the overall impact on performance will be bad. Is it true?

The other approach is to use the Spring OAuth2 implementation. I didn't have time to study it properly; this seems to be a little bit of an overkill to me. Is it worth studying for our needs? (We are running out of time, btw.)

I also need to have some proper DB structure for the security needs.

So the question is, what is the best approach for our situation? Are there any open source projects solving a similar issue? I would appreciate any help.

Thank you.

Dmitry Avgustis
  • I know this is a very old post, but I'm curious what you decided to do. I'm developing an application in Spring Boot, with iPhone / Android front-end apps. Just like you, I need to register the user by email / password, and then give them the option to quickly sign in with a 4-digit PIN code. – Tony Langworthy Feb 17 '21 at 20:20
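One way to lay out the tables and the PIN enrolment, PIN login and "destroy that session and PIN" logic the question describes, as an added example that is not part of the original question or of either answer. It assumes Spring Security's bcrypt PasswordEncoder and Java 17; the table layout, the PinRepository interface, the PinRecord shape and the lockout and expiry numbers are illustrative assumptions, not anything the thread specifies.

```java
package example.auth;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Optional;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/*
 * Assumed schema (illustrative; create it with Flyway/Liquibase in a real project):
 *
 *   app_user     (id PK, login UNIQUE, password_hash, created_at)
 *   device_pin   (id PK, user_id FK app_user, device_id, pin_hash,
 *                 failed_attempts, locked_until NULL, revoked_at NULL,
 *                 UNIQUE (user_id, device_id))
 *   device_token (token_hash PK, device_pin_id FK device_pin,
 *                 issued_at, expires_at, revoked_at NULL)
 *
 * Only hashes are stored: bcrypt for the PIN, SHA-256 for the bearer token.
 */

/** The device_pin columns the service needs (assumed shape). */
record PinRecord(long id, String pinHash, int failedAttempts, Instant lockedUntil, Instant revokedAt) {}

/** Persistence boundary; implement with JdbcTemplate or JPA (assumed interface). */
interface PinRepository {
    Optional<PinRecord> findPin(String login, String deviceId);
    void upsertPin(long userId, String deviceId, String pinHash);
    void recordFailure(long pinId, int failedAttempts, Instant lockedUntil);
    void resetFailures(long pinId);
    void storeToken(String tokenHash, long pinId, Instant issuedAt, Instant expiresAt);
    void revokePinAndTokens(String login, String deviceId, Instant when);
}

public class PinAuthService {
    static final int MAX_FAILED_ATTEMPTS = 5;           // assumption: a 4-digit PIN has only 10^4 values
    static final Duration LOCKOUT = Duration.ofMinutes(15);
    static final Duration TOKEN_TTL = Duration.ofDays(30);
    /** Hash of an unused PIN, so an unknown login still costs one bcrypt check. */
    private static final String DUMMY_HASH = new BCryptPasswordEncoder().encode("0000");

    private final PinRepository repo;
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final SecureRandom random = new SecureRandom();

    public PinAuthService(PinRepository repo) { this.repo = repo; }

    /** Step 1: after the external service accepted login + "big" password, store the chosen PIN. */
    public void enrollPin(long userId, String deviceId, String pin) {
        if (!pin.matches("\\d{4,8}")) throw new IllegalArgumentException("PIN must be 4 to 8 digits");
        repo.upsertPin(userId, deviceId, encoder.encode(pin)); // bcrypt adds its own salt
    }

    /** Step 2: login + PIN -> opaque bearer token; empty if wrong, locked or revoked. */
    public Optional<String> loginWithPin(String login, String deviceId, String pin) {
        Optional<PinRecord> found = repo.findPin(login, deviceId);
        if (found.isEmpty()) {
            encoder.matches(pin, DUMMY_HASH);    // same cost as a real check: no user enumeration by timing
            return Optional.empty();
        }
        PinRecord r = found.get();
        Instant now = Instant.now();
        if (r.revokedAt() != null || (r.lockedUntil() != null && r.lockedUntil().isAfter(now))) {
            return Optional.empty();
        }
        if (!encoder.matches(pin, r.pinHash())) {
            int failed = r.failedAttempts() + 1;
            repo.recordFailure(r.id(), failed, failed >= MAX_FAILED_ATTEMPTS ? now.plus(LOCKOUT) : null);
            return Optional.empty();
        }
        repo.resetFailures(r.id());
        byte[] raw = new byte[32];
        random.nextBytes(raw);                   // 256-bit random token: unguessable, carries no user data
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        repo.storeToken(sha256Hex(token), r.id(), now, now.plus(TOKEN_TTL));
        return Optional.of(token);               // plaintext leaves the server exactly once
    }

    /** "Destroy that session and PIN": the device must re-register with full credentials. */
    public void revokeDevice(String login, String deviceId) {
        repo.revokePinAndTokens(login, deviceId, Instant.now());
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The point of the layout is that a short PIN is only safe against online guessing, so the failed-attempt counter and lock live on the (user, device) row and are checked before the bcrypt comparison; a DB leak yields bcrypt PIN hashes and SHA-256 token hashes rather than anything replayable, and revoking one device_pin row invalidates every token issued for it without touching the user's real password.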

2 Answers


Whatever technology you use for authentication, you will require sessions to maintain the state of the authenticated user. You can use Spring Security alone or with OAuth2.

I'll suggest, for simplicity, that you go with Spring Security with token functionality.

However, you can find a good blog post on Spring Security and OAuth:

Securing REST Services with Spring Security and OAuth2

For more clarification you can also visit here

Anil Agrawal

Sessions should only take up a lot of memory if you were to store large amounts of data in the session. So long as you don't do that, there won't be any problem. You will need to make your own authentication decision based on your acceptable levels of security and user experience; there is no one 'right' answer. Spring Security and sessions have already been talked about here: How can I use Spring Security without sessions?

Derrops
  • As I discussed with my colleagues, it is true that sessions won't take much memory, since we don't want to store any data for the user. We only need to know which user is authenticated and perhaps from which device. In terms of security, we want our application to be generally secure, without overkill. As far as I understand, Spring basic security is secure enough for that. So we will probably stick with that approach. – Dmitry Avgustis Apr 19 '17 at 13:43
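The "Spring Security with token functionality" the first answer suggests and the session-free Spring Security setup the second answer links to, in one added example that is not code from either answer. It targets Spring Boot 2.x with Spring Security 5.x (javax.servlet, WebSecurityConfigurerAdapter, which later versions deprecate and then remove); the TokenRepository interface, the permitted paths and the single ROLE_USER authority are assumptions for illustration. The web application is declared stateless, so no HttpSession is ever created, and each request is authenticated by looking up the opaque bearer token it carries.

```java
package example.auth;

import java.io.IOException;
import java.util.List;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Lookup of a presented token (assumed interface): returns the login if the token's
 * hash exists in the DB and is neither expired nor revoked. Hashing happens inside,
 * so the plaintext token is never stored or compared directly.
 */
interface TokenRepository {
    Optional<String> loginForActiveToken(String presentedToken);
}

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    private final TokenRepository tokens;

    public ApiSecurityConfig(TokenRepository tokens) { this.tokens = tokens; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                  // clients send a header, not a cookie, so there is no CSRF surface
            .formLogin().disable()             // no browser login page for a mobile API
            .httpBasic().disable()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // never create an HttpSession
            .and()
            .authorizeRequests()
                .antMatchers("/auth/register", "/auth/pin-login").permitAll() // assumed endpoint paths
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(new BearerTokenFilter(tokens), UsernamePasswordAuthenticationFilter.class);
    }

    /** Authenticates a request from its Authorization: Bearer header; otherwise leaves it anonymous. */
    static final class BearerTokenFilter extends OncePerRequestFilter {
        private static final String PREFIX = "Bearer ";
        private final TokenRepository tokens;

        BearerTokenFilter(TokenRepository tokens) { this.tokens = tokens; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith(PREFIX)) {
                String presented = header.substring(PREFIX.length()).trim();
                tokens.loginForActiveToken(presented).ifPresent(login -> {
                    // The three-argument constructor marks the Authentication as authenticated;
                    // the principal is just the login, so nothing user-specific is held in memory.
                    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                            login, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                });
            }
            // Missing or unknown token: fall through unauthenticated and let
            // anyRequest().authenticated() reject the request.
            chain.doFilter(req, res);
        }
    }
}
```

With the STATELESS policy the security context lives only for the duration of one request, so the memory concern from the question disappears entirely; what replaces it is one indexed DB lookup of the token hash per request, which at 1000 concurrent users is cheap, and a revoked or expired token row stops working on the very next request rather than when a session times out.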