How to Implement a RESTful Web Service with Auth Token with Spring Security 4.0.1.RELEASE

I am trying to create an API manager with a RESTful web service. In the new version of Spring, we can combine everything in Java code without using web.xml and securityconfig.xml. According to the concept of Authtoken, the API manager must have authentication and token renewal to authenticate users. Please can you give me the source code or guidance on how to implement a RESTful web service with Spring Security.

  • I need to know how all configurations are implemented in Java code.
  • It must also have the concept of Authtoken.

This tutorial shows the correct way to do it:

http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html

But the Spring config is in a Spring.xml file.

I also need to add them to the Java layer.

+3


1 answer


The folks at Stormpath have a pretty simple solution to achieve OAuth. Please take a look at Using Stormpath for API Authentication.

As a result, your solution will look like this:

  • You will be using the Stormpath Java SDK to easily delegate all of your user management needs.
  • When the user clicks the login button, your frontend will securely send credentials to your backend via its REST API.

    2.1. By the way, Stormpath greatly expands all the possibilities here. Instead of your own login page, you can completely delegate the login / registration function to Stormpath via IDSite, or you can also delegate it to the Servlet plugin. Stormpath also supports Google, Facebook, LinkedIn and GitHub login.

  • Then your backend will try to authenticate the user with the Stormpath Backend and return an access token as a result:

    // Imports from the Stormpath Java SDK and the Servlet API (package names as in the SDK of that time)
    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.stormpath.sdk.account.Account;
    import com.stormpath.sdk.application.Application;
    import com.stormpath.sdk.oauth.AccessTokenResult;
    import com.stormpath.sdk.oauth.TokenResponse;

    /** This code will throw an Exception if the authentication fails */
    public void postOAuthToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Application application = client.getResource(applicationRestUrl, Application.class);

        // Exchange the credentials carried by the request for an access token
        AccessTokenResult result = (AccessTokenResult) application.authenticateApiRequest(request);

        // Here you can get all the user data stored in Stormpath
        Account account = result.getAccount();

        // The token response holds the access token that is handed back to the client
        TokenResponse token = result.getTokenResponse();

        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("application/json");

        // Return the Access Token
        response.getWriter().print(token.toJson());
        response.getWriter().flush();
    }


  • Then, for each authenticated request, your backend will do:

    import com.stormpath.sdk.oauth.OauthAuthenticationResult;

    /** This is your protected API */
    public void sayHello(HttpServletRequest request, HttpServletResponse response) {
        Application application = client.getResource(applicationRestUrl, Application.class);

        // Validate the bearer token presented by the client; throws if it is missing, invalid or expired
        OauthAuthenticationResult result = (OauthAuthenticationResult) application.authenticateOauthRequest(request).execute();

        System.out.println(result.getApiKey());
        System.out.println(result.getAccount());

        // At this point the authorization was successful, you can now allow the actual operation to be executed
        doSayHello();
    }


All this does not require any special Spring Security configuration, it is simple Java code that can be run in any environment.



Please take a look here for more information.

Hope it helps!

Disclaimer, I am an active member of Stormpath.

+2


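The question asks for a pure-Java Spring Security 4 configuration with an auth-token concept, which the answer above sidesteps by keeping Spring Security out of the picture. As an added example (not code from the answer, from Stormpath, or from the linked tutorial), the following shows the shape of that setup: a TokenStore that issues random bearer tokens and keeps only their SHA-256 hashes together with an expiry, a filter that resolves an Authorization: Bearer header into the SecurityContext, and a WebSecurityConfigurerAdapter that wires the filter in without HTTP sessions. The class names, the /auth/token path, the 30-minute lifetime and the ROLE_USER authority are assumptions; the login endpoint that verifies credentials and then calls issue() is left to the application.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical in-memory token store: holds only SHA-256 hashes of issued tokens plus an expiry time. */
class TokenStore {
    private static final long TTL_MILLIS = 30 * 60 * 1000L; // assumed 30-minute token lifetime
    private final ConcurrentHashMap<String, Entry> byHash = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static final class Entry {
        final String username; final long expiresAt;
        Entry(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    /** Issues a fresh 256-bit random token for username; the raw value is returned to the client once. */
    public String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(username, System.currentTimeMillis() + TTL_MILLIS));
        return token;
    }

    /** Returns the username bound to a presented token, or null if it is unknown or expired. */
    public String resolve(String token) {
        String key = hash(token);
        Entry e = byHash.get(key);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAt) { byHash.remove(key); return null; }
        return e.username;
    }

    private static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}

/** Reads "Authorization: Bearer <token>" and, if the token resolves, populates the SecurityContext. */
class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenStore store;
    TokenAuthenticationFilter(TokenStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String user = store.resolve(header.substring("Bearer ".length()).trim());
            if (user != null) {
                // Three-argument constructor marks the authentication as already verified
                SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(user, null,
                        AuthorityUtils.createAuthorityList("ROLE_USER"))); // assumed authority
            }
        }
        // No valid token: the context stays empty and the authorizeRequests() rules below reject the call
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public TokenStore tokenStore() { return new TokenStore(); }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // bearer-token API with no cookie session, so CSRF protection does not apply
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/auth/token").permitAll() // assumed login endpoint that calls tokenStore().issue(...)
                .anyRequest().authenticated().and()
            .addFilterBefore(new TokenAuthenticationFilter(tokenStore()), UsernamePasswordAuthenticationFilter.class);
    }
}
```

Keeping only hashes in the store means a dump of it does not yield usable tokens, and the expiry check gives the "token renewal" the question mentions a natural hook: a client whose token is about to expire calls the login endpoint again and receives a new one from issue(). Everything above is Java configuration, so no web.xml or securityconfig.xml is involved.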