08-02-2023, 06:41 AM
I know that securing REST API is widely commented topic but I'm not able to create a small prototype that meets my criteria (and I need to confirm that these criteria are realistic). There are so many options how to secure resources and how work with Spring security, I need to clarify if my needs are realistic.
**My requirements**
- Token based authenticator - users will provide its credentials and get unique and time limited access token. I would like to manage token creation, checking validity, expiration in my own implementation.
- Some REST resources will be public - no need to authenticate at all,
- Some resources will be accessible only for users with administrator rights,
- Other resource will be accessible after authorization for all users.
- I don't want to use Basic authentication
- Java code configuration (not XML)
**Current status**
My REST API works very well, but now I need to secure it. When I was looking for a solution I created a `javax.servlet.Filter` filter:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
String accessToken = request.getHeader(AUTHORIZATION_TOKEN);
Account account = accountDao.find(accessToken);
if (account == null) {
throw new UnauthorizedException();
}
chain.doFilter(req, res);
}
But this solution with `javax.servlet.filters` doesn't work as I need because there is an issue with exception handling via `@ControllerAdvice` with Spring `servlet dispatcher`.
**What I need**
I would like to know if these criteria are realistic and get any help, how to start securing REST API with Spring Security. I read many tutorials (e.g. [Spring Data REST + Spring Security] [1]) but all work in very basic configuration - users with **their credentials are stored in memory** in configuration and I need to work with DBMS and create own authenticator.
**Please give me some ideas how to start.**
[1]:
**My requirements**
- Token based authenticator - users will provide its credentials and get unique and time limited access token. I would like to manage token creation, checking validity, expiration in my own implementation.
- Some REST resources will be public - no need to authenticate at all,
- Some resources will be accessible only for users with administrator rights,
- Other resource will be accessible after authorization for all users.
- I don't want to use Basic authentication
- Java code configuration (not XML)
**Current status**
My REST API works very well, but now I need to secure it. When I was looking for a solution I created a `javax.servlet.Filter` filter:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
String accessToken = request.getHeader(AUTHORIZATION_TOKEN);
Account account = accountDao.find(accessToken);
if (account == null) {
throw new UnauthorizedException();
}
chain.doFilter(req, res);
}
But this solution with `javax.servlet.filters` doesn't work as I need because there is an issue with exception handling via `@ControllerAdvice` with Spring `servlet dispatcher`.
**What I need**
I would like to know if these criteria are realistic and get any help, how to start securing REST API with Spring Security. I read many tutorials (e.g. [Spring Data REST + Spring Security] [1]) but all work in very basic configuration - users with **their credentials are stored in memory** in configuration and I need to work with DBMS and create own authenticator.
**Please give me some ideas how to start.**
[1]:
[To see links please register here]