{"id":45203,"date":"2017-01-24T19:01:07","date_gmt":"2017-01-24T13:31:07","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=45203"},"modified":"2022-01-10T18:40:41","modified_gmt":"2022-01-10T13:10:41","slug":"fortifying-your-rest-api-using-spring-security","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/fortifying-your-rest-api-using-spring-security\/","title":{"rendered":"Fortifying your REST API using Spring security"},"content":{"rendered":"

Spring Security<\/b><\/a> is a lightweight security framework that provides authentication and authorization support in order to secure Spring-based<\/a> applications. It comes bundled with popular security algorithm implementations.<\/span><\/p>\n

I would cover a series of different topic related to spring security<\/a>\u00a0in my upcoming blogs. We will go through the setup process first, then analyze when and where to apply, explore different authentication methods and securing password with encoding schemes.<\/p>\n

User and Role Management<\/b>\u00a0\u00a0<\/span><\/p>\n

Suppose you want\u00a0to create a REST application,\u00a0<\/span>User and Role management system to\u00a0<\/b>give each user a set of roles that grants access to the different functions. Also give users privileges as per the role and capability to apply the\u00a0role to specific assets, networks, or other objects.<\/span><\/p>\n

In this scenario, you can view the existing users, their roles and privileges from the Administration section. And only\u00a0the user of Administration privilege would be allowed\u00a0to create\/update other users.<\/p>\n

\"\"<\/p>\n

If you are a <\/span>Spring user and new to Spring security<\/a>, basic authentication would be best option to start with and for demonstration, we\u2019ll be creating a sample application using the following tech stack:<\/span><\/p>\n\n\n\n\n\n\n\n\n
Build Tool \u00a0\u00a0<\/span><\/td>\nGradle 2.3 or higher<\/span><\/a><\/td>\n<\/tr>\n
Web framework<\/span><\/td>\nSpring Boot 1.4.3.RELEASE<\/span><\/a><\/td>\n<\/tr>\n
Security Tool<\/span><\/td>\nSpring security<\/span><\/a><\/td>\n<\/tr>\n
Repository<\/span><\/td>\nMySQL<\/span><\/a><\/td>\n<\/tr>\n
ORM Tool<\/span><\/td>\nSpring Data Jpa<\/span><\/a><\/td>\n<\/tr>\n
Version Control<\/span><\/td>\nGIT<\/span><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

For simplicity there will be 3 types of users in this application:<\/p>\n\n\n\n\n\n\n
Role<\/b><\/td>\nPermission<\/b><\/td>\n<\/tr>\n
ADMIN<\/span><\/td>\nCreate user, View users<\/span><\/td>\n<\/tr>\n
USER<\/span><\/td>\nCan view\/update own details<\/span><\/td>\n<\/tr>\n
ANONYMOUS<\/span><\/td>\nCan only view total no of users in the system<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Step 1: Application Setup<\/b><\/p>\n

Let\u2019s start with a very basic application (in terms of setup needed) that boots a Spring application context. Two tools that will help us with that are\u00a0Gradle<\/a> and Spring Boot<\/a>.<\/p>\n

I skip lines that aren\u2019t particularly interesting like the maven repository configuration. You can find the complete code at <\/span>GitHub<\/span><\/a>.<\/span><\/p>\n

[sourcecode language=”java”]<\/p>\n

apply plugin: ‘org.springframework.boot’<\/p>\n

dependencies {
\n\tcompile(‘org.springframework.boot:spring-boot-starter-data-jpa’)
\n\tcompile(‘org.springframework.boot:spring-boot-starter-web’)
\n\truntime(‘mysql:mysql-connector-java:5.1.13’)
\n}<\/p>\n

[\/sourcecode]<\/p>\n

Here we are using<\/span>: spring-boot-starter-data-jpa<\/span>\u00a0as the<\/span>\u00a0ORM tool.<\/span><\/p>\n

Step 2 : CRUD for User entity<\/b><\/p>\n

[sourcecode language=”java”]
\n@Entity
\npublic class UserDetail {
\n @Id
\n @GeneratedValue(strategy = GenerationType.AUTO)
\n private long id;<\/p>\n

private String name;<\/p>\n

\tprivate int age;
\n}
\n[\/sourcecode]<\/p>\n

Create the following api\u2019s for UserDetail<\/span><\/strong> Entity:<\/p>\n\n\n\n\n\n\n\n\n\n
URL<\/b><\/td>\nMethod<\/b><\/td>\nDescription<\/b><\/td>\n<\/tr>\n
{host}\/user\/<\/span><\/td>\nGET<\/span><\/td>\nList all user details<\/span><\/td>\n<\/tr>\n
{host}\/user\/{id}<\/span><\/td>\nGET<\/span><\/td>\nFetch specific user detail<\/span><\/td>\n<\/tr>\n
{host}\/user\/<\/span><\/td>\nPOST<\/span><\/td>\nAdd new user<\/span><\/td>\n<\/tr>\n
{host}\/user\/{id}<\/span><\/td>\nPUT<\/span><\/td>\nUpdate detail for a user<\/span><\/td>\n<\/tr>\n
{host}\/user\/{id}<\/span><\/td>\nDELETE<\/span><\/td>\nDelete a specific user<\/span><\/td>\n<\/tr>\n
{host}\/user\/<\/span><\/td>\nDELETE<\/span><\/td>\nDelete all user<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

You can find the complete code for CRUD and Api\u2019s at <\/span>GitHub<\/span><\/a>.<\/span><\/p>\n

Step 3: User Authentication<\/b><\/p>\n

Now we need an authentication mechanism to allow only authenticated users\u00a0to access the system.<\/p>\n

Add a domain for user credentials:<\/p>\n

[sourcecode language=”java”]
\n@Entity
\npublic class Authentication {<\/p>\n

\t@Id
\n\tprivate String username;
\n\tprivate String password;
\n}
\n[\/sourcecode]<\/p>\n

Associate it with the UserDetail<\/span><\/strong> domain:<\/span><\/p>\n

[sourcecode language=”java”]
\n@Entity
\npublic class UserDetail {
\n …………………….<\/p>\n

\t@OneToOne(cascade= CascadeType.ALL)
\n\t@JoinColumn(name = ‘user_authentication_id’)
\n\tprivate Authentication authentication;<\/p>\n

\t…………………….
\n}
\n[\/sourcecode]<\/p>\n

Add spring security dependency in <\/span>build.gradle<\/span><\/strong><\/p>\n

[sourcecode language=”java”]<\/p>\n

dependencies {
\n …………………….<\/p>\n

compile(‘org.springframework.boot:spring-boot-starter-security’)<\/p>\n

…………………….
\n}<\/p>\n

[\/sourcecode]<\/p>\n

And\u00a0configure your application to enable basic authentication using below code: \u00a0org.springframework.security.core.userdetails.UserDetailsService<\/span><\/strong><\/p>\n

[sourcecode language=”java”]
\n@EnableWebSecurity
\npublic class ApiSecurityConfig extends WebSecurityConfigurerAdapter{<\/p>\n

…………………….
\n …………………….<\/p>\n

@Autowired
\n public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
\n auth.userDetailsService(userDetailsService);
\n }<\/p>\n

@Override
\n protected void configure(HttpSecurity http) throws Exception {<\/p>\n

http
\n .authorizeRequests()
\n .anyRequest().authenticated()
\n .and()
\n .httpBasic().authenticationEntryPoint(entryPoint)
\n .and()
\n .exceptionHandling().accessDeniedHandler(handler);
\n }
\n}
\n[\/sourcecode]<\/p>\n

Here we are configuring Spring security by overriding individual methods of\u00a0org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter<\/span><\/strong>. \u00a0@EnableWebSecurity<\/span><\/strong>\u00a0 that helps to auto-configure this.<\/span><\/strong><\/p>\n

To enable Spring Security integration with Spring MVC add the @EnableWebSecurity<\/span><\/strong><\/span><\/strong><\/strong>\u00a0annotation to your configuration.<\/p>\n

configureGlobalSecurity<\/span><\/strong><\/span><\/strong><\/strong>\u00a0method is pretty straightforward, we are just providing the implementation for <\/span>UserDetailService <\/span>as<\/span>\u00a0the \u00a0AuthenticationProvider\u00a0<\/span><\/strong><\/span><\/strong><\/strong><\/span><\/span><\/p>\n

In <\/span>configure\u00a0<\/span><\/strong><\/span><\/strong><\/strong>method we are using \u00a0HTTP Basic Authentication<\/span><\/strong><\/span><\/strong><\/strong><\/span>, \u00a0also providing the \u00a0Implementation of AuthenticationEntryPoint\u00a0<\/span><\/strong><\/span><\/strong><\/strong>and\u00a0AccessDeniedHandler\u00a0<\/span><\/strong><\/span><\/strong><\/strong>\u00a0for \u00a0handling\u00a0Authentication<\/span><\/strong><\/span><\/strong><\/strong><\/span>\u00a0 exception and\u00a0Access denied<\/span><\/strong><\/span><\/strong><\/strong><\/span>\u00a0exception.<\/span><\/p>\n

The implementation for\u00a0UserDetailService<\/span><\/strong><\/span><\/strong><\/strong>\u00a0is pretty straightforward and self-descriptive,\u00a0<\/span>GitHub<\/span><\/a>.<\/span><\/p>\n

Let\u2019s test the functionality using postman<\/a>\u00a0. Or you can pick any other REST client.<\/p>\n

\u21d2 On accessing GET : <host>\/user\/\u00a0<\/span><\/strong><\/span><\/strong><\/strong><\/span>we\u2019ll get an\u00a0authentication error as below:<\/p>\n

HTTP Status 401 : Full authentication is required to access this resource<\/span><\/span><\/strong><\/span><\/strong><\/strong><\/span><\/p>\n

\"auth-error-get\"<\/p>\n

To resolve this we are adding a new user with sample credential\u00a0using the following script:<\/p>\n

[sourcecode language=”sql”]
\ninsert into authentication(username, password) values(‘username1’, ‘password1’);
\ninsert into user_detail(age, name,user_authentication_id) values(23, ‘User 1′,’username1’);
\n[\/sourcecode]<\/p>\n

Now add the same credential in postman with basic authentication<\/p>\n

\"auth-success\"<\/p>\n

In response, a token is automatically added into the header with key \u00a0Authorization<\/strong><\/strong><\/strong><\/strong><\/p>\n

\"10\"Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ==\u00a0<\/span><\/strong><\/span><\/strong><\/strong><\/strong>is the encoded form of <\/span>username1:password1<\/span>\u00a0in <\/span>base64\u00a0<\/span><\/strong><\/span><\/strong><\/strong><\/strong><\/span>and prepended with <\/span>\u2018Basic \u00a0\u2018<\/span>. <\/span>Now you can access all the API’s using this entry into the header.<\/span><\/p>\n

Again\u00a0we\u2019ll get forbidden error in POST<\/strong><\/strong><\/strong><\/strong>\u00a0PUT<\/strong><\/strong><\/strong><\/strong>\u00a0DELETE<\/strong><\/strong><\/strong><\/strong> operation<\/p>\n

\"csrf-error\"To resolve this we can simply disable the CSRF configuration in\u00a0configure<\/span><\/strong><\/span><\/strong><\/strong>\u00a0method.<\/span><\/p>\n

[sourcecode language=”java”]
\n@Override
\nprotected void configure(HttpSecurity http) throws Exception {<\/p>\n

http.csrf().disable()
\n .authorizeRequests()
\n .anyRequest().authenticated()
\n .and()
\n .httpBasic().authenticationEntryPoint(entryPoint)
\n .and()
\n .exceptionHandling().accessDeniedHandler(handler);
\n}
\n[\/sourcecode]<\/p>\n

When should we use CSRF protection?<\/strong><\/p>\n

CSRF<\/strong> protection is a request that could be processed by a browser by normal users.
\nIf you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF<\/strong> protection.<\/p>\n

To know more about CSRF, read https:\/\/www.owasp.org\/index.php\/Cross-Site_Request_Forgery_(CSRF)<\/a><\/p>\n

As we discussed earlier\u00a0ANONYMOUS<\/span><\/strong><\/span><\/strong><\/strong><\/strong><\/strong>\u00a0user can only view the total no of users in the system i.e API with URL\u00a0<\/span><<\/strong>host>\/user\/count<\/strong><\/span><\/strong><\/span><\/strong><\/strong><\/strong><\/strong><\/span>. To do that change the <\/span>\u00a0chainRequestMatchers<\/span><\/strong><\/span><\/strong><\/strong><\/strong><\/strong><\/span>\u00a0in the\u00a0configure<\/span><\/strong><\/span><\/strong><\/strong><\/span>\u00a0method:<\/span><\/p>\n

[sourcecode language=”java”]
\n@Override
\nprotected void configure(HttpSecurity http) throws Exception {
\n http.csrf().disable()
\n .authorizeRequests()
\n .antMatchers(‘\/user\/count’).permitAll() \/\/ request matcher for anonymous user
\n .antMatchers(‘\/user\/**’).authenticated() \/\/ request matcher for authenticate user
\n .and()
\n .httpBasic().authenticationEntryPoint(entryPoint)
\n .and()
\n .exceptionHandling().accessDeniedHandler(handler);
\n}
\n[\/sourcecode]<\/p>\n

\"anonymous\"<\/p>\n

Find the complete code at <\/span>GitHub<\/span><\/a>.<\/span><\/p>\n

Step 4: User Authorization<\/b><\/p>\n

Now as per the use case non-administrator user will have access to the profile only. i.e<\/span>\u00a0\u00a0GET: <host>\/user\/profile<\/strong><\/span>\u00a0<\/span><\/strong><\/span><\/strong><\/strong><\/strong><\/strong><\/strong>\u00a0.<\/p>\n

To manage this we need to introduce\u00a0Role\/Authority<\/span> based authentication system.<\/p>\n

[sourcecode language=”java”]
\n@Entity
\npublic class Role {<\/p>\n

@Id
\n @GeneratedValue(strategy = GenerationType.AUTO)
\n private Long id;<\/p>\n

@Column(unique = true)
\n private String authority;<\/p>\n

@ManyToMany(mappedBy = ‘roles’, fetch = FetchType.LAZY)
\n private Set<Authentication> users;
\n}
\n[\/sourcecode]<\/p>\n

And associate it with\u00a0<\/span>Authentication\u00a0<\/span><\/strong><\/span><\/strong><\/strong>entity:<\/p>\n

[sourcecode language=”java”]
\n@Entity
\npublic class Authentication {<\/p>\n

@Id
\n private String username;
\n private String password;
\n @ManyToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
\n @JoinTable(
\n joinColumns = @JoinColumn(name = ‘user_id’), inverseJoinColumns = @JoinColumn(name = ‘role_id’)
\n )
\n private Set<Role> roles;
\n}
\n[\/sourcecode]<\/p>\n

Add user credentials and their roles\u00a0using the following script:<\/span><\/p>\n

[sourcecode language=”sql”]
\ninsert into role(authority) values(‘ROLE_ADMIN’), (‘ROLE_USER’);
\ninsert into authentication(username, password) values(‘admin’, ‘password’),(‘user’, ‘password’);
\ninsert into user_detail(age, name, user_authentication_id) values(25, ‘Admin user’,’admin’),(23, ‘user’,’user’);
\ninsert into authentication_roles values(‘admin’,1),(‘admin’,2),(‘user’,2);
\n[\/sourcecode]<\/p>\n

Finally, modify the\u00a0UserDetailService<\/span><\/strong><\/span><\/strong><\/strong><\/span>\u00a0implementation by providing user authorities and\u00a0configure<\/span><\/strong><\/span><\/strong><\/strong>\u00a0method to get the desired result.<\/span><\/p>\n

[sourcecode language=”java”]
\n@Override
\nprotected void configure(HttpSecurity http) throws Exception {
\n http.csrf().disable()
\n .authorizeRequests()
\n .antMatchers(‘\/user\/count’).permitAll() \/\/ request matcher for anonymous user
\n .antMatchers(‘\/user\/profile’).hasRole(‘USER’) \/\/ check for authority with ROLE_USER in the database
\n .antMatchers(‘\/user\/**’).hasRole(‘ADMIN’) \/\/ check for authority with ROLE_ADMIN in the database
\n .and()
\n .httpBasic().authenticationEntryPoint(entryPoint)
\n .and()
\n .exceptionHandling().accessDeniedHandler(handler);
\n}
\n[\/sourcecode]<\/p>\n

\"Screen<\/p>\n

\"authenticate-user\"<\/p>\n

Hope this will help you to understand the flow for basic authentication using spring security.\u00a0Find the complete code at <\/span>GitHub<\/span><\/a>.<\/span><\/p>\n

You can\u00a0run the application by below steps,--\r\n<\/strong>\r\n1. git clone git@github.com<\/span><\/a>:bjpaul\/restful-spring-security.git\r\n2. cd restful-spring-security\r\n3. gradle bootRun\r\n<\/span><\/pre>\n
Stay tuned for more on:-<\/p>\n
    \n
  • Stateless token based authentication using Spring Security<\/li>\n
  • Domain object security (ACLs)<\/li>\n
  • CAS authentication using spring security<\/li>\n
  • Web socket security in spring<\/li>\n
  • OAuth2 authentication using Spring Security<\/span><\/li>\n
  • Single sign on with OAuth2<\/li>\n
  • Spring security with JWT<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
    Spring Security is a lightweight security framework that provides authentication and authorization support in order to secure Spring-based applications. It comes bundled with popular security algorithm implementations. I would cover a series of different topic related to spring security\u00a0in my upcoming blogs. We will go through the setup process first, then analyze when and where […]<\/p>\n","protected":false},"author":349,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":23},"categories":[446,1],"tags":[3133,4841,1202,672],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/45203"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/349"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=45203"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/45203\/revisions"}],"predecessor-version":[{"id":54490,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/45203\/revisions\/54490"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=45203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=45203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=45203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}