
Authentication and authorization in Spring Data REST

I am implementing a Spring Data REST based app and I would like to know if there is an elegant way to implement authentication and authorization rules using this framework or related frameworks.

All HTTP requests to the REST server must carry authentication headers. I need to check them and decide whether or not to authorize based on the HTTP method and the association of the authenticated user with the resource being requested. For example (the app is the REST server of an e-learning system), instructors can access only their own course sections, students can access only the course sections they are subscribed to, etc.

I would like to know if there is a default way to implement authorization in Spring Data REST. If the answer is no, could you make a suggestion for my issue? I am thinking about:

  • Servlet Filters
  • Spring Security
  • Spring Data REST Handlers (how to access the HTTP headers?)
Rodrigo Guerra asked Sep 24 '13 18:09




1 Answer

The best bet for you is Spring Security. That would help you achieve authorization in a much simpler manner.

Spring Security would require you to provide an implementation that looks at request headers and performs the log-in operation programmatically.

Refer to the accepted answer here. I followed the same approach and implemented the security layer in front of my REST services (which were built using RestEasy):

RESTful Authentication via Spring

There is an alternative method as well. Refer to http://www.baeldung.com/spring-security-authentication-provider

In both cases you can disable session creation by declaring stateless authentication in Spring Security. This would help you improve performance considerably when a large volume of hits is made to the stateless REST services.

Rakesh Waghela answered Oct 12 '22 22:10
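
The approach described in the answer (authenticate from a request header, no server-side session), sketched as an added example that is not code from the question, the answer or the linked posts. It assumes Spring Security 6 on the `jakarta.*` servlet API; `TokenService` and the `X-Auth-Token` header name are hypothetical and stand in for whatever credential scheme the application uses.

```java
// Added example (Spring Security 6, jakarta.*). TokenService and X-Auth-Token are hypothetical.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize / @PostAuthorize on repository methods
public class StatelessSecurityConfig {
    /** Hypothetical lookup: resolves a header token to a user, empty if invalid or expired. */
    public interface TokenService { Optional<UserDetails> resolve(String token); }

    @Bean
    SecurityFilterChain api(HttpSecurity http, TokenService tokens) throws Exception {
        // Built inline (not a @Bean) so the servlet container does not register it a second time.
        OncePerRequestFilter headerAuth = new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                    FilterChain chain) throws ServletException, IOException {
                String token = req.getHeader("X-Auth-Token");
                if (token != null) {
                    // Unknown tokens leave the context empty, so the request is rejected below.
                    tokens.resolve(token).ifPresent(u -> SecurityContextHolder.getContext()
                        .setAuthentication(UsernamePasswordAuthenticationToken
                            .authenticated(u, null, u.getAuthorities())));
                }
                chain.doFilter(req, res);
            }
        };
        return http
            .csrf(csrf -> csrf.disable()) // no cookie or session credential for a browser to replay
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(headerAuth, UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .build();
    }
}
```

With method security enabled, per-resource rules such as "instructors can access only their own course sections" can be expressed as `@PreAuthorize` or `@PostAuthorize` expressions on the Spring Data repository methods, which Spring Data REST invokes for each request.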