I am considering implementing a service as a series of REST endpoints on AWS Lambda and possibly AWS API Gateway. The front end would be a JS browser client that calls these endpoints directly, eliminating the need for a middle tier.
In my research, what I can't seem to find is, how do I secure access to the calls to people who are "logged in" so to speak? I see Lambda calls are stateless, so no session data. I don't need session data, other than to know they are authenticated and in some cases authorized to access a particular endpoint. There will be a database (DynamoDB or RDS) so if I need session data I could create it.
Is there a way to do this? I realize I could pass their username and password with each API call, but it seems there must be a better way.
Also, this would probably be implemented in Java. Could I use Spring Security?
You can protect your API using strategies like generating SSL certificates, configuring a web application firewall, setting throttling targets, and only allowing access to your API from a Virtual Private Cloud (VPC).
AWS API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Lambda is the Function as a Service (FaaS) product of AWS. The combination of these two services is amazing and it is slowly replacing the traditional backend.
Amazon API Gateway allows developers to create, publish, monitor and secure APIs at any scale. Using API Gateway, you can map HTTP endpoints to various backend services without developing and maintaining an infrastructure to handle authorization, access control, rate limiting and monitoring.
I don't think you want to use Spring Security in a Lambda function. I can't imagine that working very well, and I doubt it would work at all. Even if it could run on Lambda it would definitely add more to your function's cold startup time than you are going to want to deal with.
The recommended way to provide user authentication checking to stateless services is through the use of JWT (JSON Web Tokens). Auth0 provides a good general article about JWT here, as well as a tutorial on using Auth0 with API Gateway and Lambda here. Even if you don't use Auth0 I think the second tutorial is useful for understanding how to perform user authentication on API Gateway and Lambda.
You can also use API Gateway Custom Authorization functions, which allow you to encapsulate all your authentication code in one Lambda function that acts like a "gatekeeper" to your API endpoints. I would recommend using a Custom Authorization Lambda function to validate the JSON web tokens submitted to your API.
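The "gatekeeper" pattern this answer describes, written out as an added example (not code from the answer, Auth0 or AWS): a TOKEN-type API Gateway custom authorizer in Python that verifies a JWT and returns the IAM policy document API Gateway expects. To stay runnable offline it uses only the standard library and an HS256 shared secret; a real deployment would normally verify RS256 tokens against the identity provider's public keys with a library such as PyJWT, and would load the secret from an environment variable or a secrets store rather than source. The secret, the method ARN, the `roles` claim and the "/admin/" path rule are all constructed for this demo. Raising an exception whose message is exactly `Unauthorized` is what makes API Gateway return HTTP 401 from a TOKEN authorizer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for the example only; never ship a secret in code.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT. Only used here to produce sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Treat a missing exp as invalid rather than as "never expires".
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, ctx: Optional[dict] = None) -> dict:
    """Response shape API Gateway requires from a Lambda authorizer."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }
    if ctx:
        # Context values are passed to the backend integration; they must be scalars.
        doc["context"] = ctx
    return doc


def lambda_handler(event: dict, context=None, secret: bytes = DEMO_SECRET,
                   now: Optional[float] = None) -> dict:
    """Entry point for a TOKEN authorizer: event carries authorizationToken and methodArn."""
    raw = event.get("authorizationToken", "")
    if not raw.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    try:
        claims = verify_hs256_token(raw[len("Bearer "):], secret, now=now)
    except ValueError:
        raise Exception("Unauthorized")
    # Authentication is done; now a (constructed) authorization rule:
    # only callers whose "roles" claim contains "admin" may invoke /admin/ routes.
    method_arn = event["methodArn"]
    roles = claims.get("roles", [])
    effect = "Deny" if "/admin/" in method_arn and "admin" not in roles else "Allow"
    return build_policy(claims["sub"], effect, method_arn, {"roles": ",".join(roles)})


if __name__ == "__main__":
    # Constructed sample: mint a token for a reader and authorize a GET on /items.
    token = mint_hs256_token({"sub": "user-42", "roles": ["reader"], "exp": time.time() + 3600}, DEMO_SECRET)
    event = {"authorizationToken": "Bearer " + token,
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcd1234/prod/GET/items"}
    print(json.dumps(lambda_handler(event), indent=2))
```

The policy returned here is scoped to the single `methodArn` that was called; API Gateway caches the authorizer result per token for the configured TTL, so if you return a broader policy (for example a wildcard resource) be aware that it will be reused for other routes until the cache expires.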