Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Calling a REST web service secured with Spring Security from Android

Tags:

java

rest

spring

web-services

spring-security

I'm hosting a REST web service in a Grails application, using Spring Security, i.e.:

@Secured(['IS_AUTHENTICATED_REMEMBERED'])
def save = {
    println "Save Ride REST WebMethod called"
}

I'm calling it from an Android app. (Calling the unsecured service works just fine.)

To call the service, I'm manually building up a request (HttpUriRequest) and executing it with an HttpClient.

I'm wondering what the best practices are, and how to implement them... Specifically, should I:

  1. Perform a login once, to retrieve a JSESSION_ID, then add a header containing it into the HttpUriRequest for each subsequent request?
  2. Or (not sure how I would even do this) include the login and password directly on each request, foregoing the cookie/server-side session

I think I can get option 1 working, but am not sure if Spring Security permits (2), if that's the way to go... Thanks!

--also, there isn't any library I'm missing that would do all this for me is there? :)

like image 219
Bobby Avatar asked Jan 12 '11 00:01

Bobby

People also ask

How are REST services secured using Spring Security?

It uses the results of the login call to set the value of the token variable, and if the token is present, the protected call sends the token in the authorization header. The server will use that token to validate the user's auth when the user accesses the secure endpoint.

How does JWT work with Spring Security?

We expose a public POST API for the authentication, and upon passing the correct credentials, it will generate a JWT. If a user tries to access the protected API, it will allow access only if a request has a valid JWT. Validation will happen in the filter registered in the Spring Security filter chain.

2 Answers

Spring security does support both basic authentication and form based authentication (embedding the username/password in the URL).

A REST service is generally authenticated on each and every request, not normally by a session. The default spring security authentication (assuming you're on 3.x) should look for basic authentication parameters or form parameters (j_username and j_password) (in the form http://you.com/rest_service?j_username=xyz&j_password=abc).

Manually tacking the j_username/j_password onto the URL, adding them as post parameters (I believe), or setting the basic authentication username/password should all work to authenticate a REST service against the default Spring Security interceptors, right out of the box.

I will admit that I haven't tried this on REST services, though I do clearly recall reading exactly this in the docs as I did the same for basic page logins on spring security recently. Disclaimer over.

like image 189
David Parks Avatar answered Nov 06 '22 02:11

David Parks

I think you can use a login-once-and-get-a-token method that's similar to how oauth works.

sending username and password across the network outside of secured channel(https/ssl) is a terrible idea. anyone on the network can sniff your request package and see the clear text password.

on the other hand, if you use a token method, since the token string is randomly generated, even the token is compromised, the worst case is someone can use the token accessing your REST API.

another solution is going through ssl tunnel(HTTPS). i have actually done a comparison and result shows: 80 requests/min(https) vs 300 requests/min(http)

like image 45
ligerdave Avatar answered Nov 06 '22 03:11

ligerdave
Sign in to Comment

Related questions

Searching on date ranges with Lucene in Java?
CPU and profiling not supported for remote jvisualvm session
Does Java have the '@' character to escape string quotes?
Embed Firefox browser in Java Swing
What is the difference between Castor XML binding and JAXB binding
How to run a java program on a server?
How does the event dispatch thread work?
Change classloader
java.lang.NoClassDefFoundError while running JUnit test in Netbeans
Creating parameterized type object using anonymous class
What is an Enterprise Java Bean really?
Permission denied error in Java for chmod command
header and footer and freemarker
Why EnumMap constructor needs class argument?
Meaning and solution for Spring 3 error message? "Using getResponseBodyAsStream instead is recommended"
Covariant Typeparameter in scala needs to be invariant in java interface
Java equivalent of python's getattr?
Where to place security configuration file in WAR?
Distinguish between a single click and a double click in Java
Benchmarking Java programs

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!