Calling a REST web service secured with Spring Security from Android

I'm hosting a REST web service in a Grails application, using Spring Security, i.e.:

@Secured(['IS_AUTHENTICATED_REMEMBERED'])
def save = {
    println "Save Ride REST WebMethod called"
}

I'm calling it from an Android app. (Calling the unsecured service works just fine.)

To call the service, I'm manually building up a request (HttpUriRequest) and executing it with an HttpClient.

I'm wondering what the best practices are, and how to implement them... Specifically, should I:

  1. Perform a login once, to retrieve a JSESSION_ID, then add a header containing it into the HttpUriRequest for each subsequent request?
  2. Or (not sure how I would even do this) include the login and password directly on each request, foregoing the cookie/server-side session?

I think I can get option 1 working, but am not sure if Spring Security permits (2), if that's the way to go... Thanks!

Also, there isn't any library I'm missing that would do all this for me, is there? :)

Bobby asked Jan 12 '11 00:01



2 Answers

Spring Security does support both basic authentication and form-based authentication (embedding the username/password in the URL).

A REST service is generally authenticated on each and every request, not normally by a session. The default spring security authentication (assuming you're on 3.x) should look for basic authentication parameters or form parameters (j_username and j_password) (in the form http://you.com/rest_service?j_username=xyz&j_password=abc).

Manually tacking the j_username/j_password onto the URL, adding them as post parameters (I believe), or setting the basic authentication username/password should all work to authenticate a REST service against the default Spring Security interceptors, right out of the box.

I will admit that I haven't tried this on REST services, though I do clearly recall reading exactly this in the docs as I did the same for basic page logins on spring security recently. Disclaimer over.

David Parks answered Nov 06 '22 02:11
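As an added example (not code from the question or either answer), here is how both options from the question look from Android with the Apache HttpClient 4 API the platform bundles: option 2 sends an HTTP Basic Authorization header on every request, which Spring Security's BasicAuthenticationFilter accepts without any session, and option 1 logs in once through the form-login filter and lets the client's cookie store replay the JSESSIONID. The base URL, paths and credentials are placeholders, and the /j_spring_security_check login URL is assumed to be the Spring Security 3.x default rather than something the Grails app is known to use.

```java
import android.util.Base64;
import java.io.IOException;
import java.util.Arrays;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;

public class RideClient {
    // Placeholder base URL. It must be https://: Basic auth and form login both put the
    // password on the wire with nothing but base64/URL encoding, so only TLS protects it.
    private static final String BASE = "https://example.invalid/app";

    // Keep one client for the app: DefaultHttpClient owns a cookie store, so a
    // JSESSIONID set by the server is replayed automatically on later requests.
    private final HttpClient client = new DefaultHttpClient();

    /** Option 2 from the question: stateless HTTP Basic auth on every request.
     *  Spring Security's BasicAuthenticationFilter authenticates each request
     *  from this header, so no login call and no server-side session are needed. */
    public HttpResponse executeWithBasicAuth(HttpUriRequest request, String user,
                                             String password) throws IOException {
        byte[] raw = (user + ":" + password).getBytes("UTF-8");
        request.setHeader("Authorization",
                "Basic " + Base64.encodeToString(raw, Base64.NO_WRAP));
        return client.execute(request);
    }

    /** Option 1 from the question: log in once through the form-login filter
     *  (URL assumed to be the Spring Security 3.x default), then let the cookie
     *  store carry the session cookie. Returns the Location header of the
     *  redirect the filter answers with, or null if there was none. */
    public String loginOnce(String user, String password) throws IOException {
        HttpPost login = new HttpPost(BASE + "/j_spring_security_check");
        login.setEntity(new UrlEncodedFormEntity(Arrays.asList(
                new BasicNameValuePair("j_username", user),
                new BasicNameValuePair("j_password", password)), "UTF-8"));
        HttpResponse resp = client.execute(login);
        // Success and failure are both answered with a 302; compare Location with the app's failure URL.
        Header location = resp.getFirstHeader("Location");
        if (resp.getEntity() != null) {
            resp.getEntity().consumeContent(); // release the connection for reuse
        }
        return location == null ? null : location.getValue();
    }
}
```

The secured save action from the question would then be reached with executeWithBasicAuth(new HttpPost(BASE + "/ride/save"), user, password), where /ride/save is a placeholder path, not one taken from the question.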


I think you can use a login-once-and-get-a-token method that's similar to how OAuth works.

Sending username and password across the network outside of a secured channel (HTTPS/SSL) is a terrible idea. Anyone on the network can sniff your request packet and see the clear text password.

On the other hand, if you use a token method, since the token string is randomly generated, even if the token is compromised, the worst case is that someone can use the token to access your REST API.

Another solution is going through an SSL tunnel (HTTPS). I have actually done a comparison and the result shows: 80 requests/min (https) vs 300 requests/min (http).

ligerdave answered Nov 06 '22 03:11