Menu
I need to create a SpringBoot RESTful API to be consumed either by a web project or a mobile app.
My question is how to secure it without the typically basic authorization that returns you a "jsessionid" to the web browser and mantains the session with it. It's not a problem for the web project, because it could store that jsessionid. But how about to secure the mobile app request to the API?
Sorry for my english. Thanks.
573
Always use TLS Every web API should use TLS (Transport Layer Security). TLS protects the information your API sends (and the information that users send to your API) by encrypting your messages while they're in transit. You might know TLS by its predecessor's name, SSL.
Prevent Using URL Parameters for Session Tracking Starting with Spring 3.0, the URL rewriting logic that would append the jsessionid to the URL can now be disabled by setting the disable-url-rewriting=”true” in the <http> namespace.
One of the architectural constraints of REST is that it must be stateless.
Your REST API must not have sessions that authenticate the client. Instead, the client should pass some sort of token, commonly placed in the Authentication HTTP Header.
JWT and OAuth 2.0 are both very popular ways of doing this, and you can absolutely use HTTP Basic Authentication with OAuth 2.0 if you wish.
Here's an article called Stateless Authenticaiton with Spring Security and JWT. Hopefully that will help!
110
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
