How to secure the RESTful webservices created using Springs's REST Api?

Question

We have a Spring web application created using Spring MVC 3.0 In the same application, we have created RESTful web services using Springs's REST API.

Now we need to secure those web services. How do we do this in spring? Can we use spring security for this? If not what are the other options?

Thanks.

Answer 1

It really depends on the level of security you want to impose. You could just use simple web.xml based access control with realms, usernames and passwords.

Security of your webservices is another matter. From the Spring Security FAQ:

Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the OWASP web site for information on the major issues facing web application developers and the countermeasures you can use against them.

Spring Security is certainly an option. It is for the most part, easy (nowadays) to integrate with Spring and has a flexible authentication module.

You should also consider Apache Shiro. A comparison to Spring Security question has already been answered - Shiro vs. SpringSecurity and Shiro also integrates nicely with Spring.

There are also some other questions already answered on this topic - How to secure a service REST with spring3? and Looking for a Simple Spring security example

I do not think there is a definitive answer to the question in it's current form, but I hope this helps all the same.