Authentication with custom token in spring boot

I need to secure my spring boot application and this is what I have:

  1. A spring boot application which exposes some REST APIs.
  2. A frontend which communicates with the exposed APIs.
  3. A custom auth token which the frontend sends for authentication.
  4. A database which stores the custom auth tokens.

So, essentially my frontend will send a REST request to my spring boot application along with the auth token and my spring boot application will query the database to see if the auth token is valid.

This authentication should be available for all the controllers in my spring boot application. Is there a way to do it by default for every REST request without explicitly putting the authentication in each and every controller?

I know about spring boot web security features but there isn't enough information on how to use these with custom tokens.

Shubham Rana asked Oct 12 '25 09:10


1 Answer

Definitely spring-security is the way to go. With Spring Boot, use this starter:

  <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
  </dependency>

Then you will have to define your Security configuration in some configuration class, for instance:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// BaseTokenService and the Token* classes referenced below are your own implementations.

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final BaseTokenService tokenService;

    // the final field needs a constructor; Spring injects the BaseTokenService bean here
    public SecurityConfig(BaseTokenService tokenService) {
        this.tokenService = tokenService;
    }

    @Bean
    public TokenAuthenticationService tokenAuthenticationService() {
        return new TokenAuthenticationServiceImpl(tokenService);
    }

    @Bean
    public TokenAuthenticationProvider tokenAuthenticationProvider() {
        return new TokenAuthenticationProvider(tokenAuthenticationService());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // the provider validates the token the filter extracted (the database lookup lives there)
        auth.authenticationProvider(tokenAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        TokenAuthenticationFilter tokenAuthenticationFilter =
                new TokenAuthenticationFilter(super.authenticationManager(), false);

        // session management: the token is checked on every request, so no HTTP session,
        // no anonymous principal and no CSRF token
        http
                .anonymous().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable();

        // filter: antMatcher() limits this whole configuration to /api/secured/**;
        // requests outside that pattern are not covered by it, so widen or drop the
        // matcher if every controller must require the token
        http
                .antMatcher("/api/secured/**")
                .addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                .anyRequest()
                .authenticated();
    }

}

As you can see in the above configuration, I use a custom authentication filter (tokenAuthenticationFilter). It could be the kind of security filter you can use to handle your third statement: A custom auth token which the frontend sends for authentication. It comes along with an AuthenticationProvider, the spring security component which validates the user authentication according to the token extracted by the Security filter. You'll have to provide the correct implementation of all the Token* classes according to your needs.

"I know about spring boot web security features but there isn't enough information on how to use these with custom tokens."

The spring security documentation should be the way to go:

https://docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/reference/htmlsingle/

If you want an example tutorial:

https://www.sylvainlemoine.com/2016/06/06/spring-saml2.0-websso-and-jwt-for-mobile-api/

Skip the SAML part, it's irrelevant here, but take a look at the JWT (JSON Web Token) part; it should answer your use case.

slemoine answered Oct 14 '25 22:10
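The answer leaves the Token* classes to the reader, so here is one way the TokenAuthenticationFilter it wires in could look. This is an added illustration, not code from the answer or from Spring Security; it assumes the frontend sends the token as an `Authorization: Bearer <token>` header, that the second constructor argument means "reject requests that carry no token", and that your TokenAuthenticationProvider accepts a PreAuthenticatedAuthenticationToken whose credentials are the raw token, looks it up in the database, and returns an authenticated Authentication or throws.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/** Reads "Authorization: Bearer <token>" and asks the AuthenticationManager (backed by your
 *  TokenAuthenticationProvider) to validate it; the filter itself never trusts the token. */
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    private static final String BEARER = "Bearer ";
    private final AuthenticationManager authenticationManager;
    private final boolean rejectMissingToken; // assumed meaning of the boolean in the answer's config

    public TokenAuthenticationFilter(AuthenticationManager authenticationManager, boolean rejectMissingToken) {
        this.authenticationManager = authenticationManager;
        this.rejectMissingToken = rejectMissingToken;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER)) {
            if (rejectMissingToken) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing bearer token");
                return;
            }
            chain.doFilter(request, response); // no token: the request stays unauthenticated and authorizeRequests() rejects it
            return;
        }
        try {
            // principal is unknown until the provider has resolved the token against the database
            Authentication result = authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(null, header.substring(BEARER.length()).trim()));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext(); // never leave a half-built security context behind
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired token");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The javax.servlet imports match the Spring Security 4.x / Spring Boot 1.x line the answer links to; on Spring Boot 3 they become jakarta.servlet.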