Spring Security & Stateless Restful services

My project is divided into micro services. My front-end project is AngularJS on top of Spring Boot.

My services are completely RESTful, and I want to keep them like that.

Because my services are RESTful, I use HTTP Basic security as the authentication process on my front-end.

At first, everything seemed to be fine, after the end-user passed the login page.

But afterward, I realized that because of my RESTful style, I don't maintain an HTTP state, which means in upcoming requests to the server I'll have to keep sending HTTP Basic credentials to the server. And I can't authenticate the user on each request I want to make to the server.

Is there any workaround of this HTTP stateless style and maintaining credentials to the server?

Where is it considered best to save the credentials?

A cookie? But that will bring back the state to the HTTP requests.

In my search online I came across Redis and/or Spring Session. Is that the answer?

Moshe Arad asked May 17 '26 08:05


1 Answer

Spring Session

Spring Session is a great, lesser-known project in the Spring portfolio. It easily enables your applications to use an external session store (e.g. Redis) instead of a localized session (e.g. Tomcat). This allows you to leverage load balancers that distribute traffic across multiple servers without losing application state (e.g. logged in/logged out). It also allows you to reboot individual servers without destroying the user's session.

RESTful?

Yes, you can use a modified Spring Session configuration to more appropriately use it with REST endpoints. You'll use HttpBasic to perform the initial authentication, but you'll receive an authorization token which you'll pass in subsequent requests as an HTTP header in lieu of the username & password. See the link to the docs for more detail.

Spring Security OAuth

This is a much more complicated setup, but there are advantages such as leveraging external Identity Providers (e.g. Google, Facebook). You can also facilitate SSO across multiple applications. I would recommend starting with Spring Session as it is much simpler for a beginner.

Kyle Anderson answered May 19 '26 02:05
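
A configuration for the header-token flow the answer describes, added here as an illustration and not taken from the answer or the linked docs. It assumes Spring Boot 2.x with Spring Security 5.x and spring-session-data-redis 2.x; the class names and the `/user` and `/session` endpoints are hypothetical.

```java
// Added example. Assumes Spring Boot 2.x (javax.servlet), Spring Security 5.x and
// spring-session-data-redis 2.x, with the Redis connection auto-configured by Spring Boot.
import java.security.Principal;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.*;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.*;
import org.springframework.web.bind.annotation.*;

@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // idle tokens expire after 30 minutes
public class TokenSessionConfig {

    // Send and read the session id in the X-Auth-Token header instead of a cookie.
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            // First request: Basic credentials are checked and a Redis-backed session is created.
            // Later requests: a valid X-Auth-Token restores that session, no password needed.
            .httpBasic(Customizer.withDefaults())
            // Do not create sessions just to remember rejected, unauthenticated requests.
            .requestCache(cache -> cache.requestCache(new NullRequestCache()))
            // The token travels in a custom header that browsers never attach automatically.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}

@RestController
class SessionController {

    // Hypothetical login probe: call once with Basic auth, read X-Auth-Token from the response.
    @GetMapping("/user")
    public String user(Principal principal) {
        return principal.getName();
    }

    // Hypothetical logout: deletes the session in Redis so the token stops working.
    @DeleteMapping("/session")
    public void logout(HttpSession session) {
        session.invalidate();
    }
}
```

The `X-Auth-Token` value is a bearer credential for the whole session, so it needs the same TLS-only transport and client-side care as the password it replaces. The services stay free of local state because any instance can resolve the token against Redis.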

Kyle Anderson