Securing Spring RESTful webservice APIs from unautherized access?

Question

I have successfully created a Spring RESTful webservice with different APIs. Now I should protect them from unauthorized access. I followed http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html and the login logic is entirely different from mine. Can someone help me to move on?

Fetch user login request

 @RequestMapping(value = "/login", method = RequestMethod.POST)
    @ResponseBody
    @ResponseStatus(HttpStatus.OK)
    public UserResponse login(@RequestBody final UserLoginRequest userRequest) throws ServletException, IOException {
        UserResponse userResponse = new UserResponse();
        try {
            userResponse = accessService.login(userRequest);
        } catch (SQLException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
        return userResponse;
    }

Process user login request

 @Transactional
    public UserResponse login(UserLoginRequest userRequest) throws SQLException,
            ClassNotFoundException, IOException {
        UserResponse userResponse = new UserResponse();

        int status = 0;

        //boolean isExist = loginDao.isUserExist(userRequest.getUsername(), userRequest.getPassword());
        User user = loginDao.getUser(userRequest.getEmailID());
        if (user != null) {
            if (userRequest.getPassword().equals(user.getPassword())) {//Case sensitive password and added to check status
                //User exist
                if (user.getStatus().equals("1")) {
                    //Device token check
                    loginDao.isDeviceTokenExists(userRequest, user.getProfileId());

                    status = 2;
                } else {
                    status = 3;
                }
            } else {
                status = 4;
            }
        } else {
            status = 1;
        }
        if (status == 1) {
            userResponse.setCode(WeekenterConstants.USER_EMAIL_EXIST_CODE);
            userResponse.setMessage("User does not exists.Please Register.");
        } else if (status == 2) {
            userResponse.setCode(WeekenterConstants.SUCCESS_CODE);
            userResponse.setMessage("User login success");
            userResponse.setId(user.getProfileId());
        } else if (status == 3) {
            userResponse.setCode(WeekenterConstants.FAILURE_CODE);
            userResponse.setMessage("Your Account is blocked. Please contact Weekenter administrator.");
            userResponse.setId(user.getProfileId());
        } else if (status == 4) {
            userResponse.setCode(WeekenterConstants.FAILURE_CODE);
            userResponse.setMessage("Password is wrong.");
            userResponse.setId(user.getProfileId());
        }
        return userResponse;
    }

I have API's for fetch countries, userlist etc. Those services should only give data to the Android client once the user is valid. I know the authentication will be processed by using access token. How could I do it in a standard way?

Answer 1

I think you need to have a separate process that will authorize a device for use in your application.

I have worked on an application in which tablets are registered for using an app. The tablet ID is saved in a simple text file that is accessible to the Apache server. Then all REST requests have a special header X_DEVICEID which contains the device ID, and a PHP script used by Apache checks for this ID in the file, and will only give a response if the ID is for a registered device.

The file of allowed device IDs acts as a sort of firewall to block unregistered devices.