Spring Security Token Authentication - RESTful JSON Service

greyfox picture greyfox · Jun 10, 2014 · Viewed 48k times · Source

I'm looking to use Spring Security for a Spring MVC application which will strictly be a JSON web service. I've done some research and read a few articles but haven't really found anything complete. I want the application to be completely stateless and use token based authentication. I don't want the Spring MVC application to have any forms, or used forms to authenticate. It should strictly take requests and data in JSON, and return JSON responses.

There will be an Angular JS client application which will need to send the username and password and get the token from the application to be used in sequential requests. At some point there may be Android clients that access this web service as well.

I'm assuming Spring Security has its way internally to mapping a token to a user session, meaning it knows token XXXXXXXXXXXX is admin user Bob and token AAAAAAAAAA is standard user Joe. However I don't have much experience with Spring Security so I don't know how this all comes together. I still want to be able to use secured annotations on controller and service methods.

Is there a way to accomplish this in Spring Security?

This question seems to be a good place to start but I'm not sure this will work as I envisioned it RESTful Authentication via Spring.

Answer

M4ver1k picture M4ver1k · Jun 11, 2014

This will be a good place to start with Spring-Rest-Boilerplate.

  1. For the first time you have to use http basic authentication and then login (send username/password) and this will return the token.
  2. In subsequent request you will use this token for authentication.
  3. You will have to add a filter to the chain that will do that authentication based on a token.

You have to come up with a token format and encryption for same. You ideally need to keep an expiry for the token too, expiry along with username could be a part of the token.Use an encryption algorithm a cryptographic hash function like MD5 and get hash of the whole Token.

Edit : As pointed out by Maciej Stępyra MD5 seems to be broken and its advised to use a Stronger hash functions like SHA-256.

Spring security by default will redirect you to a login page, but this does not make sense in case of REST so use a custom AuthenticationEntryPoint in config(Ref sample github code).

I was using this format for my Token: token:username:hash:expiry

hash=MD5(username+magickey)

expiry=current_timestamp+mins_to_expiry

 <security:http realm="Protected API" use-expressions="true" auto-config="false" create-session="always" entry-point-ref="**CustomAuthenticationEntryPoint**">
        <security:custom-filter ref="**authenticationTokenProcessingFilter**" position="PRE_AUTH_FILTER" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
 </security:http>

NB:Thanks dhavaln for the code. I have used this as a reference and developed similar thing.