Skip navigation

Why Restful?

 

  • Restful is popular alternative to SOAP web service and It is easy to use.

    

How do you secure your restful web service?

 

  • How do you protect server side resources to allow only certain authenticated users to access? Because each restful request is a stateless request, so you can’t use standard login page to authenticate a user anymore.
  • The solution is to use Http Authentication header and spring security framework.
  • There are many ways to use Spring Security to authenticate user request. In this paper I am going to show you how to use FilterSecurityInterceptor to authenticate user requests

    

Sequence Diagram

 

seq.png

 

  • This diagram show Spring Security can protect your Java server side resource.
  • The Client makes a request to the server side service.
  • Spring FilterSecurityInterceptor intercepts the request and extract the Authentication header.
  • Spring FilterSecurityInterceptor calls AuthercationManger to authticate the user.
  • Spring FilterSecurityInterceptor use AccessManager to decide if the system is going to allow the user to access the protected resource. 

 

Spring Configuration

 

  1. Web.xml:

 

    <context-param>

        <param-name>contextConfigLocation</param-name>

        <param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>

    </context-param>

 

    <listener>

        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

    </listener>

   

    <listener>

                <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>

        </listener>

 

    <filter>

        <filter-name>springSecurityFilterChain</filter-name>

        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

    </filter>

 

    <filter-mapping>

        <filter-name>springSecurityFilterChain</filter-name>

        <url-pattern>/*</url-pattern>

    </filter-mapping>

 

    <servlet>

        <servlet-name>mvc-dispatcher</servlet-name>

        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

      

        <load-on-startup>1</load-on-startup>

    </servlet>

   

    <servlet-mapping>

        <servlet-name>mvc-dispatcher</servlet-name>

        <url-pattern>/rest/*</url-pattern>

    </servlet-mapping>

 

 

 

 

Mvc-dispatcher-servlet.xml

<context:component-scan base-package="com.johnnyweb.stockWatcher.controller" />

    <mvc:annotation-driven />

 

    <security:authentication-manager>

                <security:authentication-provider>

                        <security:user-service id="userService">

                                <security:user name="gwtrest" password="gwtrest" authorities="customer" />

                        </security:user-service>

                </security:authentication-provider>

        </security:authentication-manager>

 

        <security:http create-session="stateless" use-expressions="true">

               

                <security:intercept-url pattern="/**"

                        access="hasAnyRole('customer')" />

                <security:http-basic />

        </security:http>

 

 

Spring controller

 

 

@RequestMapping(method = RequestMethod.GET)

        public @ResponseBody List<StockPrice> getStocks( @RequestParam(value = "q", required = false) final String q ) {

                       

                String[] stockSymbols = q.split(" ");

                ArrayList<StockPrice> stockPriceList= new ArrayList<StockPrice>();

                    for (String stockSymbol : stockSymbols) {

                     Random rnd = new Random();

                      double price = rnd.nextDouble() * MAX_PRICE;

                      double change = price * MAX_PRICE_CHANGE * (rnd.nextDouble() * 2f - 1f);

                      StockPrice stockPrice = new StockPrice();

                          stockPrice.setSymbol(stockSymbol);           

                          stockPrice.setPrice(price);

                          stockPrice.setChange(change);

                          stockPriceList.add(stockPrice);                 

                    }

               

               

                return stockPriceList;

}

 

       

 

Test your restful service using FIrefox RestClient

 

 

http://localhost:8080/SpringMVC/rest/stockWatcher?q=NN