Spring Security - Separate Configuration for REST APIs and Other URLs

I have two sets of URLs: one set of REST APIs, the other a pretty ordinary website. I want to apply different security rules to the REST API, so that a user or script that calls the REST API receives a response with either a 401 code (basic auth would be accurate) or just a 403.

So, I want to allow access to the REST API for:

  • the user who is logged in (for JavaScript on the site pages that calls the REST API and thus shares the same session).
  • some script that calls the REST API with basic authentication credentials in the WWW-Authenticate header.

I'm currently trying to figure out which configuration will make Spring "understand" what I want. I came up with the following configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http pattern="/" security="none" />
    <http pattern="/static/**" security="none" />

    <!-- REST API -->
    <http pattern="/rest/*" use-expressions="true">
        <http-basic />
        <intercept-url pattern="/*" access="isAuthenticated()" />
    </http>

    <!-- Site -->
    <http access-denied-page="/WEB-INF/views/errors/403.jsp" use-expressions="true">
        <intercept-url pattern="/index.html" access="hasRole('ROLE_USER') or hasRole('ROLE_ANONYMOUS')" />
        <intercept-url pattern="/login.html" access="hasRole('ROLE_USER') or hasRole('ROLE_ANONYMOUS')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login.html"
                    default-target-url="/index.html"
                    authentication-failure-url="/login.html?error=1" />

        <logout logout-url="/logout.do" logout-success-url="/index.html" />

        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS" />
        <remember-me />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="2" authorities="ROLE_ADMIN,ROLE_USER" />
                <user name="alex" password="1" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

With this configuration, instead of a 403 I get a 302 redirect to the login URL for calls to the REST API.

So I tried this for the REST API:

<beans:bean id="ep403" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>


<!-- REST API -->
<http pattern="/rest/*" entry-point-ref="ep403" use-expressions="true">
    <intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
    <http-basic />
</http>

To restate what I want to allow:

  • the logged-in user's JavaScript calling the REST API with the session (cookie);
  • a script calling the REST API with basic auth and no cookie.



I ended up splitting the URLs so that Spring applies a different auth policy to each:

<!-- Defines custom security policy for Stateful REST API -->
<beans:bean id="nonRedirectingAccessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>
<beans:bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<!-- Stateful REST API -->
<http pattern="/rest/stateful/**" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
    <access-denied-handler ref="nonRedirectingAccessDeniedHandler"/>
    <intercept-url pattern="/rest/stateful/**" access="isAuthenticated()" />
</http>

<!-- Stateless REST API -->
<http pattern="/rest/stateless/**" use-expressions="true" create-session="stateless">
    <http-basic/>
    <intercept-url pattern="/rest/stateless/**" access="isAuthenticated()" />
</http>

This way the API is split: a "stateful" part for the logged-in browser user, and a "stateless" part for a script calling the REST URLs with basic auth, so the script never gets a session.

The downside is the UX of the REST API: there are two sets of URLs, and a script has to use the stateless ones.

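As an added check (not part of the answer above, and not Spring code), here is a small Python smoke test for the contract the two chains are meant to enforce: a script hitting the stateless chain without credentials gets a 401 with a Basic challenge and no redirect; with credentials it gets 200 and no JSESSIONID cookie; browser JavaScript hitting the stateful chain without a session gets a plain 403 rather than a 302 to the login page. The base URL, the two probe paths and the user/password (taken from the question's user-service) are assumptions. The check functions take (status, headers), so they can be exercised offline with constructed responses and pointed at a live server via run_all(). One caveat: with create-session="stateless" the script sends its Basic credentials on every request, so that chain should only be reachable over TLS.

```python
"""Smoke test for the stateful/stateless REST split above (added example,
not part of the original answer or of Spring). BASE_URL, the two probe
paths and the user/password are placeholders to adjust."""
import base64
import http.client
from urllib.parse import urlsplit

BASE_URL = "http://localhost:8080"        # assumption: local dev server
STATELESS_PATH = "/rest/stateless/ping"   # hypothetical endpoint
STATEFUL_PATH = "/rest/stateful/ping"     # hypothetical endpoint


def fetch(path, headers=None):
    """GET path on BASE_URL; return (status, {lower-case header: value})."""
    u = urlsplit(BASE_URL)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    hdrs = {k.lower(): resp.getheader(k) for k, _ in resp.getheaders()}
    conn.close()
    return resp.status, hdrs


def basic_auth_header(user, password):
    """Authorization header a script sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def check_stateless_unauthenticated(status, headers):
    """No credentials: expect a Basic challenge, never a redirect to login."""
    problems = []
    if status != 401:
        problems.append(f"expected 401, got {status}")
    if not (headers.get("www-authenticate") or "").lower().startswith("basic"):
        problems.append("missing WWW-Authenticate: Basic challenge")
    if "location" in headers:
        problems.append("redirected to " + headers["location"])
    return problems


def check_stateless_authenticated(status, headers):
    """Valid credentials: expect 200 and no session cookie being created."""
    problems = []
    if status != 200:
        problems.append(f"expected 200, got {status}")
    if "jsessionid" in (headers.get("set-cookie") or "").lower():
        problems.append("stateless chain created a session cookie")
    return problems


def check_stateful_unauthenticated(status, headers):
    """No session: expect a plain 403, no 302 and no Basic challenge."""
    problems = []
    if status != 403:
        problems.append(f"expected 403, got {status}")
    if "location" in headers:
        problems.append("redirected to " + headers["location"])
    if "www-authenticate" in headers:
        problems.append("stateful chain should not issue a Basic challenge")
    return problems


def run_all(user="alex", password="1"):
    """Run the three probes against the live server; {probe: [problems]}."""
    return {
        "stateless/no-creds": check_stateless_unauthenticated(*fetch(STATELESS_PATH)),
        "stateless/basic": check_stateless_authenticated(
            *fetch(STATELESS_PATH, basic_auth_header(user, password))),
        "stateful/no-session": check_stateful_unauthenticated(*fetch(STATEFUL_PATH)),
    }


if __name__ == "__main__":
    for probe, problems in run_all().items():
        print(f"{probe:22} {'OK' if not problems else '; '.join(problems)}")
```

Run it with the application started locally; every probe should print OK. A 302 on either REST probe means a request is still falling into the form-login chain, which is the symptom the question describes.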

Another option is to handle the URLs under /rest/ with a Spring MVC interceptor.

<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/rest/**"/>
        <bean class="com.your.class.name.Interceptor"/>
    </mvc:interceptor>
</mvc:interceptors>

Add the mvc namespace to your XML, i.e.:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">

The Interceptor class implements Spring's HandlerInterceptor:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class Interceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) throws Exception {
        // Do what you need to check when the request arrives:
        // do the authentication here.
        // Return true on success to let the request reach the controller;
        // return false (after writing the error response) to stop it.
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest request,
                           HttpServletResponse response,
                           Object handler,
                           ModelAndView modelAndView) throws Exception {
        // Runs after the controller, before the view is rendered.
    }

    @Override
    public void afterCompletion(HttpServletRequest request,
                                HttpServletResponse response,
                                Object handler,
                                Exception ex) throws Exception {
        // Runs after the response is complete; ex is non-null on failure.
    }

}



Change pattern="/rest/*" to pattern="/rest/**" and pattern="/*" to pattern="/**" for the REST API:

<http pattern="/rest/**" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic />
</http>
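The pattern mix-up in the question reaches further than the REST chain, so here is an added Python audit script (mine, not from the post or from Spring) that re-implements the subset of Ant matching Spring Security uses (`?`, `*`, `**`) and, for a list of request paths, reports which `<http>` chain and which `<intercept-url>` rule would apply; first match wins at both levels, as in FilterChainProxy and FilterSecurityInterceptor. The embedded configuration is the question's own, trimmed to the parts relevant to path matching, and CONFIG_FIXED applies the `/rest/**` and `/**` change from the last answer. Running it shows that with the original config `/rest/users` lands in the REST chain but matches no rule at all (with the default rejectPublicInvocations=false the interceptor then treats it as a public object and never asks for authentication), `/rest/users/42` falls through to the form-login chain and gets the 302, and `/admin/users/1` is only protected by the `/**` ROLE_USER rule because `/admin/*` covers a single path segment.

```python
"""Audit which Spring Security filter chain and <intercept-url> rule a
request path ends up in. Added example, not from the original post or from
Spring; it re-implements only the Ant-matching subset (`?`, `*`, `**`) needed
for the configs on this page and embeds the question's configuration,
trimmed, as constructed sample input."""
import re
import xml.etree.ElementTree as ET

NS = {"sec": "http://www.springframework.org/schema/security"}

# Constructed sample: the question's chains and rules, without the beans
# that play no part in path matching.
CONFIG = """<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
    <http pattern="/" security="none" />
    <http pattern="/static/**" security="none" />
    <http pattern="/rest/*" use-expressions="true">
        <http-basic />
        <intercept-url pattern="/*" access="isAuthenticated()" />
    </http>
    <http use-expressions="true">
        <intercept-url pattern="/index.html" access="hasRole('ROLE_USER') or hasRole('ROLE_ANONYMOUS')" />
        <intercept-url pattern="/login.html" access="hasRole('ROLE_USER') or hasRole('ROLE_ANONYMOUS')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </http>
</beans:beans>"""

# The last answer's fix applied to the same config.
CONFIG_FIXED = (CONFIG.replace('<http pattern="/rest/*"', '<http pattern="/rest/**"')
                      .replace('<intercept-url pattern="/*"', '<intercept-url pattern="/**"'))


def ant_to_regex(pattern):
    """Ant-style pattern -> anchored regex. `**` spans segments, `*` and `?`
    stay inside one segment; `/**` also matches an empty remainder so that
    `/rest/**` matches `/rest` itself, as Spring's AntPathMatcher does."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def ant_match(pattern, path):
    return ant_to_regex(pattern).match(path) is not None


def resolve(config_xml, path):
    """Return (chain pattern, effective rule) for one request path.

    Chains are tried in declaration order and the first whose pattern matches
    handles the request (an <http> without pattern matches everything).
    Inside the chain the first matching <intercept-url> wins. A path that
    matches no rule is reported as UNPROTECTED: with the default
    rejectPublicInvocations=false it is treated as a public object."""
    root = ET.fromstring(config_xml)
    for http in root.findall("sec:http", NS):
        chain = http.get("pattern", "/**")
        if not ant_match(chain, path):
            continue
        if http.get("security") == "none":
            return chain, 'NO FILTERS (security="none")'
        for rule in http.findall("sec:intercept-url", NS):
            if ant_match(rule.get("pattern"), path):
                return chain, rule.get("access")
        return chain, "UNPROTECTED (no intercept-url matched)"
    return None, "NO CHAIN"


def audit(config_xml, paths):
    return {p: resolve(config_xml, p) for p in paths}


if __name__ == "__main__":
    probes = ["/", "/static/app.js", "/rest/users", "/rest/users/42",
              "/admin/users", "/admin/users/1", "/index.html"]
    for label, cfg in (("original", CONFIG), ("fixed", CONFIG_FIXED)):
        print(f"== {label}")
        for path, (chain, rule) in audit(cfg, probes).items():
            print(f"{path:18} chain={chain!s:10} -> {rule}")
```

Point it at your own security XML and a list of the URLs your controllers actually serve; any line reporting UNPROTECTED, or a REST path resolved by the form-login chain, is a rule that needs `/**` instead of `/*`. The same single-segment caveat applies to `/admin/*` in the site chain.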
