用户令牌认证Spring MVC RESTful API

Question

I would like to secure our REST API with user token.

1. User does an initial request to the API to obtain an access token (must provide own credentials - login and password)
2. Service find the user by provided credentials
3. If is a user found, service creates an unique token with time expiration and returns it back to the user (token expiration can be defined as now() + 15minutes - is it enough? What is a standard expiration time for such tokens?)
4. User must provide this token in all his requests OR asks for new token when is expiring and API process original request

I would like to ask you - is there in Spring framework native support for such authentication flow - I'll be happy with some simple example or URL to Spring doc? If so, what do I need to use? I have studied Spring docs and read many tutorials, and It seems there is a support for everything and I need to know what is the best for my issue.

Answer 1

For token-based authorisation to resources, one framework that will inevitably come-up will be oAuth

oAuth will help you achieve exactly the workflow that you desire eg that a user can authenticate and then be given a token to access a defined set of resources via an API. It is however fairly heavyweight and it is definitely worth taking the time to understand how it works and that it exactly fits the picture of your requirements.

The "official" site is here . There are two versions of oAuth, so again this will help you to understand which the the right one for you.

As for Spring Security integration, there is a Spring Security oAuth project . The documentation for this is pretty good both at the level of how the integration works with Spring Security, but also in terms of helping you understand that oAuth is the right solution for your project.