Spring Boot Rest API安全性

Question

I looking for a way to create an annotation for Spring Boot that i can apply to my API methods or controller in my REST API that will secure the endpoint. But i am having issues finding a guide or documentation on how to do this.

Example:

@RestController
@RequestMapping("auth")
public class AuthenticationController {

    @RequestMapping(value = "login", method = RequestMethod.POST)
    public TokenResponse login(@RequestBody LogInRequest request) throws InvalidLogInException {}

    @Authorize
    @RequestMapping(value = "me", method = RequestMethod.GET)
    public UserResponse getMe() {}

}

or

@Authorize
@RestController
@RequestMapping("books")
public class AuthenticationController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public BooksResponse getMyBooks() {}

    @RequestMapping(value = "/wish", method = RequestMethod.GET)
    public BooksResponse getWishList() {}
}

I have looked into the build in Spring Security, but it is way more in-deep then what i need. I simply just need a middle-ware that will validate a token provided in the header: If it is valid add the user id to the request context and let the request pass though. If not return a 401 Unauthorized Error and don't allow the API method to run.

Answer 1

If I understand what you mean correctly, then you can try this.

First, new a file called SecurityConfig.java , it is to enable the configuration of annotation configuration and handle "401".

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/*
    Enable annotation.
    "an annotation for Spring Boot that i can apply to my API methods".
    https://docs.spring.io/spring-security/site/docs/current/reference/html5/#jc-method
 */
@EnableGlobalMethodSecurity(securedEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        /*
            Enable "401".
            "If not return a 401 Unauthorized Error and don't allow the API method to run".
        */
        http.exceptionHandling().accessDeniedPage("/401");

        // You can add more configuration, Please check the Source code of HttpSecurity.
    }

}

Next, The code example you provided could be modified like this:

// For specific use of annotations, you can check here:
// https://docs.spring.io/spring-security/site/docs/current/reference/html5/#jc-method
@Secured("ROLE_USER")
@RestController
@RequestMapping("auth")
public class AuthenticationController {

    @RequestMapping(value = "login", method = RequestMethod.POST)
    public TokenResponse login(@RequestBody LogInRequest request) throws InvalidLogInException {}

    @Authorize
    @RequestMapping(value = "me", method = RequestMethod.GET)
    public UserResponse getMe() {}

}

emmmm, you should also add this.

...
@RequestMapping("/401")
...

Answer 2

There is a pretty simple way to execute this. Below are the steps:

1. Create a JWT authentication controller to generate JWT token
2. Create a JWTRequestFilter to authenticate request
3. Configure Spring Security to enabling pre-authorisation in REST API calls
4. Define roles/privileges for the access control.

A detailed and excellent tutorial is available here

I have put that into practice and already using it. You might need some customization based on your needs. For the same, feel free to ask me your doubts. Will be happy to help.