
Securing mobile REST API with Spring Security enough?

I'm planning to make a little mobile app that will rely on a Java (Spring / Spring MVC) REST API. The API will have paths that look like this, for example:

/rest/account POST (will create a new account; an account is composed of a username + password + email)

/rest/photo/like, for example, which modifies behaviour and adds things to the DB...

I'm also planning to use Spring Security to handle the authentication/authorisation. So before making any authorised call (for example to /rest/photo/like), the mobile app will have to log in (so basically a call to /security_check?j_username=username&password)

And from then on every request will have to include the JSESSIONID in the cookie.

My question is, is this secure enough? Do I have to use OAuth2? Or is it overkill?

Bonus question: as you don't need to be authenticated to make the /rest/account call to create an account, what is the best way to prevent a user from creating 1,000,000 accounts? Apache/IP filter? Or should I handle this in some interceptor in Spring MVC?

1) Yes, from your requirements description I would say Spring Security will do fine. (REST services are usually stateless instead of using sessions, but Spring Security can handle both.)

2) You don't need to use OAuth2 unless you want to pull information from a user's Google or Facebook account or something like that.

3) The bonus question is not trivial. A common way is to use a CAPTCHA. You could use OAuth to, for example, limit the user to one account for every Google/Facebook/X account they have.
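To make the session-cookie setup from the question concrete, here is an added example configuration; it is not code from the question author or the answerer above, and not a snippet from the Spring project. It assumes Spring Boot 3 / Spring Security 6 (jakarta servlet namespace), a UserDetailsService bean backed by the account table, and the hypothetical package name com.example.api.security. The /login and /logout endpoints are assumptions too: the question's /security_check?j_username=... is the Spring Security 3 form-login URL, and current versions use /login with the parameters username and password. Spring Security's form-login filter only accepts POST, and the app should send the credentials in the POST body rather than the query string so they never land in access or proxy logs. The config answers API clients with status codes instead of HTML redirects, rotates the session id on login, and keeps CSRF protection on through a readable XSRF-TOKEN cookie that the app echoes back in an X-XSRF-TOKEN header.

```java
package com.example.api.security; // hypothetical package name

import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        // Load the CSRF token on every request (instead of deferred loading) so the
        // XSRF-TOKEN cookie is always written and the app can read it and echo it back.
        CsrfTokenRequestAttributeHandler csrfHandler = new CsrfTokenRequestAttributeHandler();
        csrfHandler.setCsrfRequestAttributeName(null);

        http
            // Account creation and login are the only anonymous calls; every other
            // /rest/** path needs an authenticated session, and unknown paths are refused.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/rest/account").permitAll()
                .requestMatchers(HttpMethod.POST, "/login").permitAll()
                .requestMatchers("/rest/**").authenticated()
                .anyRequest().denyAll())
            // Credentials travel as the form fields "username" and "password" in the
            // body of a POST to /login. An API client gets 204/401 instead of redirects.
            .formLogin(form -> form
                .loginProcessingUrl("/login")
                .successHandler((req, res, authn) -> res.setStatus(HttpServletResponse.SC_NO_CONTENT))
                .failureHandler((req, res, ex) -> res.setStatus(HttpServletResponse.SC_UNAUTHORIZED)))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessHandler((req, res, authn) -> res.setStatus(HttpServletResponse.SC_NO_CONTENT)))
            // A call without a valid JSESSIONID gets a plain 401, not a login page.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Rotate the session id when login succeeds, so a JSESSIONID handed out
            // before authentication is useless afterwards (session fixation).
            .sessionManagement(sm -> sm.sessionFixation(fix -> fix.changeSessionId()))
            // A cookie-based session means CSRF matters the moment a browser talks to this
            // API: the app reads the XSRF-TOKEN cookie and sends it as the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(csrfHandler));
        return http.build();
    }

    // Whatever handles POST /rest/account stores the password as a bcrypt hash with this encoder.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

The JSESSIONID cookie itself is issued by the servlet container, so its flags are set there rather than in this class: with Spring Boot that is server.servlet.session.cookie.secure=true and server.servlet.session.cookie.http-only=true in application.properties (assumed here), with TLS terminated in front of the app so the Secure flag is honoured. If the API is only ever called from the native app, whose cookie jar no browser shares, CSRF could be switched off; keeping it on costs one header per request and protects the day a browser client is added.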
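For the bonus question, the Spring MVC interceptor route the question mentions looks like this. It is an added example, not code from either poster, and assumes Spring Boot 3 (jakarta servlet namespace), the hypothetical package com.example.api.ratelimit, and a limit of 5 account creations per client address per hour, which is an arbitrary choice. It is a fixed-window counter keyed by client address. The trusted-proxy flag decides whether X-Forwarded-For is consulted at all: that header is client-supplied unless a proxy you control appends to it, so only the last entry (the one your own proxy wrote) is used, and only when the app really sits behind such a proxy.

```java
package com.example.api.ratelimit; // hypothetical package name

import java.time.Clock;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Fixed-window limiter for anonymous account creation: at most MAX_PER_WINDOW
 * POST /rest/account requests per client address per window. Both limits are assumptions.
 */
public class AccountCreationRateLimiter implements HandlerInterceptor {

    static final int MAX_PER_WINDOW = 5;
    static final long WINDOW_MILLIS = 60 * 60 * 1000L; // one hour

    private static final class Window {
        final long startMillis;
        final AtomicInteger count = new AtomicInteger();
        Window(long startMillis) { this.startMillis = startMillis; }
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<>();
    private final Clock clock;
    private final boolean behindTrustedProxy;

    public AccountCreationRateLimiter(Clock clock, boolean behindTrustedProxy) {
        this.clock = clock;
        this.behindTrustedProxy = behindTrustedProxy;
    }

    /** Counts one attempt for this client; true while the client is still under the limit. */
    boolean tryAcquire(String client, long nowMillis) {
        Window w = windows.compute(client, (key, old) ->
                (old == null || nowMillis - old.startMillis >= WINDOW_MILLIS) ? new Window(nowMillis) : old);
        boolean allowed = w.count.incrementAndGet() <= MAX_PER_WINDOW;
        // Drop expired windows once the map gets large, so a flood of distinct
        // source addresses cannot grow it without bound.
        if (windows.size() > 10_000) {
            windows.entrySet().removeIf(e -> nowMillis - e.getValue().startMillis >= WINDOW_MILLIS);
        }
        return allowed;
    }

    /** Address the limit is keyed on. X-Forwarded-For is honoured only behind our own proxy. */
    String clientKey(HttpServletRequest req) {
        if (behindTrustedProxy) {
            String xff = req.getHeader("X-Forwarded-For");
            if (xff != null && !xff.isBlank()) {
                // Anything the client put in the header itself comes first; the address
                // our proxy appended is the last entry, so that is the only one we trust.
                String[] hops = xff.split(",");
                return hops[hops.length - 1].trim();
            }
        }
        return req.getRemoteAddr();
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) {
        if (!"POST".equalsIgnoreCase(req.getMethod())) {
            return true; // only account creation is limited; other methods on the path pass
        }
        if (tryAcquire(clientKey(req), clock.millis())) {
            return true;
        }
        res.setStatus(429); // Too Many Requests
        res.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
        return false;
    }
}

/** Registers the interceptor for the account endpoint only. */
@Configuration
class RateLimitConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Pass true only when a proxy you control appends X-Forwarded-For.
        registry.addInterceptor(new AccountCreationRateLimiter(Clock.systemUTC(), false))
                .addPathPatterns("/rest/account");
    }
}
```

A per-address limit stops the naive loop but not a botnet or a large NAT (everyone behind one campus address shares one budget), so it complements the CAPTCHA or third-party-login idea in the answer rather than replacing it; an Apache or nginx limit in front of the app does the same job one layer earlier and also covers paths that never reach Spring. Spring Security's filter chain runs before MVC interceptors, which is fine here because POST /rest/account is permitted anonymously, and checking the method inside preHandle leaves a GET on the same path unaffected.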

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM