
How To Implement RESTful Web Service with Auth Token using Spring Security 4.0.1.RELEASE

I am trying to design an API Manager with a RESTful web service. In Spring's new release, we can combine everything in Java code without using web.xml or securityconfig.xml. According to the Authtoken concept, the API manager should have an authtoken and a refresh token for user authentication. Please, can anyone give me sample source code or guidance on how to implement a RESTful web service with Spring Security?

  1. I need to know how all configurations are implemented in Java code.
  2. It should have the Authtoken concept also.

This tutorial shows the correct way to do this.

http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html

But the Spring configuration is in the Spring.xml file.

I need to put it at the Java level also.

The people at Stormpath have quite a straightforward solution for achieving OAuth. Please take a look at Using Stormpath for API Authentication.

As a summary, your solution will look like this:

  1. You will use the Stormpath Java SDK to easily delegate all your user-management needs.
  2. When the user presses the login button, your front end will send the credentials securely to your backend through its REST API.

    2.1. By the way, Stormpath greatly enhances all the possibilities here. Instead of having your own login page, you can completely delegate the login/register functionality to Stormpath via its IDSite, or you can also delegate it to the Servlet Plugin. Stormpath also supports Google, Facebook, LinkedIn and GitHub login.

  3. Your backend will then try to authenticate the user against the Stormpath Backend and will return an access token as a result:

         /** This code will throw an Exception if the authentication fails */
         public void postOAuthToken(HttpServletRequest request, HttpServletResponse response) throws IOException {
             Application application = client.getResource(applicationRestUrl, Application.class);

             // Getting the authentication result
             AccessTokenResult result = (AccessTokenResult) application.authenticateApiRequest(request);

             // Here you can get all the user data stored in Stormpath
             Account account = result.getAccount();

             // The token issued for this authentication
             TokenResponse token = result.getTokenResponse();

             response.setStatus(HttpServletResponse.SC_OK);
             response.setContentType("application/json");

             // Return the Access Token
             response.getWriter().print(token.toJson());
             response.getWriter().flush();
         }

  4. Then, for every authenticated request, your backend will do:

         /** This is your protected API */
         public void sayHello(HttpServletRequest request, HttpServletResponse response) {
             Application application = client.getResource(applicationRestUrl, Application.class);

             OauthAuthenticationResult result =
                 (OauthAuthenticationResult) application.authenticateOauthRequest(request).execute();

             System.out.println(result.getApiKey());
             System.out.println(result.getAccount());

             // At this point the authorization was successful,
             // you can now allow the actual operation to be executed
             doSayHello();
         }

All this will not need any special Spring Security configuration; this is plain Java code that you can run in any framework.

Please take a look here for more information.

Hope that helps!

Disclaimer: I am an active Stormpath contributor.
