Spring Security in Rest API

Question

I have problem to choose security type to our REST API. Firstly I describe a problem. There is an application which will be using this REST API. This application has front end and back end side. It implements spring security with library spring-security-oauth2 and spring-boot-starter-security. It uses JWT and will be on AWS. It will be using tokens from AWS. This application will be using rest service which extracts data from another database.

I would like to use in REST API spring security oauth2 and JWT but this REST API will be deployed on the old JBOSS 4.2 with JAVA 1.5 (it can't be changed unfortunately with java 1.5, it is restriction which I got). Spring security oauth2 as I checked uses 1.6 and above versions. And my question is this, can someone advise me what to use in REST API for security purpose?

In future this REST API could be used by different apllications. I would like to use something safer than basic authentication. I searched for solution but nothing meaningful and useful I found. I would like to ask for opinion who uses spring security.

EDIT :
I decided to use Basic Authentication with in memory user and password hold. I added two classes to implementation:

@Configuration
@EnableWebSecurity
public class SecurityConfiration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }

    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}

Second class:

public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityApplicationInitializer() {
        super(SecurityConfiration.class);
    }
}

Basically that is it. It doesn't work. Calling rest api works fine and results are showing. 401 not working. Did I forget about something? Moreover I don't want to use redirecting to login or showing window with credentials to enter. I want sent in body or header information with error or message. Can I override something to do that?

Environment: deploying on Jboss 4.2 (Java 1.5), and Spring Security 3.2.10.

Answer 1

This might not be the answer you are looking for, but here is suggestion :

Don't confine yourself in thinking "what kind of framework should I use". In the end rest is about http and is not aware about spring(-security) or java altogether, It's all just passing requests with headers that contain some authorization tokens.

In normal circumstances making custom oauth(2) implementation would be discouraged, but under some restrictions like Java 1.5 might be only option. Or depending on situation (non critical resources, internal vpn) some simple token based authorization might be enough.