Announcement Announcement Module
Collapse
No announcement yet.
RESTful webservice + token authentication Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • RESTful webservice + token authentication

    Hi,

    I am not too familiar with Spring but I have read some articles and how-tos.

    The business required are:
    • typical client-server architecture: mobile clients and RESTful services on server side
    • clients have to different choice for log into the mobile application: application login and facebook login
    • have to protect all RESTful services on server side against unauthorized users

    My responsibility is to develop RESTful services. I am very good at Application Servers, J2EE, JMS, JDBC, distributed transactions (XA) but I am not too good at security

    I developed with Spring some STATELESS RESTful webservices. These services are not protected, so everybody can use them.

    For example:
    • http://...../api/country/{user_id}
    • http://...../api/country/{user_id},{country_id}

    Each of my webservices has a user_id input parameter because I need to identify which user made the server call. The result of webservices depend on the user. Of course, it is absolutely normal.

    Now, I have to develop some new things because I have to protect these webservices against unauthorized users.

    My idea is:

    (*) I will create two new webservice like this:
    applicationLogin(String username, String password)
    and
    facebookLogin(String accessToken)
    • http://...../api/login/{username}, {password}
    • http://...../api/login/{facebook accass token}


    (*) I will have to protect my webservices against unauthorized users


    The user logging process may look like this:
    (1) user fill up the username and password fields on the his/her mobile device
    (2) click on the application login button
    (3) the mobile application makes a server call to http://...../api/login/{username}, {password} public service
    (4) if username and password is correct I will generate a token (a long string with expiration date information) and I will put the username and the token string into the answer of HTTP header
    (5) after it the all client have to send back to the server these two parameters (username and token) when they make webservice call.

    On the server side I can read the username from the HTTP request so I can remove the user_id parameter from the signature of all webservices.

    I am trying to implement this process in Spring. I think I need to use the PRE_AUTH_FILTER from Spring security module. But I do not know if my idea is good?

    I did it:

    web xml
    Code:
    <filter>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <filter-mapping>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<url-pattern>/api/country/*</url-pattern>
    </filter-mapping>
    
    <context-param>
    	<param-name>contextConfigLocation</param-name>
    	<param-value>/WEB-INF/applicationContext-security.xml, /WEB-INF/applicationContext.xml</param-value>
    </context-param>
    applicationContext-security.xml
    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
    	    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	    xmlns:p="http://www.springframework.org/schema/p"
                xmlns:security="http://www.springframework.org/schema/security"
    
    	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    	<security:http use-expressions="true" create-session="stateless" auto-config="false" entry-point-ref="authenticationEntryPoint">
        	<security:intercept-url pattern="/api/login/*" access="permitAll"/>
        	<security:intercept-url pattern="/api/country/*" access="isAuthenticated()" />
        	<security:custom-filter position="PRE_AUTH_FILTER" ref="authenticationTokenProcessingFilter" />
        </security:http>
    
    	<bean id="authenticationEntryPoint" class="com.samples.spring.auth.ForbiddenAuthenticationEntryPoint" />
    
    	<bean id="userDetailsServiceImpl" class="com.samples.spring.auth.UserDetailsServiceImpl" />
    
    	<bean id="preAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    
        	<property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceImpl" />
    	</bean>
    
        <bean id="authenticationTokenProcessingFilter" class="com.samples.spring.auth.AuthenticationFilter">
    
            <property name="authenticationManager" ref="appControlAuthenticationManager" />
        </bean>
    
    	<security:authentication-manager alias="appControlAuthenticationManager">
        	<security:authentication-provider ref="preAuthenticationProvider" />
    	</security:authentication-manager>		
    
    </beans>
    What do you think, about my login process? Is it a good way to start to implement the token handling method?

    Thank you!
Working...
X