We have a Spring web application created using Spring MVC 3.0. In the same application, we have created RESTful web services using Spring's REST API.
Now we need to secure those web services. How do we do this in Spring? Can we use Spring Security for this? If not, what are the other options?
Thanks.
It really depends on the level of security you want to impose. You could just use simple web.xml based access control with realms, usernames and passwords.
Security of your web services is another matter. From the Spring Security FAQ:
Web applications are vulnerable to all kinds of attacks which you should be familiar with, preferably before you start development so you can design and code with them in mind from the beginning. Check out the OWASP web site for information on the major issues facing web application developers and the countermeasures you can use against them.
Spring Security is certainly an option. It is, for the most part, easy (nowadays) to integrate with Spring and has a flexible authentication module.
You should also consider Apache Shiro. A comparison to Spring Security question has already been answered - Shiro vs. SpringSecurity and Shiro also integrates nicely with Spring.
There are also some other questions already answered on this topic - How to secure a service REST with spring3? and Looking for a Simple Spring security example
I do not think there is a definitive answer to the question in its current form, but I hope this helps all the same.
We are going to start a project that will mostly rely on services. Is it better to start with the Symfony2 REST edition or the standard one? Or is that just a starting composer file, so it's not very important at all?
You should just use the normal Symfony2 version. There's no reason to take the Symfony2 REST Edition if you don't want to create a REST service. From what I understood from your question, your web application simply relies on services. Your web application itself is NOT a REST service from what I understood.
We are developing RESTful web services using Spring MVC 3.x. I am wondering what is the best way to implement Basic Auth. Note that we do not want to use Spring Security. We just want to use regular Basic Auth.
Each request should be authenticated. No state maintained. It's regular u/p authentication and the credentials are validated against the database.
I was thinking of using Interceptors. So every request to the server will first go through the interceptor. Is this the best practice?
I am not sure about filters. Is this the same as interceptors?
Any other better way to implement this? What is industry standard for this implementation?
What are the use cases for interceptors / filters, if these two are different?
Thoughts?
Thanks much!
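One way to do stateless Basic Auth without Spring Security is a servlet Filter, which runs before the DispatcherServlet (a Spring HandlerInterceptor runs inside it, after handler mapping). This is an added example, not code from the question or from Spring; it assumes Java 8+ for java.util.Base64 and a hypothetical CredentialStore standing in for the database check.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Stateless HTTP Basic authentication as a servlet Filter: no session, every request re-checked. */
public class BasicAuthFilter implements Filter {

    /** Hypothetical credential check backed by the database; not part of the question. */
    public interface CredentialStore {
        boolean verify(String username, String password);
    }

    private final CredentialStore store;

    public BasicAuthFilter(CredentialStore store) { this.store = store; }

    /** Parses "Basic base64(user:pass)"; returns {user, pass}, or null when the header is malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64: treat as absent credentials, do not throw
        }
        int colon = decoded.indexOf(':'); // split at the FIRST colon: passwords may contain ':'
        if (colon < 1) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null || !store.verify(creds[0], creds[1])) {
            // Same 401 for missing, malformed and wrong credentials, so callers learn nothing extra.
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response); // credentials accepted; hand off to Spring MVC
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Because the filter needs a Spring-managed CredentialStore, register it in web.xml through Spring's DelegatingFilterProxy rather than directly, so the bean is injected; Basic credentials travel in clear text, so the endpoint must be served over HTTPS.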
I'm writing a RESTful service using Jersey and Spring 3 (including spring-security), and trying to figure out how to implement authentication and authorization.
I'm new both to jersey and to Spring so it's all a bit confusing...
Users and their roles are defined in DB. (and not defined in the web.xml or in tomcat-users)
Here are my thoughts about the Authorization part:
Since my service shouldn't necessarily serve web apps, the authorization should be done on the REST resources (and not on pages). How do I do this? I saw there's a @RolesAllowed annotation, but it seems too simple; I need more logic. I think I have to somehow activate Spring Security from there to use the authorization capabilities they offer.
Any suggestions as to how to do this?
For the Authentication part it seems I should use Spring Security's AuthenticationManager and SessionManagement, but I'm not sure how to connect it to the REST API:
1. How should the API that gets the authentication request look?
2. If Spring handles my sessions, how can I add the authorization on my REST resources?
I'd really appreciate if you could help me clear up things...
Thanks!
Sorry, but if you're at that early stage with your Spring Security know-how, I must suggest you work through the excellent tutorial first. I'm sure your questions will be answered automatically and you'll learn a lot of valuable stuff along the way.
I am looking for a robust REST framework to eliminate all that boilerplate code with starting up a new REST-only web service (mobile clients). Is there a framework that already has this built-in where I could, for example, simply build the domain models and run with it? I would like to see:
Authentication & User Model
Logging
Basic CRUD
Permissions (for model access)
Scalability
It seems every web service at a minimum needs the above capabilities. Somebody, somewhere must have written a good re-usable framework with the above capabilities. Any ideas? I would prefer Node.js, Java or even hosting with a PaaS service provider that offers these features.
Spring 3 MVC provides a very nice and simple annotation-based framework for REST.
See http://blog.springsource.org/2009/03/08/rest-in-spring-3-mvc/; it can be deployed on any Java web server like Jetty or Tomcat.
A framework like XAP provides a combined solution of Spring and Jetty plus it's built for dynamic scaling.
See http://www.gigaspaces.com/xap.
Lastly, if you want to easily onboard this solution on any cloud, CloudifySource provides an open source project which includes XAP capabilities and PaaS.
See http://www.cloudifysource.org
I use Symfony 1.4 for this. It is a PHP framework. It generates most of what you need for free. The database stuff is also quite easy as Symfony uses ORM libraries (you can choose, but I can recommend Doctrine: http://www.doctrine-project.org/).
For example, generating the whole backend site (admin) is a matter of running one command. They have a great e-book for free. More info here: http://www.symfony-project.org/.
There is also Symfony 2.X (http://symfony.com/), which has a lot of new features (e.g. the new Doctrine 2.0). Especially with the bundle (plugin) https://github.com/FriendsOfSymfony/FOSRestBundle, the RESTful service is quite easy.
I'm an experienced client application developer (C++/C#), but need to come up to speed quickly on writing server side code to perform RESTful interactions. Specifically, I need to learn how to exchange data with OpenSocial containers via the RESTful API.
The RESTWiki is a very good resource and then there is the classic "How I explained REST to my Wife".
However, don't forget to go read about it directly from the source, it is not as difficult a read as it may first seem.
And I am assuming you will be doing REST over HTTP so this will come in very handy.
Lastly, considering OpenSocial supports the Atom Publishing Protocol, this will be useful.
Enjoy.
RESTful Web Services
I found this to be a good introduction to RESTful web apps, although it doesn't refer to OpenSocial containers.