I am trying to get spring-boot-starter-security to work along with spring-boot-starter-web and spring-boot-starter-tomcat. I tried following the guides from spring-boot-sample-secure and spring-boot-sample-web-secure; however, I did not get it to work.

I am trying to build a REST application without any UI interactions. Hence I found both samples are not fully suitable for my purpose. Currently my solution uses AOP.

ControllerMonitor.java:

```java
import static org.springframework.util.StringUtils.isEmpty;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Aspect @Component // registered as a bean so Spring AOP (spring-boot-starter-aop) can proxy the controllers
public class ControllerMonitor {
    // Only matches controller methods whose first argument is the 'authorization' header value.
    @Before("execution(* my.zin.rashidi.openshift.tomcat.controller.*.*(..)) && args(authorization, ..)")
    public void authenticate(String authorization) {
        if (!isEmpty(authorization)) { // only the presence of the header is checked, not its value
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken("user", "N/A",
                            AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"))
            );
        }
    }
}
```

UserController.java:

```java
import static org.springframework.http.HttpStatus.OK;
import static org.springframework.http.HttpStatus.UNAUTHORIZED;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.web.bind.annotation.*;
@RestController
public class UserController {
    @Autowired
    private UserService service; // the asker's own service (type name assumed); its methods carry @Secured
    @RequestMapping(method = GET)
    public ResponseEntity<User> get(@RequestHeader String authorization, @RequestBody User user) {
        HttpStatus status = OK;
        User returnObject = null;

        try {
            returnObject = service.get(user); // @Secured check runs here against the context set by the aspect
        } catch (AuthenticationCredentialsNotFoundException e) {
            status = UNAUTHORIZED;
        }

        return new ResponseEntity<User>(returnObject, status);
    }
}
```

The solution is working for me. However, I would like to know if this is a good solution. I'm curious if there is a better solution.

Thanks in advance for your help!

Rashidi Zin
  • It's not really clear what you achieved with that. Is it an authentication endpoint? Why did you need AOP? Does the client have to send a cookie to authenticate the other requests, so you use Spring Security to manage those? – Dave Syer Jul 20 '14 at 06:33
  • Hi Dave Syer. Client will be sending 'authorization' in the header for each request. AOP will validate the authorization, in this case just making sure it is not empty, before proceeding to process the request. I am using Spring Security to store user's role and making use of @Secured in the service class. – Rashidi Zin Jul 20 '14 at 10:48
  • Also regarding what I'm trying to achieve. I'm trying to do something similar to spring-boot-secure-sample but for web. There are no UI interactions and the client will be authenticated at each request. – Rashidi Zin Jul 20 '14 at 10:55
  • It's not clear to me how a request to a different controller than the `UserController` would be authenticated then. There is even one method in the `UserController` itself that doesn't match the pointcut. So anyone can create a new user in your system? – Dave Syer Jul 20 '14 at 15:17
  • I haven't created other controllers, but my plan is to store them in the same package and their parameters will start with `authorization` as well. You're right. Anyone can create a user. – Rashidi Zin Jul 20 '14 at 21:08
  • OK, it's your choice. I wouldn't want to add an optional parameter to every controller method, and because it's optional the risk of forgetting is quite high. You asked for an opinion, and I think a better solution is to use a more normal Spring Security approach with a filter (standard basic auth if that's good enough, or maybe a custom filter like a pre-auth, for instance, if it doesn't meet your needs). – Dave Syer Jul 20 '14 at 21:55
  • Thank you Dave Syer! I will look into that :-) – Rashidi Zin Jul 20 '14 at 23:17
  • Also if you don't mind can you post your opinion as an answer? – Rashidi Zin Jul 20 '14 at 23:18

1 Answer

I wouldn't want to add an optional parameter to every controller method, and because it's optional the risk of forgetting is quite high. You asked for an opinion, and I think a better solution is to use a more normal Spring Security approach with a filter (standard basic auth if that's good enough, or maybe a custom filter like a pre-auth, for instance, if it doesn't meet your needs). You get http basic security out of the box in a Spring Boot app, so you don't really need to do anything at all to get started.

Dave Syer
  • "You get http basic security out of the box in a Spring Boot app, so you don't really need to do anything at all to get started", I must have missed this somewhere. Is there a URL I can refer to? – Rashidi Zin Jul 21 '14 at 07:29
  • Docs link: http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#boot-features-security – Dave Syer Jul 21 '14 at 11:35
  • You can also ask the user for the credentials and set them dynamically once the server starts (very effective when you need to publish the solution on a customer environment); check this code sample: https://stackoverflow.com/a/47526134/6792588 – Naor Bar Nov 28 '17 at 07:29
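As an added example (not code from the question or the answer), this is the filter-based configuration the answer recommends: HTTP Basic handled by Spring Security's filter chain, stateless so no session or cookie is involved, and method security switched on so the `@Secured` service methods keep working. It assumes the Spring Boot 1.x / Spring Security 3.2 API that was current when this thread was written; the class name and the in-memory user and password are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Replaces the AOP aspect from the question. Every request to every controller
 * passes through the Spring Security filter chain, so no controller method has
 * to remember to declare an 'authorization' parameter and nothing is left open.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // keeps @Secured on the service layer in effect
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Pure REST client, no browser session: no CSRF token exchange is possible,
            // and the client re-sends its credentials with every request, as the question wanted.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Every endpoint requires an authenticated caller; nothing is open by default.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // BasicAuthenticationFilter validates the Authorization header; a missing or wrong
            // header is answered with 401 by the filter, so the controller needs no try/catch.
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Placeholder in-memory user (constructed for this example); back this with a real user store.
        auth.inMemoryAuthentication()
            .withUser("user").password("change-me").roles("USER");
    }
}
```

With Spring Security 5 the password must go through a PasswordEncoder (for a demo user the `{noop}` prefix), and from 5.7 onward `WebSecurityConfigurerAdapter` is deprecated in favour of a `SecurityFilterChain` bean; the filter-chain idea itself is unchanged.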