
I have a Spring REST application, and I'm thinking about what type of security to use. I'm considering between two options:

  1. Spring Security with OAuth2
  2. Spring Security with JWT like here https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java
  3. Any other option?

It must be good and secure enough for nowadays. The application is going to be a simple service or a few small services. As a database I'm using MongoDB (it probably doesn't matter).

Maybe someone has some pros and cons of each type, or any other suggestions on what to use.

Orest

1 Answer


First of all, both your points are the same, and point #2 is incorrect: JWT is only a token format and not an actual security mechanism, so the two can't be compared.

The OAuth2 server is the one that will generate a token for you, either in JWT or non-JWT format; that is your choice.

I am not sure about all the technologies out there, but if you go by popularity, OAuth2 as the Authorization Server and JWT as the token format are quite popular.

Application / API security means lots of things, and authentication plus authorization prevents lots of attacks. Obviously, not everything is a developer concern, and most of it goes to infrastructure or security teams.

Flow

  1. Set up an authentication mechanism.
  2. Set up an authorization mechanism (OAuth2) connected to the same user source as the authentication mechanism. From here, you will get a token in JWT or non-JWT format. Getting a token in JWT format has advantages that you can read on
  3. Now set up a mechanism in your API project (usually filters) to parse and validate the JWT token. Requests without valid tokens would be declined. This will force your clients to first authenticate themselves and retrieve a valid token to use your APIs.
  4. You can set up a few more security measures in your API using Spring Security, e.g. against XSS attacks, cross-domain requests, etc.

Sabir Khan