1

I have a spring boot back-end server application that implements basic authentication over https. Will not have a traditional web based front end, rather my android and IOS clients will be using Rest API calls.

The backend application is currently validating the username and password information received and is responding with the correct status messages (401, 200). Can I use spring boot session to have the user login at the start of the session and then use the session value for each subsequent rest api call for that session?

Realize this question is similar to [Spring boot rest security with android and ios but that question did not seem to cover caching and using the session value received for all additional Rest API calls for the session. Do I pass the session value as a parameter in Rest put and post API commands? Goal is to have the application verify the user is registered and validate their credentials before accepting additional rest put and post commands.

I did read the spring.io documentation but did not find this topic covered. Somewhat new to Spring boot.

Michael Petch
  • 46,082
  • 8
  • 107
  • 198
geezer57
  • 17
  • 1
  • 9
  • Why not simply pass the credentials for each request, or pass a [JWT](https://jwt.io/) instead of relying on a session ID. That would keep things stateless, and trivial to distribute the load to multiple servers. – JB Nizet Oct 31 '17 at 23:23
  • It's possible that the mobile application could be posting more that 30 records x 2 tables. Validating the user for each post has to impact performance, no? – geezer57 Oct 31 '17 at 23:36
  • It should, yes. But a JWT shouldn't, and has many advantages over a session. – JB Nizet Oct 31 '17 at 23:38

1 Answers1

7

You can use session based authentication and token based authentication. When using session based authentication after successful login it creates a session(with limited time) in spring security context and also returns a cookie named JSESSIONID(default name) to client in response. For example:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=301225C7AE7C74B0892887389996785D; Path=/auth/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 90
Date: Tue, 1 Nov 2017 01:19:38 GMT

Client needs to keep this cookie and for each request needs to set this cookie(JSESSIONID) to request for to be able to request as logged user(Until session expire).As client you can use Postman for testing or you can do it programmatically using Jersey client or one of HttpClients. you can check sending cookie with postman from this link.
Also you can check how cookie domain works from this link . Checking this request is authenticated or not we can use just Principal or httpServletRequest reference as below :

@RequestMapping(value = "/username", method = RequestMethod.POST)
@ResponseBody
public String loggedUserName(Principal principal) {
    return principal.getName();
}

@RequestMapping(value = "/username1", method = RequestMethod.POST)
@ResponseBody
public String loggedUserName1(HttpServletRequest request) {
    Principal principal = request.getUserPrincipal();
    return principal.getName();
}

if you debug /username1 endpoint you will be able see that cookie is set to request correctly or not ,when not set correctly probably you will get problem related anonymous user.

Second way you can use token based authentication using JWT(Json Web Token). It works as stateless over tokens.example of response :

{
"token_type": "Bearer",
"expires_in": "3599",
"resource": "qwd636-27bso-joiue9-ee",
"access_token": "eyJ77hqggqDd3DctNDFjMS05MjE2LWNiYjEw"

}

And for every request you can check request validity using access and refresh tokens.

Boolean isValidToken = jwtTokenUtil.validateToken(token, principal.getUsername());

Hope it helps!

Samir
  • 655
  • 5
  • 14