spring-guides / getting-started-guides

Getting Started Guide template :: The template for new guides and also the place to request them.
https://github.com/spring-guides/getting-started-guides/wiki
Apache License 2.0

gs-securing-rest-api Spring Security Stateless session creation policy example #10

Closed gunayus closed 9 years ago

gunayus commented 9 years ago

This guide walks you through the process of creating a simple REST API application with resources that are protected by Spring Security's STATELESS session creation policy.

You'll build a Spring REST API application that secures the API services with a pre-authenticated access token backed by a fixed list of users.
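The setup the issue describes (STATELESS session policy plus a pre-authenticated token checked against a fixed user list), as an added illustration that is not the submitted guide's code: the `X-Auth-Token` header name, the `TokenFilter` class and the token values are assumptions, and the `WebSecurityConfigurerAdapter` style matches the Spring Security generation the thread dates from.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class StatelessTokenSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed token-to-user mapping (placeholders, not real credentials).
    // A deployment would issue random, expiring tokens and store them server-side.
    private static final Map<String, String> TOKENS = Map.of(
            "token-for-alice-PLACEHOLDER", "alice",
            "token-for-bob-PLACEHOLDER", "bob");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // no session cookie is ever issued, so no cookie-based CSRF surface
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .addFilterBefore(new TokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    // Reads the X-Auth-Token header; a known token authenticates the current request only,
    // since STATELESS means nothing is written to or read from an HttpSession.
    static class TokenFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                        FilterChain chain) throws ServletException, IOException {
            String token = req.getHeader("X-Auth-Token");
            String user = token == null ? null : TOKENS.get(token);
            if (user != null) {
                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                        user, null, AuthorityUtils.createAuthorityList("ROLE_USER")));
            }
            chain.doFilter(req, res); // absent or unknown token: request stays anonymous and is rejected
        }
    }
}
```

Because the filter is instantiated inline rather than declared as a bean, Spring Boot does not also register it as a plain servlet filter outside the security chain.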

gregturn commented 9 years ago

@egunay We have taken a look at your newly submitted guide. There are some technical aspects of bigger importance we have to consider.

It appears that x-auth, a solution created by Twitter for mobile clients since oauth1 was too heavyweight, is being replaced with oauth2 in the industry. Spring Security OAuth2 is meant to address this. Another that might have overlap (or not) is Spring Session.

The solution you have crafted predates both of these and works quite well. But we more likely would like to have a guide showing how Spring interacts with solutions more widely adopted. Spring Security OAuth2 is a bit cumbersome, but it might be simplified in the coming months. Spring Session's GA target date is sometime in November. It is probably best if we revisit this guide in that time frame, and assess the state of those projects then, and if we can adjust the guide to use them instead.

/cc @rwinch @habuma @dsyer

dsyer commented 9 years ago

I agree that this is only one of a class of solutions, and not a "standard" one at that. It's very handy, and quite easy to implement, as is obvious from the code here. It probably doesn't deserve to be promoted ahead of the others though, so I would prefer to make this content part of a bigger "guide" and include some other options as well.

Even this content (while excellent) is arguably a little long for a Getting Started Guide on its own. I could slim it down a bit maybe, but it would be better in a longer piece IMO. Do we still do "Tutorials"?

gregturn commented 9 years ago

@royclarkson has a good example using spring security oauth2 at https://github.com/royclarkson/spring-rest-service-oauth.

gregturn commented 9 years ago

Based on the discussion of this issue, I plan to delete the related guide soon.

gregturn commented 9 years ago

Done