spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SEC-2936: Rest API Authentication support #3144

Open spring-projects-issues opened 9 years ago

spring-projects-issues commented 9 years ago

raintung (Migrated from SEC-2936) said:

The REST API does not look like it supports authentication. For a REST API it is common usage to authenticate easily without requiring a session; every API call needs to authenticate again, e.g. token authentication.

I don't find any web filter that can support the REST API. Was it customized?

I think it should be a standard filter in Spring web security. Please correct me if I am wrong or missed something.

spring-projects-issues commented 9 years ago

Rob Winch said:

Please see http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-rest and http://docs.spring.io/spring-session/docs/current/reference/html5/guides/rest.html

spring-projects-issues commented 9 years ago

raintung said:

I don't see any authentication in the doc for the REST API. Could you give a simple example?

spring-projects-issues commented 9 years ago

Rob Winch said:

Please read the second link I provided. Specifically: http://docs.spring.io/spring-session/docs/current/reference/html5/guides/rest.html#exploring-the-rest-sample-application

spring-projects-issues commented 9 years ago

Rob Winch said:

Actually it is probably better to refer to http://docs.spring.io/spring-session/docs/current-SNAPSHOT/reference/html5/guides/rest.html#exploring-the-rest-sample-application since the previous link has a formatting error.

spring-projects-issues commented 9 years ago

raintung said:

It seems not to be what I wanted. For example: http://localhost:8080/restapi/createuser?token=xxxxrrrr&username=test

It doesn't require the username/password at first, and there is no need to log in to the site. The server just authenticates whether the token is valid; also the token has encrypted the username, so I can get it from the token. If the token is valid, it can authorize the privilege (admin) for the username. Only admin privilege can access the URL: /restapi/createuser

Every time the token parameter will be delivered, so SecurityContextPersistenceFilter looks like it isn't needed. Does the Spring Security framework (web module) have this function?

spring-projects-issues commented 9 years ago

Rob Winch said:

The server just authenticates whether the token is valid; also the token has encrypted the username, so I can get it from the token

Encrypting a token does not guarantee its authenticity. Please see Exploiting encrypted cookies for fun and profit. More generally, having no state is a bad thing when it comes to security. See my talk on The State of Securing RESTful APIs with Spring.
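An added illustration of the authenticity point above (example code, not from this issue or from Spring Security): a token that carries the username and role in the clear but is protected by an HMAC-SHA256 tag, verified in constant time before any claim is used to authorize /restapi/createuser. The key, user names and the fixed clock value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, role, now, ttl=3600):
    """Build '<payload>.<tag>': claims stay readable; the HMAC tag proves they are unmodified."""
    claims = {"sub": username, "role": role, "exp": now + ttl}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"

def verify_token(token, now):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Authenticity first, compared in constant time, before any claim is trusted.
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        claims = json.loads(_b64d(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):  # malformed token, bad base64/JSON, odd types
        return None

def authorize_create_user(token, now):
    """Status /restapi/createuser returns: 401 bad or expired token, 403 not admin, 200 ok."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    return 200 if claims.get("role") == "admin" else 403

def tampered_copy(token, role):
    """Negative-test helper: rewrite the readable role claim but keep the original tag."""
    payload, tag = token.split(".")
    claims = json.loads(_b64d(payload))
    claims["role"] = role
    return f"{_b64e(json.dumps(claims, separators=(',', ':')).encode())}.{tag}"
```

Because the role is readable, a tampered copy with the role rewritten to "admin" still fails verification: the tag no longer matches, so the request is treated as unauthenticated rather than elevated.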