-1

I am building a REST API with Spring Boot and I use Spring Security. I started here but found some other tutorials and blog posts with this issue and managed to get it to work after implementing custom stuff. This and this SO posts answer some of my questions, but I have one more:

Is there any extension that implements some of the things like a REST AuthenticationEntryPoint that returns 401 instead of a redirect, or JWT generating and verifying, or should I just implement the same things for every REST service?

Thank you for your answers.

brownies

2 Answers

0

I also use Spring Boot, but for security I rely on the Apache Shiro project which, fundamentally, depending on how you store the user accounts (mine are in a MongoDB instance),

  • takes care of the login - currentUser.login(token);
  • If it fails, it throws an exception so you can handle the response
  • If it succeeds, it injects the authentication cookie in the response
  • For any other request, it decodes the cookie and injects the user with the proper authorizations

In a few words, Shiro does not redirect the HTTP request because it only cares about security, leaving further decisions, the redirect in your case, to your controller logic. You can add it to your project with a simple Maven dependency.

user2688838
0

@brownies..... try this one....

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

// Invoked by Spring Security when an unauthenticated request reaches a protected resource.
@Component
public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
        // Answer with 401 instead of redirecting to a login page.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}
```

```java
// Inside the security configuration class (the one extending WebSecurityConfigurerAdapter).
// Needs: import org.springframework.beans.factory.annotation.Autowired;
@Autowired
private RESTAuthenticationEntryPoint restAuthenticationEntryPoint;

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.cors().and()
        .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint).and()
        .authorizeRequests()...... // the rest of the chain is elided in the answer
```

Add the above RESTAuthenticationEntryPoint and config to your security configuration class; then it will return 401 if auth fails.

kumar
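A variation on the entry point from the answer above, added here as an example and not taken from either answer: it sets the status and a fixed JSON body directly instead of calling `sendError`, which hands the response to the container's error-page handling (in Spring Boot, the `/error` endpoint), and it also covers the 403 case. The class name `JsonSecurityErrorHandler`, the JSON body shape and the `Bearer` challenge (which assumes token-based authentication such as JWT) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

// Hypothetical class: one handler for "not authenticated" (401) and "not allowed" (403).
@Component
public class JsonSecurityErrorHandler implements AuthenticationEntryPoint, AccessDeniedHandler {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // A 401 response must carry a challenge (RFC 7235); "Bearer" is an assumption
        // that fits token-based APIs. Use "Basic realm=..." for HTTP Basic instead.
        response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
        write(response, HttpServletResponse.SC_UNAUTHORIZED, "unauthorized");
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException {
        // Authenticated but lacking the required authority: 403, no challenge header.
        write(response, HttpServletResponse.SC_FORBIDDEN, "forbidden");
    }

    // Only fixed strings reach the client: the exception message is never echoed,
    // so the body does not reveal why authentication failed.
    private static void write(HttpServletResponse response, int status, String error)
            throws IOException {
        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setHeader(HttpHeaders.CACHE_CONTROL, "no-store");
        response.getWriter().write("{\"error\":\"" + error + "\"}");
    }
}
```

Register the same bean for both roles in the `configure(HttpSecurity)` method, with `exceptionHandling().authenticationEntryPoint(handler).accessDeniedHandler(handler)`.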