How to secure REST with Spring Security

Maria J. Danford

Securing world wide web programs is an inherently intricate proposition. Spring Safety features Java developers a effective framework for addressing this want, but that electrical power arrives with a steep understanding curve.

This short article features a concise survey of the important parts driving securing a Rest API with Spring Safety. We’ll establish a simple application that works by using a JSON Website Token (JWT) to retail store the user’s information and facts.

JWT is quick getting the regular technique to keeping auth information and facts due to the fact of its simplicity and compactness.

A simple safe Rest API

Here’s what we want our simple application to do:

  1. Supply a UI with a button that sends a ask for to a again-stop endpoint.
  2. Supply a username and password area for users to log in.
  3. If the API button is clicked and the person is not logged in, reject the endpoint call with a “HTTP 401 Forbidden” response.
  4. If the person is logged in, deliver them the response from the endpoint.

This simple application will show all of the parts required for using Spring with JWT to safe a Rest API. The total, operational edition of the instance application is listed here.

Just before we begin, I’ll give you a birds-eye overview, and then visit each file in the venture as soon as to emphasize the most significant elements.

The venture documents and structure are viewed in the red highlighted area of Figure 1.

jwt project files IDG

Figure 1. A simple safe Rest API venture.

The class documents associated in the sample application are stated below (joined to their sources).

  • The most important application file, designed by Spring Boot.
  • The implementation of TokenService, utilised by TokenAuthenticationService.
  • The world wide web controller that contains the secured endpoint.
  • NoRedirectStrategy: Utilized in to steer clear of Spring Security’s default redirection habits.
  • Responsible for configuring Spring Safety.
  • Responsible for checking for person auth details when secured means are requested. Applied by
  • Provided by to the AuthenticationManager to supply a way to get well the person in TokenAuthenticationFilter.
  • The token-based mostly implementation of UserAuthenticationService.
  • Utilized by TokenAuthenticationService to create and confirm JWT tokens. Applied by JWTTokenService.
  • A simple implementation of the Spring UserDetails interface. Utilized to maintain person details.
  • A middleware support. Utilized by to manage the small business logic of log-in and by TokenAuthenticationProvider to obtain users by token.
  • The world wide web controller that offers the log-in API.
  • An interface for obtaining users. Utilized by TokenAuthenticationService to get well the person by means of the token details.
  • The implementation of In this scenario, a simple assortment of users.

To continue to keep things as simple as possible and make it a lot easier to get your head all-around things, I have spurned Java most effective follow and place all of the lessons you will use in a single deal.

There is also an index.html file serving the simple front stop from /means/static.

The front stop with simple log-in ability

Spring Website will by default provide documents in the means/static folder. That is where the consumer lives in the kind of a compact index.html file. This will give you a sense of how a JavaScript front stop interacts with the server stability.

This simple index.html file lets the person to simply click a button and see the message returned from the secured endpoint. It also offers a simple log-in ability. You can see the JS for dealing with these interactions in Listing 1.

Listing 1. The secured API and login calls (index.html)

Listing 1 depends on two API endpoints: /open up/login and /secured. It works by using the final results of the login call to set the price of the token variable, and if the token is current, the secured call sends the token in the authorization header. The server will use that token to validate the user’s auth when the person accesses the safe endpoint.

The secured endpoint (

MyController is a simple Spring Website Rest mapping, as viewed in Listing two.

Listing two.

@GetMapping( "/secured" )
public String protectedEndpoint()
  return "Safeguarded Endpoint Reaction"

Observe that no stability wiring is current at the mapped route amount.

The file is the heart of the stability set up. Let’s begin there and go outward.

The class is annotated with @configuration and @EnableWebSecurity, which alerts Spring to the actuality that stability is active and that this class will implement configurations to it.

The bulk of that get the job done is performed in the configure() process viewed in listing 4.

Listing three. SecurityConfig.configure()

personal static closing RequestMatcher Public_URLS = new OrRequestMatcher(
    new AntPathRequestMatcher("/"), new AntPathRequestMatcher("/open up/**")
  TokenAuthenticationProvider provider
  personal static closing RequestMatcher Safeguarded_URLS = new NegatedRequestMatcher(Public_URLS)
  secured void configure(closing HttpSecurity http) throws Exception
      .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), Safeguarded_URLS)
      .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
  TokenAuthenticationFilter restAuthenticationFilter() throws Exception
    closing TokenAuthenticationFilter filter = new TokenAuthenticationFilter(Safeguarded_URLS)
    return filter

A several remarks on Listing three. The configure process works by using an Ant pattern matcher (Safeguarded_URLS) to permit requests to the static directory ("/") and everything after the ("/open up/") route to go through with out an auth look at. This suggests you can even now strike the /static/index.html file, and the log-in endpoint can be hosted at /open up/login.

Observe that the configuration also adds in provider, which is a TokenAuthenticationProvider, and a filter, which is taken care of by a TokenAuthenticationFilter. Observe that the filter goes in advance of the AnonymousAuthenticationFilter, which is aspect of Spring Safety.

The auth filter (

TokenAuthenticationFilter is liable for checking the requests that occur into the secured URLs. The get the job done is performed in Listing 4.

Listing 4. The filter logic

  public Authentication attemptAuthentication(closing HttpServletRequest ask for,
                                              closing HttpServletResponse response)
    closing String param = ofNullable(ask for.getHeader(AUTHORIZATION)).orElse(ask for.getParameter("t"))

    closing String token = ofNullable(param).map(price -> removeStart(price, "Bearer"))
      .map(String::trim).orElseThrow(() -> new BadCredentialsException("No Token Observed!"))

    closing Authentication auth = new UsernamePasswordAuthenticationToken(token, token)
    return getAuthenticationManager().authenticate(auth)

  secured void successfulAuthentication(closing HttpServletRequest ask for,
        closing HttpServletResponse response, closing FilterChain chain,
        closing Authentication authResult) throws IOException, ServletException
      tremendous.successfulAuthentication(ask for, response, chain, authResult)
      chain.doFilter(ask for, response)

Mainly, the filter pulls the token (the just one despatched by the front-stop JS) out of the authorization header. If it’s not there, an exception is elevated. If it’s there, it is handed off to the authentication manager, where it will sooner or later be taken care of by the TokenAuthenticationProvider you just saw in SecurityConfig.

Checking the token (

TokenAuthenticationProvider is in cost of recovering the person based mostly on the auth token. It has just a single process that delegates its get the job done to UserAuthenticationService, as viewed in Listing 5.

Listing 5. TokenAuthenticationProvider.retrieveUser()

UserAuthenticationService auth
  secured UserDetails retrieveUser(closing String username, closing UsernamePasswordAuthenticationToken authentication)
    closing Object token = authentication.getCredentials()
    return Optional.ofNullable(token).map(String::valueOf).flatMap(auth::findByToken)
      .orElseThrow(() -> new UsernameNotFoundException("Couldn't obtain person: " + token))

If the person is null, an exception is elevated. and

TokenAuthenticationService is the implementation that will be automobile-wired into TokenAuthenticationProvider. It provides the findByToken process utilised to retrieve the person.

TokenAuthenticationService is also where the log-in circulation arrives collectively with the authentication circulation. It offers the login() process utilised by the UserController. Both procedures are viewed in Listing 6.

Listing 6. TokenAuthenticationService procedures

  TokenService tokenService
  UserService users

  public Optional login(closing String username, closing String password)
    return users
      .filter(person -> Objects.equals(password, person.getPassword()))
      .map(person -> tokenService.newToken(ImmutableMap.of("username", username)))

  public Optional findByToken(closing String token)
    Technique.out.println("$$$$$$$$$$$$$$$$$$$$ token: " + token)
    return Optional
      .map(map -> map.get("username"))

Both procedures — findByToken and login — rely on TokenService and UserService. findByToken normally takes a token, then works by using tokenService to confirm its validity. If the token is great, findByToken works by using UserService to get the actual person item.

login does the reverse: It normally takes a person title, grabs the person with userService, verifies that the password matches, then works by using tokenService to create the token. and

JWTTokenService is the area where the actual JWT token is taken care of. It depends on the JJWT library to do the get the job done, as viewed in Listing seven.

Listing seven. JWTTokenService

    this.issuer = requireNonNull("infoworld")
    this.secretKey = BASE64.encode("")
  public String newToken(closing Map attributes)
    closing DateTime now =
    closing Promises claims =


    return Jwts.builder().setClaims(claims).signWith(HS256, secretKey).compressWith(COMPRESSION_CODEC)

  public Map confirm(closing String token)
    closing JwtParser parser = Jwts.parser().requireIssuer(issuer).setClock(this).setSigningKey(secretKey)
    return parseClaims(() -> parser.parseClaimsJws(token).getBody())

  personal static Map parseClaims(closing Supplier toClaims)
      closing Promises claims = toClaims.get()
      closing ImmutableMap.Builder builder = ImmutableMap.builder()
      for (closing Map.Entry e: claims.entrySet()), String.valueOf(e.getValue()))
      return builder.establish()
    catch (closing IllegalArgumentException

The JJWT library will make it quite quick to create, parse, and confirm JWT tokens. The newToken() process works by using to set a few of regular claims (issuer and issuedAt) and any other claims handed in as arguments. In the scenario of log-ins, this will have the person title. That suggests the person title is obtainable to deserialize later in the auth approach. At this level, the application could also add other claims like roles or explicit permission types.

Next Post

VMware’s new Tanzu platform aims to unify Kubernetes development

VMware has introduced the beta release of the new Tanzu Application System (Tap) to help organization developers establish and operate cloud-native programs on Kubernetes as a result of a unified regulate plane. This opinionated developer platform aims to carry jointly templated starting up details, reliable deployment processes, automatic security, and […]

Subscribe US Now