Spring Security REST Authentication:
One of the most searched terms on internet. Yes, I have searched a lot to accomplish a successful and well secured RESTful authentication. A lot of articles are available on internet regarding spring security, most of the articles are talking about the advanced technology behind it, but none of them explained the basic workflow of it. After searching for almost 2-3 weeks, Finally I have got a blog link for the entire code to achieve what I want, though, the explanation was not quite understandable. If you can understand just by looking at the code, you can copy paste the below code straight away. Users who prefer to understand the work flow nature of spring security REST authentication, please see the below picture. Its better to explain concepts using pictures rather than writing 1000 of words.
Let me list out the names of all classes we need
1) RESTAuthenticationFilter.java
2) RESTAuthenticationToken.java
3) RESTCredentials.java
4) UserSecurityServiceImpl.java
5) UserSecurityService.java
6) UserSecurityRepository.java
7) UserSecurityRepositoryImpl.java
8) RESTUser.java
9) HMacShaPasswordEncoder.java
10) RESTDaoAuthenticationProvider.java
11) UserNotFoundException.java
12) NoRedirectStrategy.java
Above diagram shows the basic authentication flow of spring security. It all begins with a user who tries to login to a secured system. For example, lets take a simple url ( http://localhost/web-app/secured/payment) We are going to let only users who have the right permission/role to access secured urls. In that URL, "web-app" is the context-name and "/secured" is the relative url prefix mapped to DispatcherServlet. Whevever a url request hits the server with "/secured" as its relative prefix, DispatcherServlet handles/process the request. Put the below code in web.xml to create url-mapping.
Web.xml
Before this request is handed over to Spring controller and DispatcherServlet, we have to make sure the user has the rights/authority/permission to access this particular page. To bring authentication in to play, Enable spring security filter in web.xml and map spring security filter to this url-mapping (.../secured/...) in applicationContext-security.xml to intercept the secured url calls. Use the below code
web.xml
applicationContext-security.xml
The above tag applies spring security to all urls begins with "/secured" as their relative path. Now, no one can access secured urls without proper authentication.
The above are the basic config tags that you must apply to implement any authentication scheme offered by spring. Lets take a look at some of the new bean instance references shown in applicationContext-security.xml (forbiddenEntryPoint and defaultRestAuthenticationFilter).
forbiddenEntryPoint: When a user tries to access a protected url without proper authentication details, display forbidden message ( httpstatus 405 ).
defaultRestAuthenticationFilter: As shown in the diagram, its the entry point for all url requests. This is the place where all secured url authentication is validated. This filter extracts the token, signatures and salt parameter and validates the authentication details. If the url has all the required authentication details, then it is passed on to the next spring security filter chain and finally to the actual spring controller. In our case its "payment" controller. Take some time to understand the below code, you can find a few new bean references.
applicationContext-security.xml
Authentication Manager processes an authentication request. As shown in the diagram above, Authentication Filter passes an authentication object to Authentication Manager and finally returns a fully populated authentication object(including granted authorities ) if successful.
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/AuthenticationManager.html. AuthenticationManager is a kind of wrapper class, It can support multiple AuthenticationProviders.
AuthenticationProvider is where the core authentication details validation logic is defined. It has retrieveUser(......) delegate method that takes username and UsernamePasswordAuthenticationToken as params and returns UserDetails instance which includes GrantedAuthority if successful.