Itai Sagi

Reputation: 5615

Authentication in Spring MVC via REST

I've been looking for a way to authenticate a user via REST controller (URL params). The closest thing to do so is the following:

import org.apache.log4j.Logger;
import org.json.JSONException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping(value="/api/user")
public class UserController extends BaseJSONController{

    static Logger sLogger = Logger.getLogger(UserController.class);

    // 'response' (a JSONObject) is assumed to be a field inherited from BaseJSONController,
    // and MyCellebriteAuthenticationProvider is a custom AuthenticationProvider; neither is shown here.
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public @ResponseBody String login(@RequestParam(value="username") String user, @RequestParam(value="password") String pass) throws JSONException {
        // Unauthenticated token carrying the submitted credentials
        Authentication userAuth = new UsernamePasswordAuthenticationToken(user, pass);
        MyCellebriteAuthenticationProvider MCAP = new MyCellebriteAuthenticationProvider();

        // Note: the standard AuthenticationProvider contract throws AuthenticationException on bad
        // credentials rather than returning null; this check relies on the custom provider's behaviour.
        if (MCAP.authenticate(userAuth) == null){
            response.put("isOk", false);
        }
        else{
            // Manually stores the (still unauthenticated) token in the thread-local security context
            SecurityContextHolder.getContext().setAuthentication(userAuth);
            response.put("isOk", true);
            response.put("token", "1234");
        }
        return response.toString();
    }

}

However, this doesn't create a cookie. Any idea or a better way to implement what I want to achieve?

Upvotes: 3

Views: 2874

Answers (1)

Maciej Ziarko

Reputation: 12084

Firstly, you should not do this manually:

SecurityContextHolder.getContext().setAuthentication(userAuth)

It is better to employ a special filter responsible for authentication, setting the security context and clearing it after the request is handled. By default Spring Security uses thread locals to store the security context, so if you don't remove it after the client invocation, another client can be automatically logged in as someone else. Remember that server threads are often reused for different requests by different clients.

Secondly, I would recommend using basic or digest authentication for your RESTful web service. Both are supported by Spring Security. More in the docs: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/basic.html

And finally, remember that a RESTful web service should be stateless.

Also remember that Spring Security documentation is your friend. :-)

Upvotes: 3
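The approach the answer recommends, as an added example (not code from the asker or the answerer): a Spring Security 3.1 namespace configuration that lets the filter chain handle HTTP Basic authentication and clear the thread-local context after each request, with the asker's custom provider wired in as a bean. The bean id, the package name and the /api/** URL pattern are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: replaces the manual SecurityContextHolder call in the controller
     with the standard Spring Security filter chain (namespace config, 3.1.x). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- create-session="stateless": no HttpSession is created or consulted, so no
         JSESSIONID cookie is issued and nothing is remembered between requests.
         SecurityContextPersistenceFilter still clears the thread-local context
         when each request finishes, so a reused thread never leaks a principal. -->
    <http create-session="stateless" use-expressions="true">
        <!-- Every call under /api/** must carry credentials; a /login endpoint
             that hands out a token is no longer needed. -->
        <intercept-url pattern="/api/**" access="isAuthenticated()" />
        <!-- BasicAuthenticationFilter parses the Authorization header, delegates to
             the authentication manager and answers 401 with a WWW-Authenticate
             challenge when the credentials are rejected. -->
        <http-basic />
    </http>

    <!-- The custom provider becomes a managed bean instead of being instantiated
         inside the controller. The package name is a placeholder. -->
    <beans:bean id="myCellebriteAuthenticationProvider"
                class="com.example.security.MyCellebriteAuthenticationProvider" />

    <authentication-manager>
        <authentication-provider ref="myCellebriteAuthenticationProvider" />
    </authentication-manager>
</beans:beans>
```

With this in place the controller no longer touches SecurityContextHolder to log in; it only reads the current principal (for example via a java.security.Principal method parameter). Basic sends the password base64-encoded on every request, so the endpoints must be served over TLS.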
