Veselin Pavlov

Reputation: 13

Is there a point to use method level security in spring if we secured the REST API from the configuration

I would like to ask if there is a point in securing the methods which I call in a REST controller with Pre and Post annotations. I have configured security through Java configuration like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()

        (...)

        .and()
        .authorizeRequests()
            .antMatchers("/api/**").hasAuthority("ROLE_USER");
}

So every request under /api should be authorized with ROLE_USER. I tried to find some information about this on the internet, but the only thing I could find was this: https://coderanch.com/t/549265/Spring/method-security-spring-security

However, I really can't think of a use case where a hacker would somehow access the methods in the service layer.

Upvotes: 1

Views: 1203

Answers (4)

devops

Reputation: 9187

REST is stateless. You should send something like an access token (like the Google API) with every request:

https://{server}/api/customers?access_token=BGhznFGDS

You can also send this information via a header attribute. The validation layer (a Filter) decides whether the controller method may be called or not.

I prefer to implement my own Filters to get 100% control.

Upvotes: 0

Serge Ballesta

Reputation: 148975

URL security and method security in the service layer aim at different use cases.

If all you need is to control that only users with a certain role can call URLs with a given prefix (here API), URL security is what you need, full stop.

If you have a complex application where some service methods can be called from different controllers and you want to make sure that you did not fail to restrict access, method security can help by ensuring that only valid users can do certain business actions.

If you have a complex security model, for example several offices with one manager in each who has read and/or write access to his own employees' data, method security on the service layer directly using business model objects is the way to go.

BTW, using method security in a controller, or even worse on a REST controller, is generally a design smell: if you can do it inside a controller it is generally better to use URL security. If it seems to make sense, you probably have imported business logic into a Fat Ugly Controller. Not to mention that method security is implemented with Spring AOP using JDK proxies by default, while controllers generally do not implement interfaces.

Upvotes: 3

Kalyan Pradhan

Reputation: 1475

Method level security is used to authorize the user. Spring Security performs two basic operations before allowing access.

  1. Authenticate (Who is the user)
  2. Authorize (What authorities the user has)

So, for example, if the user has the authority ROLE_USER and later in the architecture you decide to have rights assigned to some of the roles.

For example, let's consider a role 'ROLE_USER' and the following rights have been assigned to the USER:

  • CAN_VIEW_DATA
  • CAN_ADD_SUB_USERS and so on.

So when some of the users have the right CAN_ADD_SUB_USERS and some don't, then method level security comes in handy.

Of course you have to play with the Spring configuration for the rights and authorities. But once configured, it provides an extra level of security that the application might need.

Refer to this link for more info: http://www.baeldung.com/role-and-privilege-for-spring-security-registration

Upvotes: 0
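Putting Serge Ballesta's and Kalyan Pradhan's points side by side, here is an added example (not code from any answer above) in Spring Security 5.x style: the URL rule from the question next to service-layer @PreAuthorize rules that check a business object and the CAN_* rights. Employee, ManagerPrincipal, the officeId field and the CAN_* authority names are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Coarse, URL-level rule: everything under /api needs ROLE_USER (the question's setup).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/**").hasAuthority("ROLE_USER")
            .and()
            .formLogin();
    }
}

// Hypothetical business object: an employee record that belongs to exactly one office.
class Employee {
    private final long id;
    private final long officeId;
    Employee(long id, long officeId) { this.id = id; this.officeId = officeId; }
    public long getId() { return id; }
    public long getOfficeId() { return officeId; }
}

// Hypothetical principal type; SpEL resolves principal.officeId through this getter.
interface ManagerPrincipal { long getOfficeId(); }

@Service
class EmployeeService {
    // Fine-grained rule on the business object: the caller needs the CAN_VIEW_DATA right
    // and the employee must belong to the caller's own office. This is checked on every
    // call, whichever controller (or scheduled job) invoked the method.
    // Note: "#employee" needs parameter names at runtime (-parameters or debug info);
    // otherwise annotate the parameter with @P("employee").
    @PreAuthorize("hasAuthority('CAN_VIEW_DATA') and #employee.officeId == principal.officeId")
    public Employee view(Employee employee) { return employee; }

    // Right-based rule: ROLE_USER alone passes the URL filter but is not enough here.
    @PreAuthorize("hasAuthority('CAN_ADD_SUB_USERS')")
    public Employee addSubUser(Employee manager, long newId) {
        return new Employee(newId, manager.getOfficeId());
    }
}
```

Because the service is a class without an interface, it relies on CGLIB proxying (the default in Spring Boot); with plain JDK proxies the @PreAuthorize checks would silently not apply, which is the caveat Serge raises about controllers.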

Raedwald

Reputation: 48682

In addition to making some kinds of functionality possible, using both techniques gives an additional layer of security.

Upvotes: 0
