Arian

Reputation: 7719

Spring boot Restful API: Simple authentication

I'm writing Restful API endpoints using Spring boot. I want to create login/logout functionality. I don't want to use Spring boot default login page.

From my understanding, a simple and secure way to do so, is:

  1. Client provides server with username and password
  2. Server sends back an authentication code, which the user can use for subsequent calls to the API endpoints
  3. The authentication code is valid until the user logs out or a certain amount of time passes

Is there any conventional name for this method of authentication?

I don't want to use the Spring boot login page. Does Spring boot have any other default implementation for this authentication method? If yes, where does it store the authentication code? Does it store it in memory?

Upvotes: 3

Views: 1721
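The three-step flow described in the question, as an added example that is not part of the original post and not Spring Boot code: an opaque bearer token is minted at login and kept in a server-side map, which is the "stored in memory" variant the question asks about. Python is used instead of Spring so the mechanism itself is visible; the user table, the server secret, the 15-minute TTL and the `login`/`authenticate`/`logout` names are all constructed for this illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo secret and user table. In production the password
# verifier would be a real KDF (bcrypt/argon2); a keyed SHA-256 stands in
# here only so the example runs without extra dependencies.
_SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
_USERS: Dict[str, bytes] = {
    "alice": hmac.new(_SERVER_SECRET, b"correct horse", "sha256").digest(),
}
# Compared against for unknown users so a lookup miss costs the same time.
_DUMMY_DIGEST = hmac.new(_SERVER_SECRET, b"", "sha256").digest()

TOKEN_TTL_SECONDS = 900  # assumed: a token is good for 15 minutes


@dataclass
class Session:
    username: str
    expires_at: float


# Step 3 of the question: issued tokens live in server memory, so a token is
# valid exactly until it is removed (logout) or its expiry passes. A restart
# forgets every session, and a second server instance cannot see this map.
_SESSIONS: Dict[str, Session] = {}


def _check_password(username: str, password: str) -> bool:
    candidate = hmac.new(_SERVER_SECRET, password.encode(), "sha256").digest()
    stored = _USERS.get(username, _DUMMY_DIGEST)
    # Constant-time compare; the "in" check keeps a dummy match from counting.
    return hmac.compare_digest(candidate, stored) and username in _USERS


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1 and 2: verify credentials, mint a random opaque token, remember it.

    Returns the token, or None when the credentials are rejected.
    """
    if not _check_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    _SESSIONS[token] = Session(username=username, expires_at=now + TOKEN_TTL_SECONDS)
    return token


def authenticate(authorization_header: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Run on every API call: map 'Authorization: Bearer <token>' to a username.

    Returns the username, or None when the request must be rejected (401).
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):]
    session = _SESSIONS.get(token)  # high-entropy key, so a dict lookup is fine
    if session is None:
        return None
    now = time.time() if now is None else now
    if now >= session.expires_at:
        _SESSIONS.pop(token, None)  # lazily drop expired tokens
        return None
    return session.username


def logout(token: str) -> bool:
    """Invalidate a token immediately; True if it was still live."""
    return _SESSIONS.pop(token, None) is not None
```

Because the token is only a lookup key, logout is a single delete and nothing sensitive ever leaves the server; the price is that the map has to be shared (a database or cache) as soon as there is more than one API instance, which is what pushes people toward the stateless, signed tokens the answers below describe.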

Answers (2)

GreyBeardedGeek

Reputation: 30088

Stateless, token-based authentication is what you're looking for. JSON Web Tokens (JWT) are one implementation of that.

I wrote a tutorial about setting up JWT in SpringBoot for use with Angular. It's too long to include here - it's a two-parter, and the second part, dealing with JWT is at http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part2

If you want the first part, it's at http://chariotsolutions.com/blog/post/angular-2-spring-boot-jwt-cors_part1

Upvotes: 2

Simon

Reputation: 629

I have had the same question before. Since you are implementing a REST API, it should be stateless by default, which means you should authenticate yourself every time you request some API. If you prefer this way, maybe try to have some CAS system which you can use to perform the authentication. This is almost the same as what you described in the question. (Here is a post of simplified CAS from my blog.)

Otherwise, you can also consider having an entry point or maybe a proxy in front of your REST service. In this proxy you can set a token for the client based on the credentials it provides, then ask the client to send this token along with the request. Set an expiry time for the token and invalidate it after that time.

I don't think there is any existing implementation for this in Spring boot, but for both CAS and token-based requests, you can use Spring Security for part of the features, e.g. TokenBasedAuthentication is already implemented in Spring Security.

Upvotes: 1
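An added example, not from either answer, the question author, or Spring Security, of the stateless alternative both answers point at: a minimal HS256 JWT issued with an `exp` claim, verified with the algorithm pinned and a constant-time signature check, plus the small server-side denylist that "valid until the user logs out" still requires even when tokens are self-contained. Python rather than Spring again, to keep the mechanism visible; the HMAC key, the claim values and the `issue_jwt`/`verify_jwt`/`logout` names are assumptions of this illustration, not a library API.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Assumed HS256 key; in production it is loaded from configuration and is at
# least 32 random bytes, never a string a human typed.
_SECRET = b"constructed-demo-hmac-key-at-least-32-bytes-long!!"

# The one piece of state a "stateless" scheme still needs: IDs of tokens that
# were logged out before their exp. Entries can be dropped once exp passes.
_REVOKED_JTI: Set[str] = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Mint header.payload.signature for a user who just authenticated."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,          # hard upper bound on validity
        "jti": secrets.token_hex(8),       # unique id so logout can name this token
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = hmac.new(_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unexpired and not revoked, else None."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all land here
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side. Honouring whatever "alg" the token carries
    # is what enables "alg": "none" and RSA/HMAC key-confusion forgeries.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(_SECRET, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    if payload.get("jti") in _REVOKED_JTI:
        return None
    return payload


def logout(token: str, now: Optional[float] = None) -> bool:
    """Revoke a still-valid token early; True if it was live."""
    payload = verify_jwt(token, now)
    if payload is None:
        return False
    _REVOKED_JTI.add(payload["jti"])
    return True
```

Every API instance holding the key can verify a token without talking to the login server, which is the point of the stateless design; the denylist is the concession that pure statelessness cannot do immediate logout, and a short `exp` keeps that list small. Nothing in the payload is encrypted, only signed, so no secrets belong in the claims.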
