If you are building a with Spring Boot, you will eventually need to secure your application. Luckily, Spring Security provides a powerful and flexible framework for implementing authentication and authorization. We will start by understanding these two ideas conceptually. Afterward, we will use Spring Security to secure a sample Spring Boot application. REST API Authentication Authentication is a broad term, but in the context of REST APIs, authentication is the process of proving user identity. Since the early days of the Internet, authentication has been important because the Internet is an open and global platform. Authentication helps applications build trust with their users by ensuring that only authorized individuals can access protected resources. Over the years, many methods for authenticating users have been created to address security challenges and increasing demand for user convenience and privacy. Some of the most popular authentication methods include: – Since its invention in the 1990s, browsers could include a request header like , where the credentials are a Base64 encoded username and password joined by a colon. All HTTP requests accessing protected resources needed to include this request header. Basic Access Authentication Authorization: Basic <CREDENTIALS> – With the invention of , browsers could now store user session state, allowing users to log in once and stay authenticated for subsequent requests without re-entering user credentials. Sessions cookies – In the past decade, having users prove their identity in multiple ways has become popular because it is more secure than using passwords alone. Multi-Factor Authentication (MFA) – In recent years, you may have seen that many platforms now allow you to register for accounts and authenticate using Facebook or Google. This feature is called SSO and has become popular because of its convenience. Single Sign-On (SSO) In this guide, we will learn more about sessions, a typical method of authenticating users over HTTP. While sessions are a bit outdated compared to other modern authentication methods, they are simple to understand and still have production use cases. How To Authenticate Users With Sessions As mentioned in the previous section, sessions are an authentication method that leverages cookies, which you could think of as a key-value pair with optional metadata fields that indicate its expiration time and restrict its access. Clients can send cookies to servers by using the request header. For example, an HTTP request might contain the following request header: Cookie Cookie: JSESSIONID=B2236C29AC9CBE6FE0DC02A61596554D Here, the request header includes a cookie named , the default name of session cookies created by , the default servlet container used by . The corresponding value is a unique identifier that Spring Security uses to identify the user making the request. JSESSIONID Tomcat Spring Boot Clients typically get cookies from servers, which send cookies by using the response header. For example, a server might respond to an HTTP request with a response containing the following response header: Set-Cookie Set-Cookie: JSESSIONID=B2236C29AC9CBE6FE0DC02A61596554D; Path=/; HttpOnly Let’s break down the three parts of this response header: – This part tells us that the cookie’s name is and its associated value is . JSESSIONID=B2236C29AC9CBE6FE0DC02A61596554D JSESSIONID B2236C29AC9CBE6FE0DC02A61596554D – This part tells us that the server intends for this cookie to be included in all requests where the URL path contains the prefix . Since all URL paths start with , this tells the client that all subsequent requests need this cookie in the request header. Path=/ / / – This part is a flag that prevents client-side scripts (JavaScript) from accessing this cookie, which helps to mitigate . HttpOnly cross-site scripting (XSS) attacks Putting it all together, the entire authentication process for a sample application might look like this: An unauthenticated client sends a POST request to the endpoint with the following request body: /login {
 "username": "foo",
 "password": "bar"
} The server verifies whether the user credentials are valid or not. If they are, then the server creates an in-memory session object uniquely identified by a , which is returned to the client as a cookie in the response header: JSESSIONID Set-Cookie: JSESSIONID=B2236C29AC9CBE6FE0DC02A61596554D; Path=/; HttpOnly Subsequent HTTP requests made by the client include the session cookie in the request header: Cookie: JSESSIONID=B2236C29AC9CBE6FE0DC02A61596554D The server uses the in the request to look up the corresponding session object. If it exists, then it means the client has previously authenticated with the server successfully, so the server proceeds with handling the request. JSESSIONID Later, the client sends a GET request to the endpoint to terminate the current session. /logout The server handles this request by invalidating the session object corresponding to the provided . JSESSIONID Authorization Authentication and authorization are two terms that are related but distinct. Authentication is about verifying , while authorization is about . For example, an application might have regular users and administrators, who are able to perform actions that regular users should not be allowed to perform (e.g., banning users from the platform). who you are what you are allowed to do In the context of sessions, authorization is the responsibility of the server. The server can access each user’s login credentials (username and password) and their role or permission level. When an HTTP request comes in with a , the server looks up the associated session object and checks whether the authenticated user is authorized to make the request. JSESSIONID Full Code Example Now that we have the necessary background knowledge, let’s use what we have learned to secure a sample application. First, we must add Spring Security to our Spring Boot project (f you do not already have a minimally bootstrapped Spring Boot project, consider reading ). my post on Spring Initializr If you are using Gradle, add the following line to the dependencies block in the file: build.gradle dependencies {
 // ...
 
 implementation 'org.springframework.boot:spring-boot-starter-security'
} If you are using Maven, add the following lines to the element in your file: <dependencies> pom.xml <dependencies>
 
 
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-security</artifactId>
 </dependency>

</dependencies> Next, create a new class called , which handles GET requests to , , and : ExampleController / /users /admins @RestController
public class ExampleController {

 @GetMapping("/")
 public String home() {
 return
 "<html>\n" +
 " <head>\n" +
 " <title>Home</title>\n" +
 " <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n" +
 " </head>\n" +
 " <body>\n" +
 " \n" +
 " <a href=\"http://localhost:8080/users\">Users</a>\n" +
 " \n" +
 " \n" +
 " <a href=\"http://localhost:8080/admins\">Admins</a>\n" +
 " \n" +
 " \n" +
 " <a href=\"http://localhost:8080/logout\">Log out</a>\n" +
 " \n" +
 " </body>\n" +
 "</html>\n";
 }

 @GetMapping("/users")
 public String getUsers() {
 return "Only users can see this";
 }

 @GetMapping("/admins")
 public String getAdmins() {
 return "Only admins can see this";
 }
} By adding Spring Security as a dependency, all requests require authentication by default. We can see this by starting the Spring Boot application locally and going to with a web browser. http://localhost:8080/ We should be redirected to Spring Security’s default login page, : http://localhost:8080/login Since our Spring Boot application has no users, there is no way to sign in. We can create users by defining a that returns a in a new class: Spring bean UserDetailsService WebSecurityConfiguration @Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {

 @Bean
 public UserDetailsService users() {
 UserDetails user = User.builder()
 .username("user")
 .password("{noop}password")
 .roles("USER")
 .build();
 
 UserDetails admin = User.builder()
 .username("admin")
 .password("{noop}password")
 .roles("ADMIN")
 .build();
 
 return new InMemoryUserDetailsManager(user, admin);
 }
} In the code block above, we create one regular user and one administrator, both of which use as their password for simplicity. password We prefix the password with so Spring Security knows this is a plaintext password. If we wanted to, we could, for instance, use a hashing algorithm like : {noop} bcrypt @Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {

 @Bean
 public UserDetailsService users() {
 UserDetails user = User.builder()
 .username("user")
 .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
 .roles("USER")
 .build();
 
 UserDetails admin = User.builder()
 .username("admin")
 .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
 .roles("ADMIN")
 .build();
 
 return new InMemoryUserDetailsManager(user, admin);
 }
} To learn more about how Spring Security handles password storage, see . the official documentation on password storage Now, when we go to , we can try signing in as a user by using as the username and as the password. We should be able to successfully authenticate and redirect back to , which looks like this: http://localhost:8080/ user password http://localhost:8080/ If we click on the link, we should see a greeting for users, and if we go back and click on the link, we will also be able to see the greeting for administrators, even though we authenticated as a user. This is possible because we have not protected and by role. Users Admins /users /admins To do that, we can define a Spring bean that returns a in the class: SecurityFilterChain WebSecurityConfiguration @Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {

 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http.authorizeHttpRequests(
 requests ->
 requests
 .requestMatchers(HttpMethod.GET, "/users")
 .hasRole("USER")
 .requestMatchers(HttpMethod.GET, "/admins")
 .hasRole("ADMIN")
 .anyRequest()
 .authenticated())
 .formLogin(Customizer.withDefaults());
 return http.build();
 }

 @Bean
 public UserDetailsService users() {
 UserDetails user = User.builder()
 .username("user")
 .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
 .roles("USER")
 .build();
 
 UserDetails admin = User.builder()
 .username("admin")
 .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
 .roles("ADMIN")
 .build();
 
 return new InMemoryUserDetailsManager(user, admin);
 }
} The method above has the following rules: securityFilterChain All GET requests to must come from an authenticated user with the role. /users USER All GET requests to must come from an authenticated user with the role. /admins ADMIN All other requests (except for ) must come from an authenticated user. /login Now, when we go to , log in as a user, and click on the link, we should get a default error page indicating that the Spring Boot server returned a response of : http://localhost:8080/ Admins 403 Forbidden If we log out and log back in as an administrator using as the username and as the password, we should be able to access the page, but not the page, as expected. admin password Admins Users Conclusion Congratulations! You now better understand authentication and authorization, how user sessions work, and how to secure REST API endpoints with Spring Security. Also published . here

The code in this story is for educational purposes. The readers are solely responsible for whatever they build with it.

Check out my personal website!

Read my newsletter!

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Mastering Authorization and Authentication With Spring Security

Too Long; Didn't Read

Sammy Tran

STORY’S CREDIBILITY

Code License

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Mastering Authorization and Authentication With Spring Security

Too Long; Didn't Read

Sammy Tran

STORY’S CREDIBILITY

Code License

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES