SEC-2936: Rest API Authentication support

[spring-projects-issues]

raintung (Migrated from SEC-2936) said:

Rest API look like not support authentication, Rest API it is common usage that easy to authenticate that don't require the session. Every API call need authenticate again.
Ex. Token authenticate

I don't find the any web filter can support the rest API. Was it customized?

I think it should be standard filter in the Spring web security. Please correct me it I am wrong or miss something.

[spring-projects-issues]

Rob Winch said:

Please see http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-rest and http://docs.spring.io/spring-session/docs/current/reference/html5/guides/rest.html

[spring-projects-issues]

raintung said:

I don't see the any authentication in the doc for Rest API. Could you give some simple?

[spring-projects-issues]

Rob Winch said:

Please read the second link I provided. Specifically.... http://docs.spring.io/spring-session/docs/current/reference/html5/guides/rest.html#exploring-the-rest-sample-application

[spring-projects-issues]

Rob Winch said:

Actually it is probably better to refer to http://docs.spring.io/spring-session/docs/current-SNAPSHOT/reference/html5/guides/rest.html#exploring-the-rest-sample-application since the previous link has a formatting error

[spring-projects-issues]

raintung said:

It seem not my wanted.
For example:
http://localhost:8080/restapi/createuser?token=xxxxrrrr&username=test

Don't require the username/password at first, don't need log in the site.
The server just authenticate whether the token is valid, also token has encrypt the username, that I can get it from token. If token is valid, can authorize the privilege(admin) for the username. Only has admin privilege can access the URL: /restapi/createuser

Very time will deliver the token parameter, SecurityContextPersistenceFilter look like don't need.
Does have this function in the spring security framework (web module)?

[spring-projects-issues]

Rob Winch said:

The server just authenticate whether the token is valid, also token has encrypt the username, that I can get it from token

Encrypting a token does not guarantee its authenticity. Please see Exploiting encrypted cookies for fun and profit. More generally, having no state is a bad thing when it comes to security. See my talk on The State of Securing RESTful APIs with Spring