Spring Security for REST APIs
Authentication, authorization, and common defenses
Topic: Software Development
Would you ever give out your credit card information in reply to an unidentified text message? Of course not. And yet we do this all the time with our REST APIs when we don’t know who’s talking to them and whether they have authority to do so.
Join Spring Security maintainer Josh Cummings to learn how to secure a Spring Boot-powered REST API. You’ll explore the simplicity of HTTP Basic, the scalability of JSON Web Tokens (JWTs), and the security of opaque tokens in your journey toward an API that authenticates and authorizes each request. By the time you’re through, you’ll understand the different authentication mechanisms relevant to REST APIs—and how and when to apply them in practice. You’ll also have a deeper knowledge of how Spring Security is architected, enabling you to apply your own secure customizations with greater ease.
What you'll learn-and how you can apply it
By the end of this live online course, you’ll understand:
- How to authenticate a REST request with Spring Security and OAuth 2.0
- How to authorize that request’s actions in both fine- and coarse-grain ways
- How to securely expose your REST API to the public
- How to communicate with other OAuth 2.0-secured REST APIs
And you’ll be able to:
- Use Spring Boot properties and the Spring Security DSL to protect an application
- Work with Keycloak to secure a single-page application (SPA) and Spring Boot REST API together
- Consider RESTful multitenancy scenarios
This training course is for you because...
- You’re a Java application developer.
- You work with Spring.
- You want to become a more security-conscious engineer.
- A working knowledge of Java 8 and Spring Boot 2
- Familiarity with Spring Security 5 (useful but not required)
- Take Getting Started with Spring and Spring Boot (live online training)
- Read sections 9, 10, and 12.3 of Spring Security’s reference documentation
- Watch relevant sections in Spring Security (video, 6h 22m)
About your instructor
Josh enjoys application security, live hacking, and frosted mini-wheats. He works for VMWare, maintaining Spring Security with Rob Winch.
The timeframes are only estimates and may vary according to how the class is progressing
Local authentication (45 minutes)
- Group discussion: What are your goals?
- Presentation: An unsecured REST API; Spring Boot security starters; the Spring Security filter chain; UserDetailsService; customizing the principal and authorities
- Hands-on exercises: Use spring-boot-starter-security; use an in-memory user details service; use a custom user principal; determine how secure the solution is
Break (5 minutes)
Local authorization (45 minutes)
- Presentation: Filter-based security; method-based security; insecure direct object references; authorities versus roles; complex authorization rules
- Hands-on exercises: Use @PreAuthorize, @PostAuthorize, @PostFilter, and @Query; extract authorization rules to a Spring Bean; add a record; determine why your user doesn’t have the authority
Break (5 minutes)
Ingress (25 minutes)
- Group discussion: When is it safe to turn off CSRF?; How realistic is HTTP Basic for REST APIs?
- Presentation: CORS
- Hands-on exercise: Enable CORS
Distributed authorization with JWT (45 minutes)
- Presentation: Bearer tokens and JWT; the delegator pattern; canonicalization; testing
- Hands-on exercises: Add the JWT authentication mechanism; customize granted authorities; canonicalize the authentication; introduce tests that mock authentication
- Group discussion: Scopes versus authorities; thoughts on multitenancy
Break (5 minutes)
Distributed authorization with opaque tokens (45 minutes)
- Presentation: Opaque versus JWT; customizing the principal; multitenancy—opaque or JWT?
- Hands-on exercises: Switch to an opaque token; customize the principal; create an AuthenticationManagerResolver
Egress (20 minutes)
- Presentation: CORS and CSRF with REST APIs; propagating the token
- Hands-on exercises: Configure CORS; coordinate with a downstream service
- Group discussion: What if you need to renew the token?