Spring boot REST token authorization and authentication best practices

Question

What is the best practise for authorization and authentication of users in REST spring boot?

I am building web app with standard pages + REST API for mobile. I looked a

Answer 1

Did you find a solution to your problem?

I have answered this problem elsewhere, if you are sure you won't want to open up the API to other developers/clients in the future (if you do then you should look at OAuth) then a simple token based solution will work.

Something basically along the lines of this:

• Setup a standard html login page, that you can use for user login to the app
• setup spring security to return a cookie on sucessful login with an authentication token
• in your mobile app, embed a WebView (or equivalent) and load this login form - allow the user to login via that webview, on response grab the cookie and store the token (as mobile is generally single user, you can keep that pretty long to save mobile users having to keep logging in)
• Add a security filter to the the REST API to authenticate against the token (from the mobile app pass the token in the header for example) - then you will be able to use normal spring authentication context for current users etc.

This approach is suggested by Google here: (EDIT: Google seems to have changed the page I originally read to be about using Google+ sign in and OAuth2.0 - I can't see a link to their general Mobile/API docs so here it is in the web archive :) )

I have also written up my implementation here:

Overview of the approach using Spring security

The code & details

Although this was really just an experiment/Proof of concept, it might be useful in your thinking.

Answer 2

Cookie approach seems perfect for the use case. Token can be tied up with user id. Filter can extract cookie and pass user id for example as header to apis - that should take care of GET...