rest-security

Securing REST endpoint using spring security

点点圈 submitted on 2019-12-22 04:13:07
Question: I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have a view, hence I haven't created a controller to specify the views and haven't added a viewResolver in my AppConfig.java. After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header I get the access denied error. I am testing in Postman setting username/password in Basic

Spring @EnableResourceServer vs @EnableOAuth2Sso

此生再无相见时 submitted on 2019-12-20 08:00:50
Question: Most of the tutorials I've read so far use @EnableOAuth2Sso instead of @EnableResourceServer on the API gateway. What are the differences? What does the OAuth2Sso do in contrast? Details: I'm implementing a security/infra architecture for spring-based microservices and single page apps. For some time, while we didn't have security requirements, the SPAs talked directly to open microservices, on different hosts (CORS party). Now I'm adding a layer of security and the gateway pattern using spring

How to allow access to API only for own pages?

♀尐吖头ヾ submitted on 2019-12-14 03:56:00
Question: I'm developing a Spring Boot web application that provides a REST API. Most of my pages (thymeleaf templates) use this API to communicate with the back-end (using AJAX requests). I have read about different approaches such as Basic Authentication, OAuth2 etc. These approaches describe user authentication, after which users can access the API. But I don't want users to directly communicate with my API using a browser or REST client (i.e. the postman chrome extension, which has access to the browser's cookies, where

OAuth 2.0 Life cycle of “code” in Authorization code Grant

南楼画角 submitted on 2019-12-13 15:20:53
Question: Authorization code Grant: I know the code is a short-lived token exchanged for the real long-lived access token. I have gone through OAuth 2.0 but could not find this information, so I'm asking here: What is the life cycle of the code? Is it for one-time use only? How many times can a code be exchanged to get an access token? What happens to a code after an access token is given for that code? I am using the oAuth 2.0 plugin on the Kong API gateway. It is keeping the code alive for a particular time and multiple

Securing REST endpoint using spring security

雨燕双飞 submitted on 2019-12-05 02:52:14
I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have a view, hence I haven't created a controller to specify the views and haven't added a viewResolver in my AppConfig.java. After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header I get the access denied error. I am testing in Postman setting username/password in Basic Auth. What am I missing, any idea? The example you have followed is implementing a form-based

JWT (Json web token) Vs Custom Token

别说谁变了你拦得住时间么 submitted on 2019-12-03 11:33:14
Question: I was looking through the questions but I did not find anything which could solve my doubt. I found extensive information about JWT, but not much comparing the advantages JWT could offer over generating a custom token to authenticate requests against REST services. What is the advantage of using a JWT (Json Web Token) over generating a custom token? To generate the custom token I could use some hashing strategy or some unique random number generator. If I generate a custom

JWT (Json web token) Vs Custom Token

拟墨画扇 submitted on 2019-12-03 02:00:01
I was looking through the questions but I did not find anything which could solve my doubt. I found extensive information about JWT, but not much comparing the advantages JWT could offer over generating a custom token to authenticate requests against REST services. What is the advantage of using a JWT (Json Web Token) over generating a custom token? To generate the custom token I could use some hashing strategy or some unique random number generator. If I generate a custom token, could I have any security concerns? Would you recommend using any other authentication

Security of REST authentication schemes

烈酒焚心 submitted on 2019-11-26 04:02:24
Question: Background: I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use SSL since I don't want the hassle and, mostly, the expense of setting it up. These SO questions were especially useful to get me started: RESTful Authentication; Best Practices for securing a REST API / web service; Examples of the best SOAP

Best Practices for securing a REST API / web service [closed]

时间秒杀一切 submitted on 2019-11-25 22:48:50
Question: When designing a REST API or service, are there any established best practices for dealing with security (Authentication, Authorization, Identity Management)? When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints. While I understand REST intentionally does not have specifications analogous to WS-*, I am hoping best practices or recommended patterns have emerged. Any discussion or links to

RESTful Authentication

梦想的初衷 submitted on 2019-11-25 22:23:11
Question: What does RESTful Authentication mean and how does it work? I can't find a good overview on Google. My only understanding is that you pass the session key (remeberal) in the URL, but this could be horribly wrong.

Answer 1: How to handle authentication in a RESTful Client-Server architecture is a matter of debate. Commonly, it can be achieved, in the SOA over HTTP world, via: HTTP basic auth over HTTPS; Cookies and session management; Token in HTTP headers (e.g. OAuth 2.0 + JWT); Query