This is the sixth of a series of articles about setting up a secure RESTful Web Service using Spring 3.1 and Spring Security 3.1. A previous article introduced security in the context of a RESTful service, using form-based authentication. This article will focus on configuration of Basic and Digest authentication and on configuring both protocols for the same URI mapping of the API, using Spring Security 3.1.
The REST with Spring series:
- Part 1 – Bootstrapping a web application with Spring 3.1 and Java based Configuration
- Part 2 – Building a RESTful Web Service with Spring 3.1 and Java based Configuration
- Part 3 – Securing a RESTful Web Service with Spring Security 3.1
- Part 4 – RESTful Web Service Discoverability
- Part 5 – REST Service Discoverability with Spring
Configuration of Basic Authentication
In part 3 of the series, the Spring Security configuration was done using form based authentication, which is not really ideal for a RESTful service. To start setting up basic authentication, first we remove the old custom entry point and filter from the main <http> security element:
<intercept-url pattern="/api/admin/**" access="ROLE_ADMIN" />
Note how support for basic authentication has been added with a single configuration line – <http-basic /> – which handles the creation and wiring of both the BasicAuthenticationFilter and the BasicAuthenticationEntryPoint.
Satisfying the stateless constraint – getting rid of sessions
One of the main constraints of the RESTful architectural style is that the client-server communication is fully stateless, as the original dissertation reads:
We next add a constraint to the client-server interaction: communication must be stateless in nature, as in the client-stateless-server (CSS) style of Section 3.4.3 (Figure 5-3), such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client.
The concept of Session on the server is one with a long history in Spring Security, and removing it entirely has been difficult until now, especially when configuration was done by using the namespace. However, Spring Security 3.1 augments the namespace configuration with a new stateless option for session creation, which effectively guarantees that no session will be created or used by Spring. What this new option does is completely removes all session related filters from the security filter chain, ensuring that authentication is performed for each request.