Securing your rest API with SpringSecurity

erwanlt

Erwan Le Tutour

Posted on January 31, 2022

Securing your rest API with SpringSecurity

order66

What we will do

After creating our API in the previous step, we will now secure it using Spring Security.
In order to do so, we need to add 2 dependencies to our pom.xml file

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>
Enter fullscreen mode Exit fullscreen mode

What it will look like

UML

Execute Order 66

The Account Entity

In order to secure our API, we will use some roles, so to achieve that, we will create an account entity that will use those roles.

The Repository

In order to know if the user who will try to use our API exists and have the role associated we also need to create the repository linked to the Account entity.


When we created the CloneRepository earlier, we didn’t need to create any method in it because all the methods we used were already implemented thanks to inheritance.
Here we will need a specific method like the one above findOneByUsername, with that one our repository will know that we search only one result that matches the String username passed on the argument. (see Spring Data JPA doc if you want to know how it works).

The controller

Now that we have created the account that will have the roles to connect to our API we can update our controller to make it accept these roles on its method.


As you can see, our method now avec the @PreAuthorize annotation that indicates the roles who can access it.

So, is my API secured now? The response is NO !
We have created the account entity and its a repository, we have upgraded our controller to indicate the roles that it will use, but we have yet to implement the security configuration.
So now let’s implement it.

The configuration

In order to make all the above code run properly, we will implement security.
To do so we will extend WebSecurityConfigurerAdapter in a configuration class.

Configuration


As you can see in the first configure method, we indicate the roles who can access the endpoint.
In the second method, we describe the service that will be used to authenticate the user.

Authentication Service

To authenticate our user we need to create a service that will implement the UserDetailsService from the Spring Security package, especially the method loadUserByUsername.

Testing our API

To test our API we need to first launch our application.
Then we can try to connect to the entry point that we created in our controller using postman or any other tool that permits you to make HTTP calls.

the examples will be the same as when we created the API, but with basic authentication.
In order to test my API, I have created 2 accounts that will be pre-loaded in the database.


So now if I try to access a datapoint with bad credentials, i will have a 401 error.
{
  "timestamp": "2021-03-08T09:45:09.332+00:00",
  "status": 401,
  "error": "Unauthorized",
  "message": "Unauthorized",
  "path": "/kamino/order66"
}
Enter fullscreen mode Exit fullscreen mode

And if i try to access a datapoint when i don’t have the appropriate role, i will have a 403 error.

postman

I have intercepted my 403 error in my exceptions handler to have something more readable than the exception stack trace.

Thanks for your reading time, as previously, the code used in this tutorial is findable in this Github repository, branch security.

💖 💪 🙅 🚩
erwanlt
Erwan Le Tutour

Posted on January 31, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related