Securing Rest Service with Spring Security

Time needed to complete  ~25 minutes

1.Introduction

Rest Services are common today and the change to be asked to develop one and secure it is 
high, this article will demonstrate how to do that. 

2.What is used in this tutorial:

1- Maven 3

2- Jdk 1.8

3- Tomcat 7.0.55

4- Eclipse Mars 4.5.1

5- Spring 4.1.8
6- Spring Security 4.0.2
7-MySql 5

3.Project Structure

Picture 3.1: Project structure

4. Pojo and Rest Service

-  Person pojo class will be used as simple model with, Listing 4.1.

Listing 4.1: Person pojo

   
package org.phoenix.model;

import java.io.Serializable;


public class Person implements Serializable {

 private static final long serialVersionUID = 14567946798436034L;

 private int id; 
 private String name; 
 private String surname; 
 private double salary;

 public Person() {
 }

 public Person(int id, String name, String surname, double salary) {  
  this.id = id;
  this.name = name;
  this.surname = surname;
  this.salary = salary;
 }

 public int getId() {
  return id;
 }

 public void setId(int id) {
  this.id = id;
 }

 public String getName() {
  return name;
 }

 public void setName(String name) {
  this.name = name;
 }

 public String getSurname() {
  return surname;
 }

 public void setSurname(String surname) {
  this.surname = surname;
 }

 public double getSalary() {
  return salary;
 }

 public void setSalary(double salary) {
  this.salary = salary;
 }

 @Override
 public String toString() {
  return "Person [id=" + id + ", name=" + name + ", surname=" + surname + ", salary=" + salary + "]";
 }

 @Override
 public int hashCode() {
  final int prime = 31;
  int result = 1;
  result = prime * result + id;
  result = prime * result + ((name == null) ? 0 : name.hashCode());
  long temp;
  temp = Double.doubleToLongBits(salary);
  result = prime * result + (int) (temp ^ (temp >>> 32));
  result = prime * result + ((surname == null) ? 0 : surname.hashCode());
  return result;
 }

 @Override
 public boolean equals(Object obj) {
  if (this == obj)
   return true;
  if (obj == null)
   return false;
  if (getClass() != obj.getClass())
   return false;
  Person other = (Person) obj;
  if (id != other.id)
   return false;
  if (name == null) {
   if (other.name != null)
    return false;
  } else if (!name.equals(other.name))
   return false;
  if (Double.doubleToLongBits(salary) != Double.doubleToLongBits(other.salary))
   return false;
  if (surname == null) {
   if (other.surname != null)
    return false;
  } else if (!surname.equals(other.surname))
   return false;
  return true;
 }

}
 
   
 

- Rest Service with 3 methods that will be secured in Listing 4.2. 

Listing 4.2: Rest Controller

  

 package org.phoenix.app;  
   
 import java.util.Collection;  
 import java.util.HashMap;  
 import java.util.Map;  
   
 import org.springframework.web.bind.annotation.PathVariable;  
 import org.springframework.web.bind.annotation.RequestMapping;  
 import org.springframework.web.bind.annotation.RequestMethod;  
 import org.springframework.web.bind.annotation.RestController;  
   
 import org.phoenix.model.Person;  
   
 /*  
  * This is a secured path /p, rest ws   
  *   
  * */  
   
   
 @RestController  
 @RequestMapping("/p")  
 public class PersonRest {  
    
  public static final Map<integer erson=""> map = new HashMap<integer erson="">();  
  {  
  map.put(1, new Person(1,"John","Smith",1000.0));  
  map.put(2, new Person(2,"Bill","Gates",2000.0));  
  map.put(3, new Person(3,"Steve","Balmers",3000.0));  
  map.put(4, new Person(4,"Larry","King",5000.0));  
  }  
    
    
  @RequestMapping(value="/test", method= RequestMethod.GET)  
  public String test(){  
  return "This is a test";  
  }  
    
    
  @RequestMapping("/{id}")  
  public Person getPersonById(@PathVariable int id){  
    
  Person p = map.get(id);  
     
  if(p == null){  
   p = new Person(-1,"Error","No person with id ="+id,-1.0);  
  }   
    
  return p;  
  }  
    
    
  @RequestMapping("/all")  
  public Collection<person> getAllPersons(){   
  return map.values();  
  }  
    
   
 }  

5. Spring Configuration

- Spring security configuration Listing 5.1. The path that will be /p/ , only authorized persons
with role ROLE_REST will be able to access the service, the users,roles and passwords are
stored in DB.
Note: don't forget to change username and password for database in security-context file  

                                      

Listing 5.1: Security Configuration

 <?xml version="1.0" encoding="UTF-8"?>  
   
 <beans:beans xmlns:security="http://www.springframework.org/schema/security"  
      xmlns:beans="http://www.springframework.org/schema/beans"   
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
      xsi:schemaLocation="http://www.springframework.org/schema/beans  
   http://www.springframework.org/schema/beans/spring-beans.xsd  
   http://www.springframework.org/schema/security  
   http://www.springframework.org/schema/security/spring-security-4.0.xsd">  
   
      <security:http pattern="/p/**" create-session="stateless">  
           <security:intercept-url pattern='/**'  
                access="hasRole('ROLE_REST')" />  
           <security:http-basic />  
      </security:http>  
   
   
      <security:authentication-manager>  
           <security:authentication-provider>  
                <security:jdbc-user-service  
                data-source-ref="xdataSource"  
                authorities-by-username-query="select email,authority 
                                               from authority where email=?"  
                users-by-username-query="select email, password, enabled 
                                         from user where email=?" />  
           </security:authentication-provider>  
      </security:authentication-manager>  
   
      <beans:bean id="xdataSource"  
           class="org.springframework.jdbc.datasource.DriverManagerDataSource">  
           <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />  
           <beans:property name="url"  
                value="jdbc:mysql://localhost:3306/rest_db" />  
           <beans:property name="username" value="yourUsername" />  
           <beans:property name="password" value="youtPassword" />  
      </beans:bean>  
   
 </beans:beans>  

6. Database tables

Listing 6.1: DDL for creating tables

CREATE TABLE `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(60) NOT NULL,
  `password` varchar(128) NOT NULL,
  `enabled` tinyint(1) unsigned zerofill NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  UNIQUE KEY `UK_ob8kqyqqgmefl0aco34akdtpe` (`email`)
) ENGINE=InnoDB AUTO_INCREMENT=22 DEFAULT CHARSET=utf8;


CREATE TABLE `authority` (
  `email` varchar(60) NOT NULL,
  `authority` varchar(80) NOT NULL,
  PRIMARY KEY (`email`,`authority`),
  KEY `email` (`email`),
  CONSTRAINT `email_fk7` FOREIGN KEY (`email`) REFERENCES `user` (`email`)
  ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


insert into `user` 
values (20,'example@gmail.com','1b4f0e9851971998e732078544c96b36c3d01cedf7caa332359d6f1d83567014',1);
insert into `user` 
values (21,'user2@yahoo.com','60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752',1);

insert into `authority` 
values ('example@gmail.com','ROLE_REST');
insert into `authority` values 
('user2@yahoo.com','ROLE_USER');

7. Deploying to tomcat

Note: don't forget to change username and password for tomcat server in pom.xml file

- Start tomcat.

- Deploy application from run configuration in goal type clean install tomcat7:redeploy
   click Apply and Run buttons.

7.1- In browser type http://localhost:8080/SecureRestExample/  will go to home page that is not secure , typing
http://localhost:8080/SecureRestExample/ p/test 
http://localhost:8080/SecureRestExample/ p/all 
http://localhost:8080/SecureRestExample/ p/1 will ask for username and password
entering 
 username: example@gmail.com  
password: 1b4f0e9851971998e732078544c96b36c3d01cedf7caa332359d6f1d83567014
will access rest service, Picture 7.1.

Picture 7.1: Calling rest service result

 7.2- OR can run CallRestServiceAppProgramatically class that uses RestTemplate from eclipse project ExampleRestClient.

8. Eclipse Project

Secured Rest Application Project

Rest Client Project(Calling from Java code)