REST API (Web API) Part 2 - Security

This post is part 2 in the series on building REST APIs with Spring and Spring Boot. If you have not yet read part 1, please do so in order to follow along with the steps in this tutorial. However, if you only want the information about API security and have no interest in building a REST service yourself in Java, feel free to read along anyway.

In order to secure a REST API, or anything else for that matter, we need a clear understanding of what security means in this context. This tutorial focuses on Authentication and Authorization, since those are the two concerns our implementation will be built around.

Authentication

Authentication is the act of proving who we are. So when someone tries to access our REST API, we want to ensure that the caller can be identified, and thereby only allow trusted users to access the service. The most basic way to authenticate is a username/password approach, which works as long as we can trust that the password is kept secret. There are other ways to authenticate as well, and these can be combined in what is called Two Factor Authentication. Two Factor Authentication is accomplished by using two or more independent techniques to authenticate. Examples of such techniques:
  • Something you know (e.g. a user account consisting of a username and password)
  • Something you have (e.g. a mobile phone to which an SMS with a unique code can be sent)
  • Something you are (biometrics, e.g. a fingerprint or an eye scanner)

If you are further interested in Authentication, the following video from the Vinsloev Academy YouTube channel is recommended:


Authorization

Authorization is the step that follows once a given user has authenticated successfully. Authorization is the process of granting someone permission to do or access something. So if we have a web application, there might be a set of services which regular users can access and a set of admin services that only an admin is supposed to use. The users in the system are thereby divided into groups which are given different authorization rights, even though both groups authenticate to the same web application.

Securing our REST API

Now that the difference between Authentication and Authorization has been established, it is time to look at how we can achieve both for our Java REST API. In this guide we will make use of the Spring Security framework, which is the de facto standard for securing Spring-based applications. For more about Spring Security, see: https://spring.io/projects/spring-security. If you have followed the steps in Part 1 of this tutorial you can implement this without much effort. All you need to do to add the framework to your project is to add the following to your pom.xml file, inside the dependencies tag.



In this part of the tutorial we will stick to basic Authentication with a single user account. To add it, go to the resources package and add the following to the application.properties file.


In user.name you specify the username, and in user.password you write the password. Once this is added you will see the following login page the next time you try to access your REST API.
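The properties approach above stores the password in plain text in application.properties. As an added example (not code from the original post), the same single-user setup can be expressed as an explicit Spring Security configuration that keeps the password out of the source tree and stores only a bcrypt hash in memory. It assumes spring-boot-starter-security is on the classpath with Spring Security 6 (Spring Boot 3), a hypothetical package name, and that the password is supplied through an environment variable named API_USER_PASSWORD.

```java
package com.example.api.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every endpoint requires an authenticated caller; nothing is public.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic only encodes credentials (base64), so the API must be served over TLS.
            .httpBasic(Customizer.withDefaults())
            // No session cookie is issued, so each request must carry credentials
            // and the cookie-based CSRF protection has nothing to protect.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // slow, salted hash; never store plain text
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        String secret = System.getenv("API_USER_PASSWORD"); // assumed env var
        if (secret == null || secret.isBlank()) {
            // Fail at startup rather than booting an API with no usable credential.
            throw new IllegalStateException("API_USER_PASSWORD must be set");
        }
        UserDetails apiUser = User.withUsername("apiuser")
            .password(encoder.encode(secret)) // only the bcrypt hash is kept in memory
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(apiUser);
    }
}
```

With this class present, Spring Boot's default form login page is no longer auto-configured; unauthenticated requests receive a 401 with a WWW-Authenticate header instead.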


In Part 3 we will take a closer look at how to add multiple users and implement Authorization mechanisms, since the single user we have created now has access to all resources.



