Login/Register
Spring Boot: Secured RESTful API using Spring Social and Spring Security
Asked Answered
springspring-securityspring-bootspring-socialspring-restcontroller
H

1

10

I am trying to define and secure a RESTful API using Spring Boot. Ideally, I would like to use Spring Social and allow clients (web and mobile) to login via Facebook.

What is working

So far, I managed to have a working API using @RestController and secure it with a basic Spring Security configuration as follows:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/**").authenticated()
                .antMatchers(HttpMethod.PUT, "/api/**").authenticated()
                .antMatchers(HttpMethod.DELETE, "/api/**").authenticated()
                .anyRequest().permitAll()
            .and().httpBasic()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

The antMatchers could probably be improved, but I made it like this for my own clarity for now and it works fine. Doing GET requests is allowed and all others required to send the standard user:password given by Spring Security at runtime. An example using httpie: 

http POST user:a70fd629-1e29-475d-aa47-6861feb6900f@localhost:8080/api/ideas/ title="My first idea"

Which right credentials, it sends a 200 OK back, otherwise a 401 Unauthorized.

Spring Social

Now, I am stuck and can't get my head around using Spring-Social-Facebook to get working with my current setup and keep fully RESTful controllers. Using standard forms and redirects seems trivial, but I couldn't find any solution for a REST-based approach that easily supports web and mobile clients for example.

As I understand, the client will have to handle the flow, since the back-end won't send any redirects to the /connect/facebook URL.

  • I followed the tutorial Accessing Facebook Data and it works on its own. However, I would like to avoid having to have those facebookConnect.html and facebookConnected.html templates like in the tutorial. So I don't know how to have change that.

  • Another Spring Boot tutorial for OAuth is also nice and working, but I would like to stick with Spring Social if possible due to the simplicity.

  • This post, helped for the Method not allowed issue of the /connect/facebook redirect when using those views mentioned above.

  • Post about Social Config. Probably, I am missing something there.

Any advice, solution or link to a better tutorial would be really helpful.

Thanks!

UPDATE 1

Now, I have a working website with traditional User SignUp and Login over forms. I have a "Login with Facebook" button that sends me over the "OAuth dance". So next issue is that I have to create somehow the User manually after the Facebook login has been successful, because for the moment both "logins" are not related, so even though the user is logged in with Facebook, he doesn't yet have an associated User object with the right authorisations.

Hebdomadary answered 14/1, 2016 at 9:38 Comment(4)
Hi ralph, can you share how you did it at the end .. a rest api with ability to signup/signin for both web and mobile apps using both social and normal form registration .. that's exactly what I need and I'm stuck with the same problem you were stuck inShellishellie
Did you ever get a satisfactory solution to this? I have exactly the same requirement in that I want my REST api secured by a facebook login, and I'm having trouble understanding how the oauth dance works in this context without having controllers with views ( eg facebookConnect.html) in my RESTful apiWorldlywise
Did anyone managed to get the final solution, all the information is so scattered, im sure many people have this problem when it comes to implementing this on mobile appsExperience
I have the same issue in case you can provide an answer to this.Englert
M
0

SocialAuthenticationFilter by default, redirects to '/signup' in the case you described, user is signed in from a social app, however, no local account exists. You can provide a handler to create a local account. This is also covered in the spring-socal samples.

@RequestMapping(value = { "/signup" }, method = RequestMethod.GET)
public String newRegistrationSocial(WebRequest request, Model model) throws Exception {
    String view = "redirect:/home";
    try {
        Connection<?> connection = providerSignInUtils.getConnectionFromSession(request);
        if (connection != null) {
            UserProfile up = connection.fetchUserProfile();

            registerUser(up.getFirstName(), up.getLastName(), up.getEmail(), "DummyPassword");              
            providerSignInUtils.doPostSignUp(up.getEmail(), request);

            //SignInUtils.signin(up.getEmail());
            ...
            ...             
        } 
    } 
    return view;
}
Messaline answered 22/1, 2016 at 18:45 Comment(1)
What I do not get (see here) is how to correctly redirect the web client. I cannot return something like redirect:/home because the web client is separate from the rest api.Englert

© 2022 - 2024 — McMap. All rights reserved.