android - Securing Spring RESTful webservice APIs from unautherized access? -
i have created spring restful webservice different apis. should protect them unauthorized access. followed http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html , login logic entirely different mine. can me move on?
fetch user login request
@requestmapping(value = "/login", method = requestmethod.post) @responsebody @responsestatus(httpstatus.ok) public userresponse login(@requestbody final userloginrequest userrequest) throws servletexception, ioexception { userresponse userresponse = new userresponse(); try { userresponse = accessservice.login(userrequest); } catch (sqlexception e) { e.printstacktrace(); } catch (classnotfoundexception e) { e.printstacktrace(); } return userresponse; }
process user login request
@transactional public userresponse login(userloginrequest userrequest) throws sqlexception, classnotfoundexception, ioexception { userresponse userresponse = new userresponse(); int status = 0; //boolean isexist = logindao.isuserexist(userrequest.getusername(), userrequest.getpassword()); user user = logindao.getuser(userrequest.getemailid()); if (user != null) { if (userrequest.getpassword().equals(user.getpassword())) {//case sensitive password , added check status //user exist if (user.getstatus().equals("1")) { //device token check logindao.isdevicetokenexists(userrequest, user.getprofileid()); status = 2; } else { status = 3; } } else { status = 4; } } else { status = 1; } if (status == 1) { userresponse.setcode(weekenterconstants.user_email_exist_code); userresponse.setmessage("user not exists.please register."); } else if (status == 2) { userresponse.setcode(weekenterconstants.success_code); userresponse.setmessage("user login success"); userresponse.setid(user.getprofileid()); } else if (status == 3) { userresponse.setcode(weekenterconstants.failure_code); userresponse.setmessage("your account blocked. please contact weekenter administrator."); userresponse.setid(user.getprofileid()); } else if (status == 4) { userresponse.setcode(weekenterconstants.failure_code); userresponse.setmessage("password wrong."); userresponse.setid(user.getprofileid()); } return userresponse; }
i have api's fetch countries, userlist etc. services should give data android client once user valid. know authentication processed using access token. how in standard way?
you can follow mentioned tutorial changing login logic in service.define custom authentication service in
spring-security.xml
.typically, simple spring security enabled application use simple user service authentication source:
<!--custom user details service provide user data--> <bean id="customuserdetailsservice" class="com.yourpackage.customuserdetailsservice" /> <authentication-manager alias="authenticationmanager"> <authentication-provider user-service-ref="customuserdetailsservice" /> </authentication-manager>
your
customuserdetailsservice
should implementuserdetailsservice
available inorg.springframework.security.core.userdetails.userdetailsservice
import com.weekenter.www.dao.logindao; import java.util.arraylist; import java.util.collection; import java.util.list; import org.springframework.beans.factory.annotation.autowired; import org.springframework.security.core.grantedauthority; import org.springframework.security.core.authority.simplegrantedauthority; import org.springframework.security.core.userdetails.user; import org.springframework.security.core.userdetails.userdetails; import org.springframework.security.core.userdetails.userdetailsservice; import org.springframework.security.core.userdetails.usernamenotfoundexception; import org.springframework.stereotype.service; import org.springframework.transaction.annotation.transactional; @service @transactional(readonly = true) public class customuserdetailsservice implements userdetailsservice { @autowired private logindao logindao; public userdetails loaduserbyusername(string login) throws usernamenotfoundexception { boolean enabled = true; boolean accountnonexpired = true; boolean credentialsnonexpired = true; boolean accountnonlocked = true; com.weekenter.www.entity.user user = null; try { user = logindao.getuser(login);//login variable contain requested username if (user != null) { if (user.getstatus().equals("1")) { enabled = false; } } else { throw new usernamenotfoundexception(login + " not found !"); } } catch (exception ex) { try { throw new exception(ex.getmessage()); } catch (exception ex1) { } } <!-- password comparison happen here --> return new user( user.getemail(), user.getpassword(), enabled, accountnonexpired, credentialsnonexpired, accountnonlocked, getauthorities() ); } public collection<? extends grantedauthority> getauthorities() { list<grantedauthority> authlist = getgrantedauthorities(getroles()); return authlist; } public list<string> getroles() { list<string> roles = new arraylist<string>(); roles.add("role_app"); return roles; } public static list<grantedauthority> getgrantedauthorities(list<string> roles) { list<grantedauthority> authorities = new arraylist<grantedauthority>(); (string role : roles) { authorities.add(new simplegrantedauthority(role)); } return authorities; } }
and in
spring-security.xml
can filter protected url's below
<!-- tells spring security url should protected , roles have access them --> <http pattern="/api/**" create-session="never" entry-point-ref="oauthauthenticationentrypoint" access-decision-manager-ref="accessdecisionmanager" xmlns="http://www.springframework.org/schema/security"> <anonymous enabled="false" /> <intercept-url pattern="/api/**" access="role_app" /> <custom-filter ref="resourceserverfilter" before="pre_auth_filter" /> <access-denied-handler ref="oauthaccessdeniedhandler" /> </http>
Comments
Post a Comment