Question

I am trying to enable token-based authentication for an HTTP API with Spring Security.

Looking around, I see answers about implementing the filters and the handlers, like

Spring Security authentication via token

Spring Security 3.2 Token Authentication

There is a pretty interesting KeyBasedPersistenceTokenService class.

Is there no filter or the rest of the elements needed to build up the authentication mechanism in spring security?


Solution

The Token interface in Spring Security is pretty abstract - you would need to provide your own implementation to carry actual authentication information, and your own endpoints for issuing tokens to authenticated users or clients, as well as the filter you mention to process the token on protected resources (one of the links you posted suggests using AbstractPreAuthenticatedProcessingFilter and that is correct). There isn't really a one-size-fits-all solution.

You might be better off with OAuth2 since it's a standard and supported separately in Spring OAuth. At least you get all those features out of the box that way.

Another interesting token implementation is GitHub's "secure http" - they give you a token and you use it as a password in HTTP Basic authentication (widely supported client-side and also available out of the box in Spring Security). You would only have to plug in a UserDetailsService (and hook it up to some token issuing UI) if you were implementing it in Spring Security.
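The filter the answer mentions, built on AbstractPreAuthenticatedProcessingFilter, as an added example that is not part of the original answer or of Spring Security itself. The `X-Auth-Token` header, the class names, the `ROLE_API` authority and the digest-keyed map are assumptions, and the imports assume the javax.servlet API.

```java
// Added example, not the answer's code; header, class and role names are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.servlet.http.HttpServletRequest; // assumes the javax.servlet API
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Reads the opaque token from a header; returning null means no authentication is attempted. */
class ApiTokenFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getHeader("X-Auth-Token");
        return (token == null || token.isEmpty()) ? null : token;
    }
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the token is the only proof presented; there is no separate credential
    }
}

/** Maps a presented token to a user; the store holds SHA-256 digests, never raw tokens. */
class ApiTokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final Map<String, String> usernameByTokenDigest; // digest -> username
    ApiTokenUserDetailsService(Map<String, String> store) { this.usernameByTokenDigest = store; }
    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken auth) {
        String username = usernameByTokenDigest.get(digest(String.valueOf(auth.getPrincipal())));
        if (username == null) throw new UsernameNotFoundException("Unknown or revoked token");
        return new User(username, "", AuthorityUtils.createAuthorityList("ROLE_API"));
    }
    static String digest(String token) {
        try {
            byte[] hash = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(hash);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

To wire it up, set the service on a PreAuthenticatedAuthenticationProvider with setPreAuthenticatedUserDetailsService and give the filter an AuthenticationManager (for example a ProviderManager) that contains that provider. Generate tokens with SecureRandom at issue time and persist only `digest(token)`, so a leaked store does not yield usable tokens.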

Licensed under: CC-BY-SA with attribution