secure a REST API using Spring Security
--
-
A
REST APIcan be secured using Spring Security Java configuration. A good approach is to use form login with fallback toHTTP Basic authentication, and include someCSRFprotection and the possibility to enforce that all backend methods are only accessible viaHTTPS -
This means the backend will propose the user a login form and assign a
session cookieon successful login to browser clients, but it will still work well for non-browser clients by supporting a fallback to HTTP Basic where credentials are passed via theAuthorization HTTP header. -
Following OWASP recommendations, the REST services can be made minimally
stateless(the only server state is thesession cookieused for authentication) to avoid having to send credentials over the wire for each request.
--
网友评论