Previously we have managed to finally get rid of that Session object and transform our RESTful API security to leverage a stateless authentication solution. We replaced our beloved JSESSIONID with a simple string of text, a token, that allowed us to identify a user. But the solution we used is not secure at all. We still need to find a token with the right characteristics to be safe enough in this world of leaks and breaches. Enter JWTs...
Tag: REST
From stateful to stateless RESTful security using Spring and JWTs – Part 3 (token-based authentication)
Last time we reviewed how to quickly set up stateful authentication on our Spring-based project. That's very nice 'n' all, and in many cases you won't need anything more. However shouldn't we try to get rid of that session-based dependency and attempt to move to a REST-friendly stateless authentication solution? Let's begin...
From stateful to stateless RESTful security using Spring and JWTs – Part 2 (session-based authentication)
After a quick introduction we are now ready to begin our journey towards stateless authentication for RESTful APIs... by setting up a stateful example. Yes I know, but we have to start somewhere, right? In this part we'll set up our project and code a couple of simple endpoints. One of those will be secured using Spring Security's session-based authentication.
From stateful to stateless RESTful security using Spring and JWTs – Part 1 (intro)
By now "stateful" or session-based authentication is pretty much well-accepted. Frameworks such as Spring Security or Apache Shiro make it really easy to implement a decent solution in just a few easy steps. I previously discussed how to secure a Spring-based REST API using Spring Security for authentication, CSRF protection and CORS. But in some cases, session-based security might not be good enough...
403 Forbidden on web clients against cookie-based secured REST services
You are developing your web client (AngularJS or any other) against your REST services' server, secured using cookies-based sessions and CSRF tokens sent as cookies. You've done everything by the book, followed the tutorials to make your security work, especially CORS and CSRF tokens. And yet you still get a pesky 403 when trying to login!
AngularJS web apps for Spring-based REST services security: the client side
After a summer break we return to our secure web client / REST-based solution: in this post we examine how our AngularJS-based web client should behave in order to comply with the security measures we've enforced on the server side.
AngularJS web apps for Spring-based REST services security: the server side part 2 (CSRF)
Part 2 of examining a full, secure implementation of a solution for web-client, REST-based systems using AngularJS and Spring and addressing authentication, CORS and CSRF aspects. The full, working code is available on GitHub. In this part, we look at how we can prevent CSRF attacks from a server's perspective.
AngularJS web apps for Spring-based REST services security: the server side part 1
A full, secure implementation of a solution for web-client, REST-based systems using AngularJS and Spring and addressing authentication, CORS and CSRF aspects. The full, working code is available on GitHub. In this part, we setup the project and examine how CORS is configured on the server side.
Spring Security’s CSRF protection for REST services: the client side and the server side
Spring Security offers CSRF (cross-site request forgery) protection by default for Java web applications. In this post I will examine how you can make that CSRF protection work for a web client interacting with REST-based CSRF-protected services. Both the web client's code and the server application's configuration will be described.