After a quick introduction we are now ready to begin our journey towards stateless authentication for RESTful APIs… by setting up a stateful example. Yes I know, but we have to start somewhere, right? In this part we’ll set up our project and code a couple of simple endpoints. One of those will be secured using Spring Security’s session-based authentication.
By now “stateful” or session-based authentication is pretty much well-accepted. Frameworks such as Spring Security or Apache Shiro make it really easy to implement a decent solution in just a few easy steps. I previously discussed how to secure a Spring-based REST API using Spring Security for authentication, CSRF protection and CORS. But in some cases, session-based security might not be good enough…
Software companies used to have one goal: to develop efficient applications that users liked. When people switched from desktop to SaaS / web applications, companies were forced to focus on security to avoid being hacked. Now they will have a new mission: to ensure the privacy of their users. At any costs.
You are developing your web client (AngularJS or any other) against your REST services’ server, secured using cookies-based sessions and CSRF tokens sent as cookies. You’ve done everything by the book, followed the tutorials to make your security work, especially CORS and CSRF tokens. And yet you still get a pesky 403 when trying to login!
In October 2015 me and my partner-in-dev Emad Heydari Beni ran a small survey on how our blog readers, friends and relatives felt about privacy and security on the Internet. The survey was closed November the 11th and we started analyzing the data we had gathered. The short version? We were actually surprised at some of the answers!
