I am making a REST API with Spring Boot and looking for a way to secure some of the APIs. I also worked on another project where they used the Grails Spring Security plugin (http://alvarosanchez.github.io/grails-spring-security-rest/2.0.0.M2/docs/index.html).
I want to work the exact same way, annotate the methods with the roles that can use them and so on. I find it difficult to find a tutorial that implements it this way in Spring Boot. Or is there another very easy but secure way to do it?
(I use HTTP so basic auth is not an option, and I like the way the token is in the JSON response and then given with a header.)
EDIT 5 Sep
I searched a lot in the last 10 days and I found some tutorials, but most of them are with Spring and not Spring Boot, or they are not using annotations for controller methods. I also found JWT; it seems like a good idea, but I still don't know how to combine it with Spring Boot and annotations.
I found a very clear example after hours of searching. https://github.com/brahalla/Cerberus. It does exactly what I want.
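The token flow the question describes, as an added example in plain JDK Java (this is not Spring Security code and not code from the Cerberus project): a login endpoint would return the issued HS256 JWT in its JSON body, the client sends it back in an `Authorization: Bearer ...` header, and a per-request check verifies the signature and expiry before a role guard (what a `hasRole('ADMIN')`-style annotation reduces to) decides. The secret, claim names and role names are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (plain JDK, no framework): issue an HS256 JWT, verify the token presented
 * in a Bearer header, and check the role a protected method requires.
 */
public class JwtRoleCheck {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern ROLES = Pattern.compile("\"roles\"\\s*:\\s*\\[([^\\]]*)\\]");
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"HS256\"");

    private final byte[] secret; // shared HMAC key; assumption: loaded from configuration in real use

    public JwtRoleCheck(byte[] secret) { this.secret = secret.clone(); }

    /** Server side at login: header.payload.signature from a caller-supplied JSON claims object. */
    public String issue(String claimsJson) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    /** Server side per request: strip the Bearer prefix, check signature and expiry, return the claims. */
    public String verifyAuthorizationHeader(String authorizationHeader, long nowEpochSeconds) throws Exception {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            throw new SecurityException("missing bearer token");
        }
        String[] parts = authorizationHeader.substring("Bearer ".length()).trim().split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        // Pin the algorithm on the server side; the token itself never gets to choose it.
        String headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!ALG.matcher(headerJson).find()) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        byte[] presented = B64D.decode(parts[2]);
        if (!MessageDigest.isEqual(expected, presented)) throw new SecurityException("bad signature");
        String claimsJson = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(claimsJson);
        if (!m.find() || Long.parseLong(m.group(1)) <= nowEpochSeconds) throw new SecurityException("token expired");
        return claimsJson;
    }

    /** The role guard: is the required role listed in the verified claims? */
    public static boolean hasRole(String claimsJson, String role) {
        return roles(claimsJson).contains(role);
    }

    static List<String> roles(String claimsJson) {
        List<String> out = new ArrayList<>();
        Matcher m = ROLES.matcher(claimsJson);
        if (!m.find()) return out;
        for (String r : m.group(1).split(",")) {
            String t = r.trim();
            if (t.length() >= 2 && t.startsWith("\"") && t.endsWith("\"")) out.add(t.substring(1, t.length() - 1));
        }
        return out;
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        JwtRoleCheck jwt = new JwtRoleCheck("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L; // constructed clock value
        // The login response body would carry this token, e.g. {"token":"..."}.
        String token = jwt.issue("{\"sub\":\"alice\",\"roles\":[\"ROLE_USER\",\"ROLE_ADMIN\"],\"exp\":" + (now + 3600) + "}");
        String claims = jwt.verifyAuthorizationHeader("Bearer " + token, now);
        System.out.println("admin allowed: " + hasRole(claims, "ROLE_ADMIN"));
        System.out.println("auditor allowed: " + hasRole(claims, "ROLE_AUDITOR"));
        // A payload edited after signing no longer matches the signature and is rejected.
        String[] p = token.split("\\.");
        String edited = p[0] + "." + B64.encodeToString(
                "{\"sub\":\"mallory\",\"roles\":[\"ROLE_ADMIN\"],\"exp\":9999999999}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        try {
            jwt.verifyAuthorizationHeader("Bearer " + edited, now);
        } catch (SecurityException e) {
            System.out.println("edited token rejected: " + e.getMessage());
        }
    }
}
```

The two checks that matter for the role-annotation approach are both in `verifyAuthorizationHeader`: the algorithm is fixed by the server rather than read from the token, and the signature comparison uses `MessageDigest.isEqual` so it runs in constant time. Only after that does the claims object reach the role guard.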
I am a beginner in the world of the OAuth2.0 and OpenID protocols. I would like to implement a custom server/provider for multiple applications, so as to use it for Single Sign-On (SSO). I would like to work with Python. Till now I have found four packages for an OAuth2.0 and an OpenID Connect server implementation in Python: pyoidc, django-oidc-provider, Django OAuth Toolkit (DOT) by OAuthlib, and Authlib. I tried to read and understand pyoidc, but it was not so helpful and easy; basic things were missing. I have tried django-oidc-provider and I was really satisfied, and the whole implementation was really easy. So, after those trials, I am left with Django OAuth Toolkit (by OAuthlib) and Authlib. Has anyone tried them? Are these packages the same? Is Authlib an updated version of the OAuthlib library? The only information I know till now is that Flask-OAuthlib is deprecated, and Authlib was its new version.
*Every answer or advice or personal experience would be really helpful and always appreciated!
Thank you again for your help.
After some research, I concluded to work generally with JWTs. As before, I would like to work with a GraphQL API, so I am searching for solutions for JWT authentication on it. I may use Passport.js (passport-jwt) or something else for Python. All the libraries mentioned above will possibly not be used.
I will just redirect the user to my main application, authenticate them with JWT, and then return the JWT back to the application. In the future and after deployment, I might also implement an OAuth2.0 provider for my website. Although those packages did not really help me, I would recommend Django OAuth Toolkit (DOT) and django-oidc-provider to others. But I also learned that django-oidc-provider only supports the implementation of a small and simple OAuth2.0 provider. Django OAuth Toolkit comes with lots of options for implementing an advanced OAuth2.0 Authorization Server (AS), including the Authorization Code flow with PKCE (Proof Key for Code Exchange), which is the most secure flow. It is also scalable and has great documentation with lots of customizations if you want.
*I sent an email to the support of Authlib, and of course no one has answered me after a week.
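The PKCE part of the Authorization Code flow mentioned in the answer, as an added example (not code from DOT, django-oidc-provider or Authlib; written in plain JDK Java rather than Python so it runs without any package): the client side derives `code_challenge` from a random `code_verifier` with the S256 method, and the authorization server side recomputes the challenge at the token endpoint. The RFC 7636 Appendix B test vector is used to show the derivation is the standard one; everything else is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: RFC 7636 PKCE with the S256 method, client and server halves. */
public class PkceS256 {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Client: code_verifier is 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes base64url-encode to 43. */
    public static String newCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return B64URL.encodeToString(random);
    }

    /** Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). */
    public static String codeChallengeS256(String verifier) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(digest);
    }

    /**
     * Authorization server, token endpoint: the challenge and method were stored with the
     * authorization code at the /authorize step; the verifier arrives with the token request.
     */
    public static boolean verifierMatches(String storedChallenge, String storedMethod, String presentedVerifier)
            throws Exception {
        if (!"S256".equals(storedMethod)) return false; // policy choice here: do not accept "plain"
        if (presentedVerifier == null || presentedVerifier.length() < 43 || presentedVerifier.length() > 128) return false;
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Authorization request: the client keeps the verifier and sends only the challenge.
        String verifier = newCodeVerifier();
        String challenge = codeChallengeS256(verifier);
        // The AS binds (authorization_code -> challenge, "S256") and later checks the token request.
        System.out.println("same client redeems code: " + verifierMatches(challenge, "S256", verifier));
        System.out.println("different verifier:       " + verifierMatches(challenge, "S256", newCodeVerifier()));
        System.out.println("plain method refused:     " + verifierMatches(verifier, "plain", verifier));
        // RFC 7636 Appendix B vector.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC vector reproduced:    " + codeChallengeS256(rfcVerifier).equals(rfcChallenge));
    }
}
```

The reason PKCE makes the Authorization Code flow safer for public clients is visible in `verifierMatches`: an authorization code alone is not enough to obtain tokens, because the token request must also carry the verifier that only the client which started the flow holds, and the server only ever stored the hash of it.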
I have a single page app built with Ember.js with a Rails backend. Is it a common pattern to build an admin interface on Rails server-side on a subdomain? What is the right approach for this?
Your question is vague but I will try to answer it my best. I have done this with a Node and a Go backend combined with Ember.js.
No, there is technically nothing to prevent you from doing a single page application for an admin interface.
Rails is a good choice for this, and generally you should stick with the backend framework/language you and your team master the most.
As for what would be the right approach, there are no magic recipes. Document your code, write tests and follow best practices for the tools you are using.
One key element though will be the communication between your frontend and your backend. Ember chose to follow the JSON API specification (http://jsonapi.org/) and comes out of the box with an adapter to talk with this kind of API. Using such an adapter will help you save a lot of time.
Here are some implementations of JSON API for Ruby: http://jsonapi.org/implementations/#server-libraries-ruby
One more thing about your frontend code structure. You haven't said how big your app will be. If it gets big, you may want to take the pod approach in ember-cli (http://ember-cli.com/user-guide/#pod-structure). It basically changes the structure of the code so it's easier to maintain a lot of files.
Hello fellow developers!
I am using a Spring backend with MongoDB for a REST-based service as described here:
http://spring.io/guides/gs/accessing-mongodb-data-rest/
This is a great way to create powerful rest services and I would like to continue to use it, but I am having problems with its formatting of the JSON, for consumption by an Ember front end.
I really want to make my restful services on the back end return JSONApi.org formatting and not have to play tricks in Ember to massage the data.
I'm sure others must have encountered this very same problem and there is some community based solution, but I can't seem to find it. Can anyone point me in the right direction here?
Also, is there a community of people using Ember + Spring Rest? Or am I alone? :D
Thanks!
Peter
I am trying to set up a web store using Magento on an SOA architecture. So I intend to use all of the functionality through the API, connecting it with Mule ESB.
However, in my research I have read that the Magento API is "silly slow". And now I am wondering if it actually can handle the requests of an entire website.
Has anybody done something like this before? Can it actually work? If not, is there a workaround?
Regards
Leo
No, it is not viable to set up a store using only Magento's SOAP and RPC APIs. That is not the intention of these APIs.
There are examples where people have done what you are looking for such as http://www.yireo.com/software/magebridge
They claim to be 40% faster than native Magento.
I've tried the tool, and it is quite functional.
I am a noob to the web services world. I need to develop a login validator module and expose it as a service. I want it to be service independent, i.e. I should have the option of exposing it as a SOAP service or a REST service in the future.
What pattern should I follow? Sorry if I am unclear in my requirements; I can clarify as per need.
Thanks!!
Edit: I am using Eclipse as an IDE and Jersey libraries. I am not into any framework, simply using the MVC pattern. I find a lot of difference between SOAP and REST methods, so I want my methods to be implementation independent, i.e. I should be easily able to use my method through a SOAP or REST service call as per need. What should I do for maximum flexibility?
Picking a good MVC framework and understanding how to use it properly can help ensure that your feature is "service independent". Most of the documentation I've read for good frameworks suggest that you keep your business logic separate from your controller.
If you read the documentation for the tools that you use, and ensure that there is a layer between your business logic and your controllers, then that will make the job of switching from SOAP to REST or some other protocol much, much easier.
Since you mentioned you're using Eclipse in your comment below, I'm assuming you are using or are willing to use Java:
Restlets
http://www.restlet.org/
Spring 3.0 REST
http://blog.springsource.com/2009/03/08/rest-in-spring-3-mvc/
Develop your service as a POJO. Make sure to respect the stateless pattern.
Create an EndPoint class for each publication type you require (SOAP, REST, EJB, JMS, whatever).
Use the appropriate standard to expose your EndPoint. For SOAP and REST the JAX-WS API and implementations can do it for you using Java annotations on your EndPoint.
That's it !
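The three steps above carried through for the login validator, as an added example (plain JDK Java, not the asker's code and not tied to Jersey): the protocol-neutral core is a stateless POJO that checks a password against a salted PBKDF2 hash, and two thin endpoint classes adapt it to a REST-shaped and a SOAP-shaped call. The JAX-RS (`@Path`, `@POST`) and JAX-WS (`@WebService`, `@WebMethod`) annotations those endpoints would carry are left out so the file compiles with the JDK alone; the user store, password and iteration count are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: stateless credential validator, independent of any transport. */
final class LoginValidator {
    private static final int ITERATIONS = 210_000; // assumption: tune to your hardware
    private static final int KEY_BITS = 256;
    private static final byte[] DUMMY_SALT = new byte[16];
    private final Map<String, String> records; // username -> base64(salt) + "$" + base64(hash)

    LoginValidator(Map<String, String> records) { this.records = Map.copyOf(records); }

    static String hash(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            spec.clearPassword();
            return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(dk);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Enrolment: fresh random salt per user. */
    static String newRecord(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return hash(password, salt);
    }

    /** Stateless: nothing is remembered between calls, so any endpoint can wrap it. */
    boolean validate(String username, char[] password) {
        try {
            String stored = records.get(username);
            // Unknown user: still do the PBKDF2 work so response time does not reveal valid usernames.
            byte[] salt = stored == null ? DUMMY_SALT : Base64.getDecoder().decode(stored.split("\\$")[0]);
            String computed = hash(password, salt);
            return stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.US_ASCII), computed.getBytes(StandardCharsets.US_ASCII));
        } finally {
            Arrays.fill(password, '\0'); // do not keep the secret around in memory
        }
    }
}

/** REST-shaped endpoint: in Jersey this would be a JAX-RS resource taking and returning JSON. */
final class LoginRestEndpoint {
    private final LoginValidator service;
    LoginRestEndpoint(LoginValidator service) { this.service = service; }
    String login(String username, String password) {
        boolean ok = service.validate(username, password.toCharArray());
        return "{\"authenticated\":" + ok + "}"; // one generic reply, no hint about which part failed
    }
}

/** SOAP-shaped endpoint: would be a JAX-WS web service whose operation takes a request bean. */
final class LoginSoapEndpoint {
    static final class LoginRequest { String username; String password; }
    static final class LoginResponse { boolean authenticated; }
    private final LoginValidator service;
    LoginSoapEndpoint(LoginValidator service) { this.service = service; }
    LoginResponse login(LoginRequest req) {
        LoginResponse res = new LoginResponse();
        res.authenticated = service.validate(req.username, req.password.toCharArray());
        return res;
    }
}

public class LoginServiceDemo {
    public static void main(String[] args) {
        // Constructed user store; in practice the records come from a database, created at enrolment.
        LoginValidator service = new LoginValidator(
                Map.of("alice", LoginValidator.newRecord("correct horse".toCharArray())));
        System.out.println(new LoginRestEndpoint(service).login("alice", "correct horse"));
        System.out.println(new LoginRestEndpoint(service).login("alice", "wrong"));
        LoginSoapEndpoint.LoginRequest req = new LoginSoapEndpoint.LoginRequest();
        req.username = "nobody";
        req.password = "anything";
        System.out.println(new LoginSoapEndpoint(service).login(req).authenticated);
    }
}
```

Because `LoginValidator` holds no per-request state and knows nothing about HTTP, SOAP envelopes or JSON, adding a third endpoint (JMS, EJB) means writing another adapter class, not touching the validation logic. Keeping the password-handling details (salt, constant-time compare, equal work for unknown users) inside the POJO also means every transport gets them for free.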