17.12.11

Basic and Digest authentication for a RESTful Service with Spring Security 3.1, part 6 | Javalobby

  • Basic and Digest authentication
  • <http-basic />
  • BasicAuthenticationFilter
  • BasicAuthenticationEntryPoint
  • Satisfying the stateless constraint – getting rid of sessions
    • One of the main constraints of the RESTful architectural style is that the client-server communication is fully stateless, as the original dissertation reads:
      • 5.1.3 Stateless
      • We next add a constraint to the client-server interaction: communication must be stateless in nature, as in the client-stateless-server (CSS) style of Section 3.4.3 (Figure 5-3), such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client.
  • Configuration of Digest Authentication
  • Unfortunately there is no support in the security namespace to automatically configure Digest authentication the way Basic authentication can be configured with <http-basic>. Because of that, the necessary beans (a DigestAuthenticationFilter and a DigestAuthenticationEntryPoint) have to be defined manually and wired into the <http> element via <custom-filter> and entry-point-ref. Note also that DigestAuthenticationFilter needs either the clear-text password or a pre-computed MD5(username:realm:password) hash from the UserDetailsService, so it cannot be combined with a salted one-way password encoder.
  • Anonymous request
  • Request with authentication credentials
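As an added example (not configuration from the original article or its github project), the following Spring Security 3.1 XML puts the two points above together: create-session="stateless" on the <http> element so no HttpSession is ever created, Basic authentication via the <http-basic/> namespace shortcut, and Digest authentication wired by hand from its filter and entry point beans. The URL patterns, bean ids, realm name, nonce key, nonce validity and the in-memory user are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Basic authentication: fully supported by the namespace.
         create-session="stateless" (new in 3.1) means no JSESSIONID is issued,
         so every request must carry its own Authorization header. -->
    <http pattern="/api/basic/**" use-expressions="true" create-session="stateless">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <http-basic />
    </http>

    <!-- Digest authentication: no <http-digest/> element exists, so the filter
         is added as a custom filter and the entry point referenced explicitly. -->
    <http pattern="/api/digest/**" use-expressions="true" create-session="stateless"
          entry-point-ref="digestEntryPoint">
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
    </http>

    <!-- Verifies the Digest "Authorization" header; needs the clear-text password
         (or MD5(username:realm:password) with passwordAlreadyEncoded=true). -->
    <beans:bean id="digestFilter"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
        <beans:property name="userDetailsService" ref="userService" />
        <beans:property name="authenticationEntryPoint" ref="digestEntryPoint" />
    </beans:bean>

    <!-- Answers anonymous requests with 401 and a WWW-Authenticate: Digest challenge.
         "key" is a server-side secret folded into the nonce; treat it like a credential. -->
    <beans:bean id="digestEntryPoint"
        class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
        <beans:property name="realmName" value="Example Realm via Digest Authentication" />
        <beans:property name="key" value="replace-with-a-long-random-secret" />
        <beans:property name="nonceValiditySeconds" value="60" />
    </beans:bean>

    <!-- Illustrative in-memory user; Digest requires the password to be recoverable. -->
    <user-service id="userService">
        <user name="user" password="userPass" authorities="ROLE_USER" />
    </user-service>

    <authentication-manager>
        <authentication-provider user-service-ref="userService" />
    </authentication-manager>
</beans:beans>
```

Two practical checks follow from this layout: with both <http> elements marked stateless, a response to any /api/** request must never carry a Set-Cookie: JSESSIONID header, and an anonymous GET on /api/digest/ must return 401 with a WWW-Authenticate: Digest header containing the realm and a nonce, while the same request on /api/basic/ returns WWW-Authenticate: Basic. Because the Digest filter compares against the stored password (or its realm-bound MD5), the user store behind it cannot use the salted hashing you would otherwise want for Basic.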
Conclusion

This article covered the configuration and implementation of both Basic and Digest authentication for a RESTful service, using mostly Spring Security 3.0 namespace support as well as some new features added by Spring Security 3.1. In the next articles I will focus on OAuth authentication. In the meantime, check out the github project.
