Secure REST Service – Basic authentication

In this tutorial, we will learn how to secure a Jersey based REST server implementation using Basic Authentication. As we have already discussed various ways of securing a REST Service, here we look in detail at Basic Authentication.

REST Basic Authentication Tutorial

In Basic Authentication, the client sends the user's credentials with every request it makes to the server. The server reads the credentials from the incoming HTTP request's Authorization header, decodes them and checks whether they belong to a valid user. If they do, it responds with the information requested; if they do not, the server responds with an error stating that the user is not authorized to access or modify the requested data.

Create POJO

 

Create Controller Class

Constants.java:


Notice that we are using the annotations @GET, @POST, @PUT and @DELETE to map the CRUD operations. javax.ws.rs.core.Response.ResponseBuilder is used wherever we need to return a specific status code.

In our POST call, we embed the location of the newly created student record in the response header. This is a widely followed convention: the REST client can issue a GET request against that location to confirm that the entity was created properly. When testing with SoapUI, the Location header can be seen among the response headers, as in the following screenshot:

Figure: Basic authentication post call

Pom.xml Dependencies For XML And JSON

The following dependencies need to be added to pom.xml so that the XML and JSON media types are supported. Note that the first two dependencies are added to avoid errors, since we are using Jersey 2.0.

 

 

Implementation For The ContainerRequestFilter Interface

We will create a class named AuthFilter that does the authentication by inspecting the authorization headers.


Our AuthService is nothing but a simple class with a boolean method that validates the data carried in the Authorization header. The header is sent in the format "Basic <encodedString>", where the encoded string is the Base64 encoding of the credentials. We decode it to obtain a string in the format "username:password" and then check whether those credentials are valid.
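The filter and the credential check described above, as an added example that is not the tutorial's own AuthFilter or AuthService code; it also handles the cases the text glosses over: a missing or non-Basic header, malformed Base64, and a password that itself contains ':'. It assumes Jersey 2 with the javax.ws.rs API and Java 8's java.util.Base64, uses the tutorial's admin / test123 credentials, and the realm name "students" is a placeholder.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.ws.rs.container.*;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
// Added example, not the tutorial's own filter: enforces HTTP Basic auth on
// every request this filter sees (Jersey 2 / javax.ws.rs API, Java 8 Base64).
@Provider
public class AuthFilter implements ContainerRequestFilter {
    // Tutorial's sample credentials; real code would check a salted hash from a user store.
    private static final String USER = "admin";
    private static final String PASSWORD = "test123";
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            abort(ctx);   // no header, or a scheme other than Basic (case-insensitive)
            return;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            abort(ctx);   // malformed Base64 is treated like bad credentials
            return;
        }
        // Split on the first ':' only, since RFC 7617 allows ':' in the password.
        int sep = decoded.indexOf(':');
        if (sep < 0 || !constantTimeEquals(decoded.substring(0, sep), USER)
                || !constantTimeEquals(decoded.substring(sep + 1), PASSWORD)) {
            abort(ctx);   // on success we fall through and the resource method runs
        }
    }
    // MessageDigest.isEqual is constant-time, so timing does not reveal how many leading characters matched.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
    // 401 plus a WWW-Authenticate challenge, as RFC 7235 requires.
    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"students\"")
                .build());
    }
}
```

Register the class with the application (for example through the ResourceConfig's package scanning) so that Jersey picks up the @Provider annotation.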

Testing Using Jersey-based REST Client Program

The Jersey client created in the earlier tutorial can be reused, and the user credentials can be added in the following manner. This has to be done before creating the WebTarget instance.

In our example, the username is admin and the password is test123.

Testing Using SoapUI

The Accept headers can be added as shown in the following screenshot:

Figure: SoapUI Accept headers

The credentials for authentication can be added via the Auth tab, as shown in the following screenshot:

Figure: Adding credentials for the REST API

Summary

In this tutorial we saw how easy it is to secure a REST service using Basic Authentication. It is not the strongest way of securing a REST service, since the credentials travel with every request, but it does provide protection at a basic level.
