
Securing REST APIs or Web Application With Basic Authentication

September 5th, 2013

If you implement REST Web Services, you want to secure them. The simplest approach is HTTP basic authentication with a user name and password. To protect all the resources behind the REST APIs, you can simply implement a filter, as introduced in Java Servlet 2.3.

As I searched the Internet, I could not find an out-of-the-box filter implementation. After spending a bit of time on it, I got a simple filter working, as listed below. Although designed to protect REST APIs, it can actually work with any Web application (a REST API service is essentially a Web application that returns XML or JSON content instead of HTML).


The sample just checks a hardcoded user name and password. In a real project, you want to check the combination against a database, SSO, or simply a file. Whatever the source of the credentials, it’s important to validate the user and get her role, which can then be handed on to other parts of the application as well.

package org.doublecloud.rest.demo;
 
import java.io.IOException;
import java.nio.charset.StandardCharsets;
 
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
 
// Basic authentication only base64-encodes the credential, it does not encrypt it,
// so a filter like this is only meaningful when the application is served over TLS.
@WebFilter("/*")
public class BasicAuthFilter implements Filter
{
  private static final String CHALLENGE = "Basic realm=\"REST API\"";
 
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
 
    try
    {
      String authHeader = req.getHeader("Authorization");
 
      // No header, or a scheme other than Basic: challenge the client rather than parsing an unrelated value
      if(authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6))
      {
        unauthorized(res);
        return;
      }
 
      String encodedCred = authHeader.substring(6).trim(); // after the "Basic "
      byte[] plainCred = DatatypeConverter.parseBase64Binary(encodedCred);
      String userPass = new String(plainCred, StandardCharsets.UTF_8); // explicit charset, not the platform default
 
      // The decoded credential is "user:password"; the password may itself contain colons, so split on the first one only
      int pos = userPass.indexOf(':');
      if(pos < 0)
      {
        unauthorized(res); // not in user:password form
        return;
      }
      String user = userPass.substring(0, pos);
      String password = userPass.substring(pos + 1);
 
      // Hardcoded for the sample only; see the text above for where real credentials should come from
      if("admin".equals(user) && "doublecloud".equals(password))
      {
        req.setAttribute("user", user);
        chain.doFilter(req, res); // pass the request along the filter chain
      }
      else
      {
        unauthorized(res);
      }
    }
    catch(Exception e)
    {
      res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
  }
 
  // A 401 must carry a WWW-Authenticate challenge so the client knows which scheme (and realm) to answer with
  private static void unauthorized(HttpServletResponse res) throws IOException
  {
    res.setHeader("WWW-Authenticate", CHALLENGE);
    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }
 
  public void init(FilterConfig fConfig) throws ServletException
  {}
 
  public void destroy()
  {}
}
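The filter above compares against a hardcoded pair; the paragraph before the listing says a real project should check the credentials against a database, SSO or a file and obtain the user's role. As an added example that is not part of the original post, here is a file-backed store of that kind: one line per user with a salted PBKDF2 hash (never the raw password), a constant-time comparison, equal work for unknown users so that response time does not reveal which user names exist, and a role the filter can hand on with `req.setAttribute`. The class name, the `user:role:iterations:salt:hash` line format and the sample entries are assumptions made for this example.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
/** Credential store behind the filter; the "user:role:iterations:salt:hash" line format is hypothetical. */
public class CredentialStore {
    private static final int ITERATIONS = 100_000, SALT_LEN = 16, HASH_LEN = 32;
    private static final Base64.Encoder B64 = Base64.getEncoder();
    // Fake entry used for unknown users so that they cost the same PBKDF2 work as real ones.
    private static final String[] DUMMY = { "", "" + ITERATIONS,
            B64.encodeToString(new byte[SALT_LEN]), B64.encodeToString(new byte[HASH_LEN]) };
    private final Map<String, String[]> entries = new HashMap<>(); // user -> {role, iterations, salt, hash}
    public CredentialStore(String fileContents) {
        for (String line : fileContents.split("\n")) {
            if (line.trim().isEmpty() || line.startsWith("#")) continue;
            String[] f = line.trim().split(":");                     // base64 fields never contain ':'
            if (f.length != 5) throw new IllegalArgumentException("malformed entry: " + line);
            entries.put(f[0], new String[] { f[1], f[2], f[3], f[4] });
        }
    }
    /** PBKDF2-HMAC-SHA256 stretch: the file stores this, never the raw password. */
    static byte[] derive(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_LEN * 8);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }
    /** Produces the store line an enrolment tool would append for a new user. */
    public static String enroll(String user, String role, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return user + ":" + role + ":" + ITERATIONS + ":" + B64.encodeToString(salt) + ":"
                + B64.encodeToString(derive(password, salt, ITERATIONS));
    }
    /** Returns the user's role when the password matches, null otherwise; the comparison is constant-time. */
    public String authenticate(String user, char[] password) throws GeneralSecurityException {
        String[] e = entries.getOrDefault(user, DUMMY);
        Base64.Decoder d = Base64.getDecoder();
        byte[] actual = derive(password, d.decode(e[2]), Integer.parseInt(e[1]));
        boolean ok = MessageDigest.isEqual(d.decode(e[3]), actual) & entries.containsKey(user);
        return ok ? e[0] : null;
    }
    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample file (a real deployment reads it from disk instead of enrolling at startup).
        CredentialStore store = new CredentialStore("# user:role:iterations:salt:hash\n"
                + enroll("admin", "administrator", "doublecloud".toCharArray()) + "\n");
        System.out.println(store.authenticate("admin", "doublecloud".toCharArray())); // valid login: the role
        System.out.println(store.authenticate("admin", "wrong".toCharArray()));       // wrong password
        System.out.println(store.authenticate("mallory", "x".toCharArray()));         // unknown user
    }
}
```

In the filter, the hardcoded check would become a call to `authenticate(user, password.toCharArray())`, storing the returned role on the request alongside the user name and answering 401 when it is null.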