Northern Virginia Software Symposium

November 1 - 3, 2019

Securing Spring: REST and OAuth2

Saturday - Nov 2 9:00 AM

Craig Walls

Craig Walls

Author of Spring in Action

In this session, we'll explore Spring Security and OAuth2, including building an OAuth2 authorization server, fronting an API with a resource server, and verifying an OAuth2 access token's claims to ensure that the client is allowed to access the resource they are asking for.

Securing REST APIs presents some unique challenges as compared to securing a typical web application. The client of any REST endpoint may not even be a user in the traditional sense, but is more likely to be another application or a browser-based Javascript client. How can you ensure that the clients of your REST API are allowed to access the resources they are asking for?

OAuth2 offers a means by which a client application can request authorization to access a resource and be given an access token that must be presenting when making HTTP requests. This involves creating an authorization server that issues tokens and defining a resource server which acts as a wall around an API that verifies the presented access token's claims before allowing the request to proceed.

Spring Security has historically supported OAuth2 as part of a separate project called Spring Security for OAuth. But gradually, Spring's OAuth2 support is moving into the main Spring Security project.

About Craig Walls

Craig Walls is a principal engineer with Pivotal and is the author of Spring in Action and Spring Boot in Action. He's a zealous promoter of the Spring Framework, speaking frequently at local user groups and conferences and writing about Spring. When he's not slinging code, Craig is planning his next trip to Disney World or Disneyland and spending as much time as he can with his wife, two daughters, 2 birds and 3 dogs.