Securing REST Services
REST services must be secured explicitly. They are stateless: the server keeps no session, so there is no login cookie that silently authenticates later requests, and every request has to carry its own proof of identity in an HTTP header.
Basic Authentication
The simplest scheme is HTTP Basic Authentication. On every request the client sends the username and password, joined with a colon and base64-encoded, in the Authorization header:
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
That string decodes to aladdin:opensesame. Base64 is an encoding, not encryption, so anyone who can read the traffic obtains the password itself, and it is retransmitted on every call. Basic Auth is trivial to implement, but it must only ever be used over HTTPS (TLS), and the server should store passwords only as salted hashes, since it has to check them on each request.
JWT and OAuth2
JSON Web Tokens (JWT), carried as OAuth2 bearer tokens, are the modern standard for REST API security. The flow is:
- The user posts credentials to /api/login.
- The server verifies the credentials against the database.
- The server builds a JWT (a header, a set of claims such as the subject and an expiry time, and a signature) and signs it with its key: a shared secret for HMAC algorithms such as HS256, or a private key for RS256/ES256. It returns the token string to the client.
- The client stores the token and sends it on every subsequent API request in the Authorization: Bearer header.
The Spring Security backend is configured as an OAuth2 Resource Server, which decodes each incoming JWT, verifies its signature and checks its expiry before the request reaches any controller; a request with a missing, tampered or expired token is rejected with 401.
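The complete flow, as an example added here rather than code from the original tutorial: a /api/login endpoint that checks the credentials and mints a short-lived HS256 token, and a resource-server filter chain that verifies the token on every other request. It assumes Spring Boot 3 with Spring Security 6 and the spring-boot-starter-oauth2-resource-server dependency, a UserDetailsService and PasswordEncoder bean defined elsewhere (the database lookup of the flow), a shared secret of at least 32 bytes supplied through the hypothetical property app.jwt.secret, and the hypothetical package com.example.security. It is an alternative to a Basic Auth chain, not something to combine with one.

```java
// Added example, not the tutorial's code. Assumes Spring Boot 3 / Spring Security 6 with the
// oauth2-resource-server starter, UserDetailsService + PasswordEncoder beans defined elsewhere,
// and a >=32-byte HS256 secret in the hypothetical property app.jwt.secret.
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@Configuration
@EnableWebSecurity
public class JwtSecurityConfig {
    private final SecretKey key;
    public JwtSecurityConfig(@Value("${app.jwt.secret}") String secret) {
        // One shared HS256 secret: it signs at /api/login and verifies on every other request.
        this.key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    }
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Stateless API: no session cookie is ever issued, so there is no CSRF surface.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/login").permitAll()
                .anyRequest().authenticated())
            // Resource server: everything else must carry "Authorization: Bearer <jwt>". The decoder
            // checks signature and exp before any controller runs; otherwise the answer is 401.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
    @Bean
    JwtDecoder jwtDecoder() {
        // Pin the algorithm: a token whose header claims anything other than HS256 is rejected.
        return NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build();
    }
    @Bean
    JwtEncoder jwtEncoder() {
        return new NimbusJwtEncoder(new ImmutableSecret<>(key));
    }
    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration cfg) throws Exception {
        return cfg.getAuthenticationManager(); // delegates to the UserDetailsService + PasswordEncoder beans
    }
}

@RestController
class LoginController {
    record LoginRequest(String username, String password) {}
    record TokenResponse(String token, long expiresIn) {}
    private static final Duration TTL = Duration.ofMinutes(15);
    private final AuthenticationManager authManager;
    private final JwtEncoder encoder;
    LoginController(AuthenticationManager authManager, JwtEncoder encoder) {
        this.authManager = authManager;
        this.encoder = encoder;
    }
    @PostMapping("/api/login")
    TokenResponse login(@RequestBody LoginRequest req) {
        Authentication auth;
        try {
            auth = authManager.authenticate(new UsernamePasswordAuthenticationToken(req.username(), req.password()));
        } catch (AuthenticationException e) {
            // Same answer for unknown user and wrong password: no username enumeration.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "bad credentials");
        }
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
            .subject(auth.getName())
            .issuedAt(now)
            .expiresAt(now.plus(TTL)) // short-lived: a stolen token is usable for 15 minutes at most
            .build();
        JwsHeader header = JwsHeader.with(MacAlgorithm.HS256).build();
        String token = encoder.encode(JwtEncoderParameters.from(header, claims)).getTokenValue();
        return new TokenResponse(token, TTL.toSeconds());
    }
}
```

A client first POSTs `{"username": "...", "password": "..."}` to /api/login and then sends `Authorization: Bearer <token>` on every other call. Two design choices worth noting: the decoder pins HS256 so that a token whose header names another algorithm is rejected rather than verified under a different scheme, and the expiry is kept short because a stateless resource server cannot revoke a token it has already signed; anything that must be revocable needs a refresh token or a server-side denylist, which this example deliberately does not include.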