
1 Introduction to the Spring Security REST plugin - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.4.0

1 Introduction to the Spring Security REST plugin

The Spring Security REST Grails plugin allows you to use Spring Security for a stateless, token-based, RESTful authentication.

This plugin depends on Spring Security Core 2.x. Make sure your application is compatible with that version first. There is a feature request that may be addressed in the future if there is enough community interest / love :)

The default behaviour of Spring Security is to store the authenticated principal in the HTTP session. However, in a RESTful scenario, we need to make sure our server is stateless.

If you are writing an API that will be used by other programs, you can use OAuth for this. But if you are exposing your API to a front-end JavaScript client that implements a Single Page Interface, OAuth is not an option, especially if you want to authenticate end users against your own user backend (eg: LDAP). In this case, a token-based authentication may be a more suitable implementation, like the following:

  1. The client application requests an endpoint that requires authentication, so the server responds with a 401 response.
  2. The client redirects the user to the login form.
  3. The user enters credentials, and the client sends a request to the authentication endpoint. The server validates the credentials and, if they are valid, generates, stores and sends back a token to the client.
  4. The client then stores the token internally. It will be sent on every API method request.
  5. The client sends again a request to the protected resource, passing the token as an HTTP header.
  6. The server validates the token, and if valid, executes the actual operation requested.

As per the REST definition, the client is transferring its state on every request, so the server is truly stateless. Storing tokens on the server is just an alternative to using HTTP Basic authentication (see FAQ), so that credentials are not passed on every request. It also makes the validation step (#5 in the diagram) faster, because the tokens and the associated principal information may be cached. Finally, storing tokens gives you the chance to decide about expiration strategies.
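The six-step exchange above, together with the server-side token store and expiration strategy discussed in this paragraph, as an added example that is not part of the plugin's own code. It simulates both sides of the exchange in plain Python without a network: the user backend, the salt, the token TTL and the `Bearer` header scheme are constructed assumptions for the illustration, standing in for the LDAP/database backend and the Memcached/GORM/Grails Cache stores the plugin actually provides.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user backend: username -> salted SHA-256 of the password.
# Assumption for the example only; a real backend would use bcrypt/scrypt/argon2.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

TOKEN_TTL_SECONDS = 3600          # assumed expiration strategy: fixed lifetime
_TOKENS = {}                      # server-side token store: token -> (user, expiry)


def _check_password(username, password):
    stored = _USERS.get(username)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # Constant-time compare; computed even for unknown users so timing is uniform.
    return stored is not None and hmac.compare_digest(stored, candidate)


def login(username, password, now=None):
    """Step 3: validate credentials, then generate, store and return a token."""
    now = time.time() if now is None else now
    if not _check_password(username, password):
        return 401, {"error": "invalid credentials"}, {}
    token = secrets.token_urlsafe(32)            # unguessable, from the OS CSPRNG
    _TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    return 200, {"access_token": token, "token_type": "Bearer"}, {}


def _principal_for(headers, now):
    """Step 6: resolve the principal from the Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del _TOKENS[token]                        # drop stale tokens on use
        return None
    return username


def get_protected(headers, now=None):
    """Steps 1 and 5: a resource that requires authentication."""
    now = time.time() if now is None else now
    user = _principal_for(headers, now)
    if user is None:
        # Step 1: no usable token -> 401, telling the client which scheme to use
        return 401, {"error": "authentication required"}, {"WWW-Authenticate": "Bearer"}
    return 200, {"message": f"hello {user}"}, {}


def run_flow(now=0.0):
    """Walk the whole exchange with a constructed client; returns the status codes seen."""
    statuses = []
    status, _, _ = get_protected({}, now)                  # step 1: no token
    statuses.append(status)
    status, _, _ = login("alice", "wrong", now)            # step 3, bad password
    statuses.append(status)
    status, body, _ = login("alice", "correct horse", now)  # step 3, valid
    statuses.append(status)
    hdrs = {"Authorization": f"Bearer {body['access_token']}"}  # step 4: client keeps it
    status, _, _ = get_protected(hdrs, now)                # steps 5-6: accepted
    statuses.append(status)
    status, _, _ = get_protected(hdrs, now + TOKEN_TTL_SECONDS + 1)  # expired
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(run_flow())   # [401, 401, 200, 200, 401]
```

The `now` parameter exists so the expiry path can be exercised deterministically; in production the server clock is used. Note that the lookup in step 6 never touches the user backend: the token store answers from its own copy of the principal, which is exactly why caching the store makes validation cheap.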

More information about this strategy can be found on this post by James Ward.

This plugin helps you to wire your existing Spring Security authentication mechanism, provides you with ready-to-use token generation strategies and comes prepackaged with Memcached, GORM and Grails Cache support for token storage.

Release History