Secure endpoint protection in a Java REST framework is crucial and can be achieved through the following mechanisms: authentication and authorization (JWT or an OAuth2 authorization server); data validation (input validation and output encoding); and defense against attacks (SQL injection protection, CSRF protection and rate limiting).
In today's internet-based world, protecting API endpoints from malicious attacks is critically important. The Java REST framework provides various mechanisms to secure endpoints, and this article shows how to use these features for effective protection.
1. Authentication and Authorization
JWT (JSON Web Token): Generate a JWT after the user authenticates, return it to the client, and require the client to pass the token with each request to access the protected endpoints.
// Login endpoint that issues a signed JWT. The caller's credentials must already have been
// verified (for example by an AuthenticationManager) before a token is issued.
// jwtKey is an HMAC key of at least 256 bits loaded from secured configuration (here an
// environment variable, as an illustration); a short hard-coded string such as "secretkey"
// is too weak for HS256 and is rejected by jjwt.
private final Key jwtKey = Keys.hmacShaKeyFor(System.getenv("JWT_SECRET").getBytes(StandardCharsets.UTF_8));

@PostMapping("/login")
public ResponseEntity<String> login(@RequestBody User user) {
    String jwt = Jwts.builder()
            .setSubject(user.getUsername())
            .setExpiration(Date.from(Instant.now().plusMillis(60000L))) // token is valid for 60 seconds
            .signWith(jwtKey)                                              // HS256 is inferred from the key size
            .compact();
    return ResponseEntity.ok(jwt);
}
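The article shows only the issuing side of the JWT flow. The filter below is an added example (not code from the original article) of the verifying side: it parses the Bearer token with jjwt, rejects tampered, unsigned or expired tokens, and populates the Spring Security context. It assumes jjwt 0.11.x, Spring Boot 2 with Spring Security 5 (javax.servlet), that the HMAC key is read from a JWT_SECRET environment variable like the signing side, and that every valid token grants a fixed ROLE_USER authority; all three are assumptions for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    // Same key material as the /login signing side; must be at least 256 bits for HS256.
    // Reading it from the JWT_SECRET environment variable is an assumption of this example.
    private final Key key = Keys.hmacShaKeyFor(
            System.getenv("JWT_SECRET").getBytes(StandardCharsets.UTF_8));

    // A parser bound to a key only accepts signed tokens (JWS) whose signature verifies;
    // unsigned tokens ("alg": "none"), bad signatures and expired tokens throw JwtException.
    private final JwtParser parser = Jwts.parserBuilder().setSigningKey(key).build();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Claims claims = parser.parseClaimsJws(header.substring(7)).getBody();
                // Signature and expiry are valid: authenticate the subject for this request only.
                // Roles are not carried in the token, so a fixed ROLE_USER is assumed here.
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(claims.getSubject(), null,
                                AuthorityUtils.createAuthorityList("ROLE_USER")));
            } catch (JwtException e) {
                // Tampered, expired or malformed token: reject rather than continue unauthenticated.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid or expired token");
                return;
            }
        }
        chain.doFilter(request, response); // no token: the authorization rules decide (401 on protected paths)
    }
}
```

Register the filter before UsernamePasswordAuthenticationFilter in the security configuration so that protected endpoints see the authenticated subject.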
OAuth2 Authorization Server: Integrate an OAuth2 authorization server to authenticate users securely through external services.
@PostMapping("/oauth2/access-token")
public ResponseEntity<String> accessToken(@RequestBody OAuth2Request oauth2Request) {
    // getOAuth2Authentication() is the application's own method that exchanges the incoming
    // grant with the authorization server and returns the resulting authentication.
    OAuth2Authentication oauth2Authentication = getOAuth2Authentication(oauth2Request);
    return ResponseEntity.ok(oauth2Authentication.getAccessToken());
}
2. Data validation
Input validation: Use the Bean Validation @Valid annotation on the Jackson-deserialized request body, together with an implementation such as Hibernate Validator, to validate the request body.
@PostMapping("/create")
public ResponseEntity<Void> create(@RequestBody @Valid User user) {
    // The User object is validated automatically; constraint violations produce a 400 response.
    return ResponseEntity.created(URI.create("/" + user.getId())).build();
}
Output encoding: Use Jackson's @JsonView annotation or other libraries to control field visibility in the returned JSON response.
3. Defense against attacks
SQL injection protection: Use tools such as Hibernate Validator to ensure that query parameters contain no malicious SQL statements.
<property name="hibernate.validator.allow_blank_string_parameters" value="false" />
CSRF Protection: Use Spring Security's CsrfTokenRepository component or another mechanism to prevent cross-site request forgery attacks.
public class CsrfFilter extends OncePerRequestFilter {

    // Safe (read-only) methods carry no CSRF token, so they pass through unchecked,
    // as in Spring Security's own CSRF filter.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        if (!SAFE_METHODS.contains(request.getMethod())) {
            // The expected token is stored by the CsrfTokenRepository under this request attribute.
            CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            String header = request.getHeader("X-CSRF-Token");
            // Constant-time comparison so the check does not leak the token byte by byte.
            if (token == null || header == null
                    || !MessageDigest.isEqual(token.getToken().getBytes(StandardCharsets.UTF_8),
                                              header.getBytes(StandardCharsets.UTF_8))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
                return;
            }
        }
        filterChain.doFilter(request, response);
    }
}
Practical case:
Use Spring Boot and Spring Security to protect REST API endpoints:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()   // the login endpoint stays public
                .anyRequest().authenticated()        // every other endpoint requires authentication
            .and()
            .oauth2Login();
    }
}
@PostMapping("/create")
public ResponseEntity<Void> create(@RequestBody @Valid User user) {
    return ResponseEntity.created(URI.create("/" + user.getId())).build();
}
<property name="hibernate.validator.allow_blank_string_parameters" value="false" />
@Bean
public CsrfFilter csrfFilter() {
    // Declaring the filter as a bean makes Spring Boot register it in the servlet filter chain.
    return new CsrfFilter();
}
The above is the detailed content of Secure endpoint protection for Java REST framework. For more information, please follow other related articles on the PHP Chinese website!