Disable CSRF and set session creation policy to STATELESS in SecurityConfig to ensure no session is created; 2. Use JWT for token-based authentication by generating a signed token after login and returning it to the client; 3. Validate the JWT in a custom filter (JwtAuthFilter) that extracts the token from the Authorization header and sets authentication in the security context; 4. Secure endpoints using role-based access control via request matchers or method-level annotations like @PreAuthorize; 5. Follow best practices including using HTTPS, short-lived tokens, refresh tokens, rate limiting, and avoiding token logging to enhance security. This approach ensures secure, stateless, and scalable REST APIs in Java with Spring Security.

Securing REST APIs in Java using Spring Security is a common requirement for modern web applications. Since REST APIs are stateless by design, traditional session-based security doesn't fit well. Spring Security, however, provides flexible tools to secure REST endpoints effectively—especially when combined with token-based authentication like JWT (JSON Web Tokens).

Here’s how to properly secure REST APIs in Java using Spring Security:

1. Disable CSRF and Enable Stateless Authentication

REST APIs are typically consumed by frontend apps, mobile clients, or third-party services, not browsers relying on cookies. So, CSRF protection is unnecessary and can interfere with API calls.

In your SecurityConfig, disable CSRF and set the session strategy to stateless:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()  // Not needed for stateless APIs
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .httpBasic().disable() // Prefer token-based over Basic Auth
            .addFilterBefore(jwtAuthFilter(), UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(
            AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public JwtAuthFilter jwtAuthFilter() {
        return new JwtAuthFilter();
    }
}

? Key Point: Use SessionCreationPolicy.STATELESS so Spring doesn’t create or use HTTP sessions.

2. Use JWT for Token-Based Authentication

JWT is a compact, URL-safe way to represent claims between parties. It’s ideal for REST APIs because it carries user info and is self-contained.

Steps to Implement JWT:

• Generate Token: After successful login, generate a JWT containing user details (e.g., username, roles).
• Send Token: Return it in the response (usually in JSON body or Authorization header).
• Validate Token: On each request, extract and validate the JWT from the Authorization: Bearer <token> header.

Example of a simple JwtUtil class:

@Component
public class JwtUtil {
    private String secret = "yourSecretKey"; // Use a strong key from environment
    private int expiry = 86400; // 24 hours

    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis()   expiry * 1000))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    public boolean isTokenValid(String token, String username) {
        return getUsernameFromToken(token).equals(username) && !isTokenExpired(token);
    }

    public String getUsernameFromToken(String token) {
        return getClaim(token, Claims::getSubject);
    }

    private <T> T getClaim(String token, Function<Claims, T> resolver) {
        Claims claims = Jwts.parser()
                .setSigningKey(secret)
                .parseClaimsJws(token)
                .getBody();
        return resolver.apply(claims);
    }

    private boolean isTokenExpired(String token) {
        return getClaim(token, Claims::getExpiration).before(new Date());
    }
}

?? Never hardcode the secret key in production—use environment variables or a secrets manager.

3. Custom Filter to Intercept and Validate JWT

Create a filter that runs before the main authentication chain to check for the JWT in the request header.

@Component
public class JwtAuthFilter extends OncePerRequestFilter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {

        final String header = request.getHeader("Authorization");
        String jwt = null;
        String username = null;

        if (header != null && header.startsWith("Bearer ")) {
            jwt = header.substring(7);
            try {
                username = jwtUtil.getUsernameFromToken(jwt);
            } catch (Exception e) {
                // Invalid token
            }
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            if (jwtUtil.isTokenValid(jwt, userDetails.getUsername())) {
                UsernamePasswordAuthenticationToken authToken =
                        new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }

        chain.doFilter(request, response);
    }
}

This filter:

• Extracts the token from the Authorization header.
• Parses and validates it.
• Loads the user and sets the authentication in the security context.

4. Secure Endpoints with Proper Role-Based Access

Use Spring Security annotations to protect methods or endpoints:

@RestController
@RequestMapping("/api/admin")
@PreAuthorize("hasRole('ADMIN')")
public class AdminController {

    @GetMapping("/users")
    public List<User> getAllUsers() {
        // Only accessible to ADMIN
    }
}

Enable method-level security:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
    // No additional config needed
}

5. Additional Security Best Practices

• ? Use HTTPS: Always serve APIs over HTTPS to protect tokens in transit.
• ? Set short token expiration: Reduce the window of exposure if a token is stolen.
• ? Refresh tokens: Use a refresh token mechanism to reissue access tokens without re-login.
• ? Rate limiting: Prevent brute-force attacks using tools like Bucket4j or Spring Cloud Gateway.
• ? Avoid logging tokens: Ensure tokens aren’t accidentally logged in server logs.

Summary

To secure REST APIs in Java with Spring Security:

• Disable CSRF and use stateless sessions.
• Use JWT for authentication instead of sessions.
• Validate tokens via a custom filter.
• Enforce access control with method or path-level security.
• Follow security best practices (HTTPS, short-lived tokens, etc.).

With this setup, your REST APIs will be both secure and scalable—perfect for SPAs, mobile apps, or microservices.

Basically, it's not complex once you get the flow: authenticate once, get a token, and prove identity on every request without sessions.

The above is the detailed content of Securing REST APIs in Java using Spring Security. For more information, please follow other related articles on the PHP Chinese website!