How to Secure REST API using Spring Security and OAuth2 - part2

Original link: sivatechlab.com

This blog post is part of a multi-part series:

Part 1 – Fundamentals of OAuth2, its roles, and Grant types
Part 2 – Setting up a starter Project with REST API endpoints (this post)
Part 3 – Adding Spring Security and OAuth2 to protect REST API endpoints
Part 4 – Authenticating user against the credentials stored in the database
Part 5 – Persisting Client registration and auth tokens in the database

In this post we are going to learn:

  • How to download a git branch from GitHub
  • How to import the project into STS IDE
  • How to deploy the application to Tomcat Application Server
  • How to verify the REST API endpoints

We are going to get the starter project from GitHub. The starter project contains the REST API endpoints, which are not secured. We will be adding code step by step to secure the endpoints.

Before we start writing code, we should make sure that we can run the starter project without any issues. We will follow these simple steps:

  • Download the starter project from GitHub
  • Import the starter project into STS IDE
  • Build the project
  • Deploy the project

Download the starter project:

A complete source code is available on GitHub. In order to follow along with this series, download the ‘beforeOAuth’ branch, which is a starter project that contains the REST API endpoints. The code used in this starter project combines the following blog posts.

How to create a REST API using Spring MVC
How to use Spring Data JPA with Spring MVC

There are two ways to download the ‘beforeOAuth’ branch.

#1) If you are using git, issue the following clone command from the folder of your choice to clone the ‘beforeOAuth’ branch.

git clone -b beforeOAuth --single-branch https://github.com/sivaappavu/crm-oauth2.git

#2) The second option is to download the ‘beforeOAuth’ branch directly from GitHub.
Go to https://github.com/sivaappavu/crm-oauth2/tree/beforeOAuth

Click ‘Clone or download’ button to download the starter project.

Then copy the downloaded zip file to a folder of your choice and unzip it.

Import the starter project into STS IDE:

Launch the STS IDE or your preferred IDE. Click on File –> Import…, expand Maven, and select ‘Existing Maven Project’ as seen in the following screenshot and click Next.

We need to select the root directory of the starter project. Click on ‘Browse’, select the root directory, and click OK.

You should get the Maven Projects screen as follows. Click the Finish button.

Build the project:

Right-click on the project in the Package Explorer window, click ‘Run as’ and then click ‘Maven build’ as follows.

Enter ‘clean package’ on the Goals input line, click Apply, and click Run.

You will see a ‘BUILD SUCCESS’ message in the Console window as follows. Make a note of the folder location of the war file.

Deploy the project:

We are going to deploy the project to the Tomcat stand-alone application server (container). If you don’t have Tomcat installed, the following section will help you.

Download and Install Tomcat on Windows:

Go to http://tomcat.apache.org/, under Tomcat 8.0.xx Released, Downloads –> 8.0.44 –> Core –> zip.

Create a folder called tomcat under the c:\ drive.

Copy the zip file to c:\tomcat and unzip it. You would end up with a directory structure like c:\tomcat\apache-tomcat-8.0.xx. Let’s refer to this folder as <TOMCAT_HOME>.

To start tomcat, run <TOMCAT_HOME>\bin\startup.bat file.

To deploy the web application, place the war file in the <TOMCAT_HOME>\webapps folder. If Tomcat is running, it will unpack the war file into a folder with the same name as the war file name without the extension.

To re-deploy the application, first delete the war file from the <TOMCAT_HOME>\webapps folder, wait a few seconds to make sure that Tomcat erases the unpacked folder, and then copy the new war file to the <TOMCAT_HOME>\webapps folder.

To stop Tomcat, press Ctrl-C on the Tomcat console.

Let’s continue to Deploy the project. Switch to STS IDE, copy the crm-oauth2.war file under the target folder as seen in the following screenshot, and paste it to <TOMCAT_HOME>\webapps folder. In case crm-oauth2.war doesn’t show up, click the target folder and press F5 to refresh. You can also navigate to the folder where the war file is generated using File Explorer.

If the Tomcat server is not already running, start the Tomcat server.

Check the Tomcat console window to make sure there are no errors or exceptions.
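The re-deploy sequence above (delete the old war, wait for Tomcat to erase the unpacked folder, copy the new war in, then check the console for errors) is easy to get wrong by hand. The following Python script is an added example, not part of the original post or the crm-oauth2 project: it automates those three steps and scans console lines for ‘SEVERE’ and ‘Exception’, which are assumed Tomcat log conventions rather than anything the post states. The <TOMCAT_HOME> and war paths are placeholders, and the sample console lines are constructed.

```python
import shutil
import tempfile
import time
from pathlib import Path

# Assumed markers for "errors or exceptions" in the Tomcat console; not taken from the post.
ERROR_MARKERS = ("SEVERE", "Exception")


def redeploy_war(tomcat_home, war_path, wait_seconds=10.0):
    """Replace the war under <TOMCAT_HOME>/webapps following the post's three manual steps."""
    webapps = Path(tomcat_home) / "webapps"
    war_path = Path(war_path)
    deployed = webapps / war_path.name        # e.g. webapps/crm-oauth2.war
    unpacked = webapps / war_path.stem        # e.g. webapps/crm-oauth2 (created by Tomcat)

    if deployed.exists():
        deployed.unlink()                     # step 1: delete the old war
    deadline = time.monotonic() + wait_seconds
    while unpacked.exists() and time.monotonic() < deadline:
        time.sleep(0.2)                       # step 2: let a running Tomcat erase the unpacked folder
    tomcat_cleaned_up = not unpacked.exists()
    if not tomcat_cleaned_up:
        shutil.rmtree(unpacked)               # Tomcat is stopped or slow: remove the stale folder ourselves
    shutil.copy2(war_path, deployed)          # step 3: copy the new war in
    return {"war_deployed": deployed.exists(),
            "stale_folder_present": unpacked.exists(),
            "tomcat_cleaned_up": tomcat_cleaned_up}


def find_log_errors(log_lines):
    """Return the console lines a person would flag when checking Tomcat for errors."""
    return [line for line in log_lines if any(marker in line for marker in ERROR_MARKERS)]


# Constructed sample console lines (not real Tomcat output) for find_log_errors.
SAMPLE_LOG = [
    "INFO [main] HostConfig.deployWAR Deploying web application archive crm-oauth2.war",
    "SEVERE [main] StandardContext.startInternal One or more listeners failed to start.",
    "INFO [main] Catalina.start Server startup in 2210 ms",
]


def demo_redeploy():
    """Run redeploy_war against a throw-away fake <TOMCAT_HOME> (no Tomcat needed)."""
    root = Path(tempfile.mkdtemp(prefix="fake-tomcat-"))
    webapps = root / "webapps"
    (webapps / "crm-oauth2").mkdir(parents=True)          # stale unpacked folder
    (webapps / "crm-oauth2.war").write_bytes(b"old")       # previously deployed war
    new_war = root / "target" / "crm-oauth2.war"           # what 'clean package' produced
    new_war.parent.mkdir()
    new_war.write_bytes(b"new")
    result = redeploy_war(root, new_war, wait_seconds=0.5)
    result["deployed_is_new"] = (webapps / "crm-oauth2.war").read_bytes() == b"new"
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    # For a real deployment call redeploy_war(r"c:\tomcat\apache-tomcat-8.0.xx", "target/crm-oauth2.war").
    print(demo_redeploy())
    print(find_log_errors(SAMPLE_LOG))
```

When Tomcat is running, `tomcat_cleaned_up` comes back True and the script never has to delete the folder itself; a False value with the server up means Tomcat did not remove the old context within the wait, which is worth a look in the console before trusting the new deployment.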

Testing REST API endpoints

Launch Postman app. If you don’t have the Postman tool installed, see the ‘How To Test’ section in this post.

List of Customers (GET):

Enter the following URL in the ‘Enter request URL’ box and click on the Send button.
http://localhost:8080/crm-oauth2/api/customers

The database is already populated with a sample customer. Take a look at the CustomerService class under com.stl.crm.service package. The getCustomers method checks the database and if there is no data, it adds a new customer.

Add a Customer (POST):

Enter the following URL:
http://localhost:8080/crm-oauth2/api/customers

Make sure to select the HTTP method as POST.

Select the ‘Body’ tab, click on the ‘raw’ radio button under the Body tab, click the drop-down arrow next to ‘Text’ and select JSON (application/json). Enter the following JSON data as the body.

{
"name": "Microsoft Inc",
"address": "Redmond, WA 98052-6399",
"phone": "425-882-8080",
"contact": "IT Sales Manager"
}

Your selection should match the following screen. Click on the Send button and verify the response. Note down the id value.

GET a Customer (GET):

To get a specific Customer, enter the following URL and replace the <id> with the value of id you got in the above section. Select the HTTP method as GET.
http://localhost:8080/crm-oauth2/api/customers/<id>

Update a customer (PUT):

Enter the following URL and select the HTTP method as PUT.
http://localhost:8080/crm-oauth2/api/customers/<id>

Select the ‘Body’ tab, click on the ‘raw’ radio button, and select JSON (application/json). Enter the following JSON data, as we are making changes to the contact and phone fields.

{
"id": <id>,
"name": "Microsoft Inc",
"address": "Redmond, WA 98052-6399",
"phone": "1-800-882-8080",
"contact": "HR Manager"
}

Your selection should match the following screen. Click on the Send button and verify the response. You should get the updated customer data back.

Delete a customer (DELETE):

Enter the following URL and select the HTTP method as DELETE.
http://localhost:8080/crm-oauth2/api/customers/<id>

Click on the Send button and verify the response status ‘200 OK’.

That’s all with the basic testing. You can run more tests to get familiar with these endpoints.
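The Postman walk-through above can be turned into a repeatable check. The script below is an added example, not code from the post or the crm-oauth2 project: it replays the same GET, POST, GET-by-id, PUT and DELETE sequence over plain HTTP with no Authorization header and reports whether the write operations were accepted without credentials. Against the starter project they will be, which is exactly what the later parts of the series change. The base URL and JSON fields come from the post; the in-memory stub server is a constructed stand-in so the script runs offline, and the real project's response codes for POST and PUT are assumed to be 2xx.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Tomcat-hosted URL from the post; use it once the war is really deployed.
BASE_URL = "http://localhost:8080/crm-oauth2/api/customers"


def send(method, url, body=None):
    """Issue one request with no Authorization header; return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def crud_smoke_test(base_url):
    """Replay the post's Postman sequence and return {step: HTTP status}."""
    results = {}
    results["list"], _ = send("GET", base_url)
    results["create"], created = send("POST", base_url, {   # POST body from the post
        "name": "Microsoft Inc", "address": "Redmond, WA 98052-6399",
        "phone": "425-882-8080", "contact": "IT Sales Manager"})
    cid = created["id"]
    results["read"], _ = send("GET", f"{base_url}/{cid}")
    changed = dict(created, phone="1-800-882-8080", contact="HR Manager")  # PUT body from the post
    results["update"], _ = send("PUT", f"{base_url}/{cid}", changed)
    results["delete"], _ = send("DELETE", f"{base_url}/{cid}")
    results["read_after_delete"], _ = send("GET", f"{base_url}/{cid}")
    return results


def unauthenticated_writes_accepted(results):
    """True when create/update/delete succeeded with no credentials: the state before OAuth2 is added."""
    return all(200 <= results[step] < 300 for step in ("create", "update", "delete"))


class StubCustomersApi(BaseHTTPRequestHandler):
    """Constructed in-memory stand-in for the unsecured API: no auth check, like the starter project."""
    store = {1: {"id": 1, "name": "Sample Customer", "address": "", "phone": "", "contact": ""}}
    next_id = 2

    def _reply(self, status, payload=None):
        body = json.dumps(payload).encode() if payload is not None else b""
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _id(self):  # trailing numeric path segment, or None for the collection URL
        tail = self.path.rstrip("/").rsplit("/", 1)[-1]
        return int(tail) if tail.isdigit() else None

    def _body(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length)) if length else None

    def do_GET(self):
        cid = self._id()
        if cid is None:
            self._reply(200, list(self.store.values()))
        elif cid in self.store:
            self._reply(200, self.store[cid])
        else:
            self._reply(404)

    def do_POST(self):
        cls = type(self)
        cls.store[cls.next_id] = dict(self._body(), id=cls.next_id)
        self._reply(200, cls.store[cls.next_id])
        cls.next_id += 1

    def do_PUT(self):
        cid = self._id()
        if cid not in self.store:
            return self._reply(404)
        self.store[cid] = dict(self._body(), id=cid)
        self._reply(200, self.store[cid])

    def do_DELETE(self):
        if self.store.pop(self._id(), None):
            self._reply(200)
        else:
            self._reply(404)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_stub_server():
    """Start the stand-in API on a free localhost port; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), StubCustomersApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/crm-oauth2/api/customers"


if __name__ == "__main__":
    # Swap start_stub_server() for BASE_URL to run the same check against the deployed war.
    outcome = crud_smoke_test(start_stub_server())
    print(outcome, "unauthenticated writes accepted:", unauthenticated_writes_accepted(outcome))
```

Keep the script around: once Spring Security and OAuth2 are in place, the same run should report the write steps as rejected (401 or 403) rather than accepted, which makes it a quick regression check that the endpoints did not silently become open again.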

Conclusion

In this post, we saw how the REST API works. We learned how to download the starter project from GitHub, import the project into the IDE, deploy it to a stand-alone Tomcat server, and test the REST API endpoints using Postman.

What’s Next in this series?

In the next part of this series, we will implement OAuth2 to protect the REST API endpoints.
