Protecting your REST API

Mislav Miličević edited this page Feb 13, 2020 · 3 revisions

If you're using Spring as your web development framework of choice, you can easily protect your REST API with a Spring Filter that RSP4J provides.

Before you continue reading the guide, make sure you have the filter dependency installed. If you don't have it installed, head over to our dependency installation guide.

Registering the Filter

In order to register the Spring Filter, we must extend the AbstractProtectedRouteFilter class and annotate it with @Component:

import com.nsoft.api.security.spring.filter.AbstractProtectedRouteFilter;
import com.nsoft.api.security.spring.filter.ProtectedRouteFilterConfiguration;
import com.nsoft.api.security.spring.filter.route.ProtectedRouteRegistry;
import org.springframework.stereotype.Component;

@Component
public class MyRouteFilter extends AbstractProtectedRouteFilter {

    @Override
    protected void configureFilter(ProtectedRouteFilterConfiguration configuration) {
        // filter configuration goes here (see "Configuring the Filter")
    }

    @Override
    protected void registerProtectedRoutes(ProtectedRouteRegistry registry) {
        // route registrations go here (see "Protecting API routes")
    }
}

Configuring the Filter

Before the Filter can function properly, it needs to be configured. This is done inside the #configureFilter method.

When configuring the filter, the only required property is the processor configuration, which can be set as follows:

@Override
protected void configureFilter(ProtectedRouteFilterConfiguration configuration) {
    configuration.setJWTProcessorConfiguration(new MyProcessorConfiguration());
}

If you don't have a processor configuration ready, please take a look at our Creating a Processor Configuration guide.

Protecting API routes

To protect your API routes via the filter, they must be explicitly registered in the #registerProtectedRoutes method:

@Override
protected void registerProtectedRoutes(ProtectedRouteRegistry registry) {
    registry.registerRoute("/route1"); // protects route for all HTTP methods

    registry.registerRoute("/route2", "GET"); // protects route only for GET requests
    
    registry.registerRoute("/route3/*"); // protects route with * as a placeholder for a single resource

    registry.registerRoute("/route4/**"); // protects route with ** as a placeholder for multiple layers of resources
}
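
Because only explicitly registered routes are protected, it is worth checking which requests the patterns above actually cover. The following is an added example, not RSP4J code: it assumes the registry matches patterns Ant-style, the way Spring's AntPathMatcher does, and the names RouteCoverageAudit and Rule, as well as the sample requests, are made up for illustration.

```java
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example: audits which requests the four registrations above would cover.
// Assumption: RSP4J matches route patterns Ant-style, like Spring's AntPathMatcher.
public class RouteCoverageAudit {

    // One registration: a route pattern plus an HTTP method (null = all methods).
    static final class Rule {
        final String pattern;
        final String method;
        Rule(String pattern, String method) { this.pattern = pattern; this.method = method; }
    }

    // Mirrors the registerRoute(...) calls from the guide.
    static final List<Rule> RULES = List.of(
            new Rule("/route1", null),
            new Rule("/route2", "GET"),
            new Rule("/route3/*", null),
            new Rule("/route4/**", null));

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // True if at least one registration covers this method and path.
    static boolean isProtected(String method, String path) {
        for (Rule rule : RULES) {
            boolean methodOk = rule.method == null || rule.method.equalsIgnoreCase(method);
            if (methodOk && MATCHER.match(rule.pattern, path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample requests; replace with the routes your controllers expose.
        String[][] requests = {
            {"POST", "/route1"}, {"GET", "/route2"}, {"POST", "/route2"},
            {"GET", "/route3/42"}, {"GET", "/route3/42/details"},
            {"GET", "/route4/a/b/c"}, {"GET", "/route5"}};
        for (String[] r : requests) {
            // A single * does not cross a '/', so nested paths need ** to be covered.
            System.out.printf("%-4s %-20s %s%n", r[0], r[1],
                    isProtected(r[0], r[1]) ? "protected" : "NOT protected");
        }
    }
}
```

Running a check like this against the full list of controller mappings shows routes that were never registered, or that are registered for one HTTP method only, before they reach production.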