
Securing mobile REST API with Spring Security enough?

John Boby
Posts: 8
I'm planning to make a little mobile app that will rely on a Java (Spring / Spring MVC) REST API. The API will have paths that look like this, for example:

/rest/account POST (will create a new account; an account is composed of a username+pass+email)

/rest/photo/like, for example, that modifies behaviour and adds things to the DB...

I'm also planning to use Spring Security to handle the authentication/authorisation. So before making any authorised call (for example to /rest/photo/like), the mobile app will have to log in (so basically to /security_check?j_username=username&password).

And from now on every request will have to include the JSESSIONID in the cookie.

My question is, is this secure enough? Do I have to use OAuth2? Or is it overkill?

Bonus question: As you don't need to be authenticated to make the /rest/account call to create an account, what is the best way to prevent a user from creating 1000000 accounts? Apache/IP filter? Or should I handle this in some interceptor in Spring MVC?
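
The interceptor option raised in the bonus question, sketched as an added example that is not part of the original post: a per-client fixed-window limit on POST /rest/account. The class name, the limit of 5 per hour, and the use of the remote address as the client key are assumptions, as is registering the interceptor for the /rest/account path in the MVC configuration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/** Added example (hypothetical class): throttles unauthenticated account creation per client. */
public class AccountCreationLimiter implements HandlerInterceptor {
    private static final int MAX_PER_WINDOW = 5;            // assumed limit
    private static final long WINDOW_MS = 60 * 60 * 1000L;  // assumed window: 1 hour

    /** Immutable window start time and attempt count for one client. */
    private static final class Window {
        final long start; final int count;
        Window(long start, int count) { this.start = start; this.count = count; }
    }

    private final ConcurrentMap<String, Window> windows = new ConcurrentHashMap<>();

    /** Atomically records one attempt; returns false once the limit is exceeded. */
    boolean allow(String clientKey, long now) {
        Window w = windows.compute(clientKey, (k, old) ->
            (old == null || now - old.start >= WINDOW_MS)
                ? new Window(now, 1)                       // first attempt or window expired
                : new Window(old.start, old.count + 1));   // same window, count the attempt
        return w.count <= MAX_PER_WINDOW;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws Exception {
        if (!"POST".equals(req.getMethod())) return true;  // only creation is throttled
        // getRemoteAddr() is the direct peer; behind a reverse proxy it is the proxy's
        // address, so the key must then come from a header only that proxy can set.
        if (allow(req.getRemoteAddr(), System.currentTimeMillis())) return true;
        res.setHeader("Retry-After", String.valueOf(WINDOW_MS / 1000));
        res.sendError(429, "Too many account creation attempts");
        return false;                                      // stop before the controller runs
    }

    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse res, Object handler,
            ModelAndView mav) { }

    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse res, Object handler,
            Exception ex) { }
}
```

The map here is per JVM and never pruned, so a multi-node deployment needs a shared counter store and some eviction of stale entries.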