Issue
Currently, we have a spring boot REST application connecting to a mysql database in which we have a table named "User" with several fields. Among them, the field "email" and the field "password" stored as sha256(email + plain_password).
We also have an endpoint named "login" that receives 2 strings: email & password. If a user with such an email exists, we proceed to calculate sha256(email + plain_password) and then compare against the one we have in the database. If the strings are equal, the identity is verified and a signed "token" (with expire time and more user related data) is issued and returned to the client.
Now, every time we need to "secure" any endpoint, we ask for a "token" in the request header of the http call. An Interceptor reads every header for every call and in case one of those headers is the issued "token", we verify the signature, the expiration time and the name for whom it was issued.
The "secured" endpoint also has a custom annotation that indicates which role is allowed to invoke it. So if the interceptor verifies the token and the token belongs to a user with the role annotated, then we proceed with the normal flow of the endpoint. Otherwise, we throw an UnauthorizedException.
Question: Does Spring Security provides "out of the box" a token generation / verification mechanism like the one described above?
Solution
You have implemented custom security model for authentication and authorization. If someone else is to look at your code, they would be able to eventually figure it out but they would have many questions. Spring security based implementation is easier to understand and extend. Spring security also provides support for testing.
If you were to switch to an oauth based auth model, you would have to do it yourself. Spring security would make this transition mush faster.
Answered By - Delta George
Answer Checked By - Senaida (JavaFixing Volunteer)
