Library to easily configure API Key authentication in (parts of) your Spring Boot Application

Last update: Dec 8, 2021

Related tags

Security api-key-authentication

Overview

42 API Key Authentication

A library to easily configure API Key authentication in (parts of) your Spring Boot Application.

Features

Easily configure API Key authentication for (a portion) of endpoints in your app
Support for specifying multiple keys from multiple sources
Configurable header name
Configurable filter placement in the FilterChain

Setting up API Key authentication

You must have the following components in your application:
- A list of authorized API keys (these can come from your application.yml, for example)
- One or more endpoints to protect
The maven dependencies you need:

<dependencies>
    <dependency>
        <groupId>nl.42</groupId>
        <artifactId>api-key-authentication</artifactId>
        <version>1.0.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>`
</dependencies>

Create a class annotated by @Configuration and extending WebSecurityConfigurerAdapter and add it to your app:

@Configuration
@EnableWebSecurity
public class ApiKeyConfig extends WebSecurityConfigurerAdapter {


  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // You can easily configure this library using the Builder...
    // ... or you can create your very own implementation of ApiKeyAuthenticationConfiguration
    ApiKeyAuthenticationConfiguration config = ApiKeyAuthenticationConfigurationBuilder.builder() 
            .authorizedApiKeys(Set.of(ALLOWED_KEY_1, ALLOWED_KEY_2)) // The API Keys that will be granted access to the endpoints
            .antPattern("/public-api/**") // The endpoints you want to protect by API Key (basic pattern). Defaults to 'all endpoints'.
            .requestMatcher(new OrRequestMatcher(new AntPathRequestMatcher("/public-api/v1/hello"), new AntPathRequestMatcher("/public-api/v1/goodbye"))) // The endpoints you want to protect by API Key (advanced matching)
            .addFilterBeforeClass(BasicAuthenticationFilter.class) // Customize where the API Key check will be inserted (defaults to before BasicAuthenticationFilter)
            .addFilterAfterClass(FooFilter.class) // Customize where the API Key check will be inserted  (defaults to null)
            .headerName("my-awesome-api-key") // Customize the header name (defaults to x-api-key)
            .build();

    ApiKeyAuthenticationConfigurer.configure(config, http);
  }
}

Customization

Using a custom header name

The default header name will be x-api-key, but you can override it as following:

@Configuration
@EnableWebSecurity
public class ApiKeyConfig extends WebSecurityConfigurerAdapter {

 @Override
 protected void configure(HttpSecurity http) throws Exception {
   ApiKeyAuthenticationConfiguration config = ApiKeyAuthenticationConfigurationBuilder.builder()
           .authorizedApiKeys(Set.of(ALLOWED_KEY_1, ALLOWED_KEY_2))
           .headerName("my-awesome-api-key-header-name")
           .build();

   ApiKeyAuthenticationConfigurer.configure(config, http);
 }
}

Advanced request matching

By default, all endpoints will be secured. You can either use a String-based ANT Pattern or a RequestMatcher to customize which endpoints to protect.

@Configuration
@EnableWebSecurity
public class ApiKeyConfig extends WebSecurityConfigurerAdapter {

 @Override
 protected void configure(HttpSecurity http) throws Exception {
   ApiKeyAuthenticationConfiguration config = ApiKeyAuthenticationConfigurationBuilder.builder()
           .authorizedApiKeys(Set.of(ALLOWED_KEY_1, ALLOWED_KEY_2))
           .requestMatcher(new OrRequestMatcher(new AntPathRequestMatcher("/public-api/v1/**"), new AntPathRequestMatcher("/public-api/v2/**")))
           .build();

   ApiKeyAuthenticationConfigurer.configure(config, http);
 }
}

NOTE: Unless configured otherwise, endpoints not matched by the request matcher will NOT be secured!

Customizing the timing of the check

The check will be done by a Filter in the FilterChain of each request.

If you want to change when this check happens (e.g. perform other checks first or afterwards), either use the addFilterBeforeClass and addFilterAfterClass methods of the Builder:

@Configuration
@EnableWebSecurity
public class ApiKeyConfig extends WebSecurityConfigurerAdapter {

 @Override
 protected void configure(HttpSecurity http) throws Exception {
   ApiKeyAuthenticationConfiguration config = ApiKeyAuthenticationConfigurationBuilder.builder()
           .authorizedApiKeys(Set.of(ALLOWED_KEY_1, ALLOWED_KEY_2))
           .addFilterBeforeClass(BasicAuthenticationFilter.class)
           .addFilterAfterClass(FooFilter.class)
           .build();

   ApiKeyAuthenticationConfigurer.configure(config, http);
 }
}

NOTE: You can only specify one position. The addFilterAfterClass has a higher priority than addFilterBeforeClass.

Releases(1.0.0)

1.0.0(Dec 8, 2021)

This is the first release of api-key-authentication
Source code(tar.gz)
Source code(zip)

Easily regenerate worlds at a specific time & date you want (SpigotMC plugin)

Restore/reset worlds at specific times without kicking players from the server! No need to go through the hassle of resetting your worlds manually anymore. Plenty of features are already included in the free version!

Sep 23, 2022

Make a customized list of exercises, create and save workouts, and be led through your routine. This application is currently under development.

HIIT Workout Builder ABOUT This application allows you to create and be led through customized high-intensity interval training (HIIT) sessions. The a

Nov 28, 2022

A desktop java GUI application to encrypt your plain text

Sep 10, 2022

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Log4-detector Scanner that detects vulnerable Log4J versions to help teams assess their exposure to CVE-2021-44228 (CRITICAL), CVE-2021-45046, CVE-202

Dec 26, 2022

Toloka has a powerful open API, it allows you to integrate an on-demand workforce directly into your processes, and to build scalable and fully automated human-in-the-loop ML pipelines.

Toloka Java SDK Documentation Website | API Documentation | Platform Designed by engineers for engineers, Toloka lets you integrate an on-demand workf

Apr 27, 2022

Library to easily configure API Key authentication in (parts of) your Spring Boot Application

Related tags

Overview

42 API Key Authentication

Features

Setting up API Key authentication

Customization

Using a custom header name

Advanced request matching

Customizing the timing of the check

You might also like...

Easily regenerate worlds at a specific time & date you want (SpigotMC plugin)

Make a customized list of exercises, create and save workouts, and be led through your routine. This application is currently under development.

A desktop java GUI application to encrypt your plain text

Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too!

Toloka has a powerful open API, it allows you to integrate an on-demand workforce directly into your processes, and to build scalable and fully automated human-in-the-loop ML pipelines.

Okta Spring Boot Starter

An API wrapper for BotiCord API written in Java

A library for bypassing all of Java's security mechanisms, visibility checks, and encapsulation measures via the JNI API

A Twitter-API library JAVA

Releases(1.0.0)

1.0.0(Dec 8, 2021)

Owner

A simple HWID authentication system for your minecraft mod.

A simple HWID authentication system for your minecraft mod.

A Vaadin example application that use Firebase Authentication as its user database

An Editor for CSGO:botprofile.db, allows you to create&improve your own bot easily.

Jwks RSA - JSON Web Key Set parser.

FastKV is an efficient and reliable key-value storage component written with Java.

Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...

JAP is an open source authentication middleware, it is highly decoupled from business code and has good modularity and flexiblity. Developers could integrate JAP into web applications effortlessly.

Spring boot application to display number of corona cases

Employee Management System using Spring Boot, Spring Security, Thymeleaf and MySQL database.