Is it possible to secure only one spring boot rest endpoint via certificate?

Some info about the architecture:

- we are running in Cloud Foundry (with https routes)
- we have a gateway (Spring Cloud Netflix Zuul)
- our apps are internally secured by a token

If you need any other info, just ask.

Now we want to secure one route of our gateway (api/v1/authorizations) by certificate, so that only the client which has this certificate can call this endpoint.

Is that possible?

m1well Avatar asked Nov 15 '25 18:11


1 Answer

I'm going to break your question into two parts because they are two separate concerns with Spring Security.

Is it possible to secure only one spring boot rest endpoint

Yes, you can customize your Spring Security configuration quite a bit. It is possible to have all endpoints open except one endpoint secure. It's also possible to mix things, so have some open to all, some secured by methodA (maybe password) and others secured by methodB (maybe certificate).

Here's a simple example where you have mixed open (/css/**) and secured endpoints (/user/**).

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    // static assets and the index page are open to everyone
                    .antMatchers("/css/**", "/index").permitAll()
                    // /user/** requires an authenticated user holding ROLE_USER
                    .antMatchers("/user/**").hasRole("USER")
            )
            .formLogin(formLogin ->
                formLogin
                    .loginPage("/login")
                    .failureUrl("/login-error")
            );
    }

From: https://github.com/spring-projects/spring-security/blob/master/samples/boot/helloworld/src/main/java/org/springframework/security/samples/config/SecurityConfig.java#L34-L44

via certificate?

Absolutely. Spring Security supports authentication via x.509 certificate.

https://docs.spring.io/spring-security/site/docs/5.1.6.RELEASE/reference/htmlsingle/#x509

Here's an example of configuring x.509 authentication with Spring Security.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            // authenticate with the client's X.509 certificate; the principal
            // (username) is the first OU attribute of the certificate subject
            .x509()
                .subjectPrincipalRegex("OU=(.*?)(?:,|$)")
                .and()
            // authorization rules, evaluated top to bottom
            .authorizeRequests()
                .mvcMatchers("/admin/**").hasRole("ADMIN")
                .mvcMatchers("/noauth").permitAll()
                .anyRequest().authenticated();
        // @formatter:on
    }

From: https://github.com/nebhale/mtls-sample/blob/master/server/src/main/java/io/pivotal/mtlssample/server/ServerApplication.java#L96-L105

The first three lines configure authentication to use x509 certificates. The remaining four lines configure authorization to require an admin user to access /admin/**, allow anyone to access /noauth, and require any authenticated user to access anything else.

For running on Cloud Foundry, you don't need to do anything special in your app, however your platform operator needs to have mTLS support enabled. You can see the full demo I cited above for a client & server test with instructions for running on Cloud Foundry.

https://github.com/nebhale/mtls-sample

Hope that helps!

Daniel Mikusa Avatar answered Nov 17 '25 09:11

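Putting the two parts of the answer together for the exact situation in the question (one gateway route on certificates, every other route on the existing token), as an added example that is not part of the original answer or of the linked samples: two ordered security filter chains, the first restricted to the authorizations path and accepting only X.509 authentication, the second keeping the token check for the rest. The path `/api/v1/authorizations/**`, the pinned client CN, the role name and the `existingTokenFilter` bean are assumptions for illustration; the code targets the Spring Security 5.2+ lambda DSL with `WebSecurityConfigurerAdapter`, the same API family as the answer's snippets (the adapter was removed in Spring Security 6).

```java
// Added example (not from the original answer): one chain for the
// certificate-only route, a second chain for everything else.
// Assumes Spring Security 5.2+ (lambda DSL, WebSecurityConfigurerAdapter).
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class GatewaySecurityConfig {

    // Hypothetical value: the CN carried by the single authorised client's certificate.
    // The platform has already validated the chain; this pins the route to ONE identity.
    private static final String ALLOWED_CLIENT_CN = "authz-client.example.internal";

    /** Maps the CN extracted from the certificate subject to a user, or rejects it. */
    static UserDetailsService certificateSubjects() {
        return cn -> {
            if (!ALLOWED_CLIENT_CN.equals(cn)) {
                // A valid certificate belonging to some other client is still refused here.
                throw new UsernameNotFoundException("certificate CN not authorised: " + cn);
            }
            // No password: the TLS handshake already proved possession of the private key.
            return User.withUsername(cn).password("").roles("AUTHZ_CLIENT").build();
        };
    }

    /** Chain 1 (evaluated first): only /api/v1/authorizations/**, certificate only. */
    @Configuration
    @Order(1)
    public static class CertificateOnlyConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This chain matches nothing else; other routes fall through to chain 2.
                .requestMatchers(m -> m.antMatchers("/api/v1/authorizations/**"))
                .x509(x509 -> x509
                    .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                    .userDetailsService(certificateSubjects()))
                // Machine-to-machine route: no session and no browser, so no CSRF token.
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                // Without an accepted certificate there is no Authentication, so the
                // request is refused (403); it never falls back to the token check.
                .authorizeRequests(auth -> auth.anyRequest().hasRole("AUTHZ_CLIENT"));
        }
    }

    /** Chain 2 (fallback): every other route keeps the existing token-based check. */
    @Configuration
    @Order(2)
    public static class TokenConfig extends WebSecurityConfigurerAdapter {
        private final Filter existingTokenFilter;

        // Hypothetical bean name: whatever filter currently validates the internal token.
        public TokenConfig(@Qualifier("existingTokenFilter") Filter existingTokenFilter) {
            this.existingTokenFilter = existingTokenFilter;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .addFilterBefore(existingTokenFilter, UsernamePasswordAuthenticationFilter.class)
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .authorizeRequests(auth -> auth.anyRequest().authenticated());
        }
    }
}
```

Two points worth checking when deploying this. First, Spring Security's X.509 filter reads the certificate from the `javax.servlet.request.X509Certificate` request attribute, which the servlet container only sets when it terminated the TLS handshake itself; on Cloud Foundry the router terminates TLS and forwards the client certificate in the `X-Forwarded-Client-Cert` header, and the Java buildpack's client certificate mapper is what turns that header into the request attribute. Second, because the identity then arrives in a header, the platform must set or sanitize that header on every request so that a caller cannot supply its own; that is the part of "mTLS support enabled" the platform operator owns, and it is worth verifying by sending a request with a forged `X-Forwarded-Client-Cert` header to the route and confirming a 403.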