
How to protect Spring Boot API using API key and secret.

asked 2023-02-22 11:00:00 +0000

woof


1 Answer


answered 2021-12-19 20:00:00 +0000

devzero

Here are the steps to protect a Spring Boot API using API key and secret:

  1. Add the API key and secret to your application.yml or application.properties file.

Example configuration in application.yml file:

myApi:
  apiKey: myApiKey
  apiSecret: myApiSecret

  2. Create a custom filter to intercept all incoming requests.

Example code for creating the custom filter:

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class ApiKeyFilter extends OncePerRequestFilter {

    @Value("${myApi.apiKey}")
    private String apiKey;
    @Value("${myApi.apiSecret}")
    private String apiSecret;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String apiKeyValue = request.getHeader("X-API-KEY");
        String apiSecretValue = request.getHeader("X-API-SECRET");
        if (constantTimeEquals(apiKey, apiKeyValue) && constantTimeEquals(apiSecret, apiSecretValue)) {
            // Mark the request as authenticated; without this the .authenticated() rule
            // in the security configuration would still reject it.
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                    apiKeyValue, null, AuthorityUtils.createAuthorityList("ROLE_API")));
            filterChain.doFilter(request, response);
        } else {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // MessageDigest.isEqual does not stop at the first differing byte, so response
    // timing does not reveal how much of a submitted value matched the configured one.
    private static boolean constantTimeEquals(String expected, String actual) {
        return actual != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
}

In the above code, we are intercepting all incoming requests and checking if the X-API-KEY and X-API-SECRET headers match the values in our configuration. If the headers match, the request is allowed to proceed. Otherwise, a 401 Unauthorized response is returned.

  3. Register the custom filter with the Spring Boot application.

Example code for registering the custom filter:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ApiKeyFilter apiKeyFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(apiKeyFilter, BasicAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/api/**")
            .authenticated();
    }

    // Because the filter is a @Component, Spring Boot would also register it with the servlet
    // container for every URL, outside the security chain; this disables that second registration.
    @Bean
    public FilterRegistrationBean<ApiKeyFilter> apiKeyFilterRegistration(ApiKeyFilter filter) {
        FilterRegistrationBean<ApiKeyFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }
}

In the above code, we are registering the custom filter and restricting access to all URLs under the /api path.

  4. Test the API protection.

Once the above steps are completed, you can test the API protection by sending a request with the correct X-API-KEY and X-API-SECRET headers. If the headers are correct, the API will be accessible. However, if the headers are incorrect or missing, a 401 Unauthorized response will be returned.
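An automated version of step 4, added here as an example and not part of the original answer. It assumes a hypothetical `GET /api/ping` endpoint exists under the protected path, and that the filter and configuration above are in the application; the key and secret values are supplied as test properties so they need not live in the real configuration.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Constructed test values; they override myApi.apiKey / myApi.apiSecret for this test only.
@SpringBootTest(properties = {"myApi.apiKey=test-key", "myApi.apiSecret=test-secret"})
@AutoConfigureMockMvc
class ApiKeyProtectionTest {

    @Autowired
    private MockMvc mockMvc;

    // /api/ping is a hypothetical endpoint assumed to exist under the protected /api path.
    private static final String PROTECTED_URL = "/api/ping";

    @Test
    void missingHeadersAreRejected() throws Exception {
        mockMvc.perform(get(PROTECTED_URL))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void correctKeyWithWrongSecretIsRejected() throws Exception {
        mockMvc.perform(get(PROTECTED_URL)
                   .header("X-API-KEY", "test-key")
                   .header("X-API-SECRET", "not-the-secret"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void correctHeadersAreAccepted() throws Exception {
        mockMvc.perform(get(PROTECTED_URL)
                   .header("X-API-KEY", "test-key")
                   .header("X-API-SECRET", "test-secret"))
               .andExpect(status().isOk());
    }
}
```

The second test is the one worth keeping in a regression suite: it checks that a valid key alone is not enough, which is exactly the property the two-header check is meant to provide.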
