
URL: https://www.geeksforgeeks.org/advance-java/securing-spring-boot-api-with-api-key-and-secret/

Securing Spring Boot API With API Key and Secret - GeeksforGeeks


Last Updated : 4 Jun, 2026

Securing APIs is essential to ensure that only authorized clients can access application resources. One common approach is using an API Key and API Secret, which act as credentials sent with each request. Spring Security allows us to validate these credentials before granting access to protected endpoints.

  • API Key and Secret provide a simple authentication mechanism for APIs.
  • Requests are validated before accessing protected resources.
  • Spring Security filters can be used to intercept and authenticate API requests.

Major Concepts

The following concepts are fundamental to understanding how API Key and Secret authentication works in Spring Security.

1. Authentication and Authorization

Authentication: It verifies the identity of the client making the request.

Example: Checking whether the provided API Key and Secret are valid.

Authorization: It determines whether the authenticated client has permission to access a resource.

Example: Allowing authenticated users to access /api/** endpoints.

2. API Key and Secret

  • API Key: A public identifier used to identify the client.
  • API Secret: A private credential used to verify the client.

3. Custom Authentication Token

A custom authentication token stores the API Key and Secret during the authentication process.

  • Holds authentication credentials.
  • Maintains authentication state.

4. Custom Authentication Filter

The filter intercepts incoming HTTP requests and extracts credentials from request headers.

  • Read API Key and Secret.
  • Create authentication token.

5. Security Configuration

Spring Security configuration defines:

  • Protected endpoints.
  • Authentication rules.

6. API Endpoint

The controller exposes secured REST endpoints that can only be accessed after successful authentication.

Implementation to Secure Spring Boot API With API Key and Secret

We can develop a simple Spring Boot application that demonstrates securing an API with an API key and secret.

Step 1: Create the Spring project.

Create a new Spring Boot project using Spring Initializr and add the required dependencies:

  • Spring Web
  • Spring Security
  • Lombok
  • Spring DevTools

pom.xml

After the project has been created, the folder structure will look like the image below.

[Image: Folder Structure]

Step 2: Configure the Application properties

Open the application.properties file and add the server port configuration for the project.

spring.application.name=spring-boot-secure-api
server.port=8081

Step 3: Create the ApiKeyAuthentication Token class

Create a custom authentication token class.

  • Store API Key.
  • Store API Secret.

Step 4: Create the ApiKeyAuthFilter class

Create a custom filter that intercepts requests.

  • Extract API Key header.
  • Extract API Secret header.

Step 5: Create the SecurityConfig class

Create the SecurityConfig class.

  • Register custom filter.
  • Protect API endpoints.

Step 6: Create the ApiController class

  • Create a secured REST controller.
  • Provides a protected API endpoint.

Step 7: Main Class

Create the Spring Boot entry point.

Step 8: Run the application

Once we run the application, it will start on port 8081.

[Image: Application Runs]

Step 9: Endpoint Testing

1. Endpoint without the API key and secret

GET http://localhost:8081/api/data

The request is rejected with the error shown below:

Missing API Key and secret

Output:

[Image: API Missing Error Message]

2. Endpoint Test with API key and secret

GET http://localhost:8081/api/data

Add the API key and secret in the Headers section.

API Key: valid-api-key
API Secret: valid-api-key

Output:

[Image: API Key and Secret]


By following these steps, we can secure a Spring Boot API using an API key and secret. This method ensures that only clients with valid credentials can access the API endpoints, adding an extra layer of security to the Spring Boot application.
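A sketch of the filter described in Step 4, written for Spring Boot 3 (jakarta namespace) as an added example; it is not the article's own code. The header names `X-API-KEY` and `X-API-SECRET`, the role `ROLE_API_CLIENT`, and the "Invalid API Key or secret" message are assumptions, and `UsernamePasswordAuthenticationToken` stands in for the custom token class from Step 3.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not the article's code; header names and role are assumptions.
public class ApiKeyAuthFilter extends OncePerRequestFilter {
    private static final String KEY_HEADER = "X-API-KEY";       // assumed header name
    private static final String SECRET_HEADER = "X-API-SECRET"; // assumed header name
    private final byte[] expectedKey, expectedSecret; // supplied from configuration
    public ApiKeyAuthFilter(String key, String secret) {
        this.expectedKey = key.getBytes(StandardCharsets.UTF_8);
        this.expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        String key = req.getHeader(KEY_HEADER);
        String secret = req.getHeader(SECRET_HEADER);
        if (key == null || secret == null) {
            reject(res, "Missing API Key and secret");
        } else if (!(matches(key, expectedKey) & matches(secret, expectedSecret))) {
            // Non-short-circuit '&': both values are always compared.
            reject(res, "Invalid API Key or secret");
        } else {
            // Stand-in for the custom token; it carries the key only, never the secret.
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                key, null, List.of(new SimpleGrantedAuthority("ROLE_API_CLIENT"))));
            chain.doFilter(req, res);
        }
    }

    // Constant-time comparison so response timing does not reveal matching prefixes.
    private static boolean matches(String presented, byte[] expected) {
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expected);
    }
    private static void reject(HttpServletResponse res, String message) throws IOException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.getWriter().write(message);
    }
}
```

In the SecurityConfig from Step 5, a filter like this can be registered with `addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)`, with the expected key and secret loaded from external configuration rather than hard-coded.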
