Effective & Secure Method to populate Access Token for authorization header in Rest Template

I am trying to consume a REST endpoint by using the RestTemplate library provided by the Spring framework.
The endpoint also demands a Bearer access token as its Authorization header, which is only obtained as the response from a user authentication endpoint, which in turn expects an encoded Basic Auth header.

This is the high-level implementation that I have done thus far.

import java.util.Arrays;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;

// Call the protected endpoint with the bearer token in the Authorization header.
HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
headers.setBearerAuth(fetchAccessToken());
HttpEntity<String> entity = new HttpEntity<>("parameters", headers);
ResponseEntity<String> result = this.restClient.exchange(urlToConsume, HttpMethod.GET, entity, String.class);

The 'fetchAccessToken' method is implemented as follows:

// Call the token endpoint, presenting the client id and secret as Basic Auth.
HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
headers.setBasicAuth(externalDestination.getClientId(),
                     externalDestination.getClientSecret());
HttpEntity<String> entity = new HttpEntity<>("parameters", headers);

ResponseEntity<String> result = restClient.exchange(authUrl, HttpMethod.GET, entity, String.class);
// And thereby fetching 'access_token' from the successful fetch.

I want to know whether there is any cleaner way to replicate the above task of dealing with multiple REST calls to accomplish a single task.
Also, I want to know whether I am missing out on any essential validations from a security point of view.

Tags: java, security, rest, spring, spring-mvc
asked Apr 2 at 7:07
nithin pankaj

1111




1111




New contributor




nithin pankaj is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





nithin pankaj is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






nithin pankaj is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









Comments:

TomG (Apr 2 at 17:26): Do you need to fetch the bearer token every time? Isn't it valid for some time after issuing, so you can cache it?

nithin pankaj (Apr 2 at 18:20): @TomG Presently, the function determines whether or not to call the token endpoint by checking whether the previous token has passed its expiry time.

1 Answer

You can have an interceptor on RestTemplate. It will be called for each request. You can have the access token logic within the interceptor. You can also implement caching so that you do not fire two requests for each task. In case the token expires (401 response), you can regenerate the token.

import java.io.IOException;
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

@Component
class MyInterceptor implements ClientHttpRequestInterceptor {
    // Placeholder for the service that caches and hands out the bearer token.
    private final SomeCachedService someCachedService;

    MyInterceptor(SomeCachedService someCachedService) {
        this.someCachedService = someCachedService;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        HttpHeaders headers = request.getHeaders();
        headers.setBearerAuth(someCachedService.getBearerToken());
        ClientHttpResponse response = execution.execute(request, body);
        // handle unauthorized request (401): regenerate the token and retry
        return response;
    }
}

@Bean
RestTemplate restTemplate(MyInterceptor interceptor) {
    RestTemplate restTemplate = new RestTemplate();
    restTemplate.setInterceptors(Arrays.asList(interceptor));
    return restTemplate;
}

        answered Apr 3 at 4:55
sidgate
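
The interceptor-with-cache design the answer sketches, together with the two-call token flow and the "security validations" half of the question, written out as one added example. This is not code from the question or the answer. It assumes the authentication endpoint is an OAuth2 client-credentials token endpoint that takes a POST with a form body and replies with JSON containing "access_token" and "expires_in"; the class name BearerTokenInterceptor and the constructor parameters tokenClient, authUrl, clientId and clientSecret are placeholders, not identifiers from the original post.

```java
// Added example, not from the original question or answer. Caches the bearer token,
// refreshes it through the Basic-auth token endpoint shortly before expiry, and retries
// a request exactly once after a 401. Endpoint shape (POST form, JSON access_token /
// expires_in) and all names below are assumptions.
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.*;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

public class BearerTokenInterceptor implements ClientHttpRequestInterceptor {

    // Refresh this far ahead of the server-side expiry so no request goes out with a dying token.
    private static final Duration EXPIRY_SKEW = Duration.ofSeconds(30);

    private final RestTemplate tokenClient;   // must NOT carry this interceptor, or token fetches recurse
    private final String authUrl;
    private final String clientId;
    private final String clientSecret;        // load from a secret store or environment, never from source
    private final ReentrantLock refreshLock = new ReentrantLock();

    private volatile String cachedToken;
    private volatile Instant expiresAt = Instant.EPOCH;

    public BearerTokenInterceptor(RestTemplate tokenClient, String authUrl, String clientId, String clientSecret) {
        if (!authUrl.startsWith("https://")) {
            // Over plain http the Basic credentials and the returned token travel in clear text.
            throw new IllegalArgumentException("token endpoint must use https");
        }
        this.tokenClient = tokenClient;
        this.authUrl = authUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        request.getHeaders().setBearerAuth(currentToken(false));
        ClientHttpResponse response = execution.execute(request, body);
        if (response.getStatusCode().value() == 401) {
            // Token revoked or expired early: refresh once and resend. Never loop on repeated 401s.
            response.close();
            request.getHeaders().setBearerAuth(currentToken(true));
            response = execution.execute(request, body);
        }
        return response;
    }

    private boolean stillValid() {
        return cachedToken != null && Instant.now().isBefore(expiresAt.minus(EXPIRY_SKEW));
    }

    private String currentToken(boolean forceRefresh) {
        if (!forceRefresh && stillValid()) {
            return cachedToken;
        }
        refreshLock.lock();
        try {
            // Re-check under the lock so N concurrent callers cause one token fetch, not N.
            if (!forceRefresh && stillValid()) {
                return cachedToken;
            }
            fetchToken();
            return cachedToken;
        } finally {
            refreshLock.unlock();
        }
    }

    private void fetchToken() {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(clientId, clientSecret);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");   // assumed OAuth2 client-credentials grant

        ResponseEntity<Map<String, Object>> resp = tokenClient.exchange(authUrl, HttpMethod.POST,
                new HttpEntity<>(form, headers), new ParameterizedTypeReference<Map<String, Object>>() {});
        Map<String, Object> json = resp.getBody();
        Object token = json == null ? null : json.get("access_token");
        if (!(token instanceof String) || ((String) token).isEmpty()) {
            // Keep the response body out of the message: it may end up in logs.
            throw new IllegalStateException("token endpoint returned no usable access_token");
        }
        Object ttl = json.get("expires_in");
        Duration lifetime = ttl instanceof Number ? Duration.ofSeconds(((Number) ttl).longValue())
                                                  : Duration.ofMinutes(5);   // short default if absent
        // Publish the deadline before the token so no reader sees a fresh token with a stale expiry.
        expiresAt = Instant.now().plus(lifetime);
        cachedToken = (String) token;
    }
}
```

Register the interceptor only on the RestTemplate that calls the protected resource, and pass a plain `new RestTemplate()` as tokenClient so the token fetch itself is never intercepted. The expiry skew is what turns the comment-thread approach (call the token endpoint only after the previous token has passed its expiry time) into one that never sends an already-dead token; the single retry on 401 covers tokens revoked server-side before that deadline. If the endpoint really is a standard OAuth2 token endpoint, Spring Security's OAuth2 client support can manage the token for you instead of hand-rolled code.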