0
votes

We have an application in Spring Boot using Spring Security for authorization and authentication of REST APIs.

We have a Redis server running which, along with Spring Security, stores the X-AUTH-TOKEN and sends it as a header parameter in the 404 response to the user who executes a /login attempt.

This X-AUTH-TOKEN can then be used as a header parameter to authenticate the other REST APIs.

The problem here is that a user can copy this X-AUTH-TOKEN and use it from another machine, bypassing the login credentials with which the X-AUTH-TOKEN was generated.

How can I prevent this security breach in token-based Spring Security?

Please help

1 Answer

0
votes

If you are using JSON Web Tokens, then you can add a custom field in the claims that uniquely identifies the machine and validate that it is the same.

The post here can be useful too, if you don't mind making your application stateful.
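As an added illustration of the binding the answer describes (this is example code written for this page, not the asker's application and not Spring Security's own code), the block below mints a minimal HS256 JWT with a constructed `cfp` claim holding a hash of the presenting client's attributes, and then refuses the same token when it is replayed from a different client. The claim name, the choice of client IP plus User-Agent as the binding inputs, and the demo secret are all assumptions; it uses only the Python standard library so it runs offline. In a Spring application the equivalent check would sit in the filter that validates the token before the request reaches the controllers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads the HMAC key from configuration.
SECRET = b"constructed-demo-secret-change-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash the client attributes so the token carries a digest, not the raw values (assumed inputs)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def issue_token(subject: str, client_ip: str, user_agent: str,
                ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose 'cfp' claim (assumed name) binds it to the client that logged in."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,
        "cfp": client_fingerprint(client_ip, user_agent),
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, client_ip: str, user_agent: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks structure, algorithm, signature, expiry, then the client binding."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False, "malformed token"
    # Pin the algorithm: never let the token's header choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return False, "expired"
    # The replay case from the question: same valid token, different client.
    if not hmac.compare_digest(str(payload.get("cfp", "")), client_fingerprint(client_ip, user_agent)):
        return False, "client binding mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, made-up User-Agent).
    token = issue_token("alice", "203.0.113.10", "Demo-Client/1.0")
    print("same client  :", verify_token(token, "203.0.113.10", "Demo-Client/1.0"))
    print("other machine:", verify_token(token, "198.51.100.7", "Demo-Client/1.0"))
```

Two caveats a practitioner would weigh before deploying this: the client IP is a coarse identifier (clients behind NAT share one, mobile clients change theirs), so a binding on it will reject legitimate users as well as replays, and a copied token is still valid until it expires, which is why the short `exp` and a server-side revocation list in Redis (the stateful option the answer mentions) complement the binding rather than replace it.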