Questions about securing the API

In my public API i need to register users with customer role, add rows in other related entities. (CustomerEntity, WebsiteInfoEntity and such…)

How is that supposed to happen?
Do I need to handle the above entirely with the anonymous user?
I assume that from this point and on, I will work with his user and password?
But what happened during the registration?

What’s the best practice here?


If you want to perform some actions on behalf of system you can use a middleware service and perform all operations under system session. Anonymous should not be used since usually anonymous is restricted user for anonymous access, e.g. login window or REST-API calls.

  1. Create a custom middleware service RegistrationService with your register() method.
  2. Use bean and its withSystemUser method:
protected Authentication authentication;
authentication.withSystemUser(() -> {
    // register user here, create entities and so on
  1. Call your middleware service from LoginWindow or from REST-API endpoint. Probably, in case of public REST-API you will need additional captcha check in Spring MVC controller to prevent spam.
1 Like

But, in my website, when I calling RegistrationService.register() I need to identify someone or else I will get an exception on trying to invoke a service without a session.

Or what you are saying is that RegistrationService.register() should be unsecured and inside I will impersonate as system user? if so, why not doing that also when logging in?