Top Posts Tagged with #spring-security

Configuring SAML Login with Spring Security: metadata-location and Relying Party Setup

🔐 SAML SSO with Spring Security 6 — production guide + companion repo! After configuring SAML for 30+ Spring Boot apps, here's what actually works: ✅ spring.security.saml2.relyingparty.registration config ✅ Dynamic IdP metadata (no manual cert copy-paste) ✅ Multi-IdP support: Keycloak, Okta, Azure AD, Ping Identity ✅ Custom attribute mapping (email, roles normalization) ✅ Single Logout (SP + IdP initiated) ✅ Debug guide for "SAML signature validation failed" 🐙 New companion repo: github.com/IAMDevBox/spring-security-saml-example → Docker Compose with Keycloak, integration tests, cert generation script Full guide: https://iamdevbox.com/posts/configuring-saml-login-with-spring-security/ #SpringSecurity #SAML #SSO #SpringBoot #Java #IAM #Keycloak #Security Read more: Configuring SAML Login with Spring Security: metadata-location and Relying Party Setup

#spring-security #saml #sso #spring-boot

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

quest : custom filter dynamically add spring security xml configuration information.

정해진 필터영역에 여러개의 필터를 동적으로 만들어 주입할 수 있는 방법...

기존 정적인 방법

<beans:bean id="requestAuthenticationFilters" class="org.springframework.web.filter.CompositeFilter"> <beans:property name="filters"> <beans:list> <beans:ref bean="" /> <beans:ref bean="" /> <beans:ref bean="" /> </beans:list> </beans:property> </beans:bean>

xml 설정에서 사용할 수 있는 어떠한 방법이라도 좋다.

#spring #spring-security #java #quest

spring security lifecycle

[2017-10-19 11:20:01,159] Artifact fxb-example:war exploded: Deploy took 5,691 milliseconds 2017-10-19 11:20:04 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/member/user'; against '/resources/**' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists 2017-10-19 11:20:04 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created. 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@66b95447 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /member/user' doesn't match 'POST /member/signout 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 6 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /member/user' doesn't match 'POST /member/signin 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 7 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 8 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 9 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 10 of 14 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter' 2017-10-19 11:20:04 DEBUG o.s.s.w.s.SessionManagementFilter - Requested session ID 0D67E8B759BBBF45E3851F57FD657F6C is invalid. 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 2017-10-19 11:20:04 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted 2017-10-19 11:20:04 DEBUG o.s.security.web.FilterChainProxy - /member/user reached end of additional filter chain; proceeding with original chain

#spring #security #spring-security

Authorization on a PreAuthenticated spring-security scenario (Round 2)

In my previous post we explored authorization in a preauthenticated scenario and spotted that it seems not working easily out of the box. It seems like there is a hole between the PreAuthenticatedGrantedAuthoritiesUserDetails service and the RequestHeaderAuthenticationFilter which makes no possible to use a request header based preauthenticated authentication system without additional classes.

Now, the good thing is that it is very easy to fix this. Lets see how!

As we saw, the main problem is that “user details service” expects a GrantedAuthoritiesContainer object in the “details” attribute of the PreAuthenticatedAuthenticationToken but no one puts it there (to understand why is this required, when there is a GrantedAuthorities collection present in the token, is a different story).

By default RequestHeaderAuthenticationFilter makes use of WebAuthenticationDetailsSource to provide WebAuthenticationDetails object with additional information present in the request, so we can extend WebAuthenticationDetailsSource with a replacement that makes use of, the more convenient, PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails which already has an attribute holding a collection of granted authorities. Our replacement will also take care about looking for an authorization header in the request, read authorization information there, and setting it up inside our new authentication details object.

One important thing that makes PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails very convenient is that it implements GrantedAuthoritiesContainer interface as well as extends WebAuthenticationDetails so it fits perfectly in the puzzle … just a little piece is missing to make it all works.

One simplistic implementation of that piece would be something like:

public class RequestHeaderAuthenticationDetailsSource extends WebAuthenticationDetailsSource { private static final String authorityHeader = "X-authority"; @Override public WebAuthenticationDetails buildDetails(HttpServletRequest context) { ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<>(); String header = context.getHeader(authorityHeader); if (header != null) { authorities.add(new SimpleGrantedAuthority(header)); } return new PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails(context, authorities); } }

Now you just needs to configure RequestHeaderAuthenticationFilter to use our new class declaring it at the `WebSecurityConfigurerAdapter` configuration file, like this:

@Bean public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter( final AuthenticationManager authenticationManager) { RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter(); filter.setAuthenticationDetailsSource(new RequestHeaderAuthenticationDetailsSource()); filter.setAuthenticationManager(authenticationManager); filter.setExceptionIfHeaderMissing(false); return filter; }

So ... the good thing here is that we can have full spring-security authorization working with just one very simple class. The bad thing is that class should be not even required, in my opinion.

Happy Coding!

#java #spring #spring-security

Preauthenticated principals with spring-security on spring-boot

TODAY i want to share how to set up spring-security over spring-boot application on a preauthenticated scenario.

Preauthentication is a spring-security scenario supported for quite a long time. It is often used when the authentication is provided using X.509 certificates, or when you relay in an external authentication system.

Imgaine a microservice architecture implementing an api-gateway pattern. In this case you might want to avoid implementing authentication in all microservices and rely on a perimetral authentication implemented at the api-gateway component. There are many ways to implement this, and we can talk about that in a different post, but the important thing is that even when you want to avoid authentication in all microservices you might want to know the principal. Probably to implement authorization of some kind. This can be from role based endpoint access to filtering information to be sure principal only access his own data.

There are several handy classes already available in the spring security under the package: org.springframework.security.web.authentication.preauth you may take a look at, like:

PreAuthenticatedAuthenticationProvider

PreauthenticatedGrantedAuthoritiesUserDetailsService

RequestHeaderAuthenticationFilter

With all those pieces you should have already an idea of what comes here: The plan is api-gateway component will place the result of the authentication as custom headers, and rest of the services will transform those headers in a principal object that will be injected in the securityContext where it could be used in @Secured, @PreAuthorize, or any other authorization method you like.

Now lets see the code!

All you need to do in order to confugure preauthenticated filtering in spring-boot is a usual configuration bean extending WebSecurityConfigurerAdapter

@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter

Then you need to set the PreAuthenticatedAuthenticationProvider. e.g. like this:

@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(preauthAuthProvider()); }

@Bean public PreAuthenticatedAuthenticationProvider preauthAuthProvider() { PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider(); preauthAuthProvider.setPreAuthenticatedUserDetailsService( new PreAuthenticatedGrantedAuthoritiesUserDetailsService() ); return preauthAuthProvider; }

Now you shall declare a RequestHeaderAuthenticationFilter

There are many configuration options in this class, like customizing the principal header name. Look at the documentation for addtional details. NOTE the standard header for the principal id is SM_USER (this is related an external authentication provider called SiteMinder)

Finally you can configure the FilterChainProxy like this:

@Override protected void configure(final HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/**").authenticated() .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and().securityContext() .and() .addFilterBefore(requestHeaderAuthenticationFilter(authenticationManager() LogoutFilter.class); }

With this simple configuration you can retrieve the principal id from standard or custom header and inject it in security context. There are plenty customization options on how the security process must behave depending on your needs, like what to do if header is absent, what HTTP status code should be used, and so on.

In next entry post i will write how to deal with authorization since there are a couple of tricky things to have in mind there.

Happy coding!!

#coding #java #spring #spring-security

•18+ Adults Only

Watch Anya Live on Cam

Anya is live and ready to show you everything. Watch her strip, dance, and perform exclusive shows just for you. Interact in real-time and make your fantasies come true.

✓ Live Streaming✓ Interactive Chat✓ Private Shows✓ HD Quality

Anya is LIVE right now

FREE

Free to watch • No registration required • HD streaming

Caveheats performing authorization on spring data rest endpoints

While doing some proof of concept using Spring Data Rest i realized about one tricky thing related securization of endpoints in Spring Data Rest.

Spring Data Rest has done a great job, and securization is easily implemented using usual @Secured, @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter. Using these annotations aside with expression language linked with Spring ACL allows to access a very powerful securization mechanism (look for more in documentation).

As usual, these annotations can be used at class level and method level, and is in this second scenario where you must be careful. It is very important for you to understand the hierarchy of your repository since there are plenty overloaded methods and, some times, you can end with unexpected situations if you are not aware of this.

For exmple consider the scenario where you try to securize your “get all” endpoint. In this case it is easy to understand that you must work on “findAll” method. However if your repository extends PagingAndSortingRepository there are four different “findAll” method so you must review your repository hierarchy and be sure you are controlling all access points to your data.

#java #spring #spring-security #spring-data-rest

Hello world spring-boot project (Part 4)

After having simple username and password protection, we want to extend the system to allow more apps accessing our resources. In Part 4, we try to implement simple OAuth 2 in our system.

When a client send a request to a resource endpoint (Resource Server), the client need to send together a HTTP Authorization header:

Authorization: Bearer $TOKEN

The $TOKEN is obtained from an Authorization Server.

Therefore, we first build the Authorization Server with spring framework first.

We first add some dependency to our build.gradle file:-

compile("org.springframework.security.oauth:spring-security-oauth2:2.0.7.RELEASE")

Then, we add a Java class to create the Authorization Server.

package hello;

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration @EnableAuthorizationServer class OAuth2Config extends AuthorizationServerConfigurerAdapter {

public static final String RESOURCE_ID = "hello_resource";

@Autowired private AuthenticationManager authenticationManager;

@Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager); }

@Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { // @formatter:off clients.inMemory() .withClient("client-with-registered-redirect") .authorizedGrantTypes("authorization_code") .authorities("ROLE_CLIENT") .scopes("read", "trust") .resourceIds(RESOURCE_ID) .redirectUris("http://anywhere?key=value") .secret("secret123") .and() .withClient("my-client-with-secret") .authorizedGrantTypes("client_credentials", "password") .authorities("ROLE_CLIENT") .scopes("read") .resourceIds(RESOURCE_ID) .secret("secret"); // @formatter:on } }

The Authorization Server has the following default endpoint.

"{[/oauth/authorize]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)" }, "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)" }, "{[/oauth/token],methods=[GET]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException" }, "{[/oauth/token],methods=[POST]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException" }, "{[/oauth/check_token]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public java.util.Map<java.lang.String, ?> org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint.checkToken(java.lang.String)" }, "{[/oauth/confirm_access]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map<java.lang.String, java.lang.Object>,javax.servlet.http.HttpServletRequest) throws java.lang.Exception" }, "{[/oauth/error]}": { "bean": "oauth2EndpointHandlerMapping", "method": "public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint.handleError(javax.servlet.http.HttpServletRequest)" },

Authroization Code Grant Summary in our implementation

1. Authorization Server authenticates the User

The user need to login to the authorization server using the login name and password. In this case, we use HTTP Basic, so the spring default username is user and the password is generated in the boot log.

2. Client starts the authorization flow and obtain User’s approval

The owner need to authorize the 3rd party to use its resource by

GET http://localhost:8080/oauth/authorize?response_type=code&client_id=client-with-registered-redirect&redirect_url=http://client_host?key=value&scope=read

3. Authorization Server issues an authorization code (opaque one-time token)

The authorization end point will redirect the user to the registered redirect uri with a code (authorization code) for the 3rd party to access the resource.

http://anywhere/?key=value&code=H3aJ6s

4. Client exchanges the authorization code for an access token

Then, the 3rd party can obtain an access token from the Authorization Server using the code.

We try to do this using Postman to illustrate the result.

The 3rd party POST the authorization code (i.e. H3aJ6s) to the Authorization Server with a grant type authorization_code. The HTTP request need to be HTTP-Basic authenticated using the client_id (i.e. client-with-registered-redirect) as username and secret (i.e. secret123) as the password to the default OAuth2 Token end point.

POST http://localhost:8080/oauth/token

Finally, the server returns an access_token ($TOKEN) to the 3rd party for accessing the Resource Server!

O! Wait, how about the Resource Server? How to implement it using Spring?

package hello;

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration @EnableResourceServer class ResourceServer extends ResourceServerConfigurerAdapter { public static final String RESOURCE_ID = "hello_resource"; @Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers().antMatchers("/people").and() .authorizeRequests() .anyRequest().access("#oauth2.hasScope('read')"); // @formatter:on }

@Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId(RESOURCE_ID); } }

By substituting the $TOKEN in the introduction when accessing the /people resource, we can obtain the JSON response we get in previous parts. Cool!

References:-

http://www.slideshare.net/SpringCentral/syer-microservicesecurity

https://github.com/spring-projects/spring-security-oauth/tree/master/tests/annotation

https://raymondhlee.wordpress.com/2014/12/21/implementing-oauth2-with-spring-security/

https://github.com/spring-projects/spring-security-javaconfig/tree/master/samples

#spring-boot #spring-oauth2 #spring-security

Hello world spring-boot project (Part 3)

We have our spring boot JPA rest project prepared in Part 2. However, it is not secure to let anyone to call the REST api. Let's secure our web service.

In our build.grade file, add a single line of config:

compile("org.springframework.boot:spring-boot-starter-security")

After including the spring-boot-starter-security library, we re-run our application again. In the startup console, there will be a line:

Using default security password: b0bd95d0-7c62-4718-af46-380b9d05b1b7

This is the a spring-boot generated password for a default user.

If we try to call the people api defined in Part 2 without authentication, we will encounter HTTP Error 401 Unauthorized. As you can see, spring-boot automatically secure most URI for us.

So, we need to configure Postman to use HTTP Basic Authentication to obtain our result. In Postman,

Go to Authorization. Select Basic Auth. Enter Username: user, Password: <the generated password>

However, you probably do not want to use the generated password and do want to define your own set of users. Let’s create our own.

Surfing all the blogs posts, this is the most simple sample for reference:

https://github.com/spring-projects/spring-data-examples/tree/master/rest/security

We create a configuration class to create our own set of security related setting.

package hello;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser("user").password("password").roles("USER").and() .withUser("admin").password("password").roles("USER", "ADMIN"); }

@Override protected void configure(HttpSecurity http) throws Exception {

http.httpBasic().and().csrf().disable(); }

}

To keep it short, we define two users.

1. admin:password with role user and admin

2. user:password with role user

Besides, we enabled the @PreAuthorize annotation in our repository service using @EnableGlobalMethodSecurity(prePostEnabled = true).

We also need to ask spring to use httpBasic() always and disable the CSRF security here. If you do not know what is CSRF, just disable it at this moment for development purpose.

Then, we set some permission stuff in our PersonRepository defined in Part 2.

@RepositoryRestResource(collectionResourceRel = "people", path = "people") @PreAuthorize("hasRole('ROLE_USER')") public interface PersonRepository extends PagingAndSortingRepository<Person, Long> {

List<Person> findByLastName(@Param("name") String name);

@PreAuthorize("hasRole('ROLE_ADMIN')") @Override Person save(Person p);

@PreAuthorize("hasRole('ROLE_ADMIN')") @Override void delete(Long aLong);

}

We allow PersonRepository interface to be accessible by default with the role USER only. We further override permission of the method save and delete to allow the role ADMIN to modify the records in our database.

Try verifying this in Postman! Have fun!

#spring-boot #spring-security #spring-rest