How can I implement a custom authentication?

Tags: spring

How can I implement a custom authentication?


You can use Spring Security. The flow is the following. You authenticate against the Security token service. A cookie containing the authentication token is written to your browser. This token is sent on each subsequent request against the server.

On the REST server you will use Spring Security and, more specifically, you need to use AbstractPreAuthenticatedProcessingFilter; in its implementation you will extract the token and associate it with the Security Context.

Here is an example configuration of your Spring Security:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        // expose the AuthenticationManager as a bean so the pre-authentication filter can be wired to it
        return super.authenticationManagerBean();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // do some configuration here
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // configure your security here
        // you can add your implementation of AbstractPreAuthenticatedProcessingFilter here
    }
}

Here is your additional configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@Configuration
public class ExampleSpringSecurityConfig {

    @Bean
    public AuthenticationManager authenticationManager() {
        // AuthenticationManager is a functional interface, so a lambda delegating to the provider is enough
        return authentication -> authProvider().authenticate(authentication);
    }

    private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> userdetailsService() {
        // Construct your AuthenticationUserDetailsService here
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider authProvider() {
        PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
        // the user details service validates the pre-authenticated token and loads the user's authorities
        authProvider.setPreAuthenticatedUserDetailsService(userdetailsService());
        return authProvider;
    }
}
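As an added example (not code from the answer above), here is one way to fill in the AbstractPreAuthenticatedProcessingFilter and the AuthenticationUserDetailsService that the answer leaves open: the filter takes the token from the cookie, and the service validates it before any identity is trusted. Assumptions: Spring Security 5.x with javax.servlet, a cookie named AUTH_TOKEN, and a hypothetical TokenVerifier client for the security token service.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.util.WebUtils;

/** Reads the STS token from the "AUTH_TOKEN" cookie (the cookie name is an assumption). */
public class TokenCookieFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String COOKIE_NAME = "AUTH_TOKEN";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        // null = no pre-authenticated identity: the chain continues, the request
        // stays anonymous and the access rules decide whether it is rejected
        if (cookie == null || cookie.getValue() == null || cookie.getValue().isEmpty()) {
            return null;
        }
        return cookie.getValue(); // the opaque token becomes the principal
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // unused: the token is validated in the user details service
    }
}

/** Hypothetical client for the security token service. */
interface TokenVerifier {
    String usernameFor(String token); // null when the token is expired or forged
}

/** Maps a verified token to a user; set it on PreAuthenticatedAuthenticationProvider. */
class TokenUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final TokenVerifier verifier;
    TokenUserDetailsService(TokenVerifier verifier) { this.verifier = verifier; }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        String username = verifier.usernameFor((String) token.getPrincipal());
        if (username == null) { // fail closed instead of trusting the cookie value
            throw new UsernameNotFoundException("token rejected by security token service");
        }
        return User.withUsername(username).password("N/A").authorities("ROLE_USER").build();
    }
}
```

Register the filter by calling setAuthenticationManager(...) on it and adding it with http.addFilter(...) inside configure(HttpSecurity), so that an invalid or missing cookie never yields an authenticated SecurityContext.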


Yes, you can use Spring OAuth2. You have to implement the Resource Owner Password Credentials Grant OAuth2 flow. You have to create a login page for the end user, and your client app will send the user's credentials as well as your client system credentials (use HTTP Basic Authentication for the client system credentials) to the authorization server to get the token.

There are two ways to implement it:

  1. Using client system ID and password - When calling the token endpoint using this grant type, you need to pass in the client ID and secret (using basic auth).

curl -u 972.344.780-00:123456 "http://example.com/webapi/api/web/token?grant_type=password&username=addEndUserNameHere&password=addEndUserPasswordHere"

  2. Using client system ID only (no client system password) - The Authorization Server should have a client set up to support this flow without any password.

The child class of AuthorizationServerConfigurerAdapter should have the code below:

import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    // register a client that uses the password grant and has no client secret
    clients.inMemory()
           .withClient("clientId")
           .authorizedGrantTypes("password")
           .authorities("ROLE_CLIENT")
           .scopes("read");
}

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    // let clients authenticate with form parameters (client_id) instead of HTTP Basic
    oauthServer.allowFormAuthenticationForClients();
}

Now you can use the following:

POST http://example.com/webapi/api/web/token?grant_type=password&client_id=my-trusted-client&scope=trust&username=addEndUserNameHere&password=addEndUserPasswordHere

Note - This flow is less secure than the other OAuth2 flows and is recommended for trusted client apps only, because the user has to provide credentials to the client app.


See this example:

Using JWT with Spring Security OAuth2 with Angular

In this tutorial, we’ll discuss how to get our Spring Security OAuth2 implementation to make use of JSON Web Tokens.

http://www.baeldung.com/spring-security-oauth-jwt

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // the AuthenticationManager that verifies the resource owner's credentials for the password grant
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .authenticationManager(authenticationManager);
    }

    @Bean
    public TokenStore tokenStore() {
        // JWT tokens are self-contained, so the store only needs the converter to read and verify them
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // symmetric HMAC signing key; "123" is only a placeholder and must be replaced by a strong secret
        converter.setSigningKey("123");
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}