I have a rest api MyRestApi.war which is a spring boot and spring mvc project.
There is another web project A.war which is a normal spring project.
Its front-end such as javascript and back-end such as java code need
to call MyRestApi. User need to log in A.war to use it.
I don't need to do permission control for MyRestApi, only users login to A.war can access MyRestApi via front-end and back-end of A.war
There are some solutions, e.g. API key, jwt, OAuth.
I want to try these three approaches then pick one.
But when I search something like api key authentication, they all use spring security to do that.
So how can I secure MyRestApi with api key without spring security.
You can write your own filter if you don't want to use spring security. This filter will interecept all the URLs. In this filter you can check for the API key in the headers and validate. If it's validate, let the chain continue else throw some meaningful error to the user/application.