Papi The Typecaster

Reputation: 117

SpringSecurity - SecurityConfiguration.java - HttpSecurity - not working

I am trying to implement Spring Security in my MVC Maven-based project, which already includes Spring Boot.

I have a working front-end and back-end, but until now I was using a fake login - I was simply scoping user data such as username and password via JS and AngularJS and sending it to the back-end controller, where data from the DB was retrieved via the DAO layer and compared to the scoped info, after which a response was sent - and if it was "OK" I forwarded the user to the User Home Page and vice versa. This means that if I run my app and type localhost:8080/#/user directly into the browser bar (a page that only a logged-in user is supposed to see) I can access it without any problems.

Now that business logic layer testing is finished, the time has come to implement Spring Security.

I am still trying to understand Spring Security and trying to properly write the SecurityConfiguration.java file - to have it set up so it won't let anyone access the book.html and user.html pages and, eventually, redirect such a user to login.html.

This is my SecurityConfiguration.java file:

import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Resource
    private DataSource dataSource;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // @Autowired is required here: Spring only invokes this method (and so registers
    // the user store) when it is injected; an unannotated configureGlobal never runs.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        JdbcUserDetailsManager userDetailsService = new JdbcUserDetailsManager();
        userDetailsService.setDataSource(dataSource);
        PasswordEncoder encoder = passwordEncoder();

        // A single provider backed by the JDBC user store and the BCrypt encoder.
        // (The extra auth.jdbcAuthentication() call registered a second provider
        // without the encoder and has been dropped.)
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);

        // Bootstrap a default account if the users table does not contain one yet.
        if (!userDetailsService.userExists("user")) {
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(new SimpleGrantedAuthority("USER"));
            User userDetails = new User("user", encoder.encode("password"), authorities);

            userDetailsService.createUser(userDetails);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only these two paths are restricted; no login entry point is configured yet.
        http.authorizeRequests()
                .antMatchers("/user").access("hasRole('USER')")
                .antMatchers("/book").access("hasRole('USER')");
    }

}

But when I run the app and try to access, for example, /user it allows me to! Can someone help me understand what I am to do, and how to fix this and pass the first step?

Upvotes: 0

Views: 929

Answers (2)

Serge Ballesta

Reputation: 148890

I think you forgot to declare an entry point for authentication. As you noted in your comment, you need to add .and().formLogin().loginPage("collections/login") to your http.authorizeRequests().

But you also need to authorize unauthenticated access to the login page to avoid the redirect loop: ask page -> need authentication -> redirect to login page -> need authentication -> redirect ...

You should simply have followed the following example of the reference manual about Java Configuration and Form Login:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll();
}

With your code, it gives:

protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/user").access("hasRole('USER')")
        .antMatchers("/book").access("hasRole('USER')")
        .and().formLogin().loginPage("/collections/login").permitAll();
}

Last remark: note the / in front of the login URL. Always use an absolute path if you want your login page to be found from any page other than /!

Upvotes: 1
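A fuller version of the answer's configuration, added here as an example (not the answerer's or the asker's own code): it permits anonymous access to the login view and its static assets so the redirect loop described above cannot occur, denies everything not explicitly listed, and wires the JDBC user store with the same BCrypt encoder used to hash the stored passwords. It assumes Spring Security 4.x, the default users/authorities tables, and a login view served at /collections/login; the /css/** and /js/** paths are placeholders for wherever the login page's assets live.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Assumed: Spring Security 4.x, default users/authorities tables, login view at /collections/login.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // @Autowired is what makes Spring call this method; without it no user store is registered.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Anonymous users may fetch the login view and its static assets;
                // otherwise each redirect to the login page triggers another redirect.
                .antMatchers("/collections/login", "/css/**", "/js/**").permitAll()
                // hasRole("USER") matches the stored authority "ROLE_USER" (prefix is implied in 4.x).
                .antMatchers("/user", "/book").hasRole("USER")
                // Deny by default: anything not listed above needs an authenticated session.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/collections/login")          // GET renders the form
                .loginProcessingUrl("/collections/login") // POST receives the credentials
                .defaultSuccessUrl("/user", true)
                .permitAll();
        // CSRF protection stays on (the default), so the login form must include the _csrf token.
    }
}
```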

Aeseir

Reputation: 8414

Give this a go

Current

http.authorizeRequests()
                .antMatchers("/user").access("hasRole('USER')")
                .antMatchers("/book").access("hasRole('USER')");

Change to:

http.authorizeRequests()
                .antMatchers("/user").hasRole("USER")
                .antMatchers("/book").hasRole("USER");

Hope that helps (worked for me).

Upvotes: 0
