Reputation: 7789
Secure Spring Boot REST app with basic authentication
I have looked up articles about using Spring Security, but they do not quite answer my need. They usually deal with in-memory users and plaintext passwords.
What I want to achieve:
Clients authenticate using Basic Authentication.
Secured Controller methods look like this:
@RequestMapping(value = "/test")
public ResponseEntity test(@AuthenticationPrincipal MyUser user){
// Logic
}
I want the controller method to get a MyUser object in its parameters if the given user is authenticated or null if not.
I am storing hashed password and salt of a user in a database, and I have a service which authenticates given username-password pair and returns a User object or null if authentication succeeded or failed, respectively.
All that needs to happen now is to intercept every request, look at the basic authentication header, pass the info to my custom authentication service and then pass its result into the controller method. Unfortunately I haven't been able to do that.
I read on using custom UserDetailsService, but that only seems to handle fetching user data from database, and not any authentication. I cannot figure out how to plug all the components together.
Can you point me in the right direction how to get this rather simple workflow working?
EDIT
I am not using XML config and the only security related config I have is:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**").csrf().disable();
http.authorizeRequests()
.antMatchers("/user").permitAll()
.antMatchers("/user/**").permitAll()
.anyRequest().authenticated();
}
}
Upvotes: 3
Views: 14494
Answers (2)
Reputation: 727
Basic authentication you can do in 3 different ways -
1 - Just add spring-security maven dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Automatically enable basic authentication like username - "user" and password you can find out in console using default security password - "bdd42ed9-635d-422b-9430-ce463625fd2e"
2 - create one configuration class for security like below code
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationEntryPoint authEntryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
3 - one more way to do this add default username and password in application.properties file like below
security.user.name=user
security.user.password=password
and create config class like below code
@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
}
}
still have some doubt then click on below link and watch this video
Upvotes: 5
Reputation: 91
I think this article will be helpful, as i understand this is what you are trying to do http://www.baeldung.com/spring-security-authentication-provider
Upvotes: 3
Related Questions
- How to configure port for a Spring Boot application
- Unit testing with Spring Security
- Null @AuthenticationPrincipal with Spring-Boot / Security
- Customize Spring Security for trusted space
- Security configuration with Spring-boot
- How Spring Security Filter Chain works
- Spring boot security consider case insensitive username check for login