Virat
Reputation: 581
Adding password protection to a particular url
I have my spring security configuration file like,
package com.wi;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import com.wi.HttpAuthenticationEntryPoint;
import com.wi.filter.AuthenticationFilter;
import com.wi.HttpLogoutSuccessHandler;
import com.wi.LogOutHandler;
/**
* Web security configuration class
*/
@Configuration
@EnableWebSecurity
@Order( SecurityProperties.ACCESS_OVERRIDE_ORDER )
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private HttpAuthenticationEntryPoint authenticationEntryPoint;
@Autowired
private HttpLogoutSuccessHandler logoutSuccessHandler;
@Autowired
private MessageBundleResource messageBundle;
@Autowired
private LogOutHandler logoutHandler;
@Override
protected void configure( final HttpSecurity http ) throws DataException
{
try
{
http.csrf().disable().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint).and().headers()
.cacheControl().and()
.addHeaderWriter(
new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
.and().authorizeRequests()
// Allow anonymous resource requests
.antMatchers("/").permitAll().antMatchers("/login").permitAll().antMatchers("/pages/**").permitAll()
// Allow anonymous logins
.antMatchers("/auth/**").permitAll()
// Allow test rest
.antMatchers("/rest-test/**").permitAll()
// Allow invite admin
.antMatchers("/rest/user/inviteAdmin").permitAll()
// Allow activate user
.antMatchers("/rest/user/activateUser").permitAll()
// Allow activate admin
.antMatchers("/rest/user/activateAdmin").permitAll()
// Allow check domain availability
.antMatchers("/rest/user/checkDomainAvailability").permitAll()
// Allow check company and email active
.antMatchers("/rest/company/checkEmailAndCompanyIsActive").permitAll()
// Allow check domain by email
.antMatchers("/rest/user/getDomainByEmail").permitAll()
// Allow reset password
.antMatchers("/rest/user/resetPassword").permitAll()
// Allow to get messages
.antMatchers("/rest/kat/getMessages").permitAll()
// upload
.antMatchers("/rest/file/upload").permitAll()
// Allow get user details
.antMatchers("/rest/user/getUserDetails").permitAll()
// Allow to get password pattern
.antMatchers("/rest/config/getPasswordPattern").permitAll()
.antMatchers("/rest/task/getCategories").permitAll()
// Allow to get config messages
.antMatchers("/rest/config/getTooltip").permitAll()
// Allow to get webhook
.antMatchers("/rest/integration/jiraWebHook").permitAll()
// Allow to get global navigation
.antMatchers("/rest/config/getGlobalNavigation").permitAll()
.antMatchers("/rest/task/updateTaskDetail").permitAll()
.antMatchers("/rest/task/updateTask").permitAll().antMatchers("/error/**").permitAll()
// All other request need to be authenticated
.antMatchers("/rest/**").authenticated().and().formLogin().loginPage("/login").permitAll().and()
.logout().addLogoutHandler(logoutHandler).invalidateHttpSession(true)
.logoutSuccessHandler(logoutSuccessHandler).logoutUrl("/rest/session/logout").and()
// Custom Token based authentication based on the header
// previously given to the client
.addFilterBefore(new AuthenticationFilter(authenticationManager()),
BasicAuthenticationFilter.class);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).sessionFixation()
.changeSessionId();
}
catch( final Exception e )
{
logger.error("Error", e);
throw new DataException(StringConstants.EXCEPTION,
messageBundle.getMessage("kat.error.something.went.wrong"), HttpStatus.INTERNAL_SERVER_ERROR);
}
}
/**
*
* @param auth
*/
@Autowired
public void configureGlobal( final AuthenticationManagerBuilder auth )
{
auth.authenticationProvider(domainUsernamePasswordAuthenticationProvider());
}
/**
*
* @return
*/
@Bean
public AuthenticationProvider domainUsernamePasswordAuthenticationProvider()
{
return new UsernamePasswordAuthProvider();
}
}
How to make a user prompted for user id and password when he hits the url http://localhost:8080/swagger-ui.html. The URL's which has a call permitAll() will be directly accessed by all. But, when a user hits http://localhost:8080/swagger-ui.html, I want spring to ask him for user id and password. How to do that?
Upvotes: 0
Views: 486
Answers (1)
Moshe Arad
Reputation: 3733
You have a lot of configurations there. basically, every ant matcher that is not ignored or not permitted to all will be protected under security, if you applied httpBasic or formLogin security.
For example from spring documentations:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests() 1
.antMatchers("/resources/**", "/signup", "/about").permitAll() 2
.antMatchers("/admin/**").hasRole("ADMIN") 3
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") 4
.anyRequest().authenticated() 5
.and()
// ...
.formLogin();
}
any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about"
any other path will trigger formLogin authentication
Upvotes: 1
Related Questions
- How to disable spring security for particular url
- Allow all URLs but one in Spring security
- How to secure some URLS while keeping others without authentication?
- How to authenticate some URL and ignore anything else
- Spring Security authorization for certain URL and deny all others
- how to secure only one url with spring security and permit all
- Spring Security authentication via URL
- Spring Security disable security for requests made FROM a certain url
- How to secure URLs using Spring security?
- Spring Security: Ignore login page by using a special URL parameter