dave

Reputation: 1474

How do I add HTTP basic auth for a specific endpoint with spring security?

I have a Spring Boot application with Spring Security. A new endpoint /health is to be configured so it is accessible via basic HTTP authentication. The current HttpSecurity configuration is as follows:

@Override
protected void configure(HttpSecurity http) throws Exception {

http.requestMatchers()
    .antMatchers(HttpMethod.OPTIONS, "/**")
    .and()
    .csrf()
    .disable()
    .authorizeRequests()
    .anyRequest()
    .permitAll()
    .and()
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

}

How do I add basic auth for /health? I figure I need something like this, but I don't think this is completely correct, and I don't really understand where exactly to add it:

    .authorizeRequests()
    .antMatchers(
        // Health status
        "/health",
        "/health/"
    )
    .hasRole(HEALTH_CHECK_ROLE)
    .and()
    .httpBasic()
    .realmName(REALM_NAME)
    .authenticationEntryPoint(getBasicAuthEntryPoint())
    .and()
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

I found these resources to be helpful, but not sufficient:

Upvotes: 29

Views: 36511

Answers (3)

elyte5star

Reputation: 311

@Autowired
private BasicAuthEntryPoint basicAuthEntryPoint; // custom AuthenticationEntryPoint bean that writes the 401 challenge

// Paths served without authentication; every other request needs an authenticated user
private static final String[] AUTH_WHITELIST = {
        "/",
        "/users/signup",
        "/reviews/create-review",
        "/auth/login",
        "/v3/api-docs/**",
        "/swagger-ui/**",
        "/products/**",
        "/docs/**",
};

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.formLogin(form -> form
            .loginPage("/auth/login"))
            .authorizeHttpRequests((authorize) -> authorize
                    .requestMatchers(AUTH_WHITELIST).permitAll()
                    .anyRequest().authenticated())
            // HTTP Basic is enabled for the whole chain; the entry point decides what the 401 response looks like
            .httpBasic(httpSecurityHttpBasicConfigurer -> {
                httpSecurityHttpBasicConfigurer.authenticationEntryPoint(basicAuthEntryPoint);
            })
            // .exceptionHandling(ex -> ex.authenticationEntryPoint(basicAuthEntryPoint)
            .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

    return http.build();
}

Upvotes: 0

jaco0646

Reputation: 17066

Using Spring Boot 3 with Spring Security 6:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
            // rules are evaluated in order: the /health/** rule must come before the catch-all
            .authorizeHttpRequests().requestMatchers("/health/**").authenticated()
            .and()
            .httpBasic()
            .and()
            // the catch-all permitAll() is what leaves every other endpoint open
            .authorizeHttpRequests().requestMatchers("/**").permitAll()
            .and()
            .build();
}

This will authenticate only the endpoints under /health but leave all other endpoints exposed. You need to explicitly permitAll() on the endpoints not covered by security.

Upvotes: 5
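The same single-chain approach written in the lambda DSL that Spring Security 6.1+ expects (the `.and()` chaining above is deprecated there), as an added example that is not part of the answer. The role name HEALTH_CHECK and the realm name health are assumptions; the example relies on whatever UserDetailsService the application already defines (with Spring Boot and no such bean, the auto-generated `user` account with the password printed at startup).

```java
package example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SingleChainHealthConfig {

    // Assumed role name; hasRole("HEALTH_CHECK") checks the authority ROLE_HEALTH_CHECK.
    private static final String HEALTH_CHECK_ROLE = "HEALTH_CHECK";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // First matching rule wins, so the specific rule must precede the catch-all.
                .requestMatchers("/health", "/health/**").hasRole(HEALTH_CHECK_ROLE)
                // Everything else stays open, as in the question's original configuration.
                .anyRequest().permitAll())
            // Basic auth is active for the whole chain; the realm name is an assumption.
            .httpBasic(basic -> basic.realmName("health"))
            // Stateless API with no session cookie, so CSRF protection has nothing to protect.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

One consequence of a single chain worth knowing: `httpBasic()` installs the BasicAuthenticationFilter for every URL, so a request to a permitAll() route that carries an invalid `Authorization: Basic` header is still answered with 401 by that filter, because it authenticates the header before the authorization rule for the URL is consulted. If the public routes must be indifferent to stray credentials, the multiple-HttpSecurity approach in the accepted answer confines basic auth to the /health chain.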

dave

Reputation: 1474

The solution is to implement multiple configurations, as explained here: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity

EDIT 2021-12-11:

archive link of reference: https://web.archive.org/web/20210126145444/https://docs.spring.io/spring-security/site/docs/current/reference/html5/#multiple-httpsecurity

A similar question linking to an example is here: https://stackoverflow.com/a/18864786/1568224

Upvotes: 14
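What the multiple-HttpSecurity approach looks like on Spring Boot 3 / Spring Security 6, as an added example that is not code from the question or from the linked reference. The first chain only ever sees /health and /health/, so the basic-auth challenge, the role check and the user store cannot leak onto other routes; the second chain keeps the question's permit-all, stateless behaviour for everything else. The role name HEALTH_CHECK, the realm name health, the property names health.user and health.password and the package name are assumptions.

```java
package example.security; // hypothetical package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HealthSecurityConfig {

    // Assumed role name; .roles("HEALTH_CHECK") grants ROLE_HEALTH_CHECK, which hasRole() checks.
    private static final String HEALTH_CHECK_ROLE = "HEALTH_CHECK";

    // Chain 1 (tried first): securityMatcher() limits this whole HttpSecurity to the health endpoint,
    // so httpBasic() and the role requirement apply to nothing else.
    @Bean
    @Order(1)
    SecurityFilterChain healthChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/health", "/health/")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole(HEALTH_CHECK_ROLE))
            .httpBasic(basic -> basic.realmName("health")) // default entry point sends WWW-Authenticate: Basic
            .csrf(AbstractHttpConfigurer::disable)          // stateless: no session cookie, so no CSRF surface
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Chain 2: every request the first chain did not claim; same behaviour as the question's config.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

    // Delegating encoder stores {bcrypt}-prefixed hashes; never keep the password in clear text.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // The health-check account comes from externalised configuration (property names are assumptions)
    // and carries only the role the /health chain requires.
    @Bean
    UserDetailsService healthUsers(PasswordEncoder encoder,
                                   @Value("${health.user}") String username,
                                   @Value("${health.password}") String password) {
        return new InMemoryUserDetailsManager(
            User.withUsername(username)
                .password(encoder.encode(password))
                .roles(HEALTH_CHECK_ROLE)
                .build());
    }
}
```

To check the split: `curl -i http://localhost:8080/health` should return 401 with `WWW-Authenticate: Basic realm="health"`, `curl -i -u <user>:<password> http://localhost:8080/health` should return 200, and any other path should be served without credentials and without a challenge header, because only the first chain has basic auth configured. Because the chains are matched by @Order, the more specific securityMatcher() chain must carry the lower order value; if the permit-all chain were ordered first it would claim /health as well.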
