Spring-boot setup basic auth on one web application path?

Question

Spring-boot setup basic auth on one web application path?

I am trying to configure one path (/ basic) in my MVC-based spring-boot spring application to be the main auth protected. I'm just going to configure this using my own configuration options, so the username and password are just “admin” and “admin”.

This currently works for the / main path (they prompt me and can log in correctly). The problem is that logging out does not work (and I'm not sure why), as well as other paths (like the others shown) are being requested for basic credentials (before always failing).

static class MyApplicationSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/open").permitAll();
        http.authorizeRequests().antMatchers("/other").denyAll(); // Block it for now
         http.authorizeRequests().antMatchers("/basic").authenticated().and().httpBasic().and().logout().logoutUrl("/basic/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
    }
}

I expected / other to always fail, but I don’t understand why basic auth./open works for it, it works as expected. I also do not understand why / basic / logout does not log me out (it also does not generate error messages). I have a simple bit of code as a placeholder for the exit endpoint, but if I don’t have it, then I get 404. The "home" view is my root web application, so I just want to send the user there after logging out.

@RequestMapping("/logout")
public ModelAndView logout() {
    // should be handled by spring security
    return new ModelAndView("home");
}

UPDATE: Here is a solution that seemed to work at the end (except for the part of the exit from the system still not working):

@Configuration
@Order(1) // HIGHEST
public static class OAuthSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/oauth").authorizeRequests().anyRequest().denyAll();
    }
}

@Configuration
public static class BasicAuthConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/basic").authorizeRequests().anyRequest().authenticated().and().httpBasic();
        http.logout().permitAll().logoutUrl("/logout").logoutSuccessUrl("/").invalidateHttpSession(true);
        //.and().logout().logoutUrl("/basic/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
    }
}

+4

java spring-boot spring-mvc spring-security basic-authentication

Aaron zeckoski Jul 9 '14 at 15:50

source share

1 answer

Chris DaMour · Accepted Answer · 2014-07-10T01:33:12+0000

, , , . , , http basic. @Order (1).. , .

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class);

    @Autowired
    public void registerAuthentication(AuthenticationManagerBuilder auth, Config appConfig) throws Exception {
        auth.inMemoryAuthentication()
            .withUser(appConfig.getString(APIConfig.CONFIG_KEY_MANAGEMENT_USER_NAME))
            .password(appConfig.getString(APIConfig.CONFIG_KEY_MANAGEMENT_USER_PASS))
            .roles(HyperAPIRoles.DEFAULT, HyperAPIRoles.ADMIN);        
    }



    /**
     * Following Multiple HttpSecurity approach:
     * http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity 
     */
    @Configuration
    @Order(1)
    public static class ManagerEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
            .antMatcher("/management/**").authorizeRequests().anyRequest().hasRole(HyperAPIRoles.ADMIN).and()
            .httpBasic();
        }
    }

    /**
     * Following Multiple HttpSecurity approach:
     * http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity 
     */
    @Configuration
    public static class ResourceEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {        



       @Override
       protected void configure(HttpSecurity http) throws Exception {                  

            http
            //fyi: This adds it to the spring security proxy filter chain
            .addFilterBefore(createBBAuthenticationFilter(), BasicAuthenticationFilter.class)
            ;      
       }
    }
}

, -, / auth, . ( ), -... , ( ).

,

Spring-boot setup basic auth on one web application path?

More articles: