Configuring Spring Security with Spring Boot

StackOverflow https://stackoverflow.com/questions/19530768

Question

I am new to configuring Spring Security using Java Config. I was trying to follow this posting. However, when I run my app, I get a Basic Auth challenge on all URLs, including /. Entering the either of the userid/pass combos below do not seem to work.

My Controller:

package com.xxx.web;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/")
/**
 * Controller to handle basic "root" URLs
 * 
 * @author xxx
 * @version 0.1.0
 */
public class RootController {

    /**
     * Handles '/'
     * @param model
     * @return
     */
    @RequestMapping
    public String index(Model model) {
        return "index";
    }

    /**
     * Handles '/signup'
     * @param model
     * @return
     */
    @RequestMapping("/signup")
    public String signup(Model model) {
        return "signup";
    }

    /**
     * Handles '/about'
     * @param model
     * @return
     */
    @RequestMapping("/about")
    public String about(Model model) {
        return "about";
    }

    /**
     * Handles '/login'
     * @param model
     * @return
     */
    @RequestMapping("/login")
    public String login(Model model) {
        return "login";
    }

    /**
     * Handles '/admin'
     * @param model
     * @return
     */
    @RequestMapping("/admin")
    public String admin(Model model) {
        return "admin";
    }
}

Not sure what else to try. Just looking for some guidance as to why this isn't working.

Update

For completeness, here is the config class:

package com.xxx.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
/**
 * Configures the security for the application
 * 
 * @author XXX
 * @version 0.1.0
 *
 */
public class WebSecurityAppConfig extends WebSecurityConfigurerAdapter {
    @Override
    /**
     * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#registerAuthentication(AuthenticationManagerBuilder)
     */
    protected void registerAuthentication(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
          .inMemoryAuthentication()
            .withUser("user")  // #1
              .password("password")
              .roles("USER")
              .and()
            .withUser("admin") // #2
              .password("password")
              .roles("ADMIN","USER");
    }

    @Override
    /**
     * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(WebSecurity)
     */
    public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
             .antMatchers("/resources/**"); // #3
    }

    @Override
    /**
     * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(HttpSecurity)
     */
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
            .antMatchers("/","/signup","/about").permitAll() // #4
            .antMatchers("/admin/**").hasRole("ADMIN") // #6
            .anyRequest().authenticated() // 7
            .and()
        .formLogin()  // #8
            .loginPage("/login") // #9
            .permitAll(); // #5
    }
}

And the WebApplicationInitializer:

package com.xxx.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

/**
 * 
 * @author XXX
 * @version 0.1.0
 */
public class SpringWebMvcInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    /**
     * 
     */
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { WebSecurityAppConfig.class };
    }

    @Override
    /**
     * 
     */
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    /**
     * 
     */
    protected String[] getServletMappings() {
        return null;
    }

}

I didn't include these before because they are pretty much a copy-paste from the referenced blog posting.

Was it helpful?

Solution

The original question is probably best answered by just describing the options available. Some applications (services that only need basic HTTP authentication) can use the default settings in the actuator, others will need to specify security.* properties (see SecurityProperties for options) and/or an AuthenticationManager (for user account details). The next level of control comes from adding your own WebSecurityConfigurerAdapter, and you can see how to do that by looking at the "secure" sample in Spring Boot.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top