Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authenticate only selected rest end points : spring boot

Tags:

java

spring

spring-boot

spring-security

I have a Spring Boot web application exposing few rest endpoints. I wanted to know how we can enable basic authentication only for selected rest endpoints. Let's say I want only /employee/{id} request to be authenticated and ignore all the other rest endpoints. I am using the following code. My question is will the antMatcher only authenticate the request specified? Currently its enabling authentication for all rest endpoints: 

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
         // How does it work will it only authenticate employee & 
         // ignore any other request?? Its authenticating all the requests currently. 
         http
            .authorizeRequests()
                 .antMatchers("/employee/*").authenticated()
            .and()
            .httpBasic()
            .and()
            .csrf()
                .disable();    
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("USER");
    }
}
like image 629
Kalava Avatar asked Jul 15 '16 19:07

Kalava

People also ask

How do you restrict the endpoint of a spring boot?

Run the app using: ./gradlew bootRun . Navigate to the home endpoint, which is open: http://localhost:8080 . And the restricted endpoint, which requires authentication: http://localhost:8080/restricted . When Spring's login form appears, don't forget you can use the default credentials.

What is @API in spring boot?

It allows you to create REST APIs with minimal configurations. A few benefits of using Spring Boot for your REST APIs include: No requirement for complex XML configurations. Embedded Tomcat server to run Spring Boot applications.

1 Answers

By default Spring Boot will secure all endpoints when Spring Security is on the classpath.

You need to explicitly add an exclusion for all other endpoints to be permitted without authentication.

Example:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
               .antMatchers("/employee/*").authenticated()
               .anyRequest().permitAll()
             .and()
             .httpBasic()
             .and()
             .csrf().disable();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password("admin").roles("USER");
    }

}
like image 198
Kyle Anderson Avatar answered Oct 24 '22 12:10

Kyle Anderson
Sign in to Comment

Related questions

EnumSet serialization
Is there a way to use SecondaryTable to jump multiple tables?
error occured instantiating job to be executed in Quartz sheduler
How can I evaluate next statement when null was returned in Java?
GSON deserialization with generic types and generic field names
How to properly handle expected errors in Hystrix fallback?
What is the difference between ServerBootstrap.option() and ServerBootstrap.childOption() in netty 4.x
What is the meaning of @jls in javadoc?
Using grpc in maven
Register multiple Instances of a Spring Boot Eureka Client from a single host
How to access AuditReaderFactory in spring boot application?
Spring controller method called twice
why use JndiObjectFactoryBean to config JNDI datasource did not work?
How to capture thread dump programatically using JAVA Code?
SpringBoot, how to Authenticate with LDAP without using ldif?
Java 8 - Ternary operator returning function doesn't compile
Spring Data: Not an managed type: class java.lang.Object
java.lang.NoClassDefFoundError: ayc for InterstitialAd
Apache-camel: Enabling bridgeEndpoint on the http endpoint
How Spring Singleton Scope is Garbage Collected?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!