Securing REST endpoint using spring security

I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have a view, hence I haven't created a controller to specify the views and haven't added a viewResolver in my AppConfig.java.

After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header, I get the access denied error. I am testing in Postman, setting username/password in Basic Auth. What am I missing, any idea?

Kaizar Laxmidhar asked Nov 30 '15 16:11



1 Answer

The example you have followed is implementing form-based authentication. In order to change it to HTTP auth (which is more suitable for REST services) you need to look for the following form-login tag in your security.xml:

<form-login 
        login-page="/login" 
        default-target-url="/welcome" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />

And just change it to an empty http-basic tag:

<http-basic />

If you did not change anything else, then it is supposed to work perfectly. You can also test your setup from your browser by trying to access your page. If you configured everything properly, you will get a popup this time, not a form. That will be HTTP Basic authentication welcoming you.

Since you are likely using the Java-based configuration, the equivalent of this change would be to replace:

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().formLogin();

with:

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().httpBasic();
Gergely Bacso answered Oct 25 '22 20:10
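The following is an added example, not code from the question or the answer above: a complete Java-config class that applies the answer's change (httpBasic() in place of formLogin()) to a view-less REST API so that the Basic Auth header Postman sends is actually accepted. It assumes the WebSecurityConfigurerAdapter style of Spring Security 4.x/5.x that the answer's snippet uses; the class name, package, users, passwords and roles are constructed for illustration.

```java
// Added example (not the answer's own code). Assumes Spring Security 4.x/5.x
// with WebSecurityConfigurerAdapter; package, class name and users are assumed.
package com.example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored hashed, never compared in the clear.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample users; a real deployment reads them from a user store.
        PasswordEncoder enc = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(enc)
            .withUser("admin").password(enc.encode("admin-pass")).roles("ADMIN")
            .and()
            .withUser("dba").password(enc.encode("dba-pass")).roles("DBA");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTML views and no login page: do not create an HTTP session, so
            // every request must carry its own "Authorization: Basic <base64>" header.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // CSRF protection defends cookie-backed sessions; with a stateless API
            // authenticated per request it only rejects POST/PUT/DELETE with 403.
            // Keep it enabled if you also serve browser sessions from this app.
            .csrf().disable()
            .authorizeRequests()
                // Same rules as the answer's snippet, written with the role helpers.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/dba/**").hasAnyRole("ADMIN", "DBA")
                .anyRequest().authenticated()
            .and()
            // The answer's change: HTTP Basic challenge (401 + WWW-Authenticate)
            // instead of a redirect to a login form, which is what was breaking the
            // Postman test in the question.
            .httpBasic();
    }
}
```

With this in place a request without credentials gets a 401 with a WWW-Authenticate header (the browser popup the answer describes), a request with the wrong role gets a 403, and a request carrying valid Basic credentials for a permitted role reaches the endpoint. Because the session policy is STATELESS, no JSESSIONID cookie is issued, so the credentials must be supplied on every call rather than once.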