In Specific
I want to have HTTP Basic authentication ONLY for a specific URL pattern.
In Detail
I'm creating an API interface for my application and that needs to be authenticated by simple HTTP basic authentication. But other web pages should not be using HTTP basic but rather a the normal form login.
Current Configuration - NOT Working
@Override protected void configure(HttpSecurity http) throws Exception { http //HTTP Security .csrf().disable() //Disable CSRF .authorizeRequests() //Authorize Request Configuration .antMatchers("/connect/**").permitAll() .antMatchers("/", "/register").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/api/**").hasRole("API") .anyRequest().authenticated() .and() //HTTP basic Authentication only for API .antMatcher("/api/**").httpBasic() .and() //Login Form configuration for all others .formLogin().loginPage("/login").permitAll() .and() //Logout Form configuration .logout().permitAll(); }
If we don't specify this, Spring Security will generate a very basic Login Form at the /login URL. 8.2. The POST URL for Login The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.
Similarly, we can use the XML configuration: If we don't specify this, Spring Security will generate a very basic Login Form at the /login URL. 8.2. The POST URL for Login The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.
With two steps, you can enable the Basic Authentication in Spring Security Configuration. 1. Configure httpBasic : Configures HTTP Basic authentication. [ http-basic in XML] 2.
By default, the BasicAuthenticationEntryPoint provisioned by Spring Security returns a full page for a 401 Unauthorized response back to the client. This HTML representation of the error renders well in a browser, but it not well suited for other scenarios, such as a REST API where a json representation may be preferred.
Waited for 2 days and didn't get any help here. But my research provided me a solution :)
Solution
@Configuration @EnableWebMvcSecurity @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private AuthenticationProvider authenticationProvider; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(authenticationProvider); } @Configuration @Order(1) public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{ @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() .antMatcher("/api/**") .authorizeRequests() .anyRequest().hasAnyRole("ADMIN", "API") .and() .httpBasic(); } } @Configuration @Order(2) public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{ @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**"); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() //HTTP with Disable CSRF .authorizeRequests() //Authorize Request Configuration .antMatchers("/connect/**").permitAll() .antMatchers("/", "/register").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated() .and() //Login Form configuration for all others .formLogin() .loginPage("/login").permitAll() .and() //Logout Form configuration .logout().permitAll(); } } }
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With