In my previous post, I explained how to safeguard a complete application using the spring-security project.
In any typical web application there are public resources such as the home page, style sheets, JavaScript files and images; these do not need to be guarded by Spring Security.
How do we exclude some resources from safeguarding?
By extending the WebSecurityConfigurerAdapter class and overriding its configure method, we can tell Spring Security which URLs should be excluded and which should be safeguarded.

@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable()
                .authorizeRequests()
                .antMatchers("/", "/public/*", "/css/*", "/js/*").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}
The above snippet disables CSRF protection, excludes the URLs "/", "/public/*", "/css/*" and "/js/*" from safeguarding, and protects every other URL with HTTP Basic authentication.
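The following is an added example, not code from the original post, showing the same exclusion with the public matchers tightened. It restricts the open rules to GET, spells out why rule order matters (the first matcher that matches a request wins, so the deny-by-default anyRequest() rule must come last), shows the difference between the single-segment "/*" pattern and "/**", and makes the session stateless so that turning csrf() off is justified (there is no session cookie for a cross-site request to ride on; a browser-session application should keep CSRF enabled). The class name PublicResourceSecurityConfiguration is an assumption; use it instead of, not alongside, the post's ApplicationSecurityConfiguration, because Spring Security rejects two WebSecurityConfigurerAdapter beans with the same @Order.

```java
package com.sample.app.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Added example (not the post's code): a replacement for the post's
// ApplicationSecurityConfiguration with the same intent and tighter public rules.
@Configuration
@EnableWebSecurity
public class PublicResourceSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Rules are evaluated top to bottom and the first matcher that
            // matches the request wins, so the public rules come first and the
            // catch-all "everything else needs a user" rule comes last.
            .authorizeRequests()
                // Only GET on the public paths is open. "/public/*" matches a
                // single path segment (/public/aboutme); "/css/**" and "/js/**"
                // also cover nested directories such as /css/vendor/app.css.
                .antMatchers(HttpMethod.GET, "/", "/public/*", "/css/**", "/js/**").permitAll()
                // Deny by default: anything not listed above requires authentication.
                .anyRequest().authenticated()
                .and()
            // The API is called with HTTP Basic on every request, so no
            // server-side session (and no session cookie) is created.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Without a session cookie there is nothing for a cross-site request
            // to reuse, which is what makes disabling CSRF acceptable here.
            .csrf().disable()
            .httpBasic();
    }
}
```

If the application later adds form login or any cookie-based session, remove the csrf().disable() line again; the stateless policy is the only reason it is safe here.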
The complete working application is given below.

HelloWorldController.java

package com.sample.app.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloWorldController {

    @RequestMapping("/")
    public String homePage() {
        return "Welcome to Spring boot Application Development using Spring Security";
    }

    @RequestMapping("/public/aboutme")
    public String aboutMe() {
        return "I am secured by spring security module";
    }
}
EmployeeController.java

package com.sample.app.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("employees/")
public class EmployeeController {

    @RequestMapping(value = "registered/count", method = RequestMethod.GET)
    public String countEmps() {
        return "Total Registered Employees : " + 1024;
    }
}
ApplicationSecurityConfiguration.java

package com.sample.app.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable()
                .authorizeRequests()
                .antMatchers("/", "/public/*", "/css/*", "/js/*").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
    }
}
App.java

package com.sample.app;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class App {

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}
pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>springSecurity</groupId>
    <artifactId>springSecurity</artifactId>
    <version>1</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
    </parent>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
    </dependencies>
</project>
The complete project structure looks like the one below.
Run App.java; you will see messages like the following in the console.

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.1.6.RELEASE)

2019-07-14 13:15:17.974  INFO 19933 --- [           main] com.sample.app.App                       : Starting App on C02X902SJGH5 with PID 19933 (/Users/krishna/Documents/EclipseWorkSpaces/Learnings/springSecurity/target/classes started by krishna in /Users/krishna/Documents/EclipseWorkSpaces/Learnings/springSecurity)
2019-07-14 13:15:17.976  INFO 19933 --- [           main] com.sample.app.App                       : No active profile set, falling back to default profiles: default
2019-07-14 13:15:18.942  INFO 19933 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2019-07-14 13:15:18.971  INFO 19933 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2019-07-14 13:15:18.972  INFO 19933 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.21]
2019-07-14 13:15:19.079  INFO 19933 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2019-07-14 13:15:19.080  INFO 19933 --- [           main] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 1052 ms
2019-07-14 13:15:19.294  INFO 19933 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : Using generated security password: f4be2aa8-c4b3-4ab3-bef8-96ce4e196c81
2019-07-14 13:15:19.401  INFO 19933 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4925f4f5, org.springframework.security.web.context.SecurityContextPersistenceFilter@40147317, org.springframework.security.web.header.HeaderWriterFilter@2577d6c8, org.springframework.security.web.authentication.logout.LogoutFilter@e044b4a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7f4037ed, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@19542407, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@76304b46, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1ad926d3, org.springframework.security.web.session.SessionManagementFilter@4c9e9fb8, org.springframework.security.web.access.ExceptionTranslationFilter@30cdae70, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4aeaadc1]
2019-07-14 13:15:19.537  INFO 19933 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2019-07-14 13:15:19.803  INFO 19933 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
2019-07-14 13:15:19.806  INFO 19933 --- [           main] com.sample.app.App                       : Started App in 2.122 seconds (JVM running for 2.484)
Search for the string 'password' in the console messages; you will find a message like the one below.

Using generated security password: f4be2aa8-c4b3-4ab3-bef8-96ce4e196c81
We need the above password to access the APIs protected by the Spring Security module. This password changes on every run of the application.
Open the URL 'http://localhost:8080/public/aboutme'; you will see a screen like the one below.
Open the URL 'http://localhost:8080/employees/registered/count'; the browser prompts for credentials to access the API.
Enter the user name 'user' and the password 'f4be2aa8-c4b3-4ab3-bef8-96ce4e196c81' (take the password from the console messages).
After clicking the OK button, you will see a screen like the one below.
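The manual browser check above can be turned into an automated one, so that a later change to the matchers cannot silently open a protected URL or lock a public one. The test below is an added example, not part of the original post. It runs the post's own controllers and ApplicationSecurityConfiguration through MockMvc and asserts the access rules: public URLs answer 200 without credentials, the protected URL answers 401 without credentials (httpBasic() challenges instead of redirecting to a login page), it answers 200 with valid credentials, and a nested path under /public/ stays protected because "/public/*" matches only one path segment. It assumes spring-boot-starter-test and spring-security-test (test scope) are added to the pom.xml (Spring Boot 2.1 ships JUnit 4); the class name AccessRulesTest and the fixed password "test-password", set through the spring.security.user.* properties so the test does not depend on the generated one, are constructed for this example.

```java
package com.sample.app;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not the post's code): verifies the post's access rules.
@RunWith(SpringRunner.class)
@SpringBootTest(properties = {
        // Constructed credentials for the test; they replace the generated password
        // that the application prints on every start.
        "spring.security.user.name=user",
        "spring.security.user.password=test-password"
})
@AutoConfigureMockMvc
public class AccessRulesTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void publicUrlsAreOpenWithoutCredentials() throws Exception {
        mockMvc.perform(get("/")).andExpect(status().isOk());
        mockMvc.perform(get("/public/aboutme")).andExpect(status().isOk());
    }

    @Test
    public void protectedUrlRejectsAnonymousRequests() throws Exception {
        // Basic authentication challenges with 401 rather than a login redirect.
        mockMvc.perform(get("/employees/registered/count"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    public void protectedUrlAcceptsValidCredentials() throws Exception {
        mockMvc.perform(get("/employees/registered/count")
                        .with(httpBasic("user", "test-password")))
               .andExpect(status().isOk());
    }

    @Test
    public void singleSegmentPatternDoesNotOpenNestedPaths() throws Exception {
        // "/public/*" matches one segment only, so a deeper path is still guarded
        // and is rejected by the filter chain before any controller is looked up.
        mockMvc.perform(get("/public/nested/page"))
               .andExpect(status().isUnauthorized());
    }
}
```

Run it with mvn test; the last test is the one that catches a later change from "/public/*" to "/public/**" that would open more than intended.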
You can download the complete working application from this link.