{"id":3946,"date":"2020-09-29T03:52:15","date_gmt":"2020-09-29T03:52:15","guid":{"rendered":"https:\/\/codethataint.com\/blog\/?p=3946"},"modified":"2020-10-03T17:55:53","modified_gmt":"2020-10-03T17:55:53","slug":"spring-security-configuring-authentication","status":"publish","type":"post","link":"https:\/\/codethataint.com\/blog\/spring-security-configuring-authentication\/","title":{"rendered":"Spring Security Configuring Authentication and Authorization"},"content":{"rendered":"

ApplicationSecurityConfig.java<\/strong><\/p>\n

\r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.authorizeRequests()\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n
Whitelisting some URLs(index, js and CSS files)<\/strong><\/p>\n
\r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.authorizeRequests()\r\n                    \/\/Whitelisting URLS\r\n                    .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n
Authentication with password with no encryption<\/strong><\/p>\n
\r\n@Override\r\n@Bean\r\n protected UserDetailsService userDetailsService() {\r\n       UserDetails mugilUsrBuilder = User.builder()\r\n              .username("Mugil")\r\n              .password("{noop}password")\r\n              .roles("ADMIN")\r\n              .build();\r\n\r\n      return new InMemoryUserDetailsManager(mugilUsrBuilder);\r\n}\r\n<\/pre>\n
If {noop} is not used in password Spring security would throw an error asking to encode the password with password encoder as below.
\njava.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id “null”<\/em><\/p>\n
Using Password Simple Encoder<\/strong>
\nPasswordConfig.java<\/strong><\/p>\n
\r\n@Configuration\r\npublic class PasswordConfig {\r\n    @Bean\r\n    public PasswordEncoder passwordEncoder()\r\n    {\r\n        return new BCryptPasswordEncoder(10);\r\n    }\r\n}\r\n<\/pre>\n
ApplicationSecurityConfig.java<\/strong><\/p>\n
    \n
  1. Inject the passwordEncoder from PasswordConfig class to ApplicationSecurityConfig<\/li>\n
  2. Encode the password using instance of injected encoder in ApplicationSecurityConfig<\/li>\n<\/ol>\n
    \r\n @Autowired\r\n    private PasswordEncoder passwordEncoder;\r\n\r\n    @Autowired\r\n    public ApplicationSecurityConfig(PasswordEncoder passwordEncoder) {\r\n        this.passwordEncoder = passwordEncoder;\r\n    }\r\n\r\n    @Override\r\n    @Bean\r\n    protected UserDetailsService userDetailsService() {\r\n        UserDetails mugilUsrBuilder = User.builder()\r\n                .username("Mugil")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .roles("ADMIN")\r\n                .build();\r\n\r\n        return new InMemoryUserDetailsManager(mugilUsrBuilder);\r\n    }\r\n<\/pre>\n
    Allowing Access to API based on Role – Authorization<\/strong>
    \nApplicationSecurityConfig.java<\/strong><\/p>\n
    \r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n.\r\n.\r\n @Override\r\n    @Bean\r\n    \/\/Authentication\r\n    protected UserDetailsService userDetailsService() {\r\n        UserDetails adminUsrBuilder = User.builder()\r\n                .username("admin")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .roles("ADMIN")\r\n                .build();\r\n\r\n        UserDetails regularUsrBuilder = User.builder()\r\n                .username("user")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .roles("USER")\r\n                .build();\r\n\r\n        return new InMemoryUserDetailsManager(adminUsrBuilder, regularUsrBuilder);  \r\n    }\r\n\r\n    @Override\r\n    \/\/Authorization\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.authorizeRequests()\r\n                     \/\/Whitelisting URLS\r\n                    .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .antMatchers("\/api\/**").hasRole("ADMIN")\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n.\r\n.\r\n<\/pre>\n
      \n
    1. In the above code we have added two roles – ADMIN and USER<\/li>\n
    2. Both were authenticated to access the application.But to access the API the role should be ADMIN\n
      \r\n  antMatchers(\"\/api\/**\").hasRole(\"ADMIN\")\r\n<\/pre>\n<\/li>\n
    3. If the user with Role USER try to access API then it would end up in 403 – Forbidden Error<\/li>\n<\/ol>\n
      Access Allowed<\/strong>
      \n\"\"<\/p>\n
      Forbidden Access<\/strong>
      \n\"\"<\/p>\n
      Allowing Access based on 2 Different Role <\/strong>
      \nApplicationSecurityConfig.java<\/strong><\/p>\n
      \r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n.\r\n.\r\n\r\n    @Override\r\n    @Bean\r\n    protected UserDetailsService userDetailsService() {\r\n        UserDetails adminUsrBuilder = User.builder()\r\n                .username("admin")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .roles("ADMIN")\r\n                .build();\r\n\r\n        UserDetails regularUsrBuilder = User.builder()\r\n                .username("user")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .roles("USER")\r\n                .build();\r\n\r\n        return new InMemoryUserDetailsManager(adminUsrBuilder, regularUsrBuilder);\r\n    }\r\n\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.csrf().disable()\r\n                     .authorizeRequests()\r\n                     \/\/Whitelisting URLS\r\n                    .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .antMatchers(HttpMethod.GET,"\/api\/**").permitAll()\r\n                    .antMatchers(HttpMethod.DELETE,"\/api\/**").hasRole("ADMIN")\r\n                    .antMatchers(HttpMethod.PUT,"\/api\/**").hasRole("ADMIN")\r\n                    .antMatchers(HttpMethod.POST,"\/api\/**").hasRole("ADMIN")\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n
        \n
      1. In the above piece of code we have defined two roles ADMIN and USER<\/li>\n
      2. Those with USER role can access the API with HTTP Get Method. That means both ADMIN and USER role could access all the API using GET method\n
        \r\n.\r\n.antMatchers(HttpMethod.GET,\"\/api\/**\").permitAll()\r\n.\r\n<\/pre>\n<\/li>\n
      3. \nThose with ADMIN role can access the API with HTTP POST, DELETE and PUT Method which corresponds to Create, Delete and Update as per Open API Specifiaction. <\/p>\n
        \r\n.\r\n.antMatchers(HttpMethod.DELETE,\"\/api\/**\").hasRole(\"ADMIN\")\r\n.antMatchers(HttpMethod.PUT,\"\/api\/**\").hasRole(\"ADMIN\")\r\n.antMatchers(HttpMethod.POST,\"\/api\/**\").hasRole(\"ADMIN\")\r\n.\r\n<\/pre>\n<\/li>\n
      4. The above could be cross checked by changing postman call with HttpMethods and Credentials<\/li>\n<\/ol>\n
        StudentsService.java<\/strong><\/p>\n
        \r\n@RestController\r\n@RequestMapping("\/api\/v1\/students")\r\npublic class StudentsService {\r\n    @Autowired\r\n    StudentRepo studentRepo;\r\n\r\n    @GetMapping(path="{studentId}")\r\n    public Student getStudentById(@PathVariable("studentId") String studentId){\r\n        return studentRepo.getStudentById(studentId);\r\n    }\r\n\r\n    @GetMapping\r\n    public List<Student> getStudentList(){\r\n        return studentRepo.getStudentsList();\r\n    }\r\n\r\n    @PutMapping\r\n    public String updateStudent(@RequestBody Student student){\r\n        return studentRepo.updateStudent(student);\r\n    }\r\n\r\n    @PostMapping\r\n    public String addStudent(@RequestBody Student student){\r\n        if(studentRepo.addStudents(student))\r\n            return  "Student with Id " + student.getStudentId() + " added successfully";\r\n        else\r\n            return  "Error:Unable to create Student";\r\n    }\r\n\r\n    @DeleteMapping(path="{studentId}")\r\n    public String deleteStudent(@PathVariable("studentId") String studentId){\r\n        studentRepo.deleteStudent(studentId);\r\n        return "Student Deleted Successfully";\r\n    }\r\n}\r\n<\/pre>\n
        Allowing Access based on 2 Different Authority(or)Permission<\/strong><\/p>\n
          \n
        1. In the below code instead of using ROLES to authorize users to do something we use AUTHORITIES to allow user<\/li>\n
        2. There are two ways to do this. One is by using hasAuthority<\/em> in configure(HttpSecurity httpSecurity)<\/em> method as below  <\/li>\n
        3. \n
          \r\n.\r\n@EnableGlobalMethodSecurity(prePostEnabled = true)\r\n.\r\n.antMatchers(HttpMethod.POST,\"\/api\/v1\/students\/\").hasAuthority(\"WRITE\")\r\n.antMatchers(HttpMethod.DELETE,\"\/api\/v1\/students\/**\").hasAuthority(\"WRITE\")\r\n.antMatchers(HttpMethod.PUT,\"\/api\/v1\/students\/\").hasAuthority(\"WRITE\")\r\n.\r\n<\/pre>\n<\/li>\n
        4. Other is by using @preauthorize annotation to decide the methods
          \nwhich could be allowed access to<\/p>\n
          \r\n.\r\n.\r\n@PreAuthorize(\"hasAuthority('READ')\")\r\npublic List getStudentList(){\r\n.\r\n\r\n@PreAuthorize(\"hasAuthority('WRITE')\")\r\npublic String updateStudent(@RequestBody Student student){\r\n.\r\n.\r\n<\/pre>\n<\/li>\n<\/ol>\n
          ApplicationSecurityConfig.java<\/strong>
          \nUsing hasAuthority<\/em><\/p>\n
          \r\n@Configuration\r\n@EnableWebSecurity\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n\r\n    @Autowired\r\n    private PasswordEncoder passwordEncoder;\r\n\r\n    @Autowired\r\n    public ApplicationSecurityConfig(PasswordEncoder passwordEncoder) {\r\n        this.passwordEncoder = passwordEncoder;\r\n    }\r\n\r\n    @Override\r\n    @Bean\r\n    protected UserDetailsService userDetailsService() {\r\n        GrantedAuthority[] arrGrantedAuthAdmin = {new SimpleGrantedAuthority("READ"), new SimpleGrantedAuthority("WRITE")};\r\n        GrantedAuthority[] arrGrantedAuthUser = {new SimpleGrantedAuthority("READ")};\r\n\r\n        UserDetails adminUsrBuilder = User.builder()\r\n                .username("admin")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .authorities("READ", "WRITE")\r\n                .build();\r\n\r\n        UserDetails regularUsrBuilder = User.builder()\r\n                .username("user")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .authorities("READ")\r\n                .build();\r\n\r\n        return new InMemoryUserDetailsManager(adminUsrBuilder, regularUsrBuilder);\r\n    }\r\n\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.csrf().disable()\r\n                     .authorizeRequests()\r\n                     .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .antMatchers(HttpMethod.POST,"\/api\/v1\/students\/").hasAuthority("WRITE")\r\n                    .antMatchers(HttpMethod.DELETE,"\/api\/v1\/students\/**").hasAuthority("WRITE")\r\n                    .antMatchers(HttpMethod.PUT,"\/api\/v1\/students\/").hasAuthority("WRITE")\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n
          ApplicationSecurityConfig.java<\/strong>
          \nUsing @PreAuthorize and EnableGlobalMethodSecurity<\/em><\/p>\n
          \r\n@Configuration\r\n@EnableWebSecurity\r\n@EnableGlobalMethodSecurity(prePostEnabled = true)\r\npublic class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {\r\n\r\n    @Autowired\r\n    private PasswordEncoder passwordEncoder;\r\n\r\n    @Autowired\r\n    public ApplicationSecurityConfig(PasswordEncoder passwordEncoder) {\r\n        this.passwordEncoder = passwordEncoder;\r\n    }\r\n\r\n    @Override\r\n    @Bean\r\n    protected UserDetailsService userDetailsService() {\r\n        GrantedAuthority[] arrGrantedAuthAdmin = {new SimpleGrantedAuthority("READ"), new SimpleGrantedAuthority("WRITE")};\r\n        GrantedAuthority[] arrGrantedAuthUser = {new SimpleGrantedAuthority("READ")};\r\n\r\n        UserDetails adminUsrBuilder = User.builder()\r\n                .username("admin")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .authorities("READ", "WRITE")\r\n                .build();\r\n\r\n        UserDetails regularUsrBuilder = User.builder()\r\n                .username("user")\r\n                .password(this.passwordEncoder.encode("password"))\r\n                .authorities("READ")\r\n                .build();\r\n\r\n        return new InMemoryUserDetailsManager(adminUsrBuilder, regularUsrBuilder);\r\n    }\r\n\r\n    @Override\r\n    protected void configure(HttpSecurity httpSecurity) throws Exception{\r\n        httpSecurity.csrf().disable()\r\n                     .authorizeRequests()\r\n                    .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll()\r\n                    .anyRequest()\r\n                    .authenticated()\r\n                    .and()\r\n                    .httpBasic();\r\n    }\r\n}\r\n<\/pre>\n
          StudentsService.java<\/strong><\/p>\n
          \r\n@RestController\r\n@RequestMapping("\/api\/v1\/students")\r\npublic class StudentsService {\r\n    @Autowired\r\n    StudentRepo studentRepo;\r\n\r\n    @GetMapping(path="{studentId}")\r\n    public Student getStudentById(@PathVariable("studentId") String studentId){\r\n        return studentRepo.getStudentById(studentId);\r\n    }\r\n\r\n    @GetMapping\r\n    @PreAuthorize("hasAuthority('READ')")\r\n    public List<Student> getStudentList(){\r\n        return studentRepo.getStudentsList();\r\n    }\r\n\r\n    @PutMapping\r\n    @PreAuthorize("hasAuthority('WRITE')")\r\n    public String updateStudent(@RequestBody Student student){\r\n        return studentRepo.updateStudent(student);\r\n    }\r\n\r\n    @PostMapping\r\n    @PreAuthorize("hasAuthority('WRITE')")\r\n    public String addStudent(@RequestBody Student student){\r\n        if(studentRepo.addStudents(student))\r\n            return  "Student with Id " + student.getStudentId() + " added successfully";\r\n        else\r\n            return  "Error:Unable to create Student";\r\n    }\r\n\r\n    @DeleteMapping(path="{studentId}")\r\n    @PreAuthorize("hasAuthority('WRITE')")\r\n    public String deleteStudent(@PathVariable("studentId") String studentId){\r\n        studentRepo.deleteStudent(studentId);\r\n        return "Student Deleted Successfully";\r\n    }\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
          ApplicationSecurityConfig.java @Configuration @EnableWebSecurity public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity httpSecurity) throws Exception{ httpSecurity.authorizeRequests() .anyRequest() .authenticated() .and() .httpBasic(); } } Whitelisting some URLs(index, js and CSS files) @Configuration @EnableWebSecurity public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity httpSecurity) throws Exception{ httpSecurity.authorizeRequests() \/\/Whitelisting URLS .antMatchers("\/", "index", "\/css\/*", "\/js\/*").permitAll() .anyRequest() .authenticated() .and()… Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[325],"tags":[],"class_list":["post-3946","post","type-post","status-publish","format-standard","hentry","category-spring-security"],"_links":{"self":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/comments?post=3946"}],"version-history":[{"count":5,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3946\/revisions"}],"predecessor-version":[{"id":3963,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/posts\/3946\/revisions\/3963"}],"wp:attachment":[{"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/media?parent=3946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/categories?post=3946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codethataint.com\/blog\/wp-json\/wp\/v2\/tags?post=3946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}