Geek Answers Handbook

REST endpoint protection with spring security

I am trying to ensure the security of REST endpoints. I follow the instructions on this page . In my case, I have no view, so I did not create a controller to specify the views and did not add viewResolver to my AppConfig.java

After implementation, it correctly displays an access denied error when invoking a secure REST endpoint. But even if I provide the username / password in the request header, I get an access denied error. I am testing a mailer by setting a username / password in Basic Auth. What am I missing?

+7
spring-security authorization restful-authentication ws-security rest-security
source share
1 answer

The following example implements form-based authentication. . To change it to http auth (which is more suitable for REST services), you need to look for the following form-login in your security.xml:

 <form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" />

And just change it to an empty http-basic tag:

 <http-basic />

If you haven’t changed anything, then it should work perfectly. You can also check your settings in your browser, trying to access your page. If you configured everything correctly, this time you will get a popup, not a form. This will be the HTTP basic authentication that greets you.

Since you are probably using a Java based configuration, the equivalent of this change should replace:

  http.authorizeRequests() .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')") .and().formLogin();

from:

  http.authorizeRequests() .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')") .and().httpBasic();
+4
source share

More articles:


All Articles