How to use anotation instead of HttpSecurity? - java

I have spring boot app with OAuth2. I want to open a few endpoints for anonymous access. I can do it using:
http
.authorizeRequests()
.antMatchers("/xyz/**").anonymous()
.and()
.authorizeRequests()
.anyRequest().authenticated();
but is there any way to do it more selectively and open only specific endpoints by putting some annotations there? I tried #PermitAll but it still requires authentication.

You can use antMatchers("/YOUR_ENDOINT/**").permitAll();

Related

Disable login page redirect for specific url but still require it's authentication

Application is based on Spring Boot and provides a web confgiuration gui.
By default, if a user is not authorized, he gets redirected to /login an gets redirected to the desired page on successful authorization.
Now I need to provide an API endpoint for intergration of a different software /cid.
I want to disable redirect to /login for this specific /cid/ endpoint but still require basic autorization header.
Right now I have the following and I understant this config as: "prevent all requests and redirect them to /login except /cid and all children of /js/ and /css/." and it seems that I am wrong.
http.authorizeRequests()
.antMatchers("/cid", "/js/**", "/css/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login");
How to configure Spring Security to "require authorization for /cid, require authorization and redirect to /login everything else"?
I really got lost in documentation of Spring.

Spring Security session domain

My friend and I are making a Java spring boot application for University practice. Its front is on Firebase, and the API is on Heroku
The problem is the following, I configured Spring Security as follows:
#Override
protected void configure(final HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**", "/bid/getBids", "/bid/{id}", "/purchase/create",
"/purchase/{id}", "/purchase/question/{questionId}/answer").hasAuthority("ROLE_ADMIN")
.antMatchers("/registration/**", "/registration").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/").deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
}
While I'm testing the API on Heroku via swagger/postman, everything works fine, including role restrictions.
But when it tries to set up authorization via the /login path, it redirects to the swagger-ui page, because that's how I set it up. I rewrote the redirect to its main page on Firebase, but the session doesn't work that way, apparently because cookies are saved to the address of my application on Heroku.
Please tell me how I can configure Spring Security so that its site saves user sessions during authorization, and the site works normally with my API?
I use a translator for some phrases, sorry about that
Your frontend and backend applications are served on different domains and HTTP cookie information is stored for only the specific domain. So I think you can easily serve your static page (or single page application resources) by putting under src/resources/static of your spring boot application. By doing this you can also restrict your front-end application and allow for only authorized users. If you want to serve the front-end application on firebase and backend on Heroku you should forward it to the upstream host by configuring rewrite rules in the firebase.json file (https://firebase.google.cn/docs/hosting/full-config?authuser=0#rewrites).

Spring Security using filter and not Controller

Trying to setup login authentication with Spring Boot starter 2.3.0 and Spring Security 5.3.2
My loginController was working initially a /login POST request
Then I added Spring Security and a UsernamePasswordAuthenticationFilter, and other classes to authenticate that I copied from other apps and it works.
It's going out and authenticating the username and password but it doesn't go through the Controller /login method. It seems to just skip it (sysout logs aren't showing). But if I remove the method then it doesn't work (so it's like it has to be there but doesn't go into it).
#Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests()
.antMatchers(SecurityConstant.PUBLIC_URLS).permitAll()
.anyRequest().authenticated()
.and()
.addFilterBefore(
// authenticationFilter(),
jwtAuthorizationFilter,
UsernamePasswordAuthenticationFilter.class);
Has anyone experienced anything like this before? Thanks, appreciate any help, trying to learn Spring Security

Spring security configure access

I am configuring endpoint access in Spring Security. What I want to accomplish:
Everyone has access to resources
Everyone can login/register
Only authenticated users can access logout and all other mapped endpoints
Here is my configuration, it fulfills firs two requirements and prevents access to /logout for non-logged users.
http.authorizeRequests()
.antMatchers("/register").permitAll()
.antMatchers("/register/*").permitAll()
.antMatchers("/favicon.ico").permitAll()
.antMatchers("**/*.html").permitAll()
.antMatchers("**/*.css").permitAll()
.antMatchers("**/*.js").permitAll()
.and()
.formLogin().loginPage("/login").failureUrl("/login-error").defaultSuccessUrl("/")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login").deleteCookies("JSESSIONID").logoutUrl("/logout");
to ensure that request to your application requires the user to be authenticated use
.anyRequest().authenticated()

Is it posible to add URLs to be authenticated using SAML (via Spring Security) at runtime?

We're currently attempting to add SAML integration to our project and one of the requirements is that an administrator can use the system to add authentication to a part of the website.
For instance, if the app was hosted at "foo.com" then they would be able to specify that all pages that start with "foo.com/secret" should be authenticated using SAML.
I know how this can be done statically on system start up but I'm struggling to find any information on how to alter the Spring Security settings at runtime.
I'm currently trying to test this out on the example saml project which can be found here: https://github.com/vdenotaris/spring-boot-security-saml-sample
The configure method of the WebSecurityConfig class looks like the following:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(samlEntryPoint());
http
.csrf()
.disable();
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/error").permitAll()
.antMatchers("/saml/**").permitAll()
.anyRequest().authenticated();
http
.logout()
.logoutSuccessUrl("/");
}
I want to be able to add an additional antMatcher for a new URL that is authenticated. I've been able to change the http object at runtime but this has no effect on the security.

Categories