I am configuring endpoint access in Spring Security. What I want to accomplish:
Everyone has access to resources
Everyone can login/register
Only authenticated users can access logout and all other mapped endpoints
Here is my configuration, it fulfills firs two requirements and prevents access to /logout for non-logged users.
http.authorizeRequests()
.antMatchers("/register").permitAll()
.antMatchers("/register/*").permitAll()
.antMatchers("/favicon.ico").permitAll()
.antMatchers("**/*.html").permitAll()
.antMatchers("**/*.css").permitAll()
.antMatchers("**/*.js").permitAll()
.and()
.formLogin().loginPage("/login").failureUrl("/login-error").defaultSuccessUrl("/")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login").deleteCookies("JSESSIONID").logoutUrl("/logout");
to ensure that request to your application requires the user to be authenticated use
.anyRequest().authenticated()
Related
Application is based on Spring Boot and provides a web confgiuration gui.
By default, if a user is not authorized, he gets redirected to /login an gets redirected to the desired page on successful authorization.
Now I need to provide an API endpoint for intergration of a different software /cid.
I want to disable redirect to /login for this specific /cid/ endpoint but still require basic autorization header.
Right now I have the following and I understant this config as: "prevent all requests and redirect them to /login except /cid and all children of /js/ and /css/." and it seems that I am wrong.
http.authorizeRequests()
.antMatchers("/cid", "/js/**", "/css/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login");
How to configure Spring Security to "require authorization for /cid, require authorization and redirect to /login everything else"?
I really got lost in documentation of Spring.
I have two types of users: say, admins and users. Users are authenticated by http basic, and admins are authenticated by jwt.
So, I have such configurations in two #Configuration:
http.cors().and.csrf().disable().and().antMatcher("**/user/**")
.httpBasic();
and
http.cors().and().csrf().disable()
.antMatcher("**/admin/**")
.authorizeRequests(authorize -> authorize
.anyRequest().authenticated())
.and()
.oauth2ResourceServer().jwt();
But I have some endpoints (say, /data), which are need to be accessible(secured!) by users and administrators both. Is there a way to configure something like this, or do I need to divide /data endpoints?
You can configure filters for specific endpoints as well. You can write custom code in those filters and handle any custom logic. Other option would be to use AOP on api function itself and do custom handling there.
My friend and I are making a Java spring boot application for University practice. Its front is on Firebase, and the API is on Heroku
The problem is the following, I configured Spring Security as follows:
#Override
protected void configure(final HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/admin/**", "/bid/getBids", "/bid/{id}", "/purchase/create",
"/purchase/{id}", "/purchase/question/{questionId}/answer").hasAuthority("ROLE_ADMIN")
.antMatchers("/registration/**", "/registration").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/").deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
}
While I'm testing the API on Heroku via swagger/postman, everything works fine, including role restrictions.
But when it tries to set up authorization via the /login path, it redirects to the swagger-ui page, because that's how I set it up. I rewrote the redirect to its main page on Firebase, but the session doesn't work that way, apparently because cookies are saved to the address of my application on Heroku.
Please tell me how I can configure Spring Security so that its site saves user sessions during authorization, and the site works normally with my API?
I use a translator for some phrases, sorry about that
Your frontend and backend applications are served on different domains and HTTP cookie information is stored for only the specific domain. So I think you can easily serve your static page (or single page application resources) by putting under src/resources/static of your spring boot application. By doing this you can also restrict your front-end application and allow for only authorized users. If you want to serve the front-end application on firebase and backend on Heroku you should forward it to the upstream host by configuring rewrite rules in the firebase.json file (https://firebase.google.cn/docs/hosting/full-config?authuser=0#rewrites).
I have spring boot app with OAuth2. I want to open a few endpoints for anonymous access. I can do it using:
http
.authorizeRequests()
.antMatchers("/xyz/**").anonymous()
.and()
.authorizeRequests()
.anyRequest().authenticated();
but is there any way to do it more selectively and open only specific endpoints by putting some annotations there? I tried #PermitAll but it still requires authentication.
You can use antMatchers("/YOUR_ENDOINT/**").permitAll();
We're currently attempting to add SAML integration to our project and one of the requirements is that an administrator can use the system to add authentication to a part of the website.
For instance, if the app was hosted at "foo.com" then they would be able to specify that all pages that start with "foo.com/secret" should be authenticated using SAML.
I know how this can be done statically on system start up but I'm struggling to find any information on how to alter the Spring Security settings at runtime.
I'm currently trying to test this out on the example saml project which can be found here: https://github.com/vdenotaris/spring-boot-security-saml-sample
The configure method of the WebSecurityConfig class looks like the following:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.httpBasic()
.authenticationEntryPoint(samlEntryPoint());
http
.csrf()
.disable();
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/error").permitAll()
.antMatchers("/saml/**").permitAll()
.anyRequest().authenticated();
http
.logout()
.logoutSuccessUrl("/");
}
I want to be able to add an additional antMatcher for a new URL that is authenticated. I've been able to change the http object at runtime but this has no effect on the security.