How to get past the Authentication Required Spring-boot Security

Question

I have put in the password which is "root" and it keeps popping back up. How can I suppress this or get rid of it. I am using spring boot and spring security.

application.properties

spring.datasource.driverClassName=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/springbootpractice
spring.datasource.username=root


spring.jpa.database = MYSQL
spring.jpa.show-sql = true

# Hibernate
hibernate.dialect: org.hibernate.dialect.MySQL5Dialect
hibernate.show_sql: true
hibernate.hbm2ddl.auto: update
entitymanager.packagesToScan: /

I am using intellij 14 if that matters.

----Update 1-----

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/", "/index").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/index")
                .permitAll()
                .and()
                .logout()
                .permitAll();
    } 

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/", "/index").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/index")
                    .permitAll()
                    .and()
                    .logout()
                    .permitAll();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
        }
    }

This may be helpful. https://stackoverflow.com/questions/26655875/spring-boot-redirect-http-to-https/45166608#45166608 — rogue lad, Jul 18 '17 at 12:24

score 31 · Answer 1 · answered Aug 08 '15 at 20:14

31

This class has to be in a parent package of all other packages: WebSecurityConfig. Also in application.properties set:

security.basic.enabled=false

answered Aug 08 '15 at 20:14

ACV

9,964
5
76
81

1

I was trying to run the sample examples coming along with spring-boot, the `application.properties` file is located under folder `src/main/resources`, adding `security.basic.enabled=false` is the only thing that i need to do. – B.Mr.W. Jun 30 '16 at 03:56

score 18 · Answer 2 · edited Jun 20 '20 at 09:12

ACV's answer is probably the easiest way to turn off the authentication completely by adding security.basic.enabled=false to the application.properties file which is usually located under src/main/resources folder.

or you just type in the password :)

1. use default password

When you run your spring application, there is usually a whole bunch of logging printed, which people usually don't read. The password is actually generated and printed to the screen at the startup. and the username is simply user. If you are testing using a browser and it probably only need you enter it once and caches it, so once for all, you should be securely logged in without authenticating every time. (however, every time you restart your app, it will generate a new password)

2. customize your password

Add the following properties to your application.properties if you want to customize your username and password:

security.user.name=myuser
security.user.password=mypassword

And here is how it looks like with your own username and password

Reference:

score 3 · Answer 3 · answered May 25 '17 at 11:02

You can bypass this spring boot security mechanism. See an example below for this:

@SpringBootApplication
@EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class})
public class SampleSpringBootApplication {

    public static void main(String[] args) {
        SpringApplication.run(SampleSpringBootApplication.class, args);
    }
}

Sanjay · Answer 4 · 2016-04-24T08:48:13.300

2

When Spring Security is in the classpath, Spring Boot by default secures all your pages with Basic authentication. That's why you are being asked for userid and password.

You will need to configure the security. To do so, commonly people would extend a WebSecurityConfigurerAdapter, like this:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            ...

Refer this Spring Security guide for more details.

edited Apr 24 '16 at 08:48

answered Aug 08 '15 at 10:49

Sanjay

8,755
7
46
62

please see update 1. I have read spring.io and I am unable to solve the issue which is why I posted here. – Mike3355 Aug 08 '15 at 11:18
Hope your WebSecurityConfig class is properly annotated. Just to confirm, as it's not seen in your sample above. – Sanjay Aug 08 '15 at 11:23
Yes, sorry... Updated – Mike3355 Aug 08 '15 at 11:28
I put in root as the user name and nothing for the password and I have put user and the username and password as the password and it does not work. I cannot get past it! – Mike3355 Aug 08 '15 at 12:11
I'm as well unable to see any issues. Strange. Did you try out the Spring security guide step by step? – Sanjay Aug 08 '15 at 12:13
Yes. I am wondering if it is a backend issue with mySQL workbench. I am just not sure how to tackle it. I look all over the workbench and looked at documentation with no luck. – Mike3355 Aug 08 '15 at 12:46
I'm pretty sure it's not related to MySQL or any backend issue. Backend issues would not pop up a login in the front-end. It must be web security related issue. – Sanjay Aug 08 '15 at 12:51
I am lost on what than. – Mike3355 Aug 08 '15 at 13:03
If I uploaded it on GIT would you be willing to replicate the issue on your end? – Mike3355 Aug 08 '15 at 13:12
If you create a minimal sample project, let's say by following the guide at https://spring.io/guides/gs/securing-web/, I can give a look after a few hours. – Sanjay Aug 08 '15 at 13:17
Maybe your app is throwing some error causing your browser to redirect to /error. That being a restricted page, you are prompted to login. Trying permitAll() instead of antMatcher... Could then give more insight. – Sanjay Aug 08 '15 at 13:46
OK. I'll be trying that in a few hours. Meanwhile, if it gets sloved, just let me know. – Sanjay Aug 08 '15 at 13:54
My development env is giving some maven update error, so I have not been able to try the project yet. Did you try to remove the restriction from all pages [remove the .antMatchers("/", "/index") line and change the next line to .anyRequest().permitAll()]? See my earlier comment. Maybe because in application.properties you have not provided the database password, which could be redirecting the browser to /error, which is now restricted, causing the error. Looking at your log would give you more details also. Let me know. – Sanjay Aug 08 '15 at 15:25
I did not set up a password for the database. I left it as root and if I try to add spring.datasource.password= with nothing filled in I get the same error. I am connecting to the database but I cannot access my application because the above picture that I posted keeps popping up. I have been at this for HOURS! – Mike3355 Aug 08 '15 at 15:36
My development env started working. I see that your SpringSecurityDemoApplication class is in the demo package, and WebSecurityConfig is in the security package. Instead, it should be in the same demo package or in a sub-package of demo. (Otherwise you will have to use @ComponentScan ...) – Sanjay Aug 08 '15 at 15:53
Your other classes, e.g. controllers are also in sibling packages. All should lie in sub-packages of the main class annotated with @SpringBootApplication -> See http://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-structuring-your-code.html – Sanjay Aug 09 '15 at 01:33

Mike3355 · Accepted Answer · 2015-08-09T23:38:44.990

0

Here was the issues

(1) .loginPage("/index") was saying my login page was at index, however I just wanted to use spring's default login page.

(2) had to to move the security package inside the demo package (the main package). Thanks to @Sanjay for suggesting that. I tried to use @ComponantScan but it could not get it to work.

edited Aug 09 '15 at 23:38

answered Aug 09 '15 at 08:59

Mike3355

11,305
24
96
184

How to get past the Authentication Required Spring-boot Security

5 Answers5

or you just type in the password :)

1. use default password

2. customize your password

Linked