I am trying to provide security to the REST endpoints. I am following instructions from this page. In my case I don't have a view, hence I haven't created a controller to specify the views and haven't added a viewResolver in my AppConfig.java.

After implementation it correctly shows the access denied error upon calling a secured REST endpoint. But even though I specify username/password in the request header, I get the access denied error. I am testing in Postman, setting username/password in Basic Auth. What am I missing? Any idea?

Kaizar Laxmidhar
  • You might start with posting the debug logs for the request that is failing and the HTTP request you are submitting – Rob Winch Dec 10 '15 at 22:57
  • Can you please post parts of your code? – xhadon Dec 15 '15 at 07:47
  • @Milkyway For security reasons I am reluctant to publish the code, but for test purposes the code can be used from the link I have mentioned; UI related code has to be ignored in that article. – Kaizar Laxmidhar Dec 15 '15 at 11:13

1 Answer

The example you have followed is implementing a form-based authentication. In order to change it to http auth (which is more suitable for REST services) you need to look for the following form-login tag in your security.xml:

<form-login 
        login-page="/login" 
        default-target-url="/welcome" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />

And just change it to an empty http-basic tag:

<http-basic />

If you did not change anything else, then it is supposed to work perfectly. You can also test your setup from your browser, by trying to access your page. If you configured everything properly you will get a popup this time, not a form. That will be HTTP Basic authentication welcoming you.

Since you are likely using the Java-based configuration, the equivalent of this change would be to replace:

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().formLogin();

with:

  http.authorizeRequests()
    .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
    .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
    .and().httpBasic();

Gergely Bacso
    While your answer is correct, it might be more helpful to tell him to replace the .formLogin() in the SecurityConfig.java file with .httpBasic(), as he is using JavaConfig and not xml-s. – Matjaž Pečan Dec 16 '15 at 10:13
  • You are right. I guess it's a pretty obvious addition, but for the sake of clarity I put it there. – Gergely Bacso Dec 16 '15 at 11:12
  • Hello. How can I do this same thing in Spring Boot, since I don't have any configuration file and am only using annotations? Can you tell me how I can do it in Spring Boot? Please refer to the question - https://stackoverflow.com/questions/49728473/rest-end-point-is-not-accessing-after-implementation-of-spring-security-in-sprin – Mr.DevEng Apr 09 '18 at 09:57
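The Java-config change from the answer above, written out as one complete configuration class so the pieces can be seen together. This is an added example, not the answer's code or the linked tutorial's; the package name, class name, user names and passwords are all assumptions, and the two in-memory users exist only so the Postman test has something to authenticate against.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed test users, hashed with BCrypt; a real service backs this
        // with a UserDetailsService instead of in-memory accounts.
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("admin").password(encoder.encode("admin-pass")).roles("ADMIN")
            .and()
            .withUser("dba").password(encoder.encode("dba-pass")).roles("DBA");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // A REST client sends credentials on every call, so no server-side
            // session is created for it.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // roles("ADMIN") above becomes the authority ROLE_ADMIN, matching these rules
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
                .anyRequest().authenticated()
            .and()
            // Replaces formLogin(): the Authorization: Basic header is now read, and an
            // unauthenticated call gets 401 with WWW-Authenticate rather than a redirect
            // to /login (the redirect is what Postman was seeing as "access denied").
            .httpBasic();
        // Note: CSRF protection stays on here. A POST/PUT/DELETE from a non-browser
        // client without a CSRF token is still rejected with 403, so if this API is
        // consumed only by such clients, review whether csrf() should apply to it.
    }
}
```

With this in place, a request carrying a valid Basic Authorization header is authenticated by BasicAuthenticationFilter, and a request without one receives a 401 challenge instead of the form-login redirect.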