3

I have looked up articles about using Spring Security, but they do not quite answer my need. They usually deal with in-memory users and plaintext passwords.

What I want to achieve:

Clients authenticate using Basic Authentication.

Secured Controller methods look like this: 

  @RequestMapping(value = "/test")
  public ResponseEntity test(@AuthenticationPrincipal MyUser user){
      // Logic
  }

I want the controller method to get a MyUser object in its parameters if the given user is authenticated or null if not.

I am storing hashed password and salt of a user in a database, and I have a service which authenticates given username-password pair and returns a User object or null if authentication succeeded or failed, respectively.

All that needs to happen now is to intercept every request, look at the basic authentication header, pass the info to my custom authentication service and then pass its result into the controller method. Unfortunately I haven't been able to do that.

I read on using custom UserDetailsService, but that only seems to handle fetching user data from database, and not any authentication. I cannot figure out how to plug all the components together.

Can you point me in the right direction how to get this rather simple workflow working?

EDIT

I am not using XML config and the only security related config I have is:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").csrf().disable();

        http.authorizeRequests()
                .antMatchers("/user").permitAll()
                .antMatchers("/user/**").permitAll()
                .anyRequest().authenticated();
    }
}
Martin Melka
  • 7,177
  • 16
  • 79
  • 138
  • Basically, what you're looking for is to add `` into the `` tag (if you're using XML style config). For a more specific answer, can you add some details about your configuration to your post? For example, the configuration files / classes and the `web.xml` (if you have any) – Stefano Cazzola Apr 09 '16 at 09:12
  • I am not using xml config, I have it in-code. There is not much to it though. I added it to the question – Martin Melka Apr 09 '16 at 10:09

2 Answers2

5

Basic authentication you can do in 3 different ways -

1 - Just add spring-security maven dependency 

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Automatically enable basic authentication like username - "user" and password you can find out in console using default security password - "bdd42ed9-635d-422b-9430-ce463625fd2e"

2 - create one configuration class for security like below code

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint authEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}

3 - one more way to do this add default username and password in application.properties file like below

security.user.name=user
security.user.password=password

and create config class like below code 

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }
}

still have some doubt then click on below link and watch this video

Basic Authentication

Jeet Singh Parmar
  • 707
  • 10
  • 5
3

I think this article will be helpful, as i understand this is what you are trying to do http://www.baeldung.com/spring-security-authentication-provider

eWizard
  • 91
  • 2
  • That does look promising, I will have a look at it – Martin Melka Apr 09 '16 at 10:14
  • 1
    Please refrain from answering questions with _only_ a link: http://meta.stackexchange.com/q/8231 To improve the quality of your answer, include relevant portions of the link in your answer. – JesperB Apr 09 '16 at 10:15
  • This partially helped, but led to another problem - http://stackoverflow.com/questions/36515895/custom-authenticationprovider-is-not-called – Martin Melka Apr 09 '16 at 11:02