
I'm trying to develop a server backend that can be used with a REST API. I want to provide an endpoint where the user sends username and password via request. The user data is looked up in the database and if the user is valid, a JWT token is created and sent to the client via the response.

For the lookup I want to use the JDBC authentication that comes with Spring Security. What is the right way to supply the data for the JDBC authentication? Do I have to write username and password in the request header? Or can HTTP basic auth be used for this?

Edit: My current approach is the following. I've configured JDBC authentication and HTTP basic auth. I try to test this with an integration test. The test responds with a 401 status while I would expect a 200 status. I've tested the SQL queries solo. They work.

Can anyone give me a hint of what I'm doing wrong?

Security Config: (That's an inner class)

@Configuration
@Import(DaoConfig.class)
@Order(2)
public static class HttpBasicAuthConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DataSource dataSource;
    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery("select username, password, 1 from account where username=?")
        .authoritiesByUsernameQuery("select username, 'user' from account where username=?")
        .rolePrefix("");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/auth/login")
        .authorizeRequests()
        .anyRequest().hasAuthority("user")
        .and().httpBasic()
        .and().csrf().disable();
    }
}

The test code:

@Autowired
private FilterChainProxy springSecurityFilterChain;

private MockMvc securityMockMvc;

@Before
public void SetupContext() {
    securityMockMvc = MockMvcBuilders
    .webAppContextSetup(wac)
    .addFilters(springSecurityFilterChain)
    .apply(springSecurity()).build();
}

@Test
public void testLoginHttpBasic() throws Exception {
    MockHttpServletRequestBuilder post = post("/auth/login").with(httpBasic("frank","password"));
    securityMockMvc.perform(post).andExpect(status().isOk());
}
Patrick

1 Answer


From the docs, it looks like you can either supply it as a form body, or basic auth, whichever you prefer:

http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-form-and-basic

Daniel Scott
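
What `httpBasic("frank","password")` in the question's test puts on the request, as an added example that is not part of the question or the answer: HTTP Basic carries the credentials in the `Authorization` header as Base64 of `username:password`, which is an encoding and not encryption, so the login endpoint needs TLS. The class and method names are made up for the illustration, and only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical demo class (not from the question): HTTP Basic on the wire.
public class BasicAuthHeaderDemo {

    /** Client side: builds the Authorization header value for HTTP Basic. */
    static String encode(String username, String password) {
        if (username.indexOf(':') >= 0) {
            // The first ':' separates user and password, so a user id cannot contain one.
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Server side: returns {username, password}, or empty if the header is unusable. */
    static Optional<String[]> decode(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();          // header missing, or another scheme (e.g. Bearer)
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty();          // payload is not valid Base64
        }
        int colon = decoded.indexOf(':');     // split on the FIRST colon only:
        if (colon < 0) {                      // a password may itself contain ':'
            return Optional.empty();
        }
        return Optional.of(new String[] {
            decoded.substring(0, colon), decoded.substring(colon + 1) });
    }

    public static void main(String[] args) {
        // Constructed sample: the credentials used in the question's test.
        String header = encode("frank", "password");
        System.out.println("Authorization: " + header);
        String[] creds = decode(header).orElseThrow(IllegalStateException::new);
        System.out.println("user=" + creds[0] + " password=" + creds[1]);
        // Malformed or non-Basic headers are rejected instead of throwing.
        System.out.println(decode("Bearer abc.def.ghi").isPresent());
        System.out.println(decode("Basic !!!").isPresent());
    }
}
```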