
I am very new to Spring Security, so to clear up my concept I am developing an application which will send the username and password to the Spring REST service, and Spring Security will use a UserDetailsService to authenticate the user.

Up to now it's OK and I can understand it: I configured the CORS filter to allow cross-origin requests and I am getting the correct response from Spring, but I have a problem after that:

How will I store the cookie after being authenticated by Spring Security? What I am thinking is: if Spring Security successfully authenticates the user, I will use $cookie in Angular to store the username and password of the user, and each time I will send the username and password to access my protected resource?

I know this is something very basic, and it is not a good idea to send the username and password again and again, but I don't know how to achieve this by sending a cookie to the Spring REST service.

Please help me to understand the end-to-end flow of this.

Spring Configuration:

    // The poster's configuration. REALM, getBasicAuthEntryPoint() and
    // CsrfHeadersFilter are defined elsewhere in their project; the class
    // name SecurityConfig is assumed here for context.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/rest/open/**").permitAll()
                    .antMatchers("/rest/secure/**").hasRole("ADMIN")
                .and()
                    .httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint())
                .and()
                    .addFilterAfter(new CsrfHeadersFilter(), CsrfFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); // We don't need a session.
        }
    }
Beer Gupta
  • I made it stateless, no, I am not maintaining any session there – Beer Gupta Oct 22 '16 at 19:22
  • Simple HTTP Basic authentication with the help of granted authorities and UserDetailsService, and I am using a filter which allows CORS, nothing else. – Beer Gupta Oct 22 '16 at 19:38
  • Then you have to send HTTP authentication header (for HTTP Basic) with every request. You need no cookie. – dur Oct 22 '16 at 19:39
  • You mean I have to send the username and password with each request? – Beer Gupta Oct 22 '16 at 19:40
  • Yes, because your REST API is stateless and you have no session. – dur Oct 22 '16 at 19:49
  • Thanks dur, I need one clarification: does it prevent CSRF attacks? I disabled it, so what should I do to enable it for CSRF protection? – Beer Gupta Oct 22 '16 at 19:51
  • If you use `stateless`, you cannot use Spring Security's CSRF protection, you have to build your own, see my question: http://stackoverflow.com/questions/33211562/is-it-necessary-to-protect-jax-rs-requests-against-csrf – dur Oct 22 '16 at 19:54
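The end-to-end flow dur describes in the comments (stateless HTTP Basic: the client keeps the credentials in memory, puts an Authorization header on every request, and no cookie or session is involved), shown as an added example in plain JavaScript. It is not code from the question, from Angular's $http, or from Spring Security; the `mockSpringServer` stub, the `USERS` table and the `demo` walk-through are constructed here to mirror the poster's antMatchers rules (`/rest/open/**` public, `/rest/secure/**` for role ADMIN).

```javascript
// Added example: the stateless HTTP Basic flow end to end, with a mock in
// place of the Spring back end. Nothing here is Spring Security or Angular
// code; the user table and the server stub are constructed for the demo.

// RFC 7617 wants the credentials UTF-8 encoded before base64. Node has
// Buffer; browsers get the same bytes through TextEncoder + btoa.
function toBase64Utf8(s) {
  if (typeof Buffer !== "undefined") return Buffer.from(s, "utf8").toString("base64");
  let bin = "";
  for (const b of new TextEncoder().encode(s)) bin += String.fromCharCode(b);
  return btoa(bin);
}

function fromBase64Utf8(b64) {
  if (typeof Buffer !== "undefined") return Buffer.from(b64, "base64").toString("utf8");
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// What goes into the Authorization header: "Basic " + base64("user:pass").
function basicAuthHeader(username, password) {
  if (username.includes(":")) throw new Error("user-id must not contain ':' (RFC 7617)");
  return "Basic " + toBase64Utf8(username + ":" + password);
}

// Client side: credentials live in a closure (memory), never in a cookie,
// and are attached to every request because the server keeps no session.
function createApiClient(transport) {
  let creds = null;
  return {
    login(username, password) { creds = { username, password }; },
    logout() { creds = null; },                 // "logout" is just forgetting them
    request(method, path, body) {
      const headers = { Accept: "application/json" };
      if (creds) headers.Authorization = basicAuthHeader(creds.username, creds.password);
      return transport({ method, path, headers, body });
    },
  };
}

// Server side: parse the header on each request; no cookie, no session.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec((headerValue || "").trim());
  if (!m) return null;
  const decoded = fromBase64Utf8(m[1]);
  const i = decoded.indexOf(":");                // the password may itself contain ':'
  return i < 0 ? null : { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Length-independent comparison so a wrong password costs the same time.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Constructed user store; a real UserDetailsService would hold hashed passwords.
const USERS = new Map([
  ["admin", { password: "s3cret-pässword", roles: ["ADMIN"] }],
  ["bob", { password: "hunter2", roles: ["USER"] }],
]);

// Stub of the poster's back end, following their antMatchers rules:
// /rest/open/** is public, /rest/secure/** needs an authenticated ADMIN.
function mockSpringServer(req) {
  if (req.path.startsWith("/rest/open/")) return { status: 200, body: "open" };
  if (!req.path.startsWith("/rest/secure/")) return { status: 404 };
  const c = parseBasicAuth(req.headers.Authorization);
  const user = c && USERS.get(c.username);
  if (!user || !constantTimeEqual(user.password, c.password)) {
    // 401 without WWW-Authenticate: the browser shows no native prompt and
    // caches nothing, so credentials are only ever sent by our own code.
    return { status: 401 };
  }
  if (!user.roles.includes("ADMIN")) return { status: 403 };
  return { status: 200, body: "secure data for " + c.username };
}

// Walk through the flow once and return the status of each call.
function demo() {
  const api = createApiClient(mockSpringServer);
  const results = [];
  results.push(api.request("GET", "/rest/secure/items").status); // 401: nothing sent yet
  api.login("admin", "s3cret-pässword");
  results.push(api.request("GET", "/rest/secure/items").status); // 200: header on this request
  results.push(api.request("GET", "/rest/secure/items").status); // 200: and again, every time
  api.logout();
  results.push(api.request("GET", "/rest/secure/items").status); // 401: forgotten, no session to kill
  api.login("bob", "hunter2");
  results.push(api.request("GET", "/rest/secure/items").status); // 403: authenticated, not ADMIN
  return results;                                                  // → [401, 200, 200, 401, 403]
}

console.log(demo());
```

Two practical points follow from this shape. The CSRF question dur raises is answered by where the credential lives: a script-set Authorization header is not something the browser attaches to a request made by another origin, so the usual cookie-based CSRF does not apply, provided the 401 never carries a WWW-Authenticate challenge that makes the browser open its own Basic prompt and cache the credentials (a custom authenticationEntryPoint like the poster's is the usual way to keep that header out). The price of the scheme is that the raw password sits in memory for the life of the page and travels on every call, so it is only acceptable over HTTPS, and the common next step is to exchange it once for a short-lived token and send that instead.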

0 Answers