I am having trouble getting authenticated on a rest API I just put together using Spring Boot and maven. I just cannot get authenticated at all.

Here is my current security configuration :

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/person/getAll").permitAll()
            .anyRequest().authenticated();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }
}

and here is that "/person/getAll" endpoint...

@RequestMapping("/getAll")
List<Person> getAllPeople()
{
    log.info("Getting all users in system.");
    return repository.findAll();
}

Now, what I have here, is an endpoint that actually works - but it is unauthenticated (because I have it listed in the permitAll section of the security configuration) -

But now I want to make this so I have to have the "ROLE_USER" role - in order to get back my list of people.

I've tried removing it from the permit all, and adding @PreAuthorize("hasRole('ROLE_USER')") above the method - but that just results in a 403 response - which I wasn't really expecting at all. I figured that would allow me to run either of the following curl commands and see data:

curl --user user:password localhost:8080/person/getAll

or

curl user:password@localhost:8080/person/getAll

For everyone's sanity - when I use the code as listed in this question currently (I get data back - even if the password is wrong, haha)

Long term, my goal is actually to remove this in memory stuff and do the usual queries to get credentials, but I just want to make sure my stuff works for now.

MickeyThreeSheds
  • Here is a post that might help. You're going to want to put the `.antMatchers("/person/getAll").hasRole("ROLE_USER")` before the `antMatchers("/").permitAll()`; the order of your antMatchers matters. http://stackoverflow.com/questions/43052745/how-to-fix-role-in-spring-security/43055173#43055173 – Jason White Apr 09 '17 at 22:24

1 Answer

I am having trouble getting authenticated on a rest API I just put together using Spring Boot and maven. I just cannot get authenticated at all.

I believe that you are not able to authenticate at all because you didn't specify in your Spring Security configuration file which kind of security you want to take place when visiting your page.

For example: you can choose to have httpBasic or formLogin security.

Now, what I have here, is an endpoint that actually works - but it is unauthenticated (because I have it listed in the permitAll section of the security configuration) -

For example, if you add httpBasic to your Spring Security configuration file you'll get HTTP Basic authentication, but when you don't specify any security method, you won't get any authentication.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers("/", "/person/getAll").permitAll()
        .anyRequest().authenticated();
}
Moshe Arad
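Putting the answer and the comment together, here is a complete configuration class that enables HTTP Basic, requires ROLE_USER for the person endpoint, and orders the matchers most-specific first. This is an added example, not code from the question or the answer; the package name is assumed, and it targets the same WebSecurityConfigurerAdapter / antMatchers API the question uses.

```java
package com.example.demo; // assumed package name

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Without an authentication mechanism the Authorization header is never
            // read, so a protected URL can only ever answer 403 (the symptom above).
            .httpBasic()
            .and()
            .authorizeRequests()
                // Matchers are evaluated in order and the first match wins, so the
                // restrictive rule goes first. roles("USER") below is stored as
                // ROLE_USER; in Java config hasRole() takes the name without the
                // prefix (passing "ROLE_USER" here is rejected at startup).
                .antMatchers("/person/**").hasRole("USER")
                .antMatchers("/").permitAll()
                .anyRequest().authenticated();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Hashing even the throw-away in-memory credential keeps the same code
            // working on Spring Security 5, which refuses plain-text passwords.
            .withUser("user").password(encoder.encode("password")).roles("USER");
    }
}
```

With this in place, `curl --user user:password localhost:8080/person/getAll` returns the list, while a wrong or missing credential gets a 401 with a WWW-Authenticate challenge instead of the 403 seen in the question.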