0

I am new to Spring Security and I was following this example on configuring Spring Security: https://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/. I saw that they use this method to let Spring know about the configuration.

public class SpringWebMvcInitializer extends
   AbstractAnnotationConfigDispatcherServletInitializer {

  @Override
  protected Class<?>[] getRootConfigClasses() {
    return new Class[] { HelloWebSecurityConfiguration.class };
  }
  ...
}

But I have app initialization like this:

public class AppInit implements WebApplicationInitializer{

    public void onStartup(ServletContext servletContext) throws ServletException {
        // TODO Auto-generated method stub

        AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
        context.register(AppConfiguration.class);

        ServletRegistration.Dynamic registration = 
                servletContext.addServlet("dispatcher", new DispatcherServlet(context));
        registration.setLoadOnStartup(1);
        registration.addMapping("/services/rest/*");

    }

}

And I want to include my Spring Security configuration there, as without it I get this message in the browser: Your login attempt was not successful, try again.

Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

wdc
  • 1
    Regarding Spring Security: see [my question & answer](https://stackoverflow.com/questions/44977972/how-to-enable-bearer-authentication-on-spring-boot-application/44978587#44978587); it demonstrates a working implementation of OAuth2 authentication using Bearer tokens and a resource server. I've not included build.gradle, nor have I included the SQL schema & dataset. But hopefully you'll find that code to be a useful reference / starting point. – Birchlabs Jul 19 '17 at 09:24

2 Answers

1

Extending AbstractAnnotationConfigDispatcherServletInitializer is a way to make Spring load the security config, but I don't use it. A more convenient way to accomplish this can be like this (declare the Spring Security dependency in pom.xml first):

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception{
        auth.inMemoryAuthentication().withUser("user").password("user").roles("USER")
                .and().withUser("admin").password("admin").roles("USER","ADMIN");
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                .antMatchers("/").hasRole("USER")
                .antMatchers("/index").hasRole("USER")
                .antMatchers("/message/*").hasRole("USER")
                .anyRequest().permitAll()
                .and().formLogin().loginPage("/login").defaultSuccessUrl("/index").failureUrl("/login?error").permitAll()
                .and().rememberMe().tokenValiditySeconds(60*60*7).key("message")
                .and().logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll();
        // define your action here.
    }

}

Spring will load this config automatically on startup for you; this is enough for Spring Security to work. As you see, you should define the rules in configure(HttpSecurity http) to tell Spring Security what to do when a request comes in.

Dave Pateral
0

You can just register your security config in your AppInit class by changing the line

context.register(AppConfiguration.class);

to

context.register(HelloWebSecurityConfiguration.class, AppConfiguration.class);
Plog
  • Well, that didn't solve my authentication and authorization problem, but I guess that is what I've asked for. – wdc Jul 19 '17 at 09:05
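
One way to wire the security configuration into a hand-written WebApplicationInitializer like the question's AppInit, as an added example that is not code from any of the posts above: the security configuration goes into a root context, and a DelegatingFilterProxy named springSecurityFilterChain is mapped to all requests, which is what AbstractSecurityWebApplicationInitializer otherwise does for you. It assumes the HelloWebSecurityConfiguration and AppConfiguration classes from the question, the javax.servlet API, and a Servlet 3.0+ container.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;

// Added example. HelloWebSecurityConfiguration and AppConfiguration are the
// classes named in the question and are assumed to be on the classpath.
public class AppInit implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Root context: holds the @EnableWebSecurity configuration. The
        // ContextLoaderListener publishes it where DelegatingFilterProxy looks.
        AnnotationConfigWebApplicationContext root = new AnnotationConfigWebApplicationContext();
        root.register(HelloWebSecurityConfiguration.class);
        servletContext.addListener(new ContextLoaderListener(root));

        // Servlet context: the MVC configuration. DispatcherServlet attaches
        // the root context as its parent during initialization.
        AnnotationConfigWebApplicationContext mvc = new AnnotationConfigWebApplicationContext();
        mvc.register(AppConfiguration.class);
        ServletRegistration.Dynamic dispatcher =
                servletContext.addServlet("dispatcher", new DispatcherServlet(mvc));
        dispatcher.setLoadOnStartup(1);
        dispatcher.addMapping("/services/rest/*");

        // @EnableWebSecurity exposes a bean named "springSecurityFilterChain".
        // Without this filter mapping no request ever passes through it, so
        // the rules in configure(HttpSecurity) are never enforced.
        FilterRegistration.Dynamic security = servletContext.addFilter(
                "springSecurityFilterChain",
                new DelegatingFilterProxy("springSecurityFilterChain"));
        security.setAsyncSupported(true);
        // "/*" rather than the servlet mapping: the filter must also cover
        // the login and logout URLs, which sit outside /services/rest/*.
        security.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false, "/*");
    }
}
```

A quick check after deployment is to request a protected URL without a session and confirm the response is a redirect to the login page or a 401/403 rather than the resource itself.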