
I am running a Spring Boot app which serves a Vue.js front end deployed as static resources and an API managed by Spring. I am setting up authentication and the scenario is as follows.

The front end app sits at /app, but / is redirected to /app by Spring anyway. I want a form-based login for my app at '/login'. My app uses the API served by Spring, and the API sits at /api. As such, I want the API to recognise the session logged in by the front end. But I also want the API to be Basic authenticated. At the same time I don't want any route except /api to be Basic authenticated, i.e. even if I am supplying an authentication header, it should still redirect me to /login. So:

  • /api Basic and Session based authentication
  • /** Only Session based authentication through a form

I am using the current code:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Value("${ldap.urls}")
    private String ldapUrls;

    @Value("${ldap.base.dn}")
    private String ldapBaseDn;

    @Value("${ldap.username}")
    private String ldapSecurityPrincipal;

    @Value("${ldap.password}")
    private String ldapPrincipalPassword;

    @Value("${ldap.user.dn.pattern}")
    private String ldapUserDnPattern;

    private final AuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    public SecurityConfig(AuthenticationEntryPoint authenticationEntryPoint) {
        super();
        this.authenticationEntryPoint = authenticationEntryPoint;
    }

    // Everything chained on this one HttpSecurity ends up in a single filter chain
    // that is applied to every request; both authorizeRequests() calls below
    // configure that same chain rather than two separate ones.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .and()
            .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true);
    }

    // LDAP bind authentication; the manager DN/password are only used to look up users.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .contextSource()
                .url(ldapUrls + ldapBaseDn)
                .managerDn(ldapSecurityPrincipal)
                .managerPassword(ldapPrincipalPassword)
                .and()
                .userDnPatterns(ldapUserDnPattern);
    }
}

This is not working exactly as expected. My API is authenticated via Basic and session tokens, but so is my app, i.e. I can make a GET request in Postman along with the Basic Authentication header and the HTML of my homepage is returned.

Along with that, I don't think I have a good understanding of how the configuration is set up, especially the use of and(). It would be great if someone could direct me to some resources which explain the nitty-gritty of the configuration.

Sayak Mukhopadhyay
    You have only one configuration, so everything you configured is always applied. If you want two different configurations, you have to write two different configuration classes. Have a look at https://stackoverflow.com/a/41527591/5277820. – dur Apr 24 '18 at 15:21
  • Great! Putting this under 2 configuration blocks fixed this. But I don't really understand what's going on here. Why did I need 2 configuration blocks? Rather, under what conditions would I need multiple configuration blocks? – Sayak Mukhopadhyay Apr 24 '18 at 17:11
  • In general you need more than one configuration if you want to handle different requests in a different way (for example: authentication, CORS, CSRF, sessions, and a lot more). In some cases you could also handle it with one configuration; for example, for CSRF you could add an ignoring path matcher. But in your case there is no way to say "Basic authentication only for some sub-paths" within one configuration. – dur Apr 24 '18 at 17:26
  • Ah! Good to know. If you would write an answer in this regard I would accept this as this has already solved my problem. – Sayak Mukhopadhyay Apr 24 '18 at 18:41
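To make the point in the comments concrete, the following is an added example of the two-chain layout, not the poster's code and not taken from the linked answer. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter was deprecated in 5.7 and removed in 6); the class names MultiChainSecurityConfig, ApiSecurityConfig and FormLoginSecurityConfig are chosen here, the LDAP property names are the ones from the question, and the CookieCsrfTokenRepository and HttpStatusEntryPoint are additions that the question's config did not have.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Example layout (not the original poster's code): one outer configuration holding
// the shared LDAP AuthenticationManager, plus two ordered filter chains.
@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    @Value("${ldap.urls}") private String ldapUrls;
    @Value("${ldap.base.dn}") private String ldapBaseDn;
    @Value("${ldap.username}") private String ldapSecurityPrincipal;
    @Value("${ldap.password}") private String ldapPrincipalPassword;
    @Value("${ldap.user.dn.pattern}") private String ldapUserDnPattern;

    // One global AuthenticationManager used by both chains, so the principal that
    // logs in through the form is the same LDAP user that Basic auth on /api resolves.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
                .contextSource()
                    .url(ldapUrls + ldapBaseDn)
                    .managerDn(ldapSecurityPrincipal)
                    .managerPassword(ldapPrincipalPassword)
                    .and()
                .userDnPatterns(ldapUserDnPattern);
    }

    // Chain 1, consulted first. antMatcher() restricts the WHOLE chain to /api/**:
    // a request for /app never enters it, so BasicAuthenticationFilter never sees
    // an Authorization header that was sent to the front end.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                // CSRF stays on; the cookie repository lets the SPA read XSRF-TOKEN
                // and echo it as X-XSRF-TOKEN on state-changing calls.
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    .and()
                // Both chains share the HttpSession, so a browser that logged in via
                // the form is already authenticated here; a client with no session
                // falls back to Basic and gets a plain 401 instead of a redirect.
                .httpBasic()
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    }

    // Chain 2, no antMatcher(): catches every request chain 1 declined. Basic
    // credentials are ignored here; an unauthenticated request is sent to /login.
    @Configuration
    @Order(2)
    public static class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login?logout")
                    .invalidateHttpSession(true);
        }
    }
}
```

On and(): calls such as authorizeRequests() or httpBasic() return a sub-configurer for one aspect of a single HttpSecurity, and and() simply returns to that same HttpSecurity so the next configurer can be chained. Whatever is chained on one HttpSecurity, however many times authorizeRequests() appears, is compiled into one filter chain, which is why the single-adapter version put BasicAuthenticationFilter in front of every URL. A second WebSecurityConfigurerAdapter with antMatcher() is what produces a chain that is only consulted for some paths; chains are tried in @Order and the first whose matcher accepts the request handles it, so the narrower /api/** chain has to be ordered before the catch-all. Disabling CSRF only on the /api chain, as the original config did globally, would let any site drive the API with the logged-in browser's session cookie, so the example keeps it enabled.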
