
I am developing my first Angular project. Now I have been asked to implement LDAP security in the application. So after I followed this and this, I can see the login screen and it does also validate against AD. But the problem is I am seeing a browser authentication popup. I am not sure if it is an Angular or Spring Security configuration issue. Any help would be great!

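WebSecurityConfiguration.java

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger(WebSecurityConfiguration.class);
    LdapConfiguration ldapConfig;
    ActiveProfilesConfiguration activeProfiles;
    SecurityUserConfiguration securityUser;
    SimpleAuthenticationSuccessHandler authenticationSuccessHandler;

    public WebSecurityConfiguration(LdapConfiguration ldapConfig,
                                    ActiveProfilesConfiguration activeProfiles,
                                    SecurityUserConfiguration securityUser,
                                    SimpleAuthenticationSuccessHandler authenticationSuccessHandler) {
        this.ldapConfig = ldapConfig;
        this.activeProfiles = activeProfiles;
        this.securityUser = securityUser;
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // HTTP Basic authentication
            .httpBasic().and()
            .authorizeRequests()
            //  .antMatchers("/**").permitAll()
                // public pages; every other request needs an authenticated user
                .antMatchers("/index.html", "/", "/home", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            // CSRF token in a cookie that JavaScript can read, so Angular can send it back
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
    // the posted snippet ends here
}
```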

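app.module.ts

```typescript
import { Injectable } from '@angular/core';
import { HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';

// Adds the X-Requested-With header to every outgoing HttpClient request.
@Injectable()
export class XhrInterceptor implements HttpInterceptor {

  intercept(req: HttpRequest<any>, next: HttpHandler) {
    const xhr = req.clone({
      headers: req.headers.set('X-Requested-With', 'XMLHttpRequest')
    });
    return next.handle(xhr);
  }
}
```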
SK.
  • This is Spring judging from it running on spring's default port 8080. – Phil Apr 27 '18 at 14:24
  • Spring security: 4.2 and Spring Boot: 1.5.3 – SK. Apr 27 '18 at 14:33
  • @Phil: Do you mean if I change the port to something else, there would be any popup? – SK. Apr 27 '18 at 15:15
  • Hey, you asked me to have a look at this question because I answered a similar question for spring-boot and angular 1.x. Unfortunately I'm not very familiar with later angular versions, but this answer looks like what you wanna do: https://stackoverflow.com/a/34465070/2576531 . It shows how to add a Header to every request. You could use your browser tools to verify that the request that gets the 401 response contains the X-REQUESTED-WITH header – Yannic Bürgmann Apr 28 '18 at 06:07
  • @dur: My home screen is a dashboard screen and I have a navbar in the dashboard as well. So I have a login hyperlink in the navbar. On click of the Login link, I see my Login page. But here my query is why the browser authentication is popping up? – SK. Apr 29 '18 at 01:29
  • 1) Yes, my login page is from angular. 2) Yes, the popup appears first time when I load the page. Once I enter username/password, that browser popup doesn't come again. – SK. Apr 29 '18 at 14:06
  • @SK. You configured `.httpBasic()`, therefore you get the browser popup to enter username and password. If you want to load your page without authentication you have to `permitAll` your page. Or if you want authentication, you have to add the `Authentication` header to your request, see Yannic Klem's comment. – dur May 14 '18 at 20:09

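
The check suggested in the comments (use the browser tools to see whether the request that gets the 401 carried `X-Requested-With`), written as an added example that is not part of the original post or of either framework. A 401 whose `WWW-Authenticate` header carries a `Basic` challenge is the response that makes a browser open its own credential dialog; the function below finds those exchanges in entries shaped like a dev-tools HAR export. The type names, the function names and the `/api/user` path are assumptions, and the sample entries are constructed.

```typescript
// Added example (not from the post). Entry shape follows the HAR export of browser dev tools.
interface HarHeader { name: string; value: string; }
interface HarEntry {
  request: { url: string; headers: HarHeader[] };
  response: { status: number; headers: HarHeader[] };
}
interface PromptFinding { url: string; sentXRequestedWith: boolean; sentAuthorization: boolean; }

// Header names are case-insensitive, so compare them in lower case.
function headerValue(headers: HarHeader[], name: string): string | undefined {
  for (const h of headers) {
    if (h.name.toLowerCase() === name.toLowerCase()) return h.value;
  }
  return undefined;
}

// Return every exchange answered with 401 plus a Basic challenge, and record
// which of the two request headers named in the comments were present.
function findBasicAuthPrompts(entries: HarEntry[]): PromptFinding[] {
  const findings: PromptFinding[] = [];
  for (const e of entries) {
    const challenge = headerValue(e.response.headers, 'WWW-Authenticate') || '';
    if (e.response.status !== 401 || !/^\s*basic\b/i.test(challenge)) continue;
    findings.push({
      url: e.request.url,
      sentXRequestedWith: headerValue(e.request.headers, 'X-Requested-With') === 'XMLHttpRequest',
      sentAuthorization: headerValue(e.request.headers, 'Authorization') !== undefined,
    });
  }
  return findings;
}

// Constructed sample; /api/user is a hypothetical protected path.
const SAMPLE: HarEntry[] = [
  { request: { url: 'http://localhost:8080/', headers: [] },
    response: { status: 200, headers: [] } },
  { request: { url: 'http://localhost:8080/api/user', headers: [] },
    response: { status: 401,
                headers: [{ name: 'WWW-Authenticate', value: 'Basic realm="Realm"' }] } },
  { request: { url: 'http://localhost:8080/api/user',
               headers: [{ name: 'x-requested-with', value: 'XMLHttpRequest' }] },
    response: { status: 401, headers: [] } },
];
const SAMPLE_FINDINGS = findBasicAuthPrompts(SAMPLE);
```

Only the second sample entry is reported: the first is not a 401, and the third is a 401 without a challenge, which the page's own JavaScript receives as an ordinary error response.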