2

I need to access to my spring boot application using a url like this : https://username:password@IpServer/

I have already implemented the https protocol but the problem here is how to add user and pass through the url

Normally i access my application with the url below : https://@IpServer/

I need help from any body who faced this topic please

Y.H
  • 53
  • 2
  • 8
  • 1
    and how would you go about coding your service to recognize that? not to mention the fact that anybody standing near would be able to read your username AND password. – Stultuske Jul 16 '19 at 12:10
  • 2
    it is bad practice to add username and password in the url. But when sending like that it is considered as basic authentication. But remember password will end up in all logs! https://stackoverflow.com/questions/4980912/username-and-password-in-https-url/4980956#4980956 – Toerktumlare Jul 16 '19 at 12:18
  • the idea is to secure the protocol to download and upload files, the connection with the backend even if it's in the url but its internally secured – Y.H Jul 16 '19 at 17:47

1 Answers1

1

I finally notice that Spring boot integrate this apache option you should add Security dependencies for spring security after that you modify your application properties like this (it's also for https protocol) : 

# Define a custom port instead of the default 8080
server.port=443

#Define http server
#http.port=8080

# Tell Spring Security (if used) to require requests over HTTPS
security.require-ssl=true

# The format used for the keystore 
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=keycertifpass
# The alias mapped to the certificate
server.ssl.key-alias=tomcat

After that you add Basic authentication in a new class, this kind of authentication is the responsible for adding user and pass through URL :

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;


import com.project.exception.CustomAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private CustomAuthenticationEntryPoint unauthorizedHandler;

    /** Use Basic Authentication **/

    @Override
    public void configure(HttpSecurity http) throws Exception
    {
        http.httpBasic().realmName("user").and().authorizeRequests()
        .antMatchers("/**").hasRole("user")
        .and()
        .csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler); 
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception
    {
        auth.inMemoryAuthentication()
        .withUser("user").password(passwordEncoder().encode("pass")).roles("user");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

For me i have customized the Error Handling for authenticationEntryPoint you can add it if you want or leave it without customization, you are free.

I wish with this answer to help people who faced the same problem.

Thanks everyone.

Y.H
  • 53
  • 2
  • 8