
I am trying to write a Web REST backend with an API. Right now I can authorize any request that sends user data, something like this (screenshot omitted).

But I don't like this; I want to use only one resource for authorization: /api/user/login

I have this CustomWebSecurityConfigurerAdapter.java:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    // Where users come from: JDBC user lookup with custom queries.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
                // must return username, password, enabled (here the literal true)
                .usersByUsernameQuery(
                        "select username, password, true from users where username=?")
                // must return username, authority
                .authoritiesByUsernameQuery(
                        "select username, role from users where username=?")
                .passwordEncoder(new BCryptPasswordEncoder());
    }

    // Paths that bypass the security filter chain completely.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring()
                .antMatchers("/api/test/getting")
                .antMatchers("/api/user/register")
                .antMatchers("/webjars/**")
                .antMatchers("/api/swagger-resources/configuration/ui")
                .antMatchers("/swagger-ui.html*");
    }

    // Every other request must be authenticated, using HTTP Basic.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint);
    }
}

Can you explain to me how it works?

TiiRiiX
  • If I understand you correctly, you want to have an authentication endpoint instead of using basic auth? If yes, you first need to decide what the result of calling /api/user/login should be, i.e. what kind of authentication mechanism you want to establish. There are a couple of popular options; please have a look at this post for some of them: https://stackoverflow.com/questions/319530/restful-authentication – AlexLiesenfeld Jul 08 '18 at 10:17

1 Answer


This is a security layer from Spring Security. All requests have to go through it.

The section below overrides the method in WebSecurityConfigurerAdapter to configure authentication for every request except the few URLs (/api/test/getting, /api/user/register, /webjars/**, /api/swagger-resources/configuration/ui, /swagger-ui.html*), as these are listed as ignored in the method public void configure(WebSecurity web).

All requests come with a basic auth token (encrypted), and the value gets validated against the DB tables (User and Role). If the user credential is valid and has a valid role, then it will go to the next step; otherwise it will give a 401 HTTP response. In the DB table the password has to be encoded and saved, as we are using

.passwordEncoder(new BCryptPasswordEncoder())

Code section:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery(
                    "select username, password, true from users where username=?")
            .authoritiesByUsernameQuery(
                    "select username, role from users where username=?")
            .passwordEncoder(new BCryptPasswordEncoder());
}

The section below tells the application that all requests are HTTP requests and all have to be authenticated by Basic Authentication (.httpBasic()).

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .httpBasic()
            .authenticationEntryPoint(authenticationEntryPoint);
}
TheSprinter
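The class below is an added example from the editor, not code from the question or the answer. It restates the same configuration with the changes a security reviewer would ask for, and the comments spell out what the answer only names: the column contract of the two JDBC queries, the ROLE_ prefix that hasRole() expects, why web.ignoring() is the wrong tool for public API endpoints, and the fact that a Basic header is only Base64(username:password), so it must travel over TLS. It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter API used in the question; the package name, the class name HardenedSecurityConfig, and the assumption that the role column holds values such as ROLE_USER are choices made here, not something the page states.

```java
package com.example.security; // hypothetical package, not from the original post

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    // One shared encoder bean: the code behind /api/user/register must hash with
    // the same encoder that login verifies with, or matches() never succeeds.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12); // work factor 12; the no-arg default is 10
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                // JdbcDaoImpl contract: exactly three columns in this order:
                // username, password (the bcrypt hash), enabled. The literal true
                // means every row is enabled; if the table has a flag column,
                // select it here so accounts can be disabled without deletion.
                .usersByUsernameQuery(
                        "select username, password, true from users where username = ?")
                // Contract: username, authority. Spring's hasRole("USER") matches the
                // stored string "ROLE_USER" (assumed here), so either store the prefix
                // in the column or use hasAuthority("USER") in the rules below.
                .authoritiesByUsernameQuery(
                        "select username, role from users where username = ?")
                .passwordEncoder(passwordEncoder());
    }

    @Override
    public void configure(WebSecurity web) {
        // web.ignoring() skips the whole filter chain, so no security headers
        // (X-Content-Type-Options, Cache-Control, ...) are written for these URLs.
        // Keep it for static resources only; public API endpoints go through
        // permitAll() below so they still get the headers.
        web.ignoring().antMatchers("/webjars/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The API is driven by an Authorization header, not a browser session,
            // so no JSESSIONID is created and a CSRF token has nothing to protect.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests()
                // Registration is anonymous, but only as a POST.
                .antMatchers(HttpMethod.POST, "/api/user/register").permitAll()
                .antMatchers("/api/test/getting",
                             "/api/swagger-resources/configuration/ui",
                             "/swagger-ui.html*").permitAll()
                // Everything else needs a valid Basic header on every request,
                // and the user must carry the ROLE_USER authority.
                .antMatchers("/api/**").hasRole("USER")
                .anyRequest().authenticated()
            .and()
            // Basic auth: the header value is Base64(username:password), nothing
            // more. It is readable by anyone on the path, so require HTTPS.
            .httpBasic().authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .requiresChannel().anyRequest().requiresSecure();
    }
}
```

Two practical notes. With STATELESS, the Basic header has to accompany every call; a single /api/user/login resource that issues something reusable for later calls needs either a server session or a token scheme, which is the decision the comment on the question asks for. And requiresSecure() behind a proxy that terminates TLS only works if the application trusts the proxy's X-Forwarded-Proto header (Spring's forwarded-header support); otherwise every request is seen as plain HTTP and redirected in a loop.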