In my setup, I have an upstream system that sends HTTP requests to my system. These HTTP requests contain a basicAuth token in their header.

I'm using Spring Boot and an external Tomcat.

How can I configure my application to check whether the username/password is correct, and if so follow the normal flow, otherwise print the exception in the logs?

In my application there is no UI, so I do not want to show any login page/error page. The examples I've found, like the one here, are based on a UI, which is not my requirement.

Also, if the solution requires configuring Tomcat, like in this example, how can I do it without web.xml, as I'm using Spring Boot?

  • Is your app just a Spring core app or a microservice provider like a REST API? Commented Mar 7, 2017 at 5:07
  • @SSingh, right now it's just a Spring core app Commented Mar 7, 2017 at 5:11
  • Have you Just Tried It™? IIRC, Boot will automatically content-negotiate error conditions. "Login pages" for Basic just mean returning a 401. Commented Mar 7, 2017 at 5:14
  • Why are you using an external Tomcat, when you have a Spring Boot app? If you don't have any UI and you only accept a basicAuth token, I would assume you don't need to check the username and password, you only check the token. I don't know if you have any session management in your system, which means you need to authenticate every request. If this is the case, is it possible to authenticate this token with your upstream system? So you send a request to the upstream system to check the token. Commented Mar 7, 2017 at 5:37

2 Answers

If you use Tomcat Basic Authentication, then your application will be tied to the Tomcat web container.

I think, since your app is Spring Boot based, you can use Spring Security and enable Basic Authentication in it.

Follow this post, where the author shows how to secure it using Spring Security.


1 Comment

So the implementation mentioned in this blog will work in Tomcat as well as on other web servers, like WebLogic, without making any changes. Am I right?
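For the situation described in the question (a headless Spring Boot service that must accept HTTP Basic credentials from one upstream system, return 401 instead of a login page, and log failed attempts), the following configuration is an added example and is not code from the question, the answers, or the linked blog. It assumes spring-boot-starter-security on the classpath, the pre-5.7 WebSecurityConfigurerAdapter style used elsewhere on this page, a hypothetical package name, and a single hypothetical in-memory user; the username, password and realm are placeholders.

```java
package com.example.basicauth; // hypothetical package name

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class BasicAuthConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(BasicAuthConfig.class);

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Store only a bcrypt hash of the caller's password, never the clear text
        return new BCryptPasswordEncoder();
    }

    // Invoked when the Authorization header is missing or the credentials are wrong.
    // It writes a log line and answers 401 with a Basic challenge; there is no
    // redirect and no login page, which is what a machine-to-machine caller needs.
    @Bean
    public AuthenticationEntryPoint loggingEntryPoint() {
        return (HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) -> {
            // Log method, path, peer address and the reason; never log the header value,
            // because Basic credentials are only base64-encoded, not encrypted
            log.warn("Basic auth failed for {} {} from {}: {}",
                    request.getMethod(), request.getRequestURI(),
                    request.getRemoteAddr(), ex.getMessage());
            response.setHeader("WWW-Authenticate", "Basic realm=\"upstream\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical single upstream caller. In a real deployment the hash comes
        // from configuration or a UserDetailsService, not from source code.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("upstream-system")
            .password(passwordEncoder().encode("change-me"))
            .roles("UPSTREAM");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No browser session exists, so there is no CSRF token to protect
            .csrf().disable()
            // Every request carries its own credentials; do not create a session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic().authenticationEntryPoint(loggingEntryPoint());
    }
}
```

With this in place a correct `Authorization: Basic ...` header lets the request through to the normal controller flow, and a wrong or missing one produces a `WARN` log line and a plain 401. Because this is done inside the application rather than in Tomcat's `web.xml`, it works unchanged on any servlet container; for an external Tomcat the only container-specific piece is that the Spring Boot main class extends `SpringBootServletInitializer` so the WAR can bootstrap the application. Basic credentials travel as base64 text, so the hop from the upstream system must be TLS-protected.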

OAuth2 Server Config

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

    public class AuthserverApplication extends WebMvcConfigurerAdapter {

        // Resource server: guards the endpoints that are called with an access token
        @Configuration
        @EnableResourceServer
        protected static class ResourceServer extends ResourceServerConfigurerAdapter {

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                    .requestMatchers().antMatchers("/user/**", "/api/v1/user")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/user/**").authenticated()
                    .antMatchers("/api/v1/user").permitAll();
            }

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("sparklr").stateless(false);
            }
        }

        // Authorization server: issues tokens to the registered client
        @Configuration
        @EnableAuthorizationServer
        protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

            @Autowired
            private AuthenticationManager authenticationManager;

            @Autowired
            private UserDetailsService userDetailsService;

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                endpoints.authenticationManager(authenticationManager)
                         .userDetailsService(userDetailsService);
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                // Note: this client is registered without a secret, so anyone who knows
                // the client id can use the password grant
                clients.inMemory()
                       .withClient("act_client")
                       .authorizedGrantTypes("password", "refresh_token")
                       .scopes("read", "write", "trust");
            }
        }
    }

UserDetailsService implementation

    import java.util.HashSet;
    import java.util.Set;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    import com.flasher.entity.AuthorityM;
    import com.flasher.entity.User;
    import com.flasher.repository.UserRepository;

    @Service
    public class UserDetailsInfo implements UserDetailsService {

        @Autowired
        UserRepository userRepository;

        @Override
        public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
            User user = userRepository.findByUsername(userName);
            // An unknown username must be reported as UsernameNotFoundException, which
            // Spring Security maps to an authentication failure, rather than as a
            // NullPointerException from user.getAuthorityMs()
            if (user == null) {
                throw new UsernameNotFoundException("User not found: " + userName);
            }

            // Map each persisted role onto a GrantedAuthority
            Set<AuthorityM> authorityMs = user.getAuthorityMs();
            Set<GrantedAuthority> authorities = new HashSet<>();
            authorityMs.forEach(authorityM ->
                authorities.add(new SimpleGrantedAuthority(authorityM.getRole())));

            // The password field holds the stored (encoded) password, which the
            // configured PasswordEncoder compares against the submitted one
            return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), authorities);
        }
    }

Implement `org.springframework.security.core.userdetails.UserDetailsService` to initialize and return an `org.springframework.security.core.userdetails.User` instance, which the OAuth2 server uses to do the authentication.
