
I've set up the WebSecurityConfigurerAdapter so that it redirects everything to the /login URL; however, now I'm confused as to how to grant authentication. I have a User.java, UserRepository.java and a UserService.java.

I've read multiple articles on how to do basic authentication with Spring Boot. The only thing that they have in common is that they use WebSecurityConfigurerAdapter to redirect users to a login page. It seems there are various ways to implement logging in; I just want to use the basic UserController -> UserService -> UserRepo way to retrieve a user along with his/her data. This is the code I have so far.

Web security config

    package com.flashcards.flashcard;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/").permitAll()   // the landing page is public
                    .anyRequest().authenticated()   // everything else needs a logged-in user
                    .and()
                .formLogin()
                    .loginPage("/login")            // custom login page, served by the app
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }

User.java

    package com.flashcards.flashcard;

    import lombok.Data;

    import java.util.ArrayList;
    import java.util.List;

    import javax.persistence.Entity;
    import javax.persistence.GeneratedValue;
    import javax.persistence.Id;
    import javax.persistence.OneToMany;

    @Data
    @Entity
    class User {

        private @Id @GeneratedValue long id;
        private String userName;
        private String password;        // stored exactly as passed in; nothing here hashes it
        private String passwordConfirm;

        // initialised so appendCard() does not hit a null list on a fresh entity
        @OneToMany
        private List<FlashCard> flashCards = new ArrayList<>();

        // JPA needs a no-arg constructor to instantiate the entity
        protected User() {
        }

        User(String user, String pass, String passwordConfirm) {
            this.userName = user;
            this.password = pass;
            this.passwordConfirm = passwordConfirm;
        }

        void appendCard(FlashCard card) {
            flashCards.add(card);
        }
    }

UserServiceImpl.java

    package com.flashcards.flashcard;

    public class UserServiceImpl implements UserService {

        // not implemented yet; returns null so the class compiles
        public User getUser(String name, String p) {
            return null;
        }

        public void updateUser() {
        }

        public void deleteUser() {
        }
    }

LoadDatabase.java, initializes data for the web application.

    package com.flashcards.flashcard;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.stereotype.Component;

    @Component
    public class LoadDatabase implements CommandLineRunner {

        private final FlashCardRepository flashcardRepository;
        private final UserRepository userRepository;

        @Autowired
        public LoadDatabase(FlashCardRepository flashcardRepository, UserRepository userRepository) {
            this.flashcardRepository = flashcardRepository;
            this.userRepository = userRepository;
        }

        @Override
        public void run(String... strings) throws Exception {
            // seeds one user; the password is saved as the literal string "password"
            this.userRepository.save(new User("user", "password", "password"));
        }
    }
Comment: To be honest, if you really want to understand authentication and authorization in Spring Security, I really, really recommend the technical overview documentation. This will give you a really good understanding of the Spring Security classes and their roles. docs.spring.io/spring-security/site/docs/current/reference/… Commented Jul 13, 2019 at 0:57

1 Answer


You can use configure(HttpSecurity http) to secure your endpoints. Consider that you have some endpoints as below.

    /admin/newuser --> endpoint which can be accessed only by a user with ROLE_ADMIN
    /admin/users   --> endpoint which can be accessed only by a user with ROLE_ADMIN
    /user/profile  --> endpoint which can be accessed by a user with ROLE_USER or ROLE_ADMIN

To achieve this you have to add a role field to your model which is saved in the database as ROLE_ADMIN, ROLE_USER (ROLE_ROLETYPE; avoid lowercase letters when saving it to the database to avoid further errors). You can add it as below in configure().

    .antMatchers("/admin/**").hasRole("ADMIN")
    .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()                   // turns off CSRF protection for every request
            .authorizeRequests()
                .antMatchers("/login", "/logout").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")          // matches authority "ROLE_ADMIN"
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login");
    }

You can change .anyRequest().authenticated() to .anyRequest().permitAll() if you don't want to authenticate the user for endpoints other than those mentioned in .antMatchers().
