I am quite new to Spring, so sorry if my question sounds silly.
I am trying to add basic HTTP Auth to my Spring based REST API.
I have been following quite a few tutorials and reference documentations for now, but they all seem to indicate the same thing so it seems obvious I must be missing something.
What I want is to define a simple configuration where every request is behind HTTP Auth by default, but then we can define method level security as needed using @PreAuthorize, or by modifying the HttpSecurity configuration.
I have defined a very simple configuration as such:
@Configuration
@EnableWebMvc
@EnableWebSecurity
@ComponentScan(basePackages = "com.app.rest")
public class RESTConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().hasAnyRole("USER")
.and()
.httpBasic();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}
}
I then have a very simple controller (no service, nothing fancy).
Here is a very basic overview:
@RestController
@RequestMapping("/images")
public class ImagesController {
@JsonView(View.Basic.class)
@RequestMapping(value = "/{id}", method = RequestMethod.GET)
public ObjectXvo getImageByID(@PathVariable String id) throws IOException {
ObjectXvo result = doThings();
return result;
}
}
The only noticeable difference compared to all the online tutorials is the way we load this API. Because we already have a Jetty container running other things, we have decided to reuse it instead of using a WebAppInitializer like most do online.
Here is an extract of how the REST API is defined:
// Creating REST Servlet
ServletContextHandler restHandler = new ServletContextHandler(ServletContextHandler.SESSIONS);
restHandler.setErrorHandler(null);
restHandler.setContextPath("/rest");
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.setConfigLocation("com.app.test");
WebApplicationContext webAppContext = context;
DispatcherServlet dispatcherServlet = new DispatcherServlet(webAppContext);
ServletHolder springServletHolder = new ServletHolder("REST dispatcher", dispatcherServlet);
restHandler.addServlet(springServletHolder, "/");
restHandler.addEventListener(new ContextLoaderListener(webAppContext));
// Creating handler collection
ContextHandlerCollection handlerCollection = new ContextHandlerCollection();
handlerCollection.addHandler(anotherHandler);
handlerCollection.addHandler(restHandler);
handlerCollection.addHandler(yetAnotherHandler);
// Setting server context
server.setHandler(handlerCollection);
The thing is, when running the app, is that I can still access all URLs like if I had not setup any security scheme.
When debugging the application, I can see that the RESTConfiguration is being processed as breakpoints inside my configure methods are definitely being hit.
We are quite set on avoiding the usage of XML files as long as we can, as we think annotations are better so far.
Can anyone point me in the right direction as to why this security configuration is not being activated?
EDIT:
Not sure how relevant that is, but if I try to add a @PreAuthorize to a REST method, I get the following error:
HTTP ERROR: 500
Problem accessing /rest/images/I147. Reason:
An Authentication object was not found in the SecurityContext
There is plenty of info on the internet on how to fix this, but I am wondering if this is not related.
