0

I have a RestController working and I want to learn how to enable Basic Auth with Spring Security.

I've created a class that extends WebSecurityConfigurerAdapter and for what I understand, it should be enough. Sadly I can call the resources without providing credentials.

Here is my code:

Configurer Adapter

package es.ieci.test.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    public static final String REALM = "TEST_REALM";

    @Override
    protected void configure(HttpSecurity http) throws Exception{

        http
            .csrf().disable()
            .authorizeRequests().antMatchers("/services/**").hasRole("ADMIN").and()
            .httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint()).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }

    @Bean
    public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
        return new CustomBasicAuthenticationEntryPoint();
    }   
}

Spring Config file

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context   
        http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <mvc:annotation-driven />
    <context:component-scan base-package="es.ieci.test.security, es.ieci.test.controller, es.ieci.test.services, es.ieci.test.utils" />            

</beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    id="WebApp_ID" version="2.5">
    <display-name>TestRestSpring</display-name> 

    <servlet>
        <servlet-name>springrest</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>springrest</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>      

</web-app>

And my pom file

<dependencies>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
        </dependency>


        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>4.2.0.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>4.2.0.RELEASE</version>
        </dependency>   
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>4.3.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>4.3.3.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.4.1</version>
        </dependency>

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.7</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-web</artifactId>
            <version>2.7</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j-impl</artifactId>
            <version>2.7</version>
        </dependency>

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.11</version>
            <scope>test</scope>
        </dependency>
  </dependencies>

I'm using a Tomcat v6.0m and the server logs looks good:

nov 17, 2016 2:00:32 PM org.springframework.security.web.DefaultSecurityFilterChain INFORMACIÓN: Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@f671723, org.springframework.security.web.context.SecurityContextPersistenceFilter@2b8af779, org.springframework.security.web.header.HeaderWriterFilter@49d0b86, org.springframework.security.web.authentication.logout.LogoutFilter@6f7b847c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@3b022cae, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1eebd4a2, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4cb106be, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@392002bb, org.springframework.security.web.session.SessionManagementFilter@e13b2fb, org.springframework.security.web.access.ExceptionTranslationFilter@6b4187ba, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@241377b6]

But if I call to

http://localhost:8383/TestRestSpring/services/echo

Without providing user credentials the server response is 200 instead of the expected Auth error

Marco A. Hernandez
  • 791
  • 4
  • 15

2 Answers2

0

I've been able to get 401 code adding a filter to web.xml

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

But I'm not sure if this is the right way.

Marco A. Hernandez
  • 791
  • 4
  • 15
-1

It seems you missed to add context config file in your web.xml,so component scanning of security configuration is not done.

 <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-dispatcher-servlet.xml</param-value>
 </context-param> 
 <listener>
        <listener-class>
                 org.springframework.web.context.ContextLoaderListener
         </listener-class>
</listener>
Sunil Kumar
  • 5,477
  • 4
  • 31
  • 38