
Custom Basic Spring Security

Default Spring Security Configuration

  • In the Spring Security library, the class WebSecurityConfigurerAdapter contains the default configuration of Spring Security. It is the most important class in the framework for our purposes: any custom Spring Security configuration is written by extending it.
  • If you look inside the WebSecurityConfigurerAdapter class, you will see a method configure(HttpSecurity http) as below:
ProjectSecurityConfig.java

```java
protected void configure(HttpSecurity http) throws Exception {
    this.logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
    http.authorizeRequests((requests) -> {
        // any request that reaches the application must be authenticated
        ((AuthorizedUrl) requests.anyRequest()).authenticated();
    });
    http.formLogin();
    http.httpBasic();
}
```
  • This method contains the default security configuration of the Spring Security framework. The call requests.anyRequest().authenticated() means that every request reaching your application has to be authenticated, that is, validated against credentials.
  • Then http.formLogin() indicates that requests coming to the application from a browser can be authenticated by using form login.
  • Then http.httpBasic() indicates that requests coming to your application from back-end clients, such as other Spring Boot services using RestTemplate, or tools like Postman, can be authenticated with HTTP Basic authentication.
  • In conclusion, the default security secures every request to every API of your application.

Custom Default Spring Security Configure

Prepare

To try out customizing the default Spring Security configuration, we need to create six REST controllers, which contain the sample APIs below:

| API | Description | Needs Security |
| --- | --- | --- |
| /v1/contact | This API should accept the details from the Contact Us page in the UI and save them to the DB. | No |
| /v1/notice | This API should send the notice details from the DB to the NOTICES page in the UI. | No |
| /v1/account/{username} | This API should send the account details of the logged-in user from the DB to the UI. | Yes |
| /v1/balance | This API should send the balance and transaction details of the logged-in user from the DB to the UI. | Yes |
| /v1/loan | This service should send the loan details of the logged-in user from the DB to the UI. | Yes |
| /v1/card | This service should send the card details of the logged-in user from the DB to the UI. | Yes |

Create Configuration Class

  • Then we will create a class named ProjectSecurityConfig, which extends WebSecurityConfigurerAdapter, and override the method configure(HttpSecurity http) to mark the APIs we want as authenticated or non-authenticated. See the code below:
ProjectSecurityConfig.java

```java
package com.springboot.security.custom.basic.spring.security.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ProjectSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     *
     * contact: Not Secure
     * notice: Not Secure
     * balance: Secure
     * Card: Secure
     * Loan: Secure
     * Account: Secure
     *
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // APIs that need an authenticated caller
                .antMatchers("/v1/accounts/**").authenticated()
                .antMatchers("/v1/balance").authenticated()
                .antMatchers("/v1/loan").authenticated()
                .antMatchers("/v1/card").authenticated()
                // public APIs, reachable without credentials
                .antMatchers("/v1/contact").permitAll()
                .antMatchers("/v1/notice").permitAll()
                .and().formLogin()
                .and().httpBasic();
    }
}
```
  • The method antMatchers() allows us to configure which APIs should be authenticated(), permitAll() or denyAll().
  • As you can see, permitAll() means that all requests to the API are permitted without any security check.
  • denyAll() means that all requests to the API are denied with status 403 Forbidden.
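Two properties of authorizeRequests() matter in practice and are worth seeing in code. First, matchers are evaluated in the order they are declared and the first match wins, so a catch-all must come last. Second, the rule list above has no catch-all: a URL that matches none of the listed patterns is served without any authentication check (note that the table spells the account API /v1/account/{username} while the matcher is /v1/accounts/**, so a path written that way would fall outside every rule). The class below is an added example, not the page's ProjectSecurityConfig; the class name FailClosedSecurityConfig and the /v1/internal/** path are hypothetical, and it closes that gap with an explicit default rule.

```java
package com.springboot.security.custom.basic.spring.security.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not the page's own configuration): the same six APIs with a
 * fail-closed default. Rules are checked top to bottom, first match wins,
 * so the anyRequest() catch-all must stay at the end of the list.
 */
@Configuration
public class FailClosedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Explicit allow-list of the APIs that need no credentials.
                .antMatchers("/v1/contact", "/v1/notice").permitAll()
                // APIs that require an authenticated caller (any logged-in user).
                .antMatchers("/v1/accounts/**", "/v1/balance", "/v1/loan", "/v1/card").authenticated()
                // Hypothetical internal path that must never be reachable through this
                // application: every request to it gets 403, even when authenticated.
                .antMatchers("/v1/internal/**").denyAll()
                // Catch-all: anything not listed above still requires authentication
                // instead of being silently exposed, which is also Spring's own default.
                .anyRequest().authenticated()
                .and().formLogin()
                .and().httpBasic();
    }
}
```

With this ordering a new controller added later without a matching rule answers 401 to anonymous callers rather than 200, and a misspelt pattern such as the account one above degrades to "needs login" rather than "public". Keep only one WebSecurityConfigurerAdapter subclass active in the application; this class is a drop-in replacement for ProjectSecurityConfig, not a second configuration to run beside it.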

Testing

  • Now, let's start the application and use Postman to call the /v1/contact and /v1/notice APIs without entering a username/password, because these are public APIs. You should see the result below:


  • If you then call the other APIs (/v1/balance, /v1/accounts/**, /v1/loan and /v1/card) without username/password credentials, you will get a 401 error as below:


  • When you supply the username/password and call again, you will get a 200 result.


  • The same happens for the /v1/balance, /v1/accounts/** and /v1/card APIs.
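The Postman checks above are exactly the kind of thing that silently breaks when someone reorders a matcher or adds an endpoint, so they are worth automating. The test class below is an added example, not part of the page's project; it assumes spring-boot-starter-test and spring-security-test are on the test classpath and that the page's controllers exist and answer GET with 200. It uses MockMvc to reproduce the three observations: public APIs need no credentials, secured APIs answer 401 with a WWW-Authenticate challenge to anonymous callers, and any authenticated principal gets 200.

```java
package com.springboot.security.custom.basic.spring.security;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

/**
 * Added example (not the page's code): automated version of the manual
 * Postman checks. Assumes the controllers from the Prepare section exist
 * and return 200 on GET.
 */
@SpringBootTest
@AutoConfigureMockMvc
class ProjectSecurityConfigTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void publicApiNeedsNoCredentials() throws Exception {
        // permitAll(): no Authorization header, still 200
        mvc.perform(get("/v1/notice")).andExpect(status().isOk());
    }

    @Test
    void securedApisChallengeAnonymousCallers() throws Exception {
        // No Accept header resolves to */*, for which Spring selects the HTTP Basic
        // entry point rather than the form-login redirect, hence 401 plus a
        // WWW-Authenticate header, matching what Postman showed above.
        for (String path : new String[] {"/v1/balance", "/v1/loan", "/v1/card"}) {
            mvc.perform(get(path))
                    .andExpect(status().isUnauthorized())
                    .andExpect(header().exists("WWW-Authenticate"));
        }
    }

    @Test
    @WithMockUser // authenticated() accepts any authenticated principal, roles do not matter here
    void securedApiServesAuthenticatedCaller() throws Exception {
        mvc.perform(get("/v1/balance")).andExpect(status().isOk());
    }
}
```

If /v1/contact is implemented as a POST, an unauthenticated request to it will get 403 rather than 200 even though it is permitAll(): that is Spring Security's default CSRF protection, not the URL rules, and in a test it is satisfied by adding the csrf() request post-processor from spring-security-test to the request.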
