Skip to main content

Spring Security part 1 - Configuration

-

 Spring Security is a well made and powerful authentication and authorization framework used for securing Spring-based applications. The underlying value is how quickly and easily it can be configured and extended to meet most business requirements. However, because it’s so configurable it can be daunting to set up and understand how to quickly get it running for your application. This 5 part series will take you through a real-world example from start to finish.

Other Articles

Prerequistes

This series on Spring Security uses Spring 6. Enable Spring Security by adding the following dependency into your pom.xml.

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

HomeController

We’re going to need something to secure. Create a simple web controller.

@Controller
public class HomeController {

	@GetMapping("/")
	public ResponseEntity<String> home(Model model) {
	
		return new ResponseEntity<String>("Hello World", HttpStatus.OK);
	}
	
	@GetMapping(value = "/user/view", produces = MediaType.TEXT_PLAIN_VALUE)
	public ResponseEntity<String> userTest(Model model) {
	
		return new ResponseEntity<String>("Hello User", HttpStatus.OK);
	}	
}

Security Configuration

Create a new base class and give it meaningful name. You’ll need to annotate it with @Configuration so Spring knows this class contains configuration for your application.

You’ll need to annotate it with @EnableWebSecurity to have the Spring Security configuration defined by exposing a SecurityFilterChain bean.

@Configuration
@EnableWebSecurity
public class SecurityConfig  {

}

Immediately after bringing in the Spring Security dependencies, without any configuration, you’ll notice your web application forward you to a login page for all requests. With a little configuration we can allow some requests to go through without authentication.

Login Page

When we added @EnableWebSecurity, it automatically enables CSRF protection. This is activated by default when using EnableWebSecurity’s default constructor. This also populates the CsrfFilter.

You can disable CSRF with this code:

  http.csrf().disable()

Basic configuration

Let’s configure the / mapping so its avaiable to everyone and configure the /user mapping so only authenticated users can view it. The authorizeHttpRequests() method enables the requestMatchers which allows us to easily configure each mapping. Keep in mind, order will matter here. When a filter matches it will stop processing the remaining ones. If you have requestMatchers("/**") above the user mapping, it will allow everyone to see both URLs.

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    	
    	http
    		.authorizeHttpRequests()
    		.requestMatchers("/user/**").authenticated()
    		.requestMatchers("/**").permitAll()
    		.and()
    		.formLogin();
    	
    	return http.build();
    }

Set up users & in-memory database

To keep things simple we will use an in-memory database and clear text password. In a production environment you’ll want to use a PasswordEncoder that encrypts the password.

    @Bean
    public static PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
    
    @Bean
    public UserDetailsService users() {
    	
    	UserDetails user = User.builder()
    		.username("user")
    		.password("user")
    		.roles("USER")
    		.build();
    	UserDetails admin = User.builder()
    		.username("admin")
    		.password("admin")
    		.roles("USER", "ADMIN")
    		.build();
    	return new InMemoryUserDetailsManager(user, admin, user2);
    }

Comments

Post a Comment

Popular posts from this blog

Max Upload File Size in Spring Framework

-
  Spring framework comes preconfigured with default upload file size and max request size. You can modify the sizes with application settings. Settings max-file-size  specifies the maximum size permitted for uploaded files. The default is 1MB max-request-size  specifies the maximum size allowed for multipart/form-data requests. The default is 10MB. Error exceeding max file size Java with Spring 6 will throw a  MaxUploadSizeExceededException  exception when the max size is exceeded. threw exception [ Request processing failed: org . springframework . web . multipart . MaxUploadSizeExceededException : Maximum upload size exceeded ] with root cause org . apache . tomcat . util . http . fileupload . impl . FileSizeLimitExceededException : The field image exceeds its maximum permitted size of 1048576 bytes . at org . apache . tomcat . util . http . fileupload . impl . FileItemStreamImpl $ 1 . raiseError ( FileItemStreamImpl . java : 117 )...
Read more

Use Java Enums with JPA

-
Java Persistence API (JPA) is a widely used standard for object-relational mapping (ORM) in Java applications. One of the common challenges when working with JPA is mapping database columns to Java enums. This can be especially challenging if the database column is not a string, such as when using an integer or a byte as the database column type. In this article, we will explore how to use Java enums with JPA. Mapping Java enums to database columns Before we dive into the details of how to use Java enums with JPA, let's first discuss how JPA maps Java enums to database columns. JPA provides two basic ways to map Java enums to database columns: Ordinal-based mapping : This maps the enum's ordinal value (the position of each enum value in the enum declaration) to the database column. For example, if we have an enum named Status with values ACTIVE, INACTIVE, and SUSPENDED, ACTIVE will have an ordinal value of 0, INACTIVE will have an ordinal value of 1, and so on. Name-based mappi...
Read more

Spring Security part 3 - OidcUser

-
  In the last article, I showed you how to return your own   UserDetails   object via a bean interface for username/password authentication. But what if you want to use OAuth authentication too? Spring Security works differently with OAuth but with a little engineering we can bring it all together into a cohesive solution. Other Articles Architecture -  Spring Security Architecture Part 1 -  Security configuration Part 2 -  How to handle UserDetails gracefully Part 3 -  UserDetails for OAuth authentication Part 4 -  Handling GrantedAuthorities with custom roles/permissions Part 5 -  Security tags for Freemarker If you’re new to Spring, you should take a look at  Getting started with Spring Framework for Web Apps OidcUser You’ve already learned about  UserDetails  but do you know about its cousin [OidcUser](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/core/oidc/user/OidcUser.ht...
Read more