1
1
.
.
3
3
.
.
7
7
V
V
a
a
l
l
i
i
d
d
a
a
t
t
e
e
C
C
r
r
e
e
d
d
e
e
n
n
t
t
i
i
a
a
l
l
s
s
-
-
R
R
e
e
q
q
u
u
e
e
s
s
t
t
-
-
P
P
O
O
S
S
T
T
-
-
J
J
S
S
O
O
N
N
I
I
n
n
f
f
o
o
[
[
G
G
]
]
This tutorial shows how to manually Authenticate User by providing User Credentials in HTTP Request Parameters.
Then we will compare provided User Credentials with stored Users on order to Authenticate User.
Authentication will only check if User exist but it will not Authenticate User in a sense to give him access to Endpoints.
User Object that is returned does not contain Property which says that User is Authenticated.
Instead Authenticated Users need to be placed in a special pool to allow them access to restricted Endpoint.
And we will not be ding that in this tutorial.
Application Schema [Results]
Spring Boot Starters
GROUP
DEPENDENCY
DESCRIPTION
Web
Spring Web
Enables @RequestMapping and Tomcat
Security
Spring Security
Enables Spring Security
P
P
r
r
o
o
c
c
e
e
d
d
u
u
r
r
e
e
Create Project: springboot_security_request_post (add Spring Boot Starters from the table)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: WebSecurityConfig.java (inside config package)
http://localhost:8080/MyLogin
Tomcat
Browser
MyController
myLogin()
WebSecurityConfig
http://localhost:8080/Authenticate
authenticate()
MyLogin.html
WebSecurityConfig.java
package com.ivoronline.springboot_security_request_post.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//=================================================================
// USER DETAILS SERVICE
//=================================================================
@Bean
@Override
protected UserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("myuser")
.password("mypassword")
.roles ("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
//=================================================================
// CONFIGURE
//=================================================================
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.authorizeRequests().antMatchers(, "/Authenticate").permitAll(); //ANONYMOUS ACCESS
httpSecurity.csrf().disable(); //Otherwise POST to Authenticate fails
}
//=================================================================
// AUTHENTICATION MANAGER BEAN
//=================================================================
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
MyController.java
package com.ivoronline.springboot_security_request_post_json.controllers;
import com.ivoronline.springboot_security_request_post_json.DTO.CredentialsDTO;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class MyController {
@Autowired AuthenticationManager authenticationManager;
@Autowired private UserDetailsService userDetailsService;
@ResponseBody
@RequestMapping("/Authenticate")
public String authenticate(@RequestBody CredentialsDTO credentialsDTO) {
//CREATE TOKEN (FROM USERNAME & PASSWORD)
String username = credentialsDTO.username;
String password = credentialsDTO.password;
UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username,
password);
//AUTHENTICATE
try { authenticationManager.authenticate(authToken); }
catch (BadCredentialsException e) { return "Invalid Credentials"; }
//GET USER OBJECT
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
System.out.println(userDetails);
//SUCCESSFUL AUTHENTICATION
return "Valid Credentials";
}
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-secur ity</artifactId>
</dependency>
</dependencies>
