1.3.5 Validate Credentials - Request - GET
Info [G]
This tutorial shows how to manually authenticate a User by providing User Credentials in HTTP Request Parameters.
We will then compare the provided User Credentials with the stored Users in order to authenticate the User.
Authentication will only check whether the User exists; it will not authenticate the User in the sense of giving him access to Endpoints.
The User Object that is returned does not contain a Property which says that the User is Authenticated.
Instead, Authenticated Users need to be placed in a special pool to allow them access to restricted Endpoints.
We will not be doing that in this tutorial.
Application Schema [Results]
Spring Boot Starters
| GROUP | DEPENDENCY | DESCRIPTION |
|---|---|---|
| Web | Spring Web | Enables @RequestMapping and Tomcat |
| Security | Spring Security | Enables Spring Security |
http://localhost:8080/Authenticate
Tomcat
Browser
authenticate()
Procedure
Create Project: springboot_security_request_parameters (add Spring Boot Starters from the table)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: WebSecurityConfig.java (inside config package)
WebSecurityConfig.java
package com.ivoronline.springbot_security_request_parameters.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
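/**
 * Spring Security configuration for the tutorial application: one in-memory user, an
 * anonymous {@code /Authenticate} endpoint, and the {@link AuthenticationManager} exposed
 * as a bean so the controller can validate credentials by hand.
 *
 * <p>This class extends {@code WebSecurityConfigurerAdapter}, which is deprecated since
 * Spring Security 5.7 and removed in 6.0, so the listing targets a Spring Security 5.x
 * (Spring Boot 2.x) project.
 *
 * <p>NOTE(review): the package line of this listing spells the project
 * {@code springbot_...} while the project name and the controller listing use
 * {@code springboot_...}. The class has to live under the application's main package,
 * otherwise component scanning will not pick this configuration up.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  //=================================================================
  // USER DETAILS SERVICE
  //=================================================================
  /**
   * Registers a single in-memory user ({@code myuser}, role {@code USER}).
   *
   * <p>Demo only: {@code User.withDefaultPasswordEncoder()} is marked deprecated by Spring
   * Security to signal that it is meant for samples, and the username and password are
   * hard-coded in source. A real application keeps users in an external store with
   * passwords hashed before they are stored, and keeps secrets out of the code base.
   *
   * @return user store backed by the one demo account
   */
  @Bean
  @Override
  protected UserDetailsService userDetailsService() {
    UserDetails user = User.withDefaultPasswordEncoder()
        .username("myuser")
        .password("mypassword")
        .roles("USER")
        .build();
    return new InMemoryUserDetailsManager(user);
  }

  //=================================================================
  // CONFIGURE
  //=================================================================
  /**
   * Declares which requests are reachable without authentication.
   *
   * <p>Only {@code /Authenticate} is opened to anonymous callers. The trailing
   * {@code anyRequest().authenticated()} makes the policy deny-by-default: without it a
   * request that matches no rule is not restricted, so any endpoint added later would be
   * publicly reachable. This class configures no login mechanism, so every other path
   * stays closed until one is added.
   *
   * @param httpSecurity builder for the web security filter chain
   * @throws Exception if the builder rejects the configuration
   */
  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity.authorizeRequests()
        .antMatchers("/Authenticate").permitAll() //ANONYMOUS ACCESS (NO LOGIN)
        .anyRequest().authenticated();            //EVERYTHING ELSE REQUIRES AUTHENTICATION
  }

  //=================================================================
  // AUTHENTICATION MANAGER BEAN
  //=================================================================
  /**
   * Exposes the adapter's {@link AuthenticationManager} as a bean so it can be injected
   * into the controller.
   *
   * @return the authentication manager built by the parent class
   * @throws Exception if the parent class cannot build it
   */
  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
}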
MyController.java
package com.ivoronline.springboot_security_request_parameters.controllers;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
/**
 * Controller that checks a username/password pair supplied as request parameters against
 * the configured users and answers with a plain-text verdict.
 *
 * <p>The result of the authentication call is discarded and nothing is stored for later
 * requests, so a "Valid Credentials" answer does not log the caller in.
 */
@Controller
public class MyController {

  @Autowired AuthenticationManager authenticationManager;
  @Autowired private UserDetailsService userDetailsService;

  /**
   * Validates the supplied credentials.
   *
   * <p>NOTE(review): the mapping does not restrict the HTTP method, and the tutorial's
   * Results URLs pass the password in the query string. A password sent that way can end
   * up in server access logs, browser history and intermediary proxies. Outside a demo,
   * accept credentials in a POST body over HTTPS instead.
   *
   * @param username name of the user to check
   * @param password clear-text password to check
   * @return {@code "Valid Credentials"} or {@code "Invalid Credentials"}
   */
  @ResponseBody
  @RequestMapping("/Authenticate")
  public String authenticate(@RequestParam String username, @RequestParam String password) {

    // Wrap the submitted username and password in a token for the manager to verify.
    UsernamePasswordAuthenticationToken credentials =
        new UsernamePasswordAuthenticationToken(username, password);

    // Only BadCredentialsException is handled here; any other exception thrown by
    // authenticate() propagates to the caller instead of producing "Invalid Credentials".
    try {
      authenticationManager.authenticate(credentials);
    } catch (BadCredentialsException rejected) {
      return "Invalid Credentials";
    }

    // Look the user up again by name and print it to standard output.
    // NOTE(review): what gets printed depends on the UserDetails implementation's
    // toString(); confirm it does not expose the stored password before keeping this
    // line outside a demo.
    UserDetails storedUser = userDetailsService.loadUserByUsername(username);
    System.out.println(storedUser);

    return "Valid Credentials";
  }
}
Results
http://localhost:8080/Authenticate?username=myuser&password=mypassword
http://localhost:8080/Authenticate?username=myuser&password=mypassword123
pom.xml
<dependencies>
<!-- Spring Web starter: per the starters table on this page, enables @RequestMapping and Tomcat. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Spring Security starter. Neither dependency declares a <version> in this excerpt; presumably
     it is managed by a Spring Boot parent POM that is not shown. The WebSecurityConfig listing
     extends WebSecurityConfigurerAdapter, which was removed in Spring Security 6.0, so the managed
     version has to resolve to a 5.x release (Spring Boot 2.x) for the listing to compile. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>