1.3.6 ValidateCredentials-Request-POST
Info [G]
This tutorial shows how to manually authenticate a User by providing User Credentials in HTTP Request Parameters.
We then compare the provided User Credentials with the stored Users in order to authenticate the User.
Authentication here only checks whether the User exists; it does not authenticate the User in the sense of giving him access to Endpoints.
The User Object that is returned does not contain a Property which says that the User is Authenticated.
Instead, Authenticated Users need to be placed in a special pool to allow them access to restricted Endpoints.
We will not be doing that in this tutorial.
Application Schema [Results]
Spring Boot Starters
GROUP
DEPENDENCY
DESCRIPTION
Web
Spring Web
Enables @RequestMapping and Tomcat
Security
Spring Security
Enables Spring Security
Template Engines
Thymeleaf
Enables Controller to return reference to HTML Page MyLogin.html
Procedure
Create Project: springboot_security_request_post (add Spring Boot Starters from the table)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: WebSecurityConfig.java (inside config package)
Create HTML File: MyLogin.html (inside directory resources/templates)
http://localhost:8080/MyLogin
Tomcat
Browser
myLogin()
http://localhost:8080/Authenticate
authenticate()
WebSecurityConfig.java
package com.ivoronline.springboot_security_request_post.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
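/**
 * Spring Security configuration for the tutorial application.
 *
 * <p>Declares one in-memory user, allows anonymous access to the login page and the
 * credential-check endpoint, and exposes the {@link AuthenticationManager} as a bean.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  //=================================================================
  // USER DETAILS SERVICE
  //=================================================================
  /**
   * Builds the user store that credentials are checked against.
   *
   * @return an in-memory store holding the single user "myuser" with role USER
   */
  @Bean
  @Override
  protected UserDetailsService userDetailsService() {
    // NOTE(review): withDefaultPasswordEncoder() is deprecated by Spring Security because it is
    // meant for demos only, and the credentials below are hard-coded in source. Outside a
    // tutorial, load users from an external store and supply an explicit PasswordEncoder.
    UserDetails user = User.withDefaultPasswordEncoder()
        .username("myuser")
        .password("mypassword")
        .roles   ("USER")
        .build();
    return new InMemoryUserDetailsManager(user);
  }

  //=================================================================
  // CONFIGURE
  //=================================================================
  /**
   * Configures URL authorization and CSRF handling.
   *
   * @param httpSecurity builder for the web security filter chain
   * @throws Exception if the builder rejects the configuration
   */
  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    // NOTE(review): no rule covers any other path; once further endpoints exist, add an explicit
    // anyRequest() rule so they are not left open by omission.
    httpSecurity.authorizeRequests().antMatchers("/MyLogin", "/Authenticate").permitAll(); //ANONYMOUS ACCESS

    // The plain HTML form sends no CSRF token, so a POST to /Authenticate would be rejected.
    // Exempt only that endpoint instead of switching CSRF protection off for the whole
    // application, so state-changing endpoints added later stay protected.
    httpSecurity.csrf().ignoringAntMatchers("/Authenticate");
  }

  //=================================================================
  // AUTHENTICATION MANAGER BEAN
  //=================================================================
  /**
   * Exposes the adapter's {@link AuthenticationManager} as a bean so it can be injected
   * elsewhere in the application.
   *
   * @return the AuthenticationManager provided by the superclass
   * @throws Exception if the superclass cannot provide it
   */
  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

}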
MyController.java
package com.ivoronline.springboot_security_request_parameters.controllers;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
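/**
 * Controller that checks a submitted username and password against the configured users.
 *
 * <p>A successful check is only reported back to the caller; nothing in this class records the
 * result, so it does not by itself grant access to any endpoint.
 *
 * <p>NOTE(review): the page's request diagram names a {@code myLogin()} handler for
 * {@code /MyLogin} that is not part of this listing, and the package line above this class
 * says {@code springboot_security_request_parameters} while the project and the config class
 * use {@code springboot_security_request_post}. Confirm both against the real project.
 */
@Controller
public class MyController {

  @Autowired AuthenticationManager authenticationManager;
  @Autowired private UserDetailsService userDetailsService;

  /**
   * Validates the submitted credentials and reports the outcome as plain text.
   *
   * <p>Only POST is accepted, so the credentials travel in the request body rather than in the
   * URL, where they would end up in browser history and access logs. Every authentication
   * failure, {@link BadCredentialsException} included, produces the same answer, so the
   * response does not reveal why a login was rejected.
   *
   * @param username name submitted by the login form
   * @param password password submitted by the login form
   * @return "Valid Credentials" when authentication succeeds, otherwise "Invalid Credentials"
   */
  @ResponseBody
  @PostMapping("/Authenticate")
  public String authenticate(@RequestParam String username, @RequestParam String password) {

    //CREATE TOKEN (FROM USERNAME & PASSWORD)
    UsernamePasswordAuthenticationToken authToken =
        new UsernamePasswordAuthenticationToken(username, password);

    //AUTHENTICATE
    try {
      authenticationManager.authenticate(authToken);
    } catch (AuthenticationException e) {
      // Covers bad credentials and any other authentication failure with one generic answer
      // instead of letting the exception escape the handler.
      return "Invalid Credentials";
    }

    //GET USER OBJECT
    UserDetails userDetails = userDetailsService.loadUserByUsername(username);
    // Demo output only: writes the user record to stdout.
    System.out.println(userDetails);

    //SUCCESSFUL AUTHENTICATION
    return "Valid Credentials";
  }

}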
MyLogin.html
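<!-- Login page: posts username and password to /Authenticate as form parameters. -->
<title> MY LOGIN </title>

<style type="text/css">
  div { display:flex; flex-direction:column; align-items:center; border: solid 1pt; margin: 10pt 50pt;
        background-color: aliceblue }
</style>

<div>
  <h2> MY LOGIN </h2>
  <form method="POST" action="/Authenticate">
    <p> <input type="text"     name="username" placeholder="username" /> </p>
    <!-- type="password" masks the value on screen and keeps it out of the browser's text-field history. -->
    <p> <input type="password" name="password" placeholder="password" /> </p>
    <p> <input type="submit"   name="submit"   value="submit" style="width:100%"/> </p>
  </form>
</div>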
Results
http://localhost:8080/MyLogin
http://localhost:8080/Authenticate
Application Structure
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</group