Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web - Annotations
30,585
Waited for 2 days and didn't get any help here. But my research provided me a solution :)
Solution
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private AuthenticationProvider authenticationProvider;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
@Configuration
@Order(1)
public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().hasAnyRole("ADMIN", "API")
.and()
.httpBasic();
}
}
@Configuration
@Order(2)
public static class FormWebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable() //HTTP with Disable CSRF
.authorizeRequests() //Authorize Request Configuration
.antMatchers("/connect/**").permitAll()
.antMatchers("/", "/register").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and() //Login Form configuration for all others
.formLogin()
.loginPage("/login").permitAll()
.and() //Logout Form configuration
.logout().permitAll();
}
}
}
Comments
-
Faraj Farook over 3 years
In Specific
I want to have HTTP Basic authentication ONLY for a specific URL pattern.
In Detail
I'm creating an API interface for my application and that needs to be authenticated by simple HTTP basic authentication. But other web pages should not be using HTTP basic but rather a the normal form login.
Current Configuration - NOT Working
@Override protected void configure(HttpSecurity http) throws Exception { http //HTTP Security .csrf().disable() //Disable CSRF .authorizeRequests() //Authorize Request Configuration .antMatchers("/connect/**").permitAll() .antMatchers("/", "/register").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/api/**").hasRole("API") .anyRequest().authenticated() .and() //HTTP basic Authentication only for API .antMatcher("/api/**").httpBasic() .and() //Login Form configuration for all others .formLogin().loginPage("/login").permitAll() .and() //Logout Form configuration .logout().permitAll(); }
-
89n3ur0n over 8 yearsHow can I remove that basic http auth popup. I have tried everything but unable to do so.
-
Faraj Farook over 8 yearsdon't use httpBasic, use formLogin.
-
89n3ur0n over 8 yearstried that with no success, I disabled it by httpBasic().disable() and used formLogin(), but does not seem to be fixed.
-
Faraj Farook over 8 yearsPost your code in a separate question and put the link. don't forget to put your config source code to it.
-
IllSc over 8 yearsWhy do you use @Order annotation?
-
BitExodus almost 8 yearsIf you don't use "Order" you will get an error like the following one: Order on WebSecurityConfigurers must be unique
-
Jireugi over 7 yearsThe
Order
annotation defines the order in which theWebSecurityConfigurerAdapter
classes get processed. -
Admin over 7 years@FarajFarook tell me please: Is it possible to use your approach to login to rest api by POST, returning 201 on successful and generating session ID ? Help me please, I am fightening with this a long time
-
Kanagavelu Sugumar over 6 yearsCould you please elaborate the mistakes and correction that made your expectation ..?