Adding the security properties below makes the application ask for these credentials (unsafe, as the credentials sit in a plain-text file).
From now on it will ask for the credentials before showing the Boot application.
Step 2)
Since exposing the credentials in a text file as above is vulnerable, use a Spring Security configuration class instead:
annotate it with @EnableWebSecurity and extend the WebSecurityConfigurerAdapter class, then implement a configureGlobal method holding the credential details.
Set the global credentials through AuthenticationManagerBuilder, as above, instead of placing them in the application properties file,
and create an instance of it from the main Boot class, as below.
This also makes Spring generate a login form that asks for the credentials; the user is let in only when the credentials are correct (unlike Step 1, where a browser pop-up appears).
If the above POM file changes are not recognised and the application properties change does not give the login form,
add the dependencies below and check again (if you are not using Boot, you need to define these dependencies in any case):

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
    </dependency>
3) Another way of doing this, instead of mentioning the credentials in the properties file, is to define them in code:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class LssSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // "{noop}" tells the DelegatingPasswordEncoder the stored password is plain text
            auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
        }
    }

Please observe that {noop} needs to be mentioned along with the password; otherwise this will give the exception below:

    java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:289)
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:237)
        at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$LazyPasswordEncoder.matches(AuthenticationConfiguration.java:313)
To add URL-level security, override the configure(HttpSecurity) method of WebSecurityConfigurerAdapter as below:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class LssSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Specific matchers must come before anyRequest(); the reverse order fails at
            // startup with "Can't configure antMatchers after anyRequest". The method already
            // declares "throws Exception", so no try/catch is needed (swallowing it would hide
            // a broken security configuration).
            http.authorizeRequests()
                    .antMatchers("/delete/**").hasRole("ADMIN") // matches authority ROLE_ADMIN, as given by roles("ADMIN")
                    .anyRequest().authenticated()
                .and().formLogin()
                .and().httpBasic();
        }
    }

This makes all delete operations (URLs under /delete/**) require a user with the ADMIN role.
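Putting the two points above together (the {noop} caveat and the /delete/** rule), here is an added example of a hardened variant of this configuration; it is not code from the original post. Passwords are stored hashed through the DelegatingPasswordEncoder (a {bcrypt} prefix instead of {noop}), an ADMIN user exists so the /delete/** rule can actually be satisfied, and antMatchers() precede anyRequest() as Spring Security requires. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter is deprecated in 5.7 and removed in 6); the class name, user names and passwords are made up for the example.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Example class name, not from the post.
@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // DelegatingPasswordEncoder stores hashes as "{bcrypt}$2a$10$..." and picks the
    // verifier from the "{id}" prefix. A stored value with no prefix is exactly what
    // produces 'There is no PasswordEncoder mapped for the id "null"'.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder enc = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(enc)
            // Constructed demo credentials, hashed at startup; a real deployment loads
            // pre-hashed values from a user store instead of hard-coding them.
            .withUser("user").password(enc.encode("password")).roles("USER")
            .and()
            .withUser("admin").password(enc.encode("admin-password")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Most specific rule first; anyRequest() must be last or startup fails.
                .antMatchers("/delete/**").hasRole("ADMIN")  // roles("ADMIN") grants ROLE_ADMIN
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();
    }
}
```

With this in place, "user" can log in but gets 403 on /delete/**, while "admin" is allowed through; the {noop} prefix is no longer needed anywhere.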