Thursday, March 30, 2023

Spring security - 0.001 :)



spring-boot-starter-security allows defining credentials in application properties.
Add the dependency below in the pom for Boot applications.


Adding the security properties below makes the application ask for these credentials (unsafe, as the credentials sit in a plain-text file).


From now on, the Boot application will ask for the credentials before showing any page.


Step 2)

Since exposing credentials in a text file as above is vulnerable, use a Spring Security config instead.

Use the @EnableWebSecurity annotation and extend the WebSecurityConfigurerAdapter class. Then implement the configureGlobal method with the credential details.


Update the global credentials through AuthenticationManagerBuilder as above, instead of placing them in the application properties file.

and create an instance of it from the main Boot class, as below



This also makes Spring generate a login form that asks for credentials; the user is allowed in only when the credentials are correct (unlike Step 1, where a browser pop-up appears).


If the POM change above is not recognised and no login form appears after the application properties change, then

add the dependencies below and check again (if not using Boot, you also need to define these dependencies):

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>


3) Another way of doing this is to implement it in code instead of mentioning the credentials in the properties file:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {
    // Registers one in-memory user; the "{noop}" prefix tells the
    // DelegatingPasswordEncoder that the password is stored as plain text.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }
}

Please observe that {noop} needs to be mentioned along with the password;
otherwise, this will give the exception below (the DelegatingPasswordEncoder needs an id prefix to pick an encoder):
java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
	at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:289)
	at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:237)
	at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$LazyPasswordEncoder.matches(AuthenticationConfiguration.java:313)


And to apply URL-level authorization, override the configure(HttpSecurity) method of WebSecurityConfigurerAdapter as below:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Specific matchers must be declared before anyRequest(); the reverse order
        // fails at startup with "Can't configure antMatchers after anyRequest".
        // hasRole("ADMIN") matches the "ROLE_ADMIN" authority that roles("ADMIN")
        // assigns; hasAnyAuthority("ADMIN") would never match a role-based user.
        // No try/catch: the method already declares "throws Exception", and
        // swallowing a configuration error would let the app start unprotected.
        http.authorizeRequests()
                .antMatchers("/delete/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and().formLogin()
            .and().httpBasic();
    }
}

This requires the ADMIN role for all delete operations (every URL under /delete/**), while every other URL only needs an authenticated user.
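As an added example (not the post's own code), the same config with a BCrypt PasswordEncoder, so the in-memory passwords are stored as hashes instead of plain text behind {noop}, plus an ADMIN user so that /delete/** is actually reachable by someone. The user names and passwords are constructed sample values.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {

    // One encoder bean; Spring Security uses it to match submitted passwords
    // against the stored hashes, so no "{noop}" prefix is needed anywhere.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Constructed sample users; only the BCrypt hash of each password is kept.
            .withUser("user").password(encoder.encode("password")).roles("USER")
            .and()
            .withUser("admin").password(encoder.encode("admin-pass")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Specific matchers first: only ROLE_ADMIN may reach /delete/**.
                .antMatchers("/delete/**").hasRole("ADMIN")
                // Everything else just needs a logged-in user.
                .anyRequest().authenticated()
            .and().formLogin()
            .and().httpBasic();
    }
}
```

With this in place, logging in as "user" and requesting a /delete/** URL yields 403, while "admin" is allowed through.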
