I am trying to use basic Spring Security with normal user and admin features. I am following this article, but I keep getting a 401 Unauthorized error. I tried with Postman as well as a curl command, but it did not help.
Below is my Spring config file.
```java
package com.ebi.uk.config;

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}password").roles("USER")
                .and()
                .withUser("admin").password("{noop}password").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                //HTTP Basic authentication
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/persons/all").hasRole("ADMIN")
                .antMatchers(HttpMethod.POST, "/persons/create").hasRole("USER")
                .antMatchers(HttpMethod.DELETE, "/persons/delete/**").hasRole("ADMIN")
                .antMatchers(HttpMethod.PUT, "/persons/update/**").hasRole("ADMIN")
                .and()
                .csrf().disable()
                .formLogin().disable();
    }
}
```
Below is my pom.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.ebi.uk</groupId>
    <artifactId>ebiProjectJava</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>
    <name>ebiProjectJava</name>
    <description>Project for EBI UK</description>
    <properties>
        <java.version>1.8</java.version>
        <testcontainers.version>1.15.1</testcontainers.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <!-- <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency> -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- spring security test -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.testcontainers</groupId>
            <artifactId>junit-jupiter</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.testcontainers</groupId>
            <artifactId>mysql</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.testcontainers</groupId>
                <artifactId>testcontainers-bom</artifactId>
                <version>${testcontainers.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
Below is my SS for when I am trying to call from Postman, and below is my exception message.
2021-02-13 14:53:27.308 DEBUG 17240 --- [nio-8080-exec-6] o.a.c.authenticator.AuthenticatorBase : Security checking request GET /persons/all
2021-02-13 14:53:27.308 DEBUG 17240 --- [nio-8080-exec-6] org.apache.catalina.realm.RealmBase : No applicable constraints defined
2021-02-13 14:53:27.309 DEBUG 17240 --- [nio-8080-exec-6] o.a.c.authenticator.AuthenticatorBase : Not subject to any constraint
2021-02-13 14:53:27.309 DEBUG 17240 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : Securing GET /persons/all
2021-02-13 14:53:27.309 DEBUG 17240 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-02-13 14:53:27.678 DEBUG 17240 --- [nio-8080-exec-6] o.s.s.a.dao.DaoAuthenticationProvider : Failed to find user 'admin'
2021-02-13 14:53:27.680 DEBUG 17240 --- [nio-8080-exec-6] o.s.s.w.a.www.BasicAuthenticationFilter : Failed to process authentication request
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:141) ~[spring-security-core-5.4.2.jar:5.4.2]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.4.2.jar:5.4.2]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-5.4.2.jar:5.4.2]
The problem here is that you did not decorate your SpringSecurityConfig.java with the annotation @Configuration, as the example does, and it is therefore ignored. In this case your app is secured with BASIC authentication, but the password is randomly generated and printed somewhere in the logs in the console. In your case, just add @Configuration to the class as I have already mentioned.
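
A regression check for the fix described above, as an added example that is not part of the original question or answer: it uses the `spring-security-test` dependency already in the pom to confirm that the rules in `SpringSecurityConfig` are the ones in force. It assumes the class now carries `@Configuration`, that the application context (including the datasource) starts in the test environment, and the test class name is hypothetical.

```java
package com.ebi.uk.config;

import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example (hypothetical test class). Assumes SpringSecurityConfig is
// annotated with @Configuration and the full context can start in tests.
@SpringBootTest
@AutoConfigureMockMvc
class SpringSecurityConfigTest {

    @Autowired
    private MockMvc mvc;

    // No credentials: HTTP Basic must answer with a 401 challenge.
    @Test
    void anonymousRequestIsChallenged() throws Exception {
        mvc.perform(get("/persons/all"))
           .andExpect(status().isUnauthorized());
    }

    // Valid in-memory user without the ADMIN role: authenticated but denied.
    @Test
    void userWithoutAdminRoleIsForbidden() throws Exception {
        mvc.perform(get("/persons/all").with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());
    }

    // The in-memory admin must get past authentication and authorization.
    // A 401 here is the symptom from the question: the config class was not
    // loaded, so the "admin" user does not exist.
    @Test
    void adminCredentialsAreAccepted() throws Exception {
        int code = mvc.perform(get("/persons/all").with(httpBasic("admin", "password")))
                      .andReturn().getResponse().getStatus();
        assertNotEquals(401, code);
        assertNotEquals(403, code);
    }
}
```

The admin test deliberately checks only that the response is neither 401 nor 403, so it does not depend on what the controller behind `/persons/all` returns.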