Hey guys, in this post we will discuss customizing Spring Security to permit and deny specific requests. This is a continuation of the previous post, so make sure to check it before proceeding.
Complete example
Let’s create a Spring Boot project step by step and add Spring Security to the application.
Create spring boot project
There are many different ways to create a Spring Boot application. You can follow the articles below to create one –
>> Create spring boot application using Spring initializer
>> Create spring boot application in Spring tool suite [STS]
>> Create spring boot application in IntelliJ IDEA
Add maven dependencies
Open pom.xml and add the following dependencies –
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.5</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>in.bushansirgur</groupId>
    <artifactId>springsecurityproject</artifactId>
    <version>v1</version>
    <name>springsecurityproject</name>
    <description>Spring security project</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
The spring-boot-starter-web dependency is for building web applications using Spring MVC. It uses Tomcat as the default embedded container.
The spring-boot-starter-security dependency helps us implement Spring Security.
Change the username and password
Spring Security also provides an option to change the default username and password with the help of the application.properties file
spring.security.user.name=b2tech
spring.security.user.password=b2tech
Inside the properties file, we add our own username and password for accessing the URIs instead of the ones provided by Spring Security. With these two properties, we have customized the username and password used by the Spring Security framework.
Once these two properties are added, Spring Security no longer prints a generated password to the console when we run the app.
Create a Rest controller
Create HomeController.java inside the in.bushansirgur.springboot.controller package and add the following content
package in.bushansirgur.springboot.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    // Public page: the security configuration permits everyone
    @RequestMapping("/home")
    public String showHomePage() {
        return "displaying the home page contents";
    }

    // Protected page: the security configuration requires authentication
    @RequestMapping("/protected")
    public String protectedPage() {
        return "displaying the protected page contents";
    }
}
We have created two handler methods: showHomePage(), which is mapped to /home and can be accessed by anyone, and protectedPage(), which is mapped to /protected and can be accessed only by authenticated users.
Create a configuration class
Let’s customize Spring Security to permit and deny specific URIs based on the requirement. Create ProjectSecurityConfig.java inside the in.bushansirgur.springboot.config package and add the following content.
package in.bushansirgur.springboot.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// The public class name must match the file name ProjectSecurityConfig.java
@Configuration
public class ProjectSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Requests that match none of the rules below are not restricted by this configuration.
        http.authorizeRequests()
                .antMatchers("/protected").authenticated() // login required
                .antMatchers("/home").permitAll()          // open to everyone
                .and()
            .formLogin()  // browser login page
                .and()
            .httpBasic(); // HTTP Basic credentials
    }
}
Whenever we want to customize Spring Security, the configuration class needs to extend WebSecurityConfigurerAdapter, which provides methods that we can override based on the requirement.
Here we are overriding the configure(HttpSecurity http) method, which takes HttpSecurity as an argument. The authenticated() method requires authentication for the specified URIs, and the permitAll() method allows requests to the specified URIs without authentication. We specify the URIs using the antMatchers() method. With this in place, we can now run our application.
Run the app
Run the application using the below maven command –
mvn spring-boot:run
Open the browser and enter the following URL –
http://localhost:8080/protected
Once the user enters the correct credentials, then the user can see the contents.
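The same checks can be automated with the spring-security-test dependency already declared in pom.xml. The test below is an added example, not part of the original post: the class name ProjectSecurityConfigTest, its package (assumed to be the package of the main application class) and the path /not-mapped are assumptions, and the credentials are the ones from application.properties above.

```java
package in.bushansirgur.springboot; // assumed: package of the @SpringBootApplication class
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

@SpringBootTest
@AutoConfigureMockMvc // MockMvc sends requests through the Spring Security filter chain
class ProjectSecurityConfigTest { // hypothetical test class name
    @Autowired
    private MockMvc mockMvc;

    @Test
    void homeIsOpenToAnonymousUsers() throws Exception {
        mockMvc.perform(get("/home"))
                .andExpect(status().isOk())
                .andExpect(content().string("displaying the home page contents"))
                .andExpect(unauthenticated());
    }

    @Test
    void protectedRejectsAnonymousUsers() throws Exception {
        // Either a 401 challenge (httpBasic) or a redirect to the login page (formLogin), never 200.
        mockMvc.perform(get("/protected"))
                .andExpect(unauthenticated())
                .andExpect(result -> assertNotEquals(200, result.getResponse().getStatus()));
    }

    @Test
    void protectedAcceptsConfiguredUser() throws Exception {
        // Credentials are the ones set in application.properties.
        mockMvc.perform(get("/protected").with(httpBasic("b2tech", "b2tech")))
                .andExpect(status().isOk())
                .andExpect(authenticated().withUsername("b2tech"));
    }

    @Test
    void pathWithoutARuleIsNotChallenged() throws Exception {
        // Constructed path with no controller and no antMatchers() rule: 404 means security let it through.
        mockMvc.perform(get("/not-mapped")).andExpect(status().isNotFound());
    }
}
```

The last test documents that URIs without a matching rule are not restricted, so a handler added later is public until a rule covers it. Ending the rule chain with .anyRequest().authenticated() or .anyRequest().denyAll() closes that gap.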
That’s it for this post, if you like this post, consider sharing this with your friends and colleagues or you can share it on any of the social media. Thank you, I will see you in the next post.