Spring Security Configure Users using inMemoryAuthentication





Hey guys, in this post we will discuss configuring multiple users using inMemoryAuthentication in Spring Security. This is a continuation of the previous post; please read the previous post for a better understanding.

So far in our Spring Security discussion, we configured a single user inside the property file, but what if I want to configure multiple users? That’s exactly what we are going to learn in this post.

Complete example


Let’s create a Spring Boot project step by step and add Spring Security to the application.

Create spring boot project


There are many different ways to create a Spring Boot application; you can follow the articles below to create one:

>> Create spring boot application using Spring initializer
>> Create spring boot application in Spring tool suite [STS]
>> Create spring boot application in IntelliJ IDEA

Add maven dependencies


Open pom.xml and add the following dependencies –

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.4.5</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>in.bushansirgur</groupId>
	<artifactId>springsecurityproject</artifactId>
	<version>v1</version>
	<name>springsecurityproject</name>
	<description>Spring security project</description>
	<properties>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

The spring-boot-starter-web dependency is for building web applications using Spring MVC; it uses Tomcat as the default embedded container. The spring-boot-starter-security dependency adds Spring Security to the application.

Create a Rest controller


Create HomeController.java inside the in.bushansirgur.springboot.controller package and add the following content

package in.bushansirgur.springboot.controller;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {
	
	@RequestMapping("/home")
	public String showHomePage () {
		return "displaying the home page contents";
	}
	
	@RequestMapping("/protected")
	public String protectedPage () {
		return "displaying the protected page contents";
	}
}

We have created two handler methods: showHomePage(), which is mapped to /home and can be accessed by anyone, and protectedPage(), which is mapped to /protected and can be accessed only by authorized users.



Create a configuration class


Let’s customize the spring security to deny all the URIs. Create ProjectSecurityConfig.java inside the in.bushansirgur.springboot.config package and add the following content.

package in.bushansirgur.springboot.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

@Configuration
public class ProjectSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser("admin").password("admin").authorities("admin")
		.and()
		.withUser("user").password("12345").authorities("read")
		.and()
		.passwordEncoder(NoOpPasswordEncoder.getInstance());
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
		.antMatchers("/home").permitAll()
		.antMatchers("/protected").authenticated()
		.and()
		.formLogin()
		.and()
		.httpBasic();
	}
}

Whenever we want to configure users in Spring Security, we override the configure(AuthenticationManagerBuilder auth) method from the WebSecurityConfigurerAdapter class.

This method takes an AuthenticationManagerBuilder as its argument, and we use it to configure the users. inMemoryAuthentication() helps us to configure users inside the Spring container. We call the withUser(), password() and authorities() methods to configure the username, password and roles. To configure multiple users, we call the and() method and then call the same methods again for the next user.

Whenever we configure users, Spring Security also expects a password encoder to be configured. We call passwordEncoder() with NoOpPasswordEncoder so that no password encoding is done inside the application.

Note that this is not recommended for production-ready applications. We should always encode the passwords inside the application.

Run the app


Run the application using the below maven command –

mvn spring-boot:run

Open the browser and enter the following URL –
http://localhost:8080/home
http://localhost:8080/protected

Enter the username and password which we configured inside our application. Spring security will authenticate and allow the user to see the contents.

That’s it for this post. If you like this post, share it with your friends and colleagues, or share it on your social media platform. Thanks, I will see you in our next post.



Bushan Sirgur

Hey guys, I am Bushan Sirgur from Banglore, India. Currently, I am working as an Associate project in an IT company.
