Spring Boot ServletInitializer and Spring Security

I have 2 configuration files. One is the Spring Boot application

@SpringBootApplication
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        ApplicationContext ctx = SpringApplication.run(Application.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }
    ...
}

And the other is the Spring Security config. It appears it isn’t working. Whenever I access localhost:8080 it asks for my username and password, which I believe I configured in the auth.inMemoryAuthentication().withUser("user").password("password").roles("USER")

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }
}

But it displays invalid credentials. Is there any way to validate this?

EDIT: I am trying to convert this XML configuration to a JavaConfig-based one, but still to no avail.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context.xsd">

    <context:component-scan base-package="org.app.genesis.client.auth"/>

    <http pattern="/resources/**" security="none"/>
    <http pattern="/index.jsp" security="none"/>

    <http>
        <intercept-url pattern="/api/*" requires-channel="https"/>
        <!--TODO Add RESOURCE PATTERN checker -->
        <form-login login-page="/index.jsp" default-target-url="/dashboard"/>
        <logout />
    </http>

    <!-- Test Login values -->
    <authentication-manager>
        <!--use inMemoryUserDetailsService for faux auth -->
        <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
</beans:beans>

And here’s my new SecurityConfig:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    @Autowired
    private TenantDetailsService tenantUserDetailsService;

    @Autowired
    private PasswordEncryptionService passwordEncoder;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(tenantUserDetailsService).passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.formLogin().loginPage("/index.jsp").defaultSuccessUrl("/dashboard");
    }
}

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context.xsd">

    <context:component-scan base-package="org.brightworks.genesis.client.auth"/>

    <http pattern="/resources/**" security="none"/>
    <http pattern="/index.jsp" security="none"/>

    <http>
        <intercept-url pattern="/api/*" requires-channel="https"/>
        <!--TODO Add RESOURCE PATTERN checker -->
        <form-login login-page="/index.jsp" default-target-url="/dashboard"/>
        <logout />
    </http>

    <!-- Test Login values -->
    <authentication-manager>
        <!--use inMemoryUserDetailsService for faux auth -->
        <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
</beans:beans>

Answer

If you want to use your own version of authentication, start by disabling Spring Boot's Spring Security configuration. Add this to your application.properties:

security.basic.enabled=false

And change your HTTP configuration to this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/**")
            .hasAnyRole("ROLE1","ROLE2")
            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/product/search", true)
            .permitAll()
            .and()
            .csrf()
            .disable()
            .logout()
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login");
    }

Match the said configuration with this login form:

<form class="form-signin" name="f" action="${pageContext.request.contextPath}/j_spring_security_check" method="POST">
    <fieldset>
            <input class="form-control form-group" type="text" name="username" placeholder="Username">
            <input class="form-control" type="password" name="password" placeholder="Password" >
            <a class="forgot pull-right" href="#">Forgot password?</a>
            <button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
    </fieldset>
</form>

Assuming the login page is at “/login”, the URL the form sends the POST request to is j_spring_security_check. Hence, the loginProcessingUrl is set to

j_spring_security_check
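
For comparison, a JavaConfig rendering of the security-config.xml from the question, with CSRF protection left on. This is an added example, not code from the question or the answer: the class name is hypothetical, the customAuthenticationProvider bean is assumed to be picked up by component scanning, and the anyRequest().authenticated() rule is an addition that the XML does not contain.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class XmlEquivalentSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    // Bean name taken from <authentication-provider ref="customAuthenticationProvider"/>;
    // assumed to be registered by the component scan.
    @Autowired
    @Qualifier("customAuthenticationProvider")
    private AuthenticationProvider customAuthenticationProvider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(customAuthenticationProvider);
    }

    @Override
    public void configure(WebSecurity web) {
        // <http pattern="/resources/**" security="none"/>
        // /index.jsp is NOT ignored here: an ignored path skips every security
        // filter, so the login page would never receive a CSRF token.
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                .antMatchers("/api/*").requiresSecure()  // requires-channel="https"
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()            // added; absent from the XML
                .and()
            .formLogin()
                .loginPage("/index.jsp")
                .loginProcessingUrl("/j_spring_security_check")
                .defaultSuccessUrl("/dashboard")
                .permitAll()                             // login page stays reachable
                .and()
            .logout();                                   // <logout />
    }
}
```

With CSRF enabled, the login form must also post the token, for example as a hidden input named `${_csrf.parameterName}` with value `${_csrf.token}`.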
