I have a similar issue with this post that I get status 404 instead of index page by adding context path. I doubt that I did something wrong like put the #EnableWebSecurity in the WebSecurityConfig file or in the Controller.
Here is the spring-boot config
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers(
"/registration**",
"/js/**",
"/css/**",
"/img/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/bad-404")
.defaultSuccessUrl("/")
.usernameParameter("email") //needed, if custom login page
.passwordParameter("password") //needed, if custom login page
.permitAll()
.and()
.logout()
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login?logout")
.permitAll();
}
Here is the main class to run the app
public static void main(String[] args) {
System.setProperty("server.servlet.context-path", "/index");
SpringApplication.run(SmartcardApplication.class, args);
}
Here is the Controller class
#Controller
public class MainController {
#GetMapping("/login")
public String login() {
return "login";
}
#GetMapping("/")
public String home(){
return "index";
}
}
Related
#Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.authorizeRequests()
.antMatchers("/", "/favicon.ico", "/**/*.png", "/**/*.gif", "/**/*.svg", "/**/*.jpg",/**/*.html","/**/*.css", "/**/*.js")
.permitAll()
.antMatchers("/v2/api-docs", "/configuration/ui", "/configuration/security","/webjars/**")
.permitAll().antMatchers("/swagger-resources","/swagger-resources/configuration/ui","/swagger-ui.html").hasRole("SWAG").anyRequest().authenticated()
.antMatchers("/api/all/**").permitAll().antMatchers("/api/Service/**").permitAll()
.antMatchers("/api/Service/Package/**").permitAll()
.antMatchers("api/public/customer/**").hasRole("CUSTOMER1")
.antMatchers(HttpMethod.OPTIONS).permitAll().anyRequest().authenticated().and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.invalidateHttpSession(true)
.clearAuthentication(true)
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/login?logout")
.permitAll()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.addFilterBefore(authTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
auth.inMemoryAuthentication()
.withUser("user").password("{noop}password").roles("USER")
.and()
.withUser("manager").password("{noop}password").roles("MANAGER");
}
#Controller
public class HomeController {
#GetMapping("/")
public String root() {
return "index";
}
#GetMapping("/user")
public String userIndex() {
return "swagger-ui.html";
}
#GetMapping("/login")
public String login() {
return "login";
}
#GetMapping("/access-denied")
public String accessDenied() {
return "/error/access-denied";
}
}
so iam trying to authenticate /swagger-ui.html like a simple popup login using inmemory in order to access the api by certain users
when i do with this code i got the following output of the attached image
when i login there is no redirection for authentication
>
I have a simple WebSecurityConfiguration configuration class that defines how my application works on a security level.
#Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/register", "/login").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.passwordParameter("password")
.usernameParameter("emailAddress")
.successHandler(authenticationSuccessHandler())
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
.and()
.httpBasic();
}
#Bean
public SavedRequestAwareAuthenticationSuccessHandler authenticationSuccessHandler() {
return new SavedRequestAwareAuthenticationSuccessHandler();
}
}
I also have a #Controller which defined two simple endpoints
#Controller
public class HomeController {
#RequestMapping(value = "/", method = RequestMethod.GET)
public String getHome() {
return "home";
}
#RequestMapping(value = "/test", method = RequestMethod.GET)
public void testEndpoint() throws CreateException {
return "test";
}
}
When load up the application and navigate to localhost:8080/test I am redirected to the login form as expected. However when I navigate to localhost:8080/ or localhost:8080 (no forwardslash) I am shown the "home" page where I would have expected to have been redirected to localhost:8080/login.
I have tried changing the .antMatcher("/**") to .antMatcher("**") but this doesn't have the desired effect either.
The issue is that one the .formLogin() and .logout() they have been ended with a .permitAll(). This allowed the root localhost:8080 to pass through without being authenticated.
By removing them it has solved the issue.
I want to change the HTTP post login address.
Right now the default "/login" is set and works but I want to change it to "/users/login"
This is my HttpSecurity configuration.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/users/login")
.permitAll()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager()))
.addFilter(new JWTAuthorizationFilter(authenticationManager()))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
The application class is nothing special.
package com.auth0.samples.authapi;
import..
#SpringBootApplication
public class Application {
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
I would like to disable security for a specific endpoint so that I can make a call to the Controller. Unfortunately, as I perform a call, I get a 304 (I see it in Chrome's developer tools) and I am redirected to the React frontend, ignoring my controller's endpoint
#EnableWebSecurity
#Configuration
#EnableOAuth2Sso
#EnableRedisHttpSession
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/login*").permitAll()
.and().anonymous()
.disable()
.exceptionHandling()
.defaultAuthenticationEntryPointFor(new Http401AuthenticationEntryPoint(""), new AntPathRequestMatcher("/api/ **"))
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.logout()
.logoutUrl("/logout")
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.invalidateHttpSession(true)
.logoutSuccessUrl(ssoLogoutUrl)
.and()
.csrf()
.csrfTokenRepository(withHttpOnlyFalse());
}
}
#SpringBootApplication
#EnableZuulProxy
#EnableDiscoveryClient
#Import({AuthUserDetailService.class, GatewayWebSecurityConfig.class, VccLoginController.class})
public class GatewayApplication {
public static void main(String[] args) {
new SpringApplicationBuilder(GatewayApplication.class).run(args);
}
}
#Controller
public class LoginController {
#RequestMapping("/login")
public String login(Model model) {
return "login.html";
}
}
Try with something like this:
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/login/**").permitAll()
.anyRequest().authenticated();
Notice that I've allowed options request in for every endpoint (since react exploits them before POST and PUT requests) and I've changed the login path regex to /login/**.
The following code is working as expected without any issue in Spring Boot 1.5.3 but not in 2.0.0-BUILD-SNAPSHOT.
Can any one tell me how to call redirect in Spring Boot 2.0.0?
Main class:
#SpringBootApplication
public class SpringBootExampleApplication {
public static void main(String[] args) {
// TODO: Auto-generated method stub
SpringApplication.run(SpringBootExampleApplication.class, args);
}
}
Controller:
#RequestMapping(value = "/validateUser", method = RequestMethod.POST)
public String forawar(Model model) {
// Validate before authentication
return "redirect:/login";
}
WebSecurityConfigurerAdapter:
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// httpSecurity.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().csrf().disable();
httpSecurity
.authorizeRequests()
.antMatchers("/", "/index", "/validateUser").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/loginError")
.defaultSuccessUrl("/dashBoardHome")
.permitAll()
.and()
.csrf().disable()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/index")
.permitAll();
}