Develop Reference

Where did sessionManagement go in webflux

In spring web I can use sessionManagement as show below. However in webflux im not able to find any information on how to do this type of session management.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEWER)
}
My question is how do I do the following setup in webflux???

disable basic auth on static content using spring security

I have an angular app being served as a static content from a spring boot app. The angular app is inside target/classes/static/index.html of spring boot app. I also have a rest api served from spring boot and it needs to have basic auth enabled. I have configured my security config as below
#Configuration
#EnableWebSecurity
public class SecrityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private AuthenticationEntryPoint authEntryPoint;
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("john123").password("password").roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
}}
The basic auth is working as expected for the rest endpoint. But when I try to load the angular app from localhost:8080/springbootappname/ it's prompting credentials. When I give the credentials that I have configured, the angular app is being loaded.
So, I need help disabling this basic auth for angular app that is being unpacked into classes/static/

You can manage it couple of way to server static contents.
You can override Security for static content.
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/target/classes/static/**");
}
You can even manage it in http security override with matching antmacher.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/target/classes/static/**").permitAll()
.anyRequest().authenticated()
.and().httpBasic()
.authenticationEntryPoint(authEntryPoint);
}
Better to manage your static content from resources.please see link
https://spring.io/blog/2013/12/19/serving-static-web-content-with-spring-boot

Spring Security with OAuth2 and anonymous access

I have my Spring REST API secured with Spring Security and OAuth2, I can successfully retrieve a token and access my APIs. My App defines the OAuth2 client itsself.
Now I want users to have anonymous access on some resources. The use case is really simple: I want my app to be usable without login - but if they are logged in, I want to have access to that principal.
Here is my WebSecurityConfigurerAdapter so far:
#Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api1").anonymous().and()
.authorizeRequests().antMatchers("/ap2**").permitAll();
}
As soon as I add a second antMatcher/anonymous, it fails to work though, and it doesn't really express my intent either - e.g. I wan't to have anonymous access on api1 GETs, but authenticated on POSTs (easy to do with #PreAuthorize).
How can I make the OAuth2 authentication optional?

I dropped my #EnableWebSecurity and used a ResourceServerConfigurerAdapter like so:
#Configuration
#EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/api1", "/api/api2").permitAll()
.and().authorizeRequests()
.anyRequest().authenticated();
}
#Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("my-resource-id");
}
}
/api/api1 may now be called with or without authentication.

Spring Security Java Configuration: How to combine requirements via logical or?

I have a webapplication based on spring boot that should be secured via http basic auth except the request is send from a specific IP address.
I am able to set-up both configurations for themselves but not combined via or.
IP Filter
private String allowedIp = "123.456.789.123/32";
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.anyRequest().hasIpAddress(allowedIp);
or
HTTP Basic Auth
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.anyRequest().authenticated().and().httpBasic().authenticationEntryPoint(cncAuthEntryPoint);
}
How can I combine these two configurations?
I am using
Spring 5.0.4,
Spring Boot 2.0.0, and
Spring Security 5.0.3.
Do you need any addtional information?

Securing a REST application in SpringBoot and accessing it from a Rest Client

I am pretty new to Springboot. I have developed a rest server but I was wondering how to perform Basic authentication from a client and how to configure the spring boot server to authenticate request. The tutorials I saw online didn't include a restful client. Would be great if you can show some code including both the client request and server authentication process with springboot rest.

On the client side since you are using Jersey Client you need to do something like the following:
Client c = Client.create();
c.addFilter(new HTTPBasicAuthFilter(user, password));
One the server side you need to enable Spring Security and set Basic Authentication for it which would look something like the following (this is the simplest possible case).
#Configuration
#EnableWebSecurity
public class RootConfig extends WebSecurityConfigurerAdapter {
#Override
protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception
{
auth.inMemoryAuthentication()
.withUser("tester").password("passwd").roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeUrls()
.anyRequest().authenticated()
.and()
.httpBasic();
}
}