Home > Mobile >  Spring Boot security application is not reading in memory authentication
Spring Boot security application is not reading in memory authentication

Time:09-30

I am new to spring boot. I am trying to implement a simple spring boot security in-memory authentication with hardcoded username and password in Spring Tool Suite(STS). But even after configuring inMemoryAuthentication, spring is still generating the security password and not taking the hardcoded values.

Below is the controller I used:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    @GetMapping("/")
    public String home() {
        return("<h1>Welcome</h1>");
    }
    
    @GetMapping("/user")
    public String user() {
        return("<h1>Welcome user</h1>");
    }
}

And the Web security configuration code:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class AppSecureConfig extends WebSecurityConfigurerAdapter {
    
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("pass");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
         http.authorizeRequests()
         .antMatchers("/user").hasRole("USER")
         .antMatchers("/").permitAll()
         .and().formLogin()
         .and().logout().permitAll();
    }

    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
    
}

I gave all the required dependencies in pom.xml.

when I try to run the application, spring is still generating security password.

2021-09-29 11:35:06.416  INFO 22496 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: 34abfe4e-05a5-4b2c-a768-77cae5e982ee

2021-09-29 11:35:06.540  INFO 22496 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4fba8eec, org.springframework.security.web.context.SecurityContextPersistenceFilter@2b44d6d0, org.springframework.security.web.header.HeaderWriterFilter@39b626e5, org.springframework.security.web.csrf.CsrfFilter@5fdfe8cf, org.springframework.security.web.authentication.logout.LogoutFilter@747835f5, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@31acfd4e, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@21e45a6f, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@52bd9a27, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1d15c0a1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@196624bf, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5934153e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@611e5819, org.springframework.security.web.session.SessionManagementFilter@2e71240b, org.springframework.security.web.access.ExceptionTranslationFilter@69a024a0, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@49cd946c]

I am using Spring tool suite(STS) to run this project. Can some one point out what am I doing wrong here?

CodePudding user response:

Do not exclude the entire SecurityAutoConfiguration, instead if you want you should just exclude the org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration.

Alternatively, you can expose a UserDetailsService bean that will do the same for you, and you can get rid of the configureGlobal method, like so:

@Bean
public UserDetailsService userDetailsService() {
    UserDetails user = User.builder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
    return new InMemoryUserDetailsManager(user);
}

CodePudding user response:

Add this to your application.properties

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration

And your class will look like this:

  1. Add @Configuration to the class (as suggested by M. Deinum)
  2. Specify the role for the user, otherwise you will get java.lang.IllegalArgumentException: Cannot pass a null GrantedAuthority collection
@Configuration
@EnableWebSecurity
public class AppSecureConfig extends WebSecurityConfigurerAdapter {
    
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}" "pass").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
         http.authorizeRequests()
         .antMatchers("/user").hasRole("USER")
         .antMatchers("/").permitAll()
         .and().formLogin()
         .and().logout().permitAll();
    }

}

Page link:https//www.codepudding.com/Mobile/133148.html

Prev:Spring Security: explicit credentials doesnt log me in, says bad credentials
Next:Spring WebFlux - How to print response as String instead of object using WebClient
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding