Hello world spring-boot project (Part 3)
We have our Spring Boot JPA REST project prepared in Part 2. However, we should not let just anyone call the REST API. Let's secure our web service.
In our build.gradle file, add a single line of config:
compile("org.springframework.boot:spring-boot-starter-security")
After adding spring-boot-starter-security, re-run the application. The startup console will contain a line like:
Using default security password: b0bd95d0-7c62-4718-af46-380b9d05b1b7
This is a password that Spring Boot generated for its default user, whose username is user.
If we try to call the people API defined in Part 2 without authentication, we get HTTP 401 Unauthorized. As you can see, Spring Boot now requires authentication for every request by default (only a few static-resource paths are exempted).
So, we need to configure Postman to send HTTP Basic Authentication to get our result. In Postman:
Go to Authorization, select Basic Auth, and enter Username: user, Password: <the generated password>. Keep in mind that Basic auth only base64-encodes the credentials and resends them on every request, so outside local development it must only be used over HTTPS.
However, you probably do not want to use the generated password and would rather define your own set of users. Let's create our own.
After surfing through many blog posts, this is the simplest sample I found for reference:
https://github.com/spring-projects/spring-data-examples/tree/master/rest/security
We create a configuration class that holds our own security settings.
package hello;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize / @PostAuthorize
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Two in-memory users. roles("USER") stores the authority as ROLE_USER.
    // Plain-text passwords like this only work with Spring Security 4.x (Spring Boot 1.x);
    // from Spring Security 5 onward a PasswordEncoder is mandatory.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    // Overriding this method replaces Spring Boot's default HttpSecurity rules entirely.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().csrf().disable();
    }
}
To keep it short, we define two users:
1. admin:password with the roles USER and ADMIN
2. user:password with the role USER
roles("USER") stores the authority as ROLE_USER, which is why the expressions below say hasRole('ROLE_USER'). Note that this plain-text password setup only works with Spring Security 4.x, the line Spring Boot 1.x ships; from Spring Security 5 onward every in-memory user needs a PasswordEncoder.
Besides, we enable the @PreAuthorize annotation for our repository interface using @EnableGlobalMethodSecurity(prePostEnabled = true).
We also tell Spring Security to always use httpBasic() and we disable CSRF protection. If you do not know what CSRF is, disabling it is acceptable for now while we develop against Postman, but be aware of two things. First, browsers cache Basic credentials and resend them automatically, so a browser-facing application still needs CSRF protection; only a stateless API called by non-browser clients can safely run without it. Second, overriding configure(HttpSecurity) replaces Spring Boot's default rule that every request must be authenticated, so after this change the web layer alone no longer rejects anonymous requests; only the @PreAuthorize annotations we add next do.
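A stricter variant of the configuration above, added here as an example (it is not the code of the original post or of the linked Spring Data sample): it restores the anyRequest().authenticated() rule that overriding configure(HttpSecurity) dropped, stores the demo passwords BCrypt-hashed so the class also works on Spring Security 5, and makes the session stateless so that disabling CSRF is justified. User names, passwords and roles are the same demo values as above; the package name hello is assumed from the snippet.

```java
package hello;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not the original post's code: hardened version of SecurityConfiguration.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Passwords are stored and compared as BCrypt hashes; required by Spring Security 5,
    // harmless (and still a good idea) on Spring Security 4.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Same demo credentials as the post; hash them instead of storing plain text.
            .withUser("user").password(encoder.encode("password")).roles("USER").and()
            .withUser("admin").password(encoder.encode("password")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restore the rule Spring Boot applied before we overrode this method:
            // nothing is reachable without credentials, regardless of @PreAuthorize.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            // No HTTP session is created, so there is no session state a CSRF attack
            // could ride on; clients must send Basic credentials on every call.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Safe only because the API is stateless and called by non-browser clients.
            .csrf().disable();
    }
}
```

With this version an anonymous request is rejected at the filter chain with 401 before it ever reaches a repository, and the method-level rules below become a second layer rather than the only one.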
Next, we add method-level permissions to the PersonRepository defined in Part 2.
package hello;

import java.util.List;

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource(collectionResourceRel = "people", path = "people")
@PreAuthorize("hasRole('ROLE_USER')") // default for every method: any USER may call it
public interface PersonRepository extends PagingAndSortingRepository<Person, Long> {

    List<Person> findByLastName(@Param("name") String name);

    // A method-level rule overrides the interface-level one: only ADMIN may write.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @Override
    Person save(Person p);

    // Spring Data 1.x signature; on Spring Data 2.x the equivalent method is deleteById(Long id).
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @Override
    void delete(Long aLong);
}
The interface-level annotation makes every method of PersonRepository require the role USER. The method-level annotations on save and delete override it, so only the role ADMIN can create, update or delete records in our database. Note that only the two overloads Spring Data REST actually calls are locked down: the other write methods inherited from CrudRepository, such as delete(Person) and deleteAll(), still fall back to the interface-level USER rule, so annotate those as well if anything other than the REST layer calls the repository.
Try verifying this in Postman! Have fun!
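The same verification as an automated test, added here as an example that is not part of the original post. It assumes Spring Boot 1.4 or later (for @SpringBootTest and @AutoConfigureMockMvc), spring-security-test on the test classpath (testCompile("org.springframework.security:spring-security-test") in build.gradle), and that the Person entity from Part 2 has firstName and lastName fields; the JSON body is constructed for the test.

```java
package hello;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not the post's code: exercises the people endpoint with each identity.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc // MockMvc is pre-wired with the Spring Security filter chain
public class PeopleAuthorizationTests {

    // Constructed request body; assumes Person has firstName and lastName (Part 2).
    private static final String FRODO = "{\"firstName\":\"Frodo\",\"lastName\":\"Baggins\"}";

    @Autowired
    private MockMvc mvc;

    // No credentials at all: the Basic entry point challenges with 401.
    @Test
    public void anonymousIsChallenged() throws Exception {
        mvc.perform(get("/people"))
           .andExpect(status().isUnauthorized());
    }

    // Wrong password: also 401, i.e. an authentication failure, not an authorization one.
    @Test
    public void wrongPasswordIsRejected() throws Exception {
        mvc.perform(get("/people").with(httpBasic("admin", "wrong")))
           .andExpect(status().isUnauthorized());
    }

    // ROLE_USER satisfies the interface-level rule, so reading works.
    @Test
    public void userCanRead() throws Exception {
        mvc.perform(get("/people").with(httpBasic("user", "password")))
           .andExpect(status().isOk());
    }

    // POST /people calls save(), which demands ROLE_ADMIN: authenticated but denied, 403.
    @Test
    public void userCannotCreate() throws Exception {
        mvc.perform(post("/people")
                .contentType(MediaType.APPLICATION_JSON)
                .content(FRODO)
                .with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());
    }

    // ROLE_ADMIN passes the method-level rule; Spring Data REST answers 201 Created.
    @Test
    public void adminCanCreate() throws Exception {
        mvc.perform(post("/people")
                .contentType(MediaType.APPLICATION_JSON)
                .content(FRODO)
                .with(httpBasic("admin", "password")))
           .andExpect(status().isCreated());
    }
}
```

The 401 versus 403 distinction is the useful signal here: 401 means the request never established an identity (missing or bad credentials), 403 means the identity was accepted but the @PreAuthorize rule denied it. If you later re-enable CSRF protection, the POST cases will also return 403 for a different reason (missing token), so add .with(csrf()) from the same SecurityMockMvcRequestPostProcessors class to those requests.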