FACADE CODE
Lesson 2 of 28

Learn Spring Security

Install Spring Security

Let's add Spring Security to the application by adding the spring-boot-starter-security dependency to the pom.xml as shown below:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Adding a framework normally has no immediate effect until we provide the corresponding configuration. Merely adding the Spring Security dependency, however, secures every resource (including static resources) by default. Restart the application and send a GET request to the ListCourses API in Postman: instead of receiving the list of courses, we receive a 401 Unauthorized error.

401 Unauthorized error status in Postman

Now let's access the same API from the browser. Instead of getting a 401 Unauthorized error, we are redirected to a login page that we never created in the application.

302 Found redirect redirecting the browser to the login page

How do we access the APIs?

Spring Security creates an in-memory user with the username user and a randomly generated password, which is printed to the console:

Using generated security password: fdea9fea-3b53-43f8-b78b-046ca27b03af
This generated password is for development use only. Your security configuration must be updated before running your application in production.

This password changes each time we re-run the application. If we enter the credentials in the login form, we are redirected to the requested API URL, where we can see the list of courses.

Provide credentials in the Spring Security default login page
List of courses response for the entered credentials in the browser

Similarly, let's go back to Postman, choose Basic Auth in the Authorization tab and enter the same credentials; we now receive the list of courses as the API response.

List of courses response for the entered credentials in Postman

Notice that Spring Security behaves differently when the API is accessed from Postman and from the browser. This is because different AuthenticationEntryPoint implementations are used to start the authentication process.

Basic Auth is the out-of-the-box authentication mechanism enabled by Spring Security, so BasicAuthenticationEntryPoint is the default AuthenticationEntryPoint. For any unauthenticated request it responds with a 401 Unauthorized error and a WWW-Authenticate header with the value Basic realm="Realm". This header tells the client (Postman, in our case) which authentication scheme the resource expects.

If, however, the unauthenticated request carries an Accept header with any of the values text/html, application/xml or application/xhtml+xml, Spring Security uses LoginUrlAuthenticationEntryPoint instead of the default entry point. It responds with a 302 redirect that sends the browser to the default login page provided by Spring Security. Thus, when a browser is used, Basic Auth is replaced with the form-based login mechanism.
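As an added check, not part of the lesson's own code, the following MockMvc test pins the default behaviour described above so that later configuration changes cannot silently undo it. It assumes the ListCourses API is mapped to /courses, that spring-security-test is on the test classpath, and that the random generated password is replaced for the test with a fixed test-only value through the spring.security.user.password property.

```java
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

// Override the random generated password with a fixed, test-only value so the
// test does not depend on what was printed to the console.
@SpringBootTest(properties = {
        "spring.security.user.name=user",
        "spring.security.user.password=test-only-password"
})
@AutoConfigureMockMvc
class DefaultSecurityBehaviourTest {

    // Assumed mapping of the ListCourses API; adjust to the real path.
    private static final String COURSES = "/courses";

    @Autowired
    private MockMvc mvc;

    @Test
    void apiClientGets401WithBasicChallenge() throws Exception {
        // No HTML Accept header (Postman/curl): BasicAuthenticationEntryPoint answers
        mvc.perform(get(COURSES))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic realm=")));
    }

    @Test
    void browserIsRedirectedToLoginPage() throws Exception {
        // Accept: text/html (browser): LoginUrlAuthenticationEntryPoint answers
        mvc.perform(get(COURSES).accept(MediaType.TEXT_HTML))
           .andExpect(status().isFound())
           .andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test
    void validBasicCredentialsAreAccepted() throws Exception {
        mvc.perform(get(COURSES).with(httpBasic("user", "test-only-password")))
           .andExpect(status().isOk());
    }
}
```

Place the class under src/test/java; MockMvc reports the redirect as an absolute URL, which is why the expected location is http://localhost/login rather than /login.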