Build RESTful APIs with Spring MVC
Configure Spring Security

By default, Spring Boot will add BASIC authentication for your application. You can set the username and password in application.yml directly.

In a real-world application, we would use a DataSource-driven configuration, which stores user information in a database.

This requires only a slight change to the security configuration: adding a custom WebSecurityConfigurerAdapter bean is enough.

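import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/**
 *
 * @author hantsy
 */
@Configuration
public class SecurityConfig {

    @Bean
    public WebSecurityConfigurerAdapter webSecurityConfigure(){
        return new WebSecurityConfigurerAdapter() {

            // Rules are checked in declaration order; the first matching rule decides.
            @Override
            protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
                http
                    .authorizeRequests()
                    .antMatchers("/api/signup", "/api/users/username-check")
                    .permitAll()
                    .and()
                        .authorizeRequests()
                        // [\\d]+ requires at least one digit, so GET /api/users/ is left to the ADMIN rule below
                        .regexMatchers(HttpMethod.GET, "^/api/users/[\\d]+(\\/)?$").authenticated()
                        .regexMatchers(HttpMethod.GET, "^/api/users(\\/)?(\\?.+)?$").hasRole("ADMIN")
                        .regexMatchers(HttpMethod.DELETE, "^/api/users/[\\d]+(\\/)?$").hasRole("ADMIN")
                        .regexMatchers(HttpMethod.POST, "^/api/users(\\/)?$").hasRole("ADMIN")
                    .and()
                        .authorizeRequests()
                        .antMatchers("/api/**").authenticated()
                    .and()
                        .authorizeRequests()
                        .anyRequest().permitAll()
                    .and()
                        // no HTTP session is created; every request must carry credentials
                        .sessionManagement()
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                        .httpBasic()
                    .and()
                        // CSRF protection is off; browsers resend cached Basic credentials,
                        // so keep this setting only for non-browser API clients
                        .csrf()
                        .disable();
            // @formatter:on
            }
        };
    }
}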
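
The rules in this configuration are evaluated in declaration order and the first match wins, so the quantifier on the id segment decides which rule a trailing-slash request to the collection hits. The stand-alone check below is an added example, not part of the original page or project; the class name RuleOrderCheck and its helpers are hypothetical, and it models only the two GET regex rules with java.util.regex, matching the whole URL.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example (hypothetical class): first-match-wins evaluation of the two GET regex rules. */
public class RuleOrderCheck {

    // Builds the two GET rules in declaration order; idQuantifier is "*" or "+".
    static Map<String, String> rules(String idQuantifier) {
        Map<String, String> rules = new LinkedHashMap<>(); // preserves insertion order
        rules.put("^/api/users/[\\d]" + idQuantifier + "(\\/)?$", "authenticated");
        rules.put("^/api/users(\\/)?(\\?.+)?$", "hasRole(ADMIN)");
        return rules;
    }

    // Returns the decision of the first rule whose regex matches the whole URL.
    // Rules after the first match are never consulted.
    static String decide(Map<String, String> rules, String url) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (Pattern.matches(rule.getKey(), url)) {
                return rule.getValue();
            }
        }
        return "no regex rule matched (falls through to later rules)";
    }

    public static void main(String[] args) {
        // Constructed sample requests: collection, collection with trailing slash,
        // single user, and collection with a query string.
        String[] urls = {"/api/users", "/api/users/", "/api/users/42", "/api/users?page=1"};
        for (String quantifier : new String[] {"*", "+"}) {
            System.out.println("id segment quantifier: " + quantifier);
            for (String url : urls) {
                System.out.println("  GET " + url + " -> " + decide(rules(quantifier), url));
            }
        }
    }
}
```

With `*` the id segment may be empty, so `GET /api/users/` is decided by the first rule (any authenticated user); with `+` it reaches the ADMIN rule, like `GET /api/users`.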

To customize security, you may need to define your own UserDetails and UserDetailsService.

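import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Table;
import org.springframework.security.core.userdetails.UserDetails;

@Entity
@Table(name = "users")
public class User implements UserDetails, Serializable {
    // fields and the UserDetails methods (getUsername, getPassword, getAuthorities, ...) are omitted here
}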

Create a JPA entity to implement the UserDetails interface.

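import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;

@Component
public class SimpleUserDetailsServiceImpl implements UserDetailsService {

    private static final Logger log = LoggerFactory.getLogger(SimpleUserDetailsServiceImpl.class);

    private final UserRepository userRepository;

    public SimpleUserDetailsServiceImpl(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Looks the user up by username; the User entity itself is returned as the UserDetails.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("username not found:" + username);
        }

        // parameterized logging: the client-supplied username is passed as an argument,
        // not concatenated into the message
        log.debug("found by username @{}", username);

        return user;

    }

}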

Last updated 5 years ago

Define a UserDetailsService bean; the newest Spring Security detects it automatically, so there is no need to wire the UserDetailsService with the AuthenticationManager in the configuration file. Check the for more details.