<Tech>Brunch


Securing Rest Web Service with In-Memory model of BasicAuth

This post deals with securing a Spring REST web service using the in-memory model of BasicAuth offered by Spring Security. The sample application built for this purpose uses Java 1.8 and Spring 5 dependencies.

An earlier post on this website, ‘Building REST Web Service with Spring 5’, covered creating a REST web service using Spring 5. In this post, I am going to build authentication on the same set of REST web services.

I prefer annotations/Java configuration, so I have used Java configuration throughout this implementation.
On top of the existing REST web service, I used in-memory credentials with Spring's default BasicAuth. I will be sharing the new changes I had to make for this implementation.

The SpringSecurityConfig class extends WebSecurityConfigurerAdapter. This is the config class used to declare all the configuration related to Spring Security.
It uses inMemoryAuthentication to define the legitimate users, their credentials and their roles.
In the configure() method I have put a check on the HTTP request, to intercept it and perform authentication on it.

REST web services under this implementation are protected even when someone issues GET requests from a browser: on hitting the resource URL in a browser, a login form is presented. When using REST clients such as SoapUI or Postman, we need to provide the credentials under ‘Basic Auth’.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // Registers two in-memory users; names, passwords and roles come from CommonConstants.
    @Autowired
    protected void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser(CommonConstants.ADMIN_USER_NAME).password(CommonConstants.ADMIN_USER_PWD)
                .roles(CommonConstants.ADMIN_ROLE);
        auth.inMemoryAuthentication().withUser(CommonConstants.USER_USER_NAME).password(CommonConstants.USER_PWD)
                .roles(CommonConstants.USER_ROLE);
    }

    // Every URL requires the ADMIN role; both HTTP Basic and the login form are accepted.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().exceptionHandling().and().authorizeRequests().antMatchers("/**")
                .hasRole(CommonConstants.ADMIN_ROLE).and().httpBasic().and().formLogin();
    }
}
```

The SpringSecurityInitializer class extends AbstractSecurityWebApplicationInitializer. Its purpose is to load the springSecurityFilterChain automatically. An empty class will do, unless you want to override some methods for additional custom configuration.

```java
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers springSecurityFilterChain with the servlet container; no body is needed.
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
```

The SpringBeanDefinitionsConfig class configures the beans for the Spring application using Java configuration only. I have defined my own implementation of PasswordEncoder because from Spring 5 onwards, having a PasswordEncoder implementation is mandatory. My PasswordEncoder, though, does nothing other than compare two plain Strings. :D

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.techbrunch.boostrap.webapplication")
public class SpringBeanDefinitionsConfig {

    // MyPasswordEncoder (defined in the repo) only compares two plain strings.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MyPasswordEncoder();
    }

}
```
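The configuration above keeps and compares passwords in plain text. As an added example that is not the post's or the repository's code, here is the same in-memory setup with Spring Security's delegating (bcrypt) encoder and a stateless Basic-auth policy; the usernames, passwords and the /api/** path are assumed sample values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Delegating encoder: hashes with bcrypt and stores "{bcrypt}<hash>", so the
    // in-memory store never holds a recoverable password.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Same two in-memory users as the post; names and passwords here are assumed sample values.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("admin").password(encoder.encode("change-me-admin")).roles("ADMIN")
                .and()
                .withUser("user").password(encoder.encode("change-me-user")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTTP session: every request must carry its own Basic credentials.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            // With no session cookie there is nothing for CSRF to ride on, so disabling it is safe.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/**").hasAnyRole("USER", "ADMIN") // assumed path
                .antMatchers("/api/**").hasRole("ADMIN")   // writes stay admin-only
                .anyRequest().authenticated()
                .and()
            .httpBasic();   // no formLogin(): a pure REST API answers 401, not an HTML form
    }
}
```

Stored values then look like `{bcrypt}$2a$10$...`, which also avoids the Spring 5 startup error "There is no PasswordEncoder mapped for the id "null"" that a raw, un-prefixed password triggers.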



You can find the complete code for this implementation of Authentication for Rest Web Service at my GitHub repo below:
https://github.com/anshulgammy/inmemauthforrestwebservice