Auto-Generating Spring Security: Accessing the In-memory Database
Here's a nice Spring Security + Spring Boot tutorial on using the in-memory H2 database to configure Spring Security, with source code examples.
I came across a blog post from the Spring Framework Guru that uses the H2 database console, and I thought it would be useful to combine the console with my own Spring Security tutorials.
- Can Spring Security be auto-generated?
- Auto-generating Spring Security Tutorial – Memory Realms
- Auto-generating Spring Security Tutorial – Default JDBC Realms
- Auto-generating Spring Security Tutorial – Custom JDBC Realms
I’ve updated the parkrunpb project on GitHub to replace hsqldb with h2database. I've also introduced a new class — WebConfiguration.java — which registers the H2 database servlet.
First, let's start the application:
mvn spring-boot:run
Access the Console
You can access the console at http://localhost:8080/console.
You then make sure the JDBC URL is:
jdbc:h2:mem:testdb
And log in:
The layout shows the tables we loaded in schema.sql on the right (CUSTOM_AUTHORITIES, CUSTOM_USERS, and PARKRUNCOURSE).
Combine it With Spring Security
The next step is to combine it with Spring Security, so I’ll use the configuration from the previous tutorial, Auto-generating Spring Security Tutorial – Custom JDBC Realms.
We start with our class:
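import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // Authenticate against the custom user and authority tables over JDBC.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery(
                "select username, password, enabled from custom_users where username = ?")
            .authoritiesByUsernameQuery(
                "select username, authority from custom_authorities where username = ?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/webjars/**", "/about.html", "/rest/**").permitAll()
                .antMatchers("/admin/**").hasAnyRole("CUSTOM_ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/admin/admin.html")
                .failureUrl("/login")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/")
                .permitAll();
    }
}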
We then add to the configure method:
http.authorizeRequests().antMatchers("/").permitAll().and()
.authorizeRequests().antMatchers("/console/**").permitAll();
http.csrf().disable();
http.headers().frameOptions().disable();
The method then becomes:
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Matchers are evaluated in the order they are declared, so the "/" and
    // "/console/**" rules must be registered before anyRequest() below.
    http.authorizeRequests().antMatchers("/").permitAll().and()
        .authorizeRequests().antMatchers("/console/**").permitAll();
    http
        .authorizeRequests()
            .antMatchers("/webjars/**", "/about.html", "/rest/**").permitAll()
            .antMatchers("/admin/**").hasAnyRole("CUSTOM_ADMIN")
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .defaultSuccessUrl("/admin/admin.html")
            .failureUrl("/login")
            .permitAll()
            .and()
        .logout()
            .logoutSuccessUrl("/")
            .permitAll();
    // The H2 console posts without a CSRF token and renders in frames.
    http.csrf().disable();
    http.headers().frameOptions().disable();
}
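This means the normal security from the original tutorial is still applied to the application, with a special rule that permits the console. Note that csrf().disable() and frameOptions().disable() are not limited to the console: they switch off CSRF protection and the X-Frame-Options header for every URL the application serves.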
You can then test the application as before with the username/password customadmin/customadmin. You could also insert or update courses.
Published at DZone with permission of Martin Farrell, DZone MVB. See the original article here.