Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Spring Security With Spring Boot 2.0: Securing Your Endpoints

DZone's Guide to

Spring Security With Spring Boot 2.0: Securing Your Endpoints

Let's take a look at how to separate your secured endpoints from public endpoints using Spring Security and Spring Boot 2.0!

· Java Zone ·
Free Resource

Java-based (JDBC) data connectivity to SaaS, NoSQL, and Big Data. Download Now.

Up until now, in our previous posts, we had our endpoints and controllers secured using the default Spring Security configuration. When Spring Security is on the classpath, the auto-configuration secures all endpoints by default.

However, when it comes to complex applications, we need different security policies per endpoints. We also need to configure which endpoints should be secured, what type of users should be able to access the endpoints, and which endpoints should be public.

A great example would be an endpoint that displays a welcome message to the user.:

package com.gkatzioura.security.securityendpoints.controller;

import java.util.ArrayList;
import java.util.List;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class IndexController {

    @GetMapping(path = "welcome")
    public String getMessage() {

        return "Welcome to the application";
    }
}

Since your application is already secured, you need to provide public access to that endpoint. In order to do so, Spring provides us with the HttpSecurity class. By extending the WebSecurityConfigurerAdapter, we can configure the endpoints that should be secured and the endpoint that should be public.

So, let's create the WebSecurityConfigurerAdapter configuration:

package com.gkatzioura.security.securityendpoints.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/welcome").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .permitAll()
            .and()
            .logout()
            .permitAll();
    }
}

Now, let's take it to different parts by calling the authorizeRequests function. We get an HTTP configurer and it's possible to add the endpoints that we want public or secure.

By calling the function antMatchers, we can pass an array of ant patterns. The function applied would create a rule for each endpoint specified in the  antMatchers.
The next function is the anyRequest function. The authenticated rule will be applied to any request received.

Last but not least — Spring comes with the default login form and the default logout endpoint. In order to make it feasible to login and logout, we must allow access to these endpoints.

So, the end result should have the welcome endpoint as publicly accessible, a preconfigured form for login, and the log out endpoint.

Connect any Java based application to your SaaS data.  Over 100+ Java-based data source connectors.

Topics:
spring security ,spring boot 2.0 ,java ,security ,endpoints

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}