JavaAuthenticationPart4

Using Spring Security (Web Applications)

Spring Security Configuration

SecurityConfig.java

In a Spring Security-based web application, the SecurityConfig class extends WebSecurityConfigurerAdapter to configure security settings. The @Configuration and @EnableWebSecurity annotations mark it as a security configuration class. The configure(AuthenticationManagerBuilder auth) method sets up in-memory authentication with a hardcoded user ("admin") and password ("password"). The password carries the {noop} prefix, which tells Spring Security that no password encoding is applied, so the value is stored and compared as plain text. The configure(HttpSecurity http) method secures all HTTP requests by requiring authentication for any request. It also configures a custom login page at /login and permits all users to access the login and logout pages. With this configuration, Spring Security handles the login and logout processes automatically and redirects users to the appropriate pages based on their authentication status.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory user store with one hardcoded account; {noop} means the
    // password is kept without any encoding.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("{noop}password")
            .roles("USER");
    }

    // Every request requires authentication; the custom /login page and
    // logout are accessible to all users.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll();
    }
}
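A hardened counterpart to the demo configuration above, added here as an example and not taken from the original article: the admin password is loaded as a {bcrypt} hash from a configuration property instead of a hardcoded {noop} value, and startup fails if the stored format is anything else. It assumes Spring Security 5.7 or later and uses SecurityFilterChain and UserDetailsService beans because WebSecurityConfigurerAdapter is deprecated in 5.7 and removed in 6.0. The class name HardenedSecurityConfig and the property app.admin.password-hash are hypothetical.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig {

    // Delegating encoder: selects the algorithm from the "{id}" prefix of the
    // stored value, the same mechanism that makes "{noop}" mean "no encoding".
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // app.admin.password-hash is a hypothetical property holding "{bcrypt}<hash>",
    // supplied from the environment or a secret store rather than from source code.
    @Bean
    public UserDetailsService users(@Value("${app.admin.password-hash}") String passwordHash) {
        if (!passwordHash.startsWith("{bcrypt}")) {
            // Refuse to start with "{noop}" or any other unexpected storage format.
            throw new IllegalStateException("admin password must be stored as a {bcrypt} hash");
        }
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password(passwordHash).roles("USER").build());
    }

    // Same rules as the article's configure(HttpSecurity): every request needs
    // authentication; the custom /login page and logout are open to everyone.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.permitAll());
        return http.build();
    }
}
```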

Controller for Custom Login Page

LoginController.java

The LoginController is a simple Spring MVC controller that maps the /login URL to a method that returns the view name "login". This method is annotated with @GetMapping("/login") to handle GET requests to the login page. When a user navigates to /login, this method returns the "login" view name, which corresponds to a login page view (e.g., a JSP or HTML page). This allows the application to display a custom login page when users are not authenticated, leveraging Spring Security's form-based authentication mechanism.

 

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {

    @GetMapping("/login")
    public String login() {
        return "login";
    }
}

For more details, see part 5 on the blog next week.

Sumit Malhotra

Article by Sumit Malhotra

Published 24 Dec 2023