Implement basic authentication for a web application using Spring Security.
- [Instructor] Before we get started with implementing basic authentication for our application, we need to discuss the application itself real quick. Now, this project is based on a mythical Landon Hotel system. There is a simple web application that focuses on the guest lookup and editing for the hotel. That web application is backed with a web-services application that is based on a Microservices architecture pattern. Now, once you go ahead and open up your IDE, make sure that you've checked out the exercise files for this chapter.
I want you to take a moment and look at your actual applications themselves. First we're gonna open up the Guest Services application. And in Source Main Java, in the package com frank moley security services, there is an application called Guest Services Application. And on line nine, I want you to notice that there's a main method. Now this is how we would actually start our application if you don't have access to advanced features, such as the run dashboard that I have in IntelliJ Ultimate Edition.
So I'm gonna use that run dashboard to start my applications, but if you don't, just create a run configuration that executes this main method for the Guest Services application. And there's a similar method in the web application itself. So, I'm gonna go ahead and jump over here to my run dashboard, and I'm gonna start up the services application first. And once the services application gets started, I'm gonna jump over here to the guest application and start it up. You'll notice as this is happening that I'm getting 8100 for the Guest Services application, and that's the port that it's listening on.
And 8080 is our web application. So let's open up a Chrome browser and let's navigate to localhost:8080. And you'll see that our web application itself loads. So now it's gonna be time to actually implement security, because right now, if I go and click view guests, I have unrestricted access to our guests. And that's not a safe thing when dealing with PII data. So let's jump back into our web application.
And I'm gonna reduce my dashboard here so we can see a little bit more code. And we're gonna open up the guest app project. And specifically we're gonna open up the pom file. Now, to our pom file, right before our test dependency, let's go ahead and create a new dependency. Now, since we're using spring boot, we're gonna continue that pattern. And we're gonna use the spring boot starter security. And spring boot starter security comes from the group ID org dot springframework dot boot.
And because of version management, we actually don't need a version. So we'll let Maven do its thing and import the application. If you don't have your IDE set up to do the auto import, now would be a good time to go ahead and do that operation. So once Maven is done, I'm actually gonna go back to my run dashboard. So we're gonna go ahead and restart our application. Now you may notice here that I've got dev tools listed on the web application itself. And, indeed, I could leverage dev tools if I was making a change to a class within my application.
But because I am actually adding to the class loader, I need to go ahead and restart my application. So now that this is up, let's jump back to Chrome, and let's go ahead and refresh our page. And you'll see that immediately I now have forms-based authentication, and I haven't done anything. And that's because the default behavior for spring security, once it's added to your project, is to enable forms-based authentication for the entire application. Now you may notice, well there's a user name and a password, where does that come from? The user name, by default, is user.
And the password, if we go back to the console for our application, you will see that I have this user-generated security password. And there's a nice UUID listed here. Now you may have to look a little bit in your console output, depending on the level of debugging you have. If I copy that UUID, and go back into my application and paste that as the password, I can now log in to the application. And that's just the default behavior. But we're implementing http basic, so we don't wanna use that.
So I'm gonna go ahead and actually close Chrome. Now back in my IDE, we're gonna go implement our security model. So let's navigate to source main java in the package com frank moley security app. And we're gonna create a new file. And that new file is going to be a class. And we are going to name it Application Security Configuration. All right, so now that my class is up, we're gonna actually extend the web security configure adapter.
And we need to annotate our class. We're gonna annotate it with @Configuration because this is a Java configuration. And we also need to enable web security, because we are in a web application model. Now, I'm gonna pop up a window here to allow me to generate an override method. And the method that we want to override is the configure method that takes an http security object. So go ahead and let IntelliJ generate that.
And we are going to replace the super with a call to the http builder. And to that builder, the first thing we're gonna do is CSRF dot disable to prevent that exploit. And now we're gonna type in authorize request. So, this is where we're actually gonna go in and configure how spring security is going to work. Now we're gonna use an ant matcher, and that ant matcher is gonna allow us to actually specify the urls that we want to allow.
Later on, this is where we will mess with authorization as well, but for now, authenticated is good. And now we're gonna give it a separate And command to let it know that I wanna use http basic. And that's all there is to it. I can now restart my application. And while that's restarting, I'm gonna go ahead and open up Chrome. And from Chrome, I'm gonna navigate, once again, to localhost:8080. Now you will see I have full access to this page, because I told http basic to allow this page to any request.
But if I click on view guests, you will see that I get the http basic authentication window that is default for my web browser. Now much like before, we're gonna go ahead and type in a user. But because we don't have a password, we need to go back to our console and find that UUID that was generated. Copy that into our buffer and drop that in. So you will see I've got access to the full web application because I've authenticated to it.
And that's all there is for http basic authentication in a spring application.
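The configuration class the instructor builds, written out as an added example (not the course's exercise files); it assumes Spring Boot 2.x with Spring Security 5, where WebSecurityConfigurerAdapter still exists, and assumes "/" as the URL pattern left open to everyone, since the transcript does not spell out the pattern.

```java
package com.frankmoley.security.app; // package named in the transcript

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Needs spring-boot-starter-security (groupId org.springframework.boot) in the pom;
// no version element, because the Spring Boot parent manages it.
// Until a user store is configured, the default user is "user" and the password
// is the generated UUID printed in the console at startup.
@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The transcript switches CSRF protection off. Spring Security enables it
            // by default, and for a browser-facing app that serves HTML forms the
            // default is the safer choice; leave this line out unless the app is a
            // stateless API that no browser session will post to.
            .csrf().disable()
            .authorizeRequests()
                // Assumed pattern: the landing page stays open to any request.
                .antMatchers("/").permitAll()
                // Everything else, including the guest lookup pages that expose PII,
                // requires an authenticated user. Role-based authorization comes later.
                .anyRequest().authenticated()
            .and()
            // Replace the default form login with HTTP Basic, so the browser
            // prompts with its own credentials dialog instead of the login page.
            .httpBasic();
    }
}
```

HTTP Basic sends the credentials base64-encoded on every request, so this setup is only as safe as the transport: serve it over HTTPS.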