如何使用邮递员将用户登录详细信息传递给Spring Boot Rest API

Question

I am creating an API using Spring Boot Rest, I want to restrict the API so only logged in users can access it. Now to test the API I am using postman, but how to pass the user details to the API?

Here is my code:

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AccessDeniedHandler accessDeniedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/", "/orders").permitAll()
        .antMatchers(HttpMethod.POST, "/order/**").hasAnyRole("ADMIN")
        .antMatchers(HttpMethod.DELETE, "/order/**").hasAnyRole("ADMIN")
        .and()
        .exceptionHandling().accessDeniedHandler(accessDeniedHandler);

    }

    // create two users, admin and user
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("ADMIN");
    }
}

Here is my access denied handler:

@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {

    private static Logger logger = LoggerFactory.getLogger(MyAccessDeniedHandler.class);

    @Override
    public void handle(HttpServletRequest httpServletRequest,
                       HttpServletResponse httpServletResponse,
                       AccessDeniedException e) throws IOException, ServletException {

        Authentication auth
                = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
            logger.info("User '" + auth.getName()
                    + "' attempted to access the protected URL: "
                    + httpServletRequest.getRequestURI());
        }
        httpServletResponse.setContentType("application/json");
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        outputStream.print("Wrong user");

    }
}

When I try to access the API with URL as order and method as DELETE using postman and passing user login details using Authorization tab with Basic Auth and passing Username as admin and password as password , I am getting Wrong user message.

How to pass the user loin details to my API using postman ?

Answer 1

Maybe form login is the default auth mechanism and you need to specify that you want to use Basic Auth.

Try this:

@Configuration
class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private AccessDeniedHandler accessDeniedHandler;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .antMatchers(HttpMethod.GET, "/", "/orders").permitAll()
      .antMatchers(HttpMethod.POST, "/order/**").hasAnyRole("ADMIN")
      .antMatchers(HttpMethod.DELETE, "/order/**").hasAnyRole("ADMIN")
      .and()
      .exceptionHandling().accessDeniedHandler(accessDeniedHandler)
    .and()  //added
    .httpBasic();  //added

  }

  // create two users, admin and user
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

    auth.inMemoryAuthentication()
      .withUser("user").password("password").roles("USER")
      .and()
      .withUser("admin").password("password").roles("ADMIN");
  }
}

Answer 2

What you need is the following dependency (You might have it already):

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Than you can create a user in your application.properties file:

security.user.name=username
security.user.password=password

If you are using Spring 2.0.0 M4 or higher use "spring.security".

Now go to Postman under "Authorization" use "Basic Auth" and fill in the credenrtials you have set in the properties file.

Hope this is what you are looking for. Good luck:)