Spring 安全和 REST API 登录

Question

I have backend in spring-boot, exposing REST API, and i have SEPARATED front end in react.

I want to use spring security to secure my back end, and i want to keep spring authentication chain. However, when i use configuration such as:

@Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
                .cors().disable()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/newUser").permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .and()          
                .formLogin().pertmitAll();
    }

This generates /login endpoint and every request that is not authorized will get redirected to login page. However spring generates this /login login page and as i said i have my own stand-alone fornt-end in REACT, so i do not want spring to generate this page, i want it to tell my client to redirect to /login . If i disable formLogin

.formLogin().disable()

then i also lose my /login POST endpoint, and springs default authentication process.

Is there a way to keep to /login POST endpoint but remove the login page and let my frond-end client to redirect.

Thanks for help!

Answer 1

I agree with Toerktumlare 100%. You really should use the default implementations that Spring Security Framework offers and if you really need to add additional configuration that cannot be passed by values, then you should extend the original Spring Security Class.

In this case, you just have to specify the endpoint where your login page is:

.formLogin()
.loginPage("/yourLoginPage.html")
.loginProcessingUrl("/doLgin")
.defaultSuccessUrl("/yourHomePahe.html", true)

Answer 2

When you use the GET method, you will get html page. As I understand you need POST API call, Post API call to get JWT access_tocken and refresh tocken

you can use "/login" as API in post call to send a username and password; in response, you will get a token or anything that you send after successful authentication.