stackoom
  简体   繁体   中英

angular 2 login with spring security

 原文  2017-03-29 13:23:51       rest/ angular/ spring-mvc/ spring-security/ restful-authentication

Question

im trying to integrate spring security with a custom angular 2 login, that is a specific endpoint of my app is protected with spring security, trying to access it will redirect to /login that is handled in angular 2. as things stands now i have no clue as to how to perform the login and grant access to the backend API once logged.

i am configuring spring security as follows:

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .cors().and()
        .authorizeRequests()
        .antMatchers("/api/someEndpoint/**")
        .hasRole(ADMIN_ROLE).and().formLogin()
        .loginPage("/login").and().logout();
}


@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
}

as I had the default login everything worked fine, but I have found myself unable to create a working angular 2 login integration. I tried the following code in angular 2 to no avail:

login(loginDetails:Object) {
    console.log(loginDetails)
    const headers = new Headers({ 'Content-Type': 'application/json' });
const options = new RequestOptions({ headers: headers });
const body = JSON.stringify(loginDetails);
    console.log(headers);
    console.log(body);
return this.http.post(this.loginUrl, body, options) 
}

as far as I know spring security defaults for username and password variable names are "username" and "password", which i am sure are being passed in the request body so when passing some invalid user data like {"username":"admin", "password": "pass"} I should be redirected to /login?error or something, and when successfully authenticated I should be redirected to /welcome and stay authenticated

I have the user and pass defined in my db and my custom userDetailsService checks against it any answers, comments or questions are welcome

3 answers

solution1
 7 ACCPTED  2017-03-29 14:24:19

Once you're working with the API, you've to use either HTTP Basic or token authentication and not Form one. It's required to use HTTPS when using any of them.

To auth in HTTP Basic way using Angular 2 the login service may look like this: 

login (loginDetails: any): Observable<LoginResponse> { // custom class, may be empty for now

    let headers = new Headers({ 
          'Authorization': 'Basic ' + btoa(loginDetails.login + ':' + loginDetails.pass),
          'X-Requested-With': 'XMLHttpRequest' // to suppress 401 browser popup
    });

    let options = new RequestOptions({ 
           headers: headers 
    });

    return this
              .http
              .post(this.loginUrl, {}, options)
              .catch(e => this.handleError(e); // handle 401 error - bad credentials
}

... then you can subscribe this in a component: 

loginNow() {
   this
     .loginService
     .login(this.loginDetails)
     .subscribe(next => {
        this.router.navigateByUrl("/"); // login succeed
     }, error => {
        this.error = "Bad credentials"; // or extract smth from <error> object
     });
}

Then you can use the loginNow() method inside the component templates like this (click)="loginNow() .

Once the server will accept the authorization, JSESSIONID will be stored in your browser automatically because of Spring Security features and you won't be forced to send the credential details each time in order to access private resources.

Your login server method may look like this: 

@PreAuthorize("hasRole('USER')")
@PostMapping("/login")
public ResponseEntity login() {
    return new ResponseEntity<>(HttpStatus.OK);
}

... it will reject with 401 UNAUTHORIZED once the authorization fails or accept with 200 SUCCESS if it won't.

How to setup the server in the proper way there's a number of Spring Security demo projects - https://github.com/spring-guides/tut-spring-security-and-angular-js

the code isn't tested though :(

solution2
 0  2018-10-24 13:28:19

Your spring security config needs to look like this 

 http!!
     .cors().and()
     .csrf().disable()
    .authorizeRequests()
     .requestMatchers(object: RequestMatcher {
       override fun matches(request: HttpServletRequest?): Boolean {
         return CorsUtils.isCorsRequest(request)
       }
     }).permitAll()
    .antMatchers("/api/**").authenticated()
    .anyRequest().permitAll()
    .and()
    .formLogin().permitAll()

solution3
 0  2019-09-24 06:18:47

I had a similar issue, but I had to override the successlogout handler as mentioned here .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring security - login architecture Spring Security REST Login json login on spring security Angular and Spring Security Architecture Spring Security to Validate login RestAPI Spring security without form login Spring Security 3 Web + Restful Login Spring Boot + Spring Security Restful Login Angular 2 Spring Security CSRF Token Spring security for REST and Angular 2.0
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM