I am building a reddit clone with Spring Boot and AngularJS. Currently I have a REST repository of posts and comments that can be accessed when a user logs in.
Security Config file
package com.example.MundaneHeroes.Configuration;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // landing page, login and account pages are public; everything else needs an OAuth2 login
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**", "/account/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }
}
application.yml file
server:
  port: 8082
  servlet:
    session:
      cookie:
        name: UISESSION
spring:
  h2:
    console:
      enabled: true
      settings:
        web-allow-others: true
  datasource:
    url: jdbc:h2:mem:testdb
    driver-class-name: org.h2.Driver
    password:
    username: sa
  security:
    oauth2:
      client:
        registration:
          custom-client:
            client-id: R2dpxQ3vPrtfgF72
            client-secret: fDw7Mpkk5czHNuSRtmhGmAGL42CaxQB9
            client-name: Auth Server
            scope: user_info
            provider: custom-provider
            redirect-uri-template: http://localhost:8082/login/oauth2/code/
            client-authentication-method: basic
            authorization-grant-type: authorization_code
        provider:
          custom-provider:
            token-uri: http://localhost:8081/auth/oauth/token
            authorization-uri: http://localhost:8081/auth/oauth/authorize
            user-info-uri: http://localhost:8081/auth/user/me
            user-name-attribute: name
I mostly followed this tutorial here on creating an authorization server.
My problem is I haven't been able to add users to this authorization server.
I added a User entity and a JPA repository of users, and added code to accept additional users beyond the one in the tutorial. I've overridden user details, so I believe that's a good start.
    @Value("${user.oauth.user.username}")
    private String username;
    @Value("${user.oauth.user.password}")
    private String password;

    // UserService implements UserDetailsService on top of the JPA user repository
    @Autowired
    private UserService userDetailsService;

    // WebSecurityConfigurerAdapter calls this override itself; an @Autowired on the
    // overridden method is not needed and would make Spring invoke it a second time
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // the single admin user from the tutorial, kept in memory
        auth.inMemoryAuthentication()
            .withUser(username)
            .password(passwordEncoder().encode(password))
            .roles("ADMIN");
        // additional users come from the database through UserService, using the same encoder
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
However, I have no idea how to accept data from the /account/ page where the client would create a new account.
Here is the HTML code for account.html:
<!DOCTYPE html>
<html lang="en" ng-app="userApp">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <!-- AngularJS is loaded once, from the CDN; a second copy from bower_components was removed -->
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular-route.js"></script>
    <script src="account.js"></script>
    <link rel="stylesheet" href="../app.css" />
</head>
<body ng-controller="UserController">
    Username <input ng-model="username"/><br>
    <!-- type="password" so the value is masked and not autocompleted as plain text -->
    Password <input type="password" ng-model="password"/><br>
    Email <input type="email" ng-model="email"/><br>
    <input type="button" value="Send" ng-click="postuser(username, password, email)" />
    <p>StatusCode: {{statusval}}</p>
    <p>Status: {{status}}</p>
    <p>Response {{headers}}</p>
</body>
</html>
And account.js:
'use strict';

var userApp = angular.module('userApp', []);

userApp.controller('UserController', function UserController($scope, $http) {
    $scope.username = null;
    $scope.password = null;
    $scope.email = null;

    $scope.postuser = function (username, password, email) {
        var data = {
            username: username,
            password: password,
            email: email
        };
        // cross-origin POST (client on 8082, authorization server on 8081); $http sends the
        // body as application/json, so the server must answer the CORS preflight for /users
        $http.post("http://localhost:8081/auth/users", JSON.stringify(data)).then(function (response) {
            if (response.data) {
                $scope.msg = "Post Data Submitted Successfully!";
            }
            $scope.statusval = response.status;
            $scope.status = response.statusText;   // the template binds {{status}}
        }, function (response) {
            $scope.msg = JSON.stringify(data);
            $scope.statusval = response.status;
            $scope.status = response.statusText;
            $scope.headers = response.xhrStatus;
        });
    };
});
I have been trying to modify the HTTP security expressions in the original code:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
        http.requestMatchers()
                .antMatchers("/login", "/oauth/authorize")
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll();
        // http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().antMatchers("/login").authenticated().and().formLogin().permitAll().and().authorizeRequests().antMatchers("/h2-console/**").anonymous();
        //http.authorizeRequests().antMatchers("/h2-console/**").anonymous();
        // http.requestMatchers().antMatchers("/login", "/oauth/authorize").and().authorizeRequests().anyRequest().
        // http.requestMatchers().antMatchers("/login", "/oauth/authorize");
        //http.authorizeRequests().anyRequest().authenticated().and().formLogin().permitAll();
        //http.antMatcher("/**").requestMatchers("/h2-console/**")
        // http.requestMatchers().antMatchers("/login", "/oauth/authorize");
        // http.authorizeRequests().antMatchers("/h2-console/**").permitAll();
        // .requestMatchers().antMatchers("/login", "/oauth/authorize");
        // http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/h2-console/**").permitAll();

        //to run h2 might use profiles later
        http.csrf().disable();
        http.headers().frameOptions().disable();
    }
The things that are commented out are things that I have tried.
I have a controller in the Auth server that accepts POST requests. When I comment out the normal HttpSecurity expressions and add code to disable CSRF protection and disable headers, I can create accounts. (Obviously this isn't a good solution.)
At this point I'm kinda stuck. I also suspect that this isn't at all the correct way of sending data to a secure server, but I haven't been able to find any guides online.
So, can anybody help or point me in the right direction?
I came up with this line of code to get everything working:
http
    .csrf().disable()
    .headers().frameOptions().disable()
    .and()
    // /login and /oauth/authorize require an authenticated user (form login)
    .requestMatchers()
        .antMatchers("/login")
        .and()
    .authorizeRequests()
        .antMatchers("/login").authenticated()
        .and().formLogin().permitAll()
    .and()
    .requestMatchers()
        .antMatchers("/oauth/authorize")
        .and()
    .authorizeRequests()
        .antMatchers("/oauth/authorize").authenticated()
        .and().formLogin().permitAll()
    // H2 console, account creation and the current-user lookup are open
    .and().requestMatchers()
        .antMatchers("/h2-console/**")
        .and().authorizeRequests()
        .antMatchers("/h2-console/**").permitAll()
    .and().requestMatchers()
        .antMatchers("/users")
        .and()
    .authorizeRequests().antMatchers("/users").permitAll()
    .and()
    .requestMatchers().antMatchers("/user/currentUser")
        .and()
    .authorizeRequests().antMatchers("/user/currentUser").permitAll();
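The answer above gets the registration POST through by switching CSRF and the frame-options header off for the whole authorization server. As an added example (not code from the question, the answer or the tutorial), here is the same filter chain written so that only the registration endpoint is exempted from CSRF, the client origin is answered via CORS instead of header removal, and the H2 console only allows same-origin frames. It assumes the client runs at http://localhost:8082 as in the question's application.yml, and the class name AuthServerWebSecurity is made up.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class AuthServerWebSecurity extends WebSecurityConfigurerAdapter {

    // origin of the AngularJS client that posts to /users (assumed from the question's ports)
    private static final String CLIENT_ORIGIN = "http://localhost:8082";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // paths handled by this chain; /oauth/token stays with the authorization server's own chain
            .requestMatchers()
                .antMatchers("/login", "/oauth/authorize", "/users", "/h2-console/**")
                .and()
            .authorizeRequests()
                // registration: anonymous POST only, so accounts cannot be listed with a GET
                .antMatchers(HttpMethod.POST, "/users").permitAll()
                .antMatchers("/h2-console/**").permitAll()   // dev only; gate behind a profile in prod
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll()
                .and()
            // CSRF stays on for the login form and /oauth/authorize; the JSON registration
            // request carries no session cookie to forge, so only that endpoint is exempted
            .csrf().ignoringAntMatchers("/users")
                .and()
            // answer the browser's preflight for the client origin instead of disabling headers
            .cors().configurationSource(corsSource())
                .and()
            // H2 console needs frames from its own origin only, not from any site
            .headers().frameOptions().sameOrigin();
    }

    private CorsConfigurationSource corsSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(Collections.singletonList(CLIENT_ORIGIN));
        cfg.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
        cfg.setAllowedHeaders(Collections.singletonList("Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/users", cfg);   // CORS only where the client needs it
        return source;
    }
}
```

Because the auth server runs under the /auth context path, the patterns are context-relative, which is why the client posts to /auth/users while the matcher says /users.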