stackoom
  简体   繁体   中英

Spring Boot Security JDBC Basic Authentication Failure

 原文  2020-07-24 10:56:02       java/ postgresql/ spring-boot/ jdbc/ spring-security

Question

I am setting up JDBC authentication with a PostgreSQL database from my Spring boot Security application.

I have created the below tables for users and roles, named 'users' and 'user_authorities', respectively.

CREATE SEQUENCE users_id_seq
  INCREMENT 1
  START 1
  MINVALUE 1
  MAXVALUE 2147483647
  CACHE 1;

CREATE TABLE users (
  id       integer NOT NULL DEFAULT nextval('users_id_seq'),
  username VARCHAR ( 100 ) UNIQUE NOT NULL,
  password VARCHAR ( 100 ) NOT NULL,
  enabled  boolean NOT NULL,
  CONSTRAINT users_pkey PRIMARY KEY (id)
);

CREATE SEQUENCE user_authorities_id_seq
  INCREMENT 1
  START 1
  MINVALUE 1
  MAXVALUE 2147483647
  CACHE 1;

  CREATE TABLE user_authorities(
   id         integer NOT NULL DEFAULT nextval('user_authorities_id_seq'),
   user_id   integer NOT NULL,
   authority varchar(100) not null,
   CONSTRAINT user_authorities_pkey PRIMARY KEY (id)
  );

Then insert the data as below:

-- create user: 'user'
INSERT INTO users(username,password,enabled) 
VALUES('user','$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci',true);

-- create user: 'admin'
INSERT INTO users(username,password,enabled) 
VALUES('admin','$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC',true);

-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'user'),'USER');

-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'admin'),'ADMIN');

Spring Boot application side, I have the security configuration: 

package com.mi.rest.webservices.restfulwebservices.security;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import 
 org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

   @Autowired
   DataSource dataSource;

   @Autowired
   BCryptPasswordEncoder bCryptEncoder;

   private static final String GET_USERS_SQL = "SELECT username, password, enabled from users where       
   username = ?";

   private static final String GET_USER_AUTHORITIES_SQL = "SELECT u.username, a.authority FROM    
   user_authorities a, users u WHERE u.username = ? AND u.id = a.user_id";

/**
 * Specify authentication scheme:
 * 
 * 1. In memory
 * 2. JDBC
 * 3. LDAP
 * 
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    /**
     auth.inMemoryAuthentication()  
   .withUser("user").password("$2a$10$TfjwK4p4y2xn5f6RN78gwOz0Le.cMGuhNaz51WDjChGCDF9Z0yqci")
   .roles("USER")
   .and()
   .withUser("admin")
   .password("$2a$10$lbZgb/zt4jBoPjqF.RfsOOOKyKJMOZjFS8QMyO.5p7Ob/jzf7ASPC")
   .roles("ADMIN");
    */
    
    auth
    .jdbcAuthentication()       
    .usersByUsernameQuery(GET_USERS_SQL)
    .authoritiesByUsernameQuery(GET_USER_AUTHORITIES_SQL)
    .dataSource(dataSource)
    .passwordEncoder(bCryptEncoder);
}

//Authorization:
@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            //HTTP Basic authentication
            .httpBasic()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/todo-app/userOnly").hasRole("USER")
            .antMatchers(HttpMethod.GET, "/todo-app/todos/**").hasRole("USER")
            .antMatchers(HttpMethod.GET, "/todo-app/adminOnly").hasRole("ADMIN")
            .antMatchers(HttpMethod.OPTIONS,"/**").permitAll()
            //.and()
            //.csrf().disable()
            ;
   }

 }

Now in order to test my setup, I have a RestController with the endpoints below:

  package com.mi.rest.webservices.restfulwebservices.controllers;

  import java.util.ArrayList;
  import java.util.Date;
  import java.util.List;

  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.jdbc.core.JdbcTemplate;
  import org.springframework.web.bind.annotation.CrossOrigin;
  import org.springframework.web.bind.annotation.GetMapping;
  import org.springframework.web.bind.annotation.PathVariable;
  import org.springframework.web.bind.annotation.PostMapping;
  import org.springframework.web.bind.annotation.RequestBody;
  import org.springframework.web.bind.annotation.RequestMapping;
  import org.springframework.web.bind.annotation.RestController;

  @RestController
  @RequestMapping("/todo-app")
  @CrossOrigin(origins = "http://localhost:4200")
  public class TodoController { 

      @GetMapping("/userOnly")
      public TodoItem getForUserOnly() {
       TodoItem todo9 = new TodoItem();
       todo9.setId(9);
       todo9.setDescription("USER role item");
       todo9.setDone(false);
       todo9.setTargetDate(new Date());
       todo9.setUser("user");
    
       return todo9;
   }

   @GetMapping("/adminOnly")
   public TodoItem getForAdminOnly() {
       TodoItem todo9 = new TodoItem();
       todo9.setId(9);
       todo9.setDescription("ADMIN role item");
       todo9.setDone(false);
       todo9.setTargetDate(new Date());
       todo9.setUser("admin");
    
       return todo9;
      }
  }

Testing with Postman, I keep getting 403 forbidden for all tests (with user and admin authorized endpoints).

What is missing from this picture? any hints and advises are highly appreciated.

1 answers

solution1
 0  2021-06-21 14:59:34

Make not that i am appending "ROLE" to each authority. Spring expects the authorities to have a prefix of "ROLE...." .

reference - Spring doc

Edit the inserts for your users_authorities table

-- create role: 'USER' for the user: 'user'
INSERT INTO users_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'user'),'ROLE_USER');

-- create role: 'ADMIN' for the user: 'admin'
INSERT INTO user_authorities(user_id,authority) VALUES((select u.id from users u where u.username = 
'admin'),'ROLE_ADMIN');

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Boot 2 security basic authentication Spring Boot Security -Basic Authentication Login authentication - Spring Boot Security, JDBC Why is Spring boot Security Basic Authentication slow? How to use JDBC-Authentication of Spring Boot/Spring Security with Flyway Spring 4 Security jdbc authentication Spring Security 5 authentication failure Spring boot security REST basic authentication from database Configure JDBC Authentication in Spring Boot Spring Boot JDBC authentication not working
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM