How to configure Spring Security for a single page application?
I faced a problem configuring Spring Security for a single page application.
So, the default config looks like this:
```java
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/list").permitAll()
            .antMatchers("/admin/**").access("hasRole('ADMIN')")
            .and().formLogin().loginPage("/login").permitAll()
            .usernameParameter("ssoId").passwordParameter("password")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/access_denied");
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}
```
From the documentation, the method formLogin().loginPage("/login") says to use a redirecting login page. For a single page configuration this is not relevant. How should I configure Spring for a single page application? I mean, how do I configure login and logout in the controller and in the configuration file?
Spring Lemon can be a complete example of this, but let me summarize things below.

By default, when a user logs in, Spring Security redirects him to the home page. When login fails, or after a successful logout, the user is redirected to the login page. Also, on trying to access URLs for which the user does not have sufficient rights, he is redirected to the login page.

As you say, this behavior won't suit single page applications. The API should instead send a 200 response along with the user data, or a 4xx response. This can be done by supplying your own handlers, like this:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            ...
            .successHandler(<your authentication success handler object>)
            .failureHandler(<your authentication failure handler object>)
        .and()
        .logout()
            ...
            .logoutSuccessHandler(<your logout success handler object>)
        .and()
        .exceptionHandling()
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            ...
}
```
You can find many examples on the internet on how to code these handler classes. For example, in the spring-lemon project, these are coded as below.

Authentication success handler
```java
@Component
public class AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Autowired
    private ObjectMapper objectMapper;

    @Autowired
    private LemonService<?, ?> lemonService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // Respond with 200 and the current user as JSON instead of redirecting
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);

        AbstractUser<?, ?> currentUser = lemonService.userForClient();

        response.getOutputStream().print(
            objectMapper.writeValueAsString(currentUser));

        // Remove any leftover authentication exception stored in the session
        clearAuthenticationAttributes(request);
    }
}
```
In summary, it returns a 200 response with the JSON-serialized current user in the response data.

Authentication failure handler
In fact, there is no need to code a class for the authentication failure handler: SimpleUrlAuthenticationFailureHandler, provided by Spring, works as desired if instantiated without arguments.

Logout success handler

```java
public class LemonLogoutSuccessHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // Just acknowledge the logout; no redirect to a login page
        response.setStatus(HttpServletResponse.SC_OK);
    }
}
```
For a detailed example, referring to Spring Lemon's LemonSecurityConfig class and the other classes in its security package can be helpful.
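As an added example (not from the question or the Spring Lemon project), the configuration below wires the handlers from the answer into one class. It assumes the `AuthenticationSuccessHandler` bean and the `LemonLogoutSuccessHandler` class shown above are on the classpath, uses a 401 `HttpStatusEntryPoint` rather than the 403 one, and keeps CSRF enabled with a cookie-based token repository, because the SPA is still authenticated by a session cookie.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // The @Component success handler from the answer (assumed to be the only bean of this type)
    @Autowired private AuthenticationSuccessHandler successHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Static SPA assets are public; everything else needs a session (paths assumed)
                .antMatchers("/", "/index.html", "/static/**").permitAll()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin()
                // Only a POST endpoint; there is no server-rendered login page to redirect to
                .loginProcessingUrl("/login").permitAll()
                .usernameParameter("ssoId").passwordParameter("password")
                .successHandler(successHandler)                              // 200 + user JSON
                .failureHandler(new SimpleUrlAuthenticationFailureHandler()) // 401, no redirect
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(new LemonLogoutSuccessHandler())      // 200, no redirect
            .and()
            .exceptionHandling()
                // Unauthenticated API calls get a bare 401 instead of a 302 to /login
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .csrf()
                // The session cookie still authenticates the SPA, so CSRF stays on. The token
                // is placed in a readable XSRF-TOKEN cookie that the client must echo back in
                // the X-XSRF-TOKEN header on every state-changing request.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place, a JavaScript client gets JSON or a plain status code from /login, /logout and the API, and never has to follow a redirect to an HTML page.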