java - How to configure Spring Security for a single page application?


I faced a problem configuring Spring Security for a single page application.

So, the default config looks like this:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/list").permitAll()
                .antMatchers("/admin/**").access("hasRole('ADMIN')")
                .and().formLogin().loginPage("/login").permitAll()
                .usernameParameter("ssoId").passwordParameter("password")
                .and().csrf()
                .and().exceptionHandling().accessDeniedPage("/Access_Denied");
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

From the documentation, the method formLogin().loginPage("/login") says to use a redirecting login page. For a single page configuration this isn't relevant. How should I configure Spring for a single page application? I mean, how do I configure login and logout in the controller and in the configuration file?

Spring Lemon can be a complete example of this; let me summarize the things below.

By default, when a user logs in, Spring Security redirects him to the home page. When login fails, or after a successful logout, the user is redirected to the login page. Also, on trying to access URLs for which the user does not have sufficient rights, he is redirected to the login page.

As you say, this behavior won't suit single page applications. The API should instead send a 200 response along with the user data, or a 4xx response. This can be done by supplying your own handlers, like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            ...
            .successHandler(your authentication success handler object)
            .failureHandler(your authentication failure handler object)
            .and()
        .logout()
            ...
            .logoutSuccessHandler(your logout success handler object)
            .and()
        .exceptionHandling()
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
        ...
}

You can find many examples on the internet on how to code these handler classes. For example, in the spring-lemon project, these are coded as below.

Authentication success handler

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.ObjectMapper;
// LemonService and AbstractUser are spring-lemon's own classes

@Component
public class AuthenticationSuccessHandler
    extends SimpleUrlAuthenticationSuccessHandler {

    @Autowired
    private ObjectMapper objectMapper;

    @Autowired
    private LemonService<?,?> lemonService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication)
    throws IOException, ServletException {

        // 200 with the current user as JSON, instead of a redirect
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);

        AbstractUser<?,?> currentUser = lemonService.userForClient();

        response.getOutputStream().print(
                objectMapper.writeValueAsString(currentUser));

        // drop the authentication exception left in the session by a previous failed attempt
        clearAuthenticationAttributes(request);
    }
}

In summary, it returns a 200 response with the jsonified current user in the response data.

Authentication failure handler

In fact, there is no need to code a class for the authentication failure handler - SimpleUrlAuthenticationFailureHandler provided by Spring, if instantiated without arguments, works as desired.

Logout success handler

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

public class LemonLogoutSuccessHandler
    implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication authentication)
        throws IOException, ServletException {

        // plain 200, no redirect to the login page
        response.setStatus(HttpServletResponse.SC_OK);
    }
}

For a detailed example, referring to Spring Lemon's LemonSecurityConfig class and the other classes in its security package can be helpful.
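Putting the pieces of this answer together in one configuration, as an added example that is not from the question, the answer or spring-lemon: it keeps the question's matchers and parameter names, wires a JSON success handler (a constructed one-field body instead of spring-lemon's user object), Spring's no-argument SimpleUrlAuthenticationFailureHandler, a logout handler that returns 200, and Http403ForbiddenEntryPoint. It targets the same WebSecurityConfigurerAdapter API as the question (Spring Security 5.x, javax.servlet) and assumes Jackson is on the classpath.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import com.fasterxml.jackson.databind.ObjectMapper;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfig extends WebSecurityConfigurerAdapter {
    private final ObjectMapper objectMapper = new ObjectMapper();

    // On success: 200 plus a small JSON body (constructed here) instead of a redirect to "/"
    private AuthenticationSuccessHandler jsonSuccessHandler() {
        return (request, response, authentication) -> {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.getWriter().print(objectMapper.writeValueAsString(
                    Collections.singletonMap("username", authentication.getName())));
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/list").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginProcessingUrl("/login")   // the SPA POSTs credentials here; no login page is served
                .usernameParameter("ssoId").passwordParameter("password")
                .successHandler(jsonSuccessHandler())
                .failureHandler(new SimpleUrlAuthenticationFailureHandler()) // no-arg: plain 401, no redirect
                .permitAll()
                .and()
            .logout()   // default URL /logout
                .logoutSuccessHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK))
                .and()
            .exceptionHandling()   // unauthenticated request to a protected URL: 403, not a redirect
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
            .csrf();   // kept enabled as in the question; the SPA must send the token on state-changing requests
    }
}
```

A browser client can then drive login and logout purely with XHR/fetch calls and branch on the status code, which is the behaviour the question asks for.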

