Sunday, November 17, 2024
Google search engine
HomeLanguagesJavaSpring Security – Securing Endpoints Using antMatchers()

Spring Security – Securing Endpoints Using antMatchers()

antMatchers() is used to configure the URL paths which either can be permitted or denied to the user’s http request, according to the role or the authorization of that particular user. The authorizeHttpRequests().antMatchers() are used to apply authorization to one or more paths you specify in antMatchers(). The mapping matches URLs using the following rules:

Rules applied on antmatchers():

  • ? – matches one character
  • * – matches zero or more characters
  • ** – matches zero or more directories in a path

Examples:

  • org/g?g – matches org/gfg, org/geg, etc.
  • org/*.jsp – matches all .jsp files in the org directory
  • org/**/test.jsp — matches all test.jsp files underneath the org path

Methods applied on antmatchers():

  • hasAnyRole()
  • hasRole()
  • hasAuthority()
  • hasAnyAuthority()
  • authenticated()
  • anonymous()

Example Project

In this article, we will explain how to secure endpoints using antMatchers(). We’re going to build on top of the simple Spring MVC example and secure the Endpoints Using antMatchers(). We are going to create two endpoints and we will see how to secure one endpoint and not secure another one. Sample code snippets are given below.

@Controller
public class GfgController {

// Secure this one
@GetMapping("/gfg")
public String helloGfg() {
return "hello-gfg";
}

// Don't secure this
@GetMapping("/gfg/welcome")
@ResponseBody
public String welcomeGfg() {
return "Welcome to Lazyroar";
}
}

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests()
.antMatchers("/gfg").authenticated()
.antMatchers("/gfg/welcome").permitAll()
.and()
.formLogin()
.and()
.httpBasic();
}

Step 1: Create Your Project and Configure Apache Tomcat Server

Note: We are going to use Spring Tool Suite 4 IDE for this project. Please refer to this article to install STS in your local machine How to Download and Install Spring Tool Suite (Spring Tools 4 for Eclipse) IDE.

Step 2: Folder Structure

Before moving to the project let’s have a look at the complete project structure for our Spring MVC application.

File-Strcture.png

Folder Structure

Step 3: Add Dependencies to pom.xml File

Add the following dependencies to your pom.xml file

  • Spring Web MVC
  • Java Servlet API
  • Spring Security Config
  • Spring Security Web

XML




<dependencies>
   
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.24</version>
    </dependency>
     
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>4.0.1</version>
        <scope>provided</scope>
    </dependency>   
     
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.7.3</version>
    </dependency>
     
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.7.3</version>
    </dependency>
     
</dependencies>


Below is the complete pom.xml file. Please cross-verify if you have missed some dependencies.

XML




<?xml version="1.0" encoding="UTF-8"?>
 
  <modelVersion>4.0.0</modelVersion>
 
  <groupId>com.gfg.springsecurity</groupId>
  <artifactId>springsecurity</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
 
  <name>springsecurity Maven Webapp</name>
  <!-- FIXME change it to the project's website -->
  <url>http://www.gfg.com</url>
 
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>
 
  <dependencies>
   
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.3.24</version>
    </dependency>
     
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>4.0.1</version>
        <scope>provided</scope>
    </dependency>   
     
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>5.7.3</version>
    </dependency>
     
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>5.7.3</version>
    </dependency>
     
  </dependencies>
 
  <build>
    <finalName>springsecurity</finalName>
    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
      <plugins>
        <plugin>
          <artifactId>maven-clean-plugin</artifactId>
          <version>3.1.0</version>
        </plugin>
        <plugin>
          <artifactId>maven-resources-plugin</artifactId>
          <version>3.0.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-compiler-plugin</artifactId>
          <version>3.8.0</version>
        </plugin>
        <plugin>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.22.1</version>
        </plugin>
        <plugin>
          <artifactId>maven-war-plugin</artifactId>
          <version>3.2.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-install-plugin</artifactId>
          <version>2.5.2</version>
        </plugin>
        <plugin>
          <artifactId>maven-deploy-plugin</artifactId>
          <version>2.8.2</version>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>


Step 4: Configuring Dispatcher Servlet

Please refer to this article What is Dispatcher Servlet in Spring? and read more about Dispatcher Servlet which is a very very important concept to understand. Now we are going to configure Dispatcher Servlet with our Spring MVC application.

Go to the src > main > java and create a class WebAppInitilizer. Below is the code for the WebAppInitilizer.java file.

File: WebAppInitilizer.java

Java




package com.gfg.config;
 
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
 
public class WebAppInitilizer extends
               AbstractAnnotationConfigDispatcherServletInitializer {
 
    @Override
    protected Class<?>[] getRootConfigClasses() {
        // TODO Auto-generated method stub
        return null;
    }
 
    @Override
    protected Class<?>[] getServletConfigClasses() {
        Class[] configFiles = {MyAppConfig.class};
        return configFiles;
    }
 
    @Override
    protected String[] getServletMappings() {
        String[] mappings = {"/"};
        return mappings;
    }
 
}


Create another class in the same location (src > main > java) and name it MyAppConfig. Below is the code for the MyAppConfig.java file.

File: MyAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
 
@Configuration
@EnableWebMvc
@ComponentScan("com")
public class MyAppConfig {
 
}


Reference article: Spring – Configure Dispatcher Servlet in Three Different Ways

Step 5: Create Your Spring MVC Controller

Go to the src > main > java and create a class GfgController. Below is the code for the GfgController.java file.

File: GfgController.java

Java




package com.gfg.controller;
 
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
 
@Controller
public class GfgController {
     
    // Secure this one
    @GetMapping("/gfg")
    public String helloGfg() {
        return "hello-gfg";
    }
     
    // Don't secure this
    @GetMapping("/gfg/welcome")
    @ResponseBody
    public String welcomeGfg() {
        return "Welcome to Lazyroar";
    }
 
}


Reference article: Create and Run Your First Spring MVC Controller in Eclipse/Spring Tool Suite

Step 6: Create Your Spring MVC View

Go to the src > main > webapp > WEB-INF > right-click > New > Folder and name the folder as views. Then views > right-click > New > JSP File and name your first view. Here we have named it as hello-gfg.jsp file. Below is the code for the hello-gfg.jsp file. We have created a simple web page inside that file.

File: hello-gfg.jsp

HTML




<!DOCTYPE html>
<html>
<body bgcolor="green">
    <h1>Hello Lazyroar!</h1>
</body>
</html>


Reference article: How to Create Your First View in Spring MVC?

Step 7: Setting Up ViewResolver in Spring MVC

Go to the src > main > java > MyAppConfig and set your ViewResolver like this

File: MyAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
 
@Configuration
@EnableWebMvc
@ComponentScan("com")
public class MyAppConfig {
     
    @Bean
    InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/views/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
 
}


Reference article: ViewResolver in Spring MVC

Step 8: Setting Up Spring Security Filter Chain

Go to the src > main > java and create a class MySecurityAppConfig and annotate the class with @EnableWebSecurity annotation. This class will help to create the spring security filter chain. Below is the code for the MySecurityAppConfig.java file.

File: MySecurityAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 
// This class will help to create
// spring security filter chain
@EnableWebSecurity
public class MySecurityAppConfig extends WebSecurityConfigurerAdapter {
 
}


Step 9: Create Spring Security Initilizer

Go to the src > main > java and create a class SecurityInitializer. This class will help to register the spring security filter chain with our application. Below is the code for the SecurityInitializer.java file.

File: SecurityInitializer.java

Java




package com.gfg.config;
 
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 
// This class will help to register spring security
// filter chain with our application
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
 
}


Now we are done with setting up our Spring Security Filter Chain.

Step 10: Create Users and Password Encoder

Modify the MyAppConfig file. Here we are going to create the PasswordEncoder Bean.

File: MyAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
 
@Configuration
@EnableWebMvc
@ComponentScan("com")
public class MyAppConfig {
     
    @Bean
    InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/views/");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
     
      // Create the bean for PasswordEncoder
    @Bean
    PasswordEncoder getPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
 
}


Modify the MySecurityAppConfig file. Here we are going to create the User, and we are going to provide the password in Bcrypt format. And we are also going to provide the roles to the user.

Note: We are going to use Spring Security In-Memory Authentication. Please refer to this article for more detail.

File: MySecurityAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
 
// This class will help to create
@SuppressWarnings("deprecation")
// spring security filter chain
@EnableWebSecurity
public class MySecurityAppConfig extends WebSecurityConfigurerAdapter {
     
    @Autowired
    private PasswordEncoder passwordEncoder;
     
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .withUser("gfg")
        .password(passwordEncoder.encode("gfg123"))
        .roles("admin");
    }
 
}


Step 11: Configuring Basic Authentication and Securing Endpoints Using antMatchers()

Modify the MySecurityAppConfig file. Here we are going to use antMatchers() to secure our endpoints.

File: MySecurityAppConfig.java

Java




package com.gfg.config;
 
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
 
// This class will help to create
@SuppressWarnings("deprecation")
// spring security filter chain
@EnableWebSecurity
public class MySecurityAppConfig extends WebSecurityConfigurerAdapter {
     
    @Autowired
    private PasswordEncoder passwordEncoder;
     
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .withUser("gfg")
        .password(passwordEncoder.encode("gfg123"))
        .roles("admin");
    }
     
    // Configuring basic authentication through configure method
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .authorizeHttpRequests()
        .antMatchers("/gfg").authenticated()
        .antMatchers("/gfg/welcome").permitAll()
            .and()
            .formLogin().loginPage("/customLogin")
            .and()
            .httpBasic();
    }
         
 
}


Now, let’s run the application and test it out.

Step 10: Run Your Spring MVC Application

To run our Spring MVC Application right-click on your project > Run As > Run on Server. After that use the following URL to run your controller.

http://localhost:8080/springsecurity/gfg

And it will ask for authentication to use the endpoint and a pop-up screen will be shown like this.

Now sign in with the following credentials

  • Username: gfg
  • Password: gfg123

And now you can access your endpoint. You will get the output like this.

But when you hit the following endpoint you can access it without any authentication.

http://localhost:8080/springsecurity/gfg/welcome

You will get the output like this.

antmatcher-1.png

RELATED ARTICLES

Most Popular

Recent Comments