1

Was testing a hardcoded endpoint for my Calorie management API. I hardcoded some users in my UserService.java and mapped them in my UserController to the /users url.

With Tomcat running on localhost:8080, I assumed that when I go to localhost:8080/users I would be able to see the users I added.

Instead it takes me to a login page created by Spring. Even though I can log in with 'user' as the username and the generated password in the build output, I do not want this to be implemented, as I will be doing my own authentication in the future.

When going through the build file information the login page is connected to this information:

2020-04-23 11:22:38.314 INFO 1548 --- [ restartedMain] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@150d0d25, org.springframework.security.web.context.SecurityContextPersistenceFilter@7c82be70, org.springframework.security.web.header.HeaderWriterFilter@3258c818, org.springframework.security.web.csrf.CsrfFilter@18dd2f3, org.springframework.security.web.authentication.logout.LogoutFilter@336c3f7a, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@641198db, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@7b7cd5a, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@1c801106, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@4b9896a8, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@77927c43, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@6861d187, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@d43945e, org.springframework.security.web.session.SessionManagementFilter@19cc57e5, org.springframework.security.web.access.ExceptionTranslationFilter@7b984a77, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@2521604c]

I have no dependency that is related to security or authentication. Is this coming from another dependency that has this information? I've attached my pom.xml.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.0.M4</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.MS3.bootcamp</groupId>
    <artifactId>healthDiary</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>healthDiary</name>
    <description>Bootcamp project for MS3</description>

    <properties>
        <java.version>11</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-rest</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.gurux</groupId>
            <artifactId>gurux.dlms</artifactId>
            <version>4.0.4</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

    <repositories>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>

</project>
hooknc
  • Spring Boot automagically gives you security. What does your controller mapping for `/users` look like? Could you please add that to your question as well? – hooknc Apr 23 '20 at 16:54
  • Maybe this will help you: https://stackoverflow.com/questions/47273691/spring-boot-2-0-disable-default-security – PBarri Apr 23 '20 at 16:59

2 Answers

1

You can exclude the default Spring Security configuration by adding the annotation above your Application:

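import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.web.servlet.ServletComponentScan;

// Exclude Spring Boot's default security auto-configuration.
@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
@ServletComponentScan
public class Application {

}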
bob tang
0

As you said in the question, it seems that Spring Security is among the dependencies, so if you are dealing with the Spring Security default login from HTTP basic, the right solution would be to configure it something like below:


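import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Turns off CSRF protection and lets every route through without authentication.
        http.csrf().disable()
        .authorizeRequests().antMatchers("/**").permitAll();
    }
}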

The piece of code http.authorizeRequests().antMatchers("/**").permitAll(), in this context, allows routes to not require authentication. The /** matches all possible routes from the context. By default, Spring requires authentication on all routes. So when you put Spring Security in your project with no security configuration, it will force all users to log in. I think that is for safety.

I made a project that was a simple example of a RESTful API with Spring Boot (though I wasn't using 'Spring Boot Data Rest') that I published on GitHub, and the class used for this configuration was SecurityConfiguration.java; the full repository is at galeria-spring-boot.

Lots more information about Spring Security is in Security with Spring.

Sham Fiorin
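
Added example, not part of either answer above and not the asker's code: a narrower alternative to permitting `/**` with CSRF disabled, which opens only read access to `/users` and keeps every other route authenticated. It assumes the Spring Security 5.x `WebSecurityConfigurerAdapter` API that ships with the question's Spring Boot 2.3 parent; the class name `UsersEndpointSecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Added example (hypothetical class name): open only the endpoint under test
// and leave the rest of the application behind authentication.
@Configuration
@EnableWebSecurity
public class UsersEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Read-only access to the hardcoded users from the question.
                .antMatchers(HttpMethod.GET, "/users", "/users/**").permitAll()
                // Any route added later stays protected until a rule is written for it.
                .anyRequest().authenticated()
            .and()
            // HTTP Basic only: no form login is configured, so the generated
            // HTML login page is not served and API clients receive a 401.
            .httpBasic()
            .and()
            // Spring Security does not create or use an HTTP session here;
            // each request must carry its own credentials.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // CSRF protection is left at its default (enabled). It does not apply
        // to GET requests, so the permitted /users reads are unaffected.
    }
}
```

When custom authentication is added later, only the `httpBasic()` line and the rule for the new endpoints need to change; the `anyRequest().authenticated()` default keeps unlisted routes closed in the meantime.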