How to Secure Spring Rest Services with Spring Sercurity and Angularjs? -


i have spring mvc server backend rest-services , angularjs webfrontend.

i want secure spring mvc rest services want use java config.. , have no idea how configuration mus like. can me ? implementation have found : https://github.com/philipsorst/angular-rest-springsecurity

i use postgrsdb , wand store username , password , roles there, session token in example https://github.com/philipsorst/angular-rest-springsecurity stored in cache , not in db ?

at moment have simple form login security, testing, did not use jsp use spring mvc rest services , angularjs webfrontend.. how can modify spring security code works oauth2 in example https://github.com/philipsorst/angular-rest-springsecurity ? have @ moment 2 classes spring security..

@configuration @enablewebmvcsecurity public class securityconfig extends websecurityconfigureradapter{      @override     public void configure(authenticationmanagerbuilder auth) throws exception {          auth         .inmemoryauthentication()         .withuser("username").password("test").roles("user");     } }

and register securityconfig in webinitializer.

public class webinitializer extends abstractannotationconfigdispatcherservletinitializer {  @override protected class<?>[] getrootconfigclasses() {     return new class<?>[]{ persistencecontext.class,appconfig.class,securityconfig.class };  } ....

but roles , username/password should stored in database.. must use special databse schema spring security store username,password , roles in db ?

and can implement can add @secured annotation(or other annotation) on 1 of rest services role in ? @secured("userrole")

or ist basic authentification easier ? can secure rest services basic authentification rolemanagement !? if can use basic authentification.. best regards

in order load users have create authentication manager , wire userdetailsservice authentication manager. following doc link gives overview of authentication manager, , core components associated.

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#core-services

so, answer first question...

but roles , username/password should stored in database.. must use special databse schema spring security store username,password , roles in db ?

you can either. if want, spring security can handle database side you, have supply reference jdbc datasource has spring's schema design.

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#core-services-jdbc-user-service

and

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#appendix-schema

-or-

you can utilize own schema providing userdetailsservice implementation of own load own database schema. here's samples can started approach.

<context:component-scan base-package="com.example.security" /> <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>  <bean id="dao-provider" class="org.springframework.security.authentication.dao.daoauthenticationprovider"       p:userdetailsservice-ref="myuserdetailsservice"       p:passwordencoder-ref="sha-pw-encoder"       p:saltsource-ref="my-salt-source" />  <bean id="sha-pw-encoder" class="org.springframework.security.authentication.encoding.shapasswordencoder"       p:encodehashasbase64="true" />  <bean id="my-salt-source" class="org.springframework.security.authentication.dao.reflectionsaltsource"       p:userpropertytouse="salt" />  <security:authentication-manager>     <security:authentication-provider ref="dao-provider"/> </security:authentication-manager>

finally, provide implementation of userdetailsservice so:

@component("myuserdetailsservice") public class myuserdetailsserviceimpl implements userdetailsservice {  //reference spring jpa repository loading users private final userrepository userrepository;  @autowired public myuserdetailsserviceimpl(userrepository userrepository) {     this.userrepository = userrepository; }  @override @transactional public userdetails loaduserbyusername(string username) throws usernamenotfoundexception         {     user user = userrepository.findbyname(username);     if (user != null) {         return new userdetails() {           ... //create user details user object         }     } else {         string err = string.format("failed find username: %s in local database.  trying other auth mechanisms.", username);         throw new usernamenotfoundexception(err);     }   } }

... second question:

and can implement can add @secured annotation(or other annotation) on 1 of rest services role in ? @secured("userrole")

yes, above configuration allow use @secured annotation configuring global-method-security.

and finally, yes of still utilize basic authentication default, can reconfigured use digest authentication if necessary. recommend giving full read docs @ http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/ in order grasp you're trying do. but, should on way.


Comments

Post a Comment

Popular posts from this blog

php - SPIP: From Tag directly to an article -

i work spip , plugin called tagsphere works fine tags in spip. have tag groupe put 1 article tag. when click on tag in tagsphere send me before menu can see articles linked tag. want send me directly article without see tag menu before. here code model of thagsphere: <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <li>[<a href="#url_mot">(#titre)</a>]</li> </boucle_mot> </ul> </div> anybody idea? if want skip tag page, have link directly article. <b_article> block prevents display tag if no article linked. <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <b_article> <li> <a<boucle_article(articles){...
Read more

jquery - isAjaxRequest always return false -

i got error message 404,'model has not been saved' following code my action controller public function actionextend($id) { $model=$this->loadmodel($id); if(yii::app()->request->isajaxrequest) { $model->todate = date('y-m-d h:i:s a',(strtotime('next month',strtotime(date('y-01-d'))))); if($model->save()) { yii::app()->end(); } else { throw new chttpexception(404,'model has not been saved'); } } } the jquery call $("#buttonextend<?php echo $this->post_row;?>").click(function(e){ $.ajax({ type: "post", url: "<?php echo yii::app()->createurl('post/extend', array('id' => $data['id'])); ?>", }); }); why not ajax call ? thank help i found response, missed } , function ...
Read more

ruby on rails - In a controller spec, how to find a specific tag in the generated view? -

i know integration tests preferred need ran in controller test, i'm testing gem injecting html code in view, xhr can't run in feature spec (if can, please explain me how :) ) so rspec controller tests can assert selector present (with capybara) : response.body.should have_selector('#foobar') has_selector? call all method capybara find selector. what want last child of body , assert id in particular. afaik it's not possible have_selector. what : all('body:first-child').first.id.should == '#foobar' however, capybara dsl, defined (more or less): def all(*args) page.all(*args) end and page empty unless use visit it's integrations specs. how can use capybara all method inside rspec controller test ? i can't test right after googling seems trick def page capybara::node::simple.new(response.body) end source
Read more