
I'd like to prevent people from accessing my application (Angular 7 frontend, Spring Boot backend) when they are not logged in, using Spring-Boot-Security. I authenticate my user via LDAP and would like to set roles based on database entries, but let's get to this step by step. So what I did now is replace the default Spring-Boot-Security login (via the generated password) with my LDAP configuration (but still using the default login page). I got the following code for that:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/login")
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .httpBasic();
        http.formLogin().defaultSuccessUrl("/", true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider()));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

Now, by default, when including the spring-boot-starter-security artifact, everyone is redirected to the /login page when trying to access any page. Sadly, since I overwrote that config with my own, that is not the case any more. How can I let Spring do this again (also with the frontend pages, which were prevented from being accessed too)?

Rüdiger
  • It's not clear what your question is. Do you want to redirect unauthenticated users to another URL, different from `/login`? Or is your problem that authenticated users are redirected to `/login`? – naXa stands with Ukraine Dec 22 '18 at 19:41
  • @naXa I would like to have people redirected to `/login` when they try to access any page but did not already authenticate via `/login`. Yet, I just found out about what I did wrong. I specified the `antMatcher` which seems to override the `httpSecurity`-options for this and prevented spring-boot from redirecting every time. Removing that line and inserting `.formLogin().and()` right before `httpBasic()` did the trick – Rüdiger Dec 22 '18 at 19:45
  • Good news :) If you managed to solve your question yourself, please take some time to post an answer. You can then accept it in 2 days. This way you share the knowledge with others and officially mark this question as resolved. – naXa stands with Ukraine Dec 22 '18 at 22:36
  • Also, do you think your question is similar to this existing question? [Spring Security keeps redirecting me to login page](https://stackoverflow.com/q/41827388/1429387) – naXa stands with Ukraine Dec 22 '18 at 22:40

0 Answers