Configuring Spring Security with Spring Boot

I am new to configuring Spring Security using Java Config. I was trying to follow this posting. However, when I run my app, I get a Basic Auth challenge on all URLs, including /. Entering the either of the userid/pass combos below do not seem to work.

My Controller:

package com.xxx.web;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping("/")
/**
 * Controller to handle basic "root" URLs
 * 
 * @author xxx
 * @version 0.1.0
 */
public class RootController {
 /**
 * Handles '/'
 * @param model
 * @return
 */
 @RequestMapping
 public String index(Model model) {
 return "index";
 }
 /**
 * Handles '/signup'
 * @param model
 * @return
 */
 @RequestMapping("/signup")
 public String signup(Model model) {
 return "signup";
 }
 /**
 * Handles '/about'
 * @param model
 * @return
 */
 @RequestMapping("/about")
 public String about(Model model) {
 return "about";
 }
 /**
 * Handles '/login'
 * @param model
 * @return
 */
 @RequestMapping("/login")
 public String login(Model model) {
 return "login";
 }
 /**
 * Handles '/admin'
 * @param model
 * @return
 */
 @RequestMapping("/admin")
 public String admin(Model model) {
 return "admin";
 }
}

Not sure what else to try. Just looking for some guidance as to why this isn't working.

Update

For completeness, here is the config class:

package com.xxx.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
/**
 * Configures the security for the application
 * 
 * @author XXX
 * @version 0.1.0
 *
 */
public class WebSecurityAppConfig extends WebSecurityConfigurerAdapter {
 @Override
 /**
 * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#registerAuthentication(AuthenticationManagerBuilder)
 */
 protected void registerAuthentication(AuthenticationManagerBuilder auth)
 throws Exception {
 auth
 .inMemoryAuthentication()
 .withUser("user") // #1
 .password("password")
 .roles("USER")
 .and()
 .withUser("admin") // #2
 .password("password")
 .roles("ADMIN","USER");
 }
 @Override
 /**
 * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(WebSecurity)
 */
 public void configure(WebSecurity web) throws Exception {
 web
 .ignoring()
 .antMatchers("/resources/**"); // #3
 }
 @Override
 /**
 * @see org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(HttpSecurity)
 */
 protected void configure(HttpSecurity http) throws Exception {
 http
 .authorizeRequests()
 .antMatchers("/","/signup","/about").permitAll() // #4
 .antMatchers("/admin/**").hasRole("ADMIN") // #6
 .anyRequest().authenticated() // 7
 .and()
 .formLogin() // #8
 .loginPage("/login") // #9
 .permitAll(); // #5
 }
}

And the WebApplicationInitializer:

package com.xxx.config;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
 * 
 * @author XXX
 * @version 0.1.0
 */
public class SpringWebMvcInitializer extends
 AbstractAnnotationConfigDispatcherServletInitializer {
 @Override
 /**
 * 
 */
 protected Class<?>[] getRootConfigClasses() {
 return new Class[] { WebSecurityAppConfig.class };
 }
 @Override
 /**
 * 
 */
 protected Class<?>[] getServletConfigClasses() {
 return null;
 }
 @Override
 /**
 * 
 */
 protected String[] getServletMappings() {
 return null;
 }
}

I didn't include these before because they are pretty much a copy-paste from the referenced blog posting.

• I don't see Spring Boot anywhere there. Is the summary a typo?

  Dave Syer

  – Dave Syer

  2013年11月04日 14:19:57 +00:00

  Commented Nov 4, 2013 at 14:19
• My understanding with Spring Boot is that you would put the Actuator in for Security, then add the appropriate Spring Java configuration classes in place. Am I wrong in this assumption? The only walkthrough I have found for Spring Boot with Spring Security doesn't use a Controller, and I tried to copy what it was doing as close as I could.

  CodeChimp

  – CodeChimp

  2013年11月04日 17:41:57 +00:00

  Commented Nov 4, 2013 at 17:41
• Your understanding is correct. There are two samples (spring-boot-sample-secure, which is newish, and spring-boot-sample-actuator, which is older) that use Spring Security. The "secure" one is probably closest to your use case.

  Dave Syer

  – Dave Syer

  2013年11月04日 17:45:07 +00:00

  Commented Nov 4, 2013 at 17:45
• (I still don't see Spring Boot anywhere in the code you posted though. I wouldn't be using AbstractAnnotationConfigDispatcherServletInitializer for instance if I were you - try SpringBootServletInitializer).

  Dave Syer

  – Dave Syer

  2013年11月04日 17:46:18 +00:00

  Commented Nov 4, 2013 at 17:46
• Thanks for the input. Will check out the other sample when I get home. I am probably looking at an older GIT repo. Also, will switch to the SpringBootServletInitializer. Hopefully that gets me past my current road block.

  CodeChimp

  – CodeChimp

  2013年11月04日 17:48:28 +00:00

  Commented Nov 4, 2013 at 17:48

1 Answer 1

Start asking to get answers

Find the answer to your question by asking.

Explore related questions

See similar questions with these tags.