bitwheeze, 2022-01-17 23:13:12
Java

Do I understand Spring Security correctly?

Hello,

I'm trying to understand Spring Security. All the examples are somehow unsuited to my task, or I don't understand something. There are a lot of things, and all the solutions are too different.

I have requests with two cookies set: account and token. Account is essentially a username, and token is a custom token that needs to be checked periodically to see that it is still valid.

I have created an AppPrincipal class that implements the UserDetails interface.
In the custom filter, I retrieve the above cookies and create an AppPrincipal object.

But I don't understand how to use it. As far as I understand, I need to put the principal into the SecurityContextHolder somehow.

If I understood everything correctly, I need to call

SecurityContextHolder.getContext().setAuthentication()


But it requires a class implementing the Authentication interface. Should I use a ready-made one, and are there suitable ones, or do I need to create my own class that implements the Authentication interface?

How do I then check in the endpoints? Is it just a matter of calling SecurityContextHolder.getContext().isAuthenticated() and, depending on the result, rejecting the request, or can annotations or a central configuration be used? I have a WebFlux endpoint of the form

// Handler as posted; the account comes from the path, not from the authenticated user.
@RequestMapping(value = "/stats/{account}", method = RequestMethod.GET)
public Mono<List<PersonalStatsRecord>> getPersonalStatsAccount(@PathVariable String account) {
    return Mono.just(sessionRepository.getStatsForAccount(account));
}


I would be very grateful if you could tell me whether I'm on the right track, or whether it's "all wrong, Misha" and everything needs to be redone.

Thanks

1 answer(s)
VictorZZZZ, 2022-01-27
@bitwheeze

You need to create a configuration for your security.
This is a bean that extends WebSecurityConfigurerAdapter.
In it, override the configure method and specify there which endpoints must be accessed by an authorized user and which ones you want to allow without authorization.
For example, something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Enclosing class, annotations and imports added so the snippet compiles; the class name is arbitrary.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are evaluated in order: the first matcher that fits the request wins.
        http.authorizeRequests()
                .antMatchers("/stats/**").permitAll()
                .antMatchers("/register", "/admin/**").hasRole("ADMIN")
                .antMatchers("/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticateTheUser")
                .failureUrl("/login?error=true")
                .defaultSuccessUrl("/")
                .and()
            .logout()
                .logoutSuccessUrl("/login")
                .permitAll();
    }
}
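Since the question shows a WebFlux controller, here is an added example (not code from either post) of the same pieces on the reactive stack, where the servlet-stack WebSecurityConfigurerAdapter above does not apply and the equivalent central configuration is a SecurityWebFilterChain bean. It covers the three things asked about: an Authentication implementation built on AbstractAuthenticationToken (so the whole interface need not be written by hand), a filter that reads the account and token cookies and validates the token on every request, and protecting the /stats endpoint both centrally and with an annotation. Assumed, because the original does not give them: the cookie names "account" and "token", a TokenValidator interface standing in for the asker's own validity check, and minimal stand-ins for SessionRepository and PersonalStatsRecord.

```java
// Added example, not the original poster's code: cookie-based authentication for the asker's
// WebFlux endpoint. Assumed, not in the original: cookies named "account" and "token", a
// TokenValidator for the asker's own validity check, and stand-ins for the asker's other types.
import java.util.Collection;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpCookie;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;

/** Stand-ins for the asker's own types so the block compiles on its own. */
record PersonalStatsRecord(String account, long value) {}
interface SessionRepository { List<PersonalStatsRecord> getStatsForAccount(String account); }
/** Assumed hook into the asker's token store: an empty Mono means the token is not (or no longer) valid. */
interface TokenValidator { Mono<UserDetails> validate(String account, String token); }

/** The Authentication the asker was missing. The principal is the raw account string until the
 *  token has been checked, then the loaded UserDetails (the asker's AppPrincipal) with its authorities. */
final class CookieAuthenticationToken extends AbstractAuthenticationToken {
    private final Object principal;
    private final String token;
    CookieAuthenticationToken(Object principal, String token, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.token = token;
        setAuthenticated(principal instanceof UserDetails);  // only a validated user counts as authenticated
    }
    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return principal; }
}

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
class CookieSecurityConfig {
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, TokenValidator validator) {
        // Step 2: check the token on every request; nothing is cached, so revocation takes effect at once.
        ReactiveAuthenticationManager manager = auth -> {
            String account = (String) auth.getPrincipal();
            String token = (String) auth.getCredentials();
            return validator.validate(account, token)
                    .map(user -> (Authentication) new CookieAuthenticationToken(user, token, user.getAuthorities()))
                    .switchIfEmpty(Mono.error(new BadCredentialsException("invalid token for " + account)));
        };
        AuthenticationWebFilter cookieFilter = new AuthenticationWebFilter(manager);
        // Step 1: read the two cookies. An empty Mono means "no credentials", so the request goes on
        // anonymously and the authorizeExchange rules below decide whether that is acceptable.
        cookieFilter.setServerAuthenticationConverter(exchange -> {
            HttpCookie account = exchange.getRequest().getCookies().getFirst("account");
            HttpCookie token = exchange.getRequest().getCookies().getFirst("token");
            if (account == null || token == null) {
                return Mono.empty();
            }
            return Mono.just(new CookieAuthenticationToken(account.getValue(), token.getValue(),
                    AuthorityUtils.NO_AUTHORITIES));
        });
        return http
                // stateless: never save the result in a WebSession, re-validate the cookies each time
                .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
                .addFilterAt(cookieFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                // central place for "which endpoints need an authenticated user"
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/stats/**").authenticated()
                        .anyExchange().permitAll())
                .build();
    }
}

@RestController
class StatsController {
    private final SessionRepository sessionRepository;
    StatsController(SessionRepository sessionRepository) { this.sessionRepository = sessionRepository; }

    // Step 3: the filter has already rejected bad tokens; this annotation adds authorization on top,
    // so a valid token for alice cannot read /stats/bob. "#account" needs parameter names kept at
    // compile time (javac -parameters), which Spring Boot's build plugins enable.
    @PreAuthorize("#account == authentication.name")
    @GetMapping("/stats/{account}")
    Mono<List<PersonalStatsRecord>> getPersonalStatsAccount(@PathVariable String account) {
        return Mono.just(sessionRepository.getStatsForAccount(account));
    }
}
```

With this wiring, a request to /stats/{account} without cookies, or with a token the validator rejects, is answered with 401 by the filter chain before the controller runs, and a valid token for one account used on another account's path gets 403 from the @PreAuthorize check. The servlet-stack equivalent of the filter is a OncePerRequestFilter that calls SecurityContextHolder.getContext().setAuthentication(...) with such a token; in WebFlux the context is not thread-bound, which is why AuthenticationWebFilter does that step and a handler reads it through ReactiveSecurityContextHolder or an @AuthenticationPrincipal parameter instead of SecurityContextHolder.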
