Does Spring Security use Basic Auth or Form Based Authentication by default?

I'm learning about Spring Security in a Spring Boot app and I'm trying to understand which authentication method Spring Security uses by default. I know that Spring Security uses form-based authentication by default, but I made a test from Postman using basic authentication and it works.

I have a very simple Spring Boot app.

Rest Controller:

package com.dgs.demsec.api;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/hello")
    public String hello() {
        return "Hello World!";
    }
}

I added the spring-security dependency in the pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.4.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.dgs</groupId>
    <artifactId>dem-sec</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>dem-sec</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

And I don't have any configuration class for Spring Security. It is using the default configuration. I start the app, then I try to access the endpoint http://localhost:8080/hello; after that I use the default username, which is user, and the password generated by Spring Security, and it works: the response is "Hello World!". In the Google Chrome developer tools, for the /login endpoint there is no Authorization header, so it doesn't use basic authentication. And I can see this in the Form Data for the /login endpoint:

[screenshot omitted]

So Spring Security uses form-based authentication by default. Then I made 2 requests from Postman, the first with form-based authentication and the second with basic authentication, and both of them work. So the request also works if I send the credentials in the Authorization header. Can someone explain why a request using basic authentication works if it's form-based authentication? Thank you!
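The four behaviours observed above (Basic works, the form works, and what an unauthenticated client gets back) can be pinned down with a MockMvc test, which is convenient because spring-security-test is already in the pom. This test class is an added example, not code from the question or the answer; it assumes the HelloController shown above, a fixed test password set through the spring.security.user.* properties instead of the generated one, and the Spring Boot 2.3 / Spring Security 5.3 defaults from the pom. The last two tests rely on the default content negotiation: a client that asks for JSON is challenged with a 401, while a client that prefers HTML is redirected to the login form.

```java
package com.dgs.demsec.api;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Constructed test credentials: overriding the password means no generated password to read from the log.
@SpringBootTest(properties = {
        "spring.security.user.name=user",
        "spring.security.user.password=test-password"
})
@AutoConfigureMockMvc
class DefaultAuthenticationMechanismsTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void basicAuthHeaderIsAcceptedWithoutAnySession() throws Exception {
        // httpBasic() adds "Authorization: Basic base64(user:test-password)" to this one request,
        // exactly what the Postman request in the question did.
        mvc.perform(get("/hello").with(httpBasic("user", "test-password")))
           .andExpect(status().isOk())
           .andExpect(content().string("Hello World!"));
    }

    @Test
    void formLoginCreatesASessionThatAuthenticatesLaterRequests() throws Exception {
        // formLogin() POSTs username/password (plus a CSRF token) to /login, like the browser form does.
        MvcResult login = mvc.perform(formLogin().user("user").password("test-password"))
                             .andExpect(authenticated())
                             .andReturn();

        // The credentials were sent once; the follow-up request carries only the session, no Authorization header.
        MockHttpSession session = (MockHttpSession) login.getRequest().getSession(false);
        mvc.perform(get("/hello").session(session))
           .andExpect(status().isOk())
           .andExpect(content().string("Hello World!"));
    }

    @Test
    void apiClientWithoutCredentialsGetsBasicChallenge() throws Exception {
        // A client that does not ask for HTML is answered by the Basic entry point: 401 + WWW-Authenticate.
        mvc.perform(get("/hello").accept(MediaType.APPLICATION_JSON))
           .andExpect(status().isUnauthorized())
           .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void browserWithoutCredentialsIsRedirectedToLoginForm() throws Exception {
        // A request that prefers text/html, as a browser sends, is sent to the login page instead.
        mvc.perform(get("/hello").accept(MediaType.TEXT_HTML))
           .andExpect(status().isFound())
           .andExpect(redirectedUrl("http://localhost/login"));
    }
}
```

Put the class under src/test/java and run it with mvn test. The third and fourth tests are the part worth remembering from a security point of view: the same endpoint answers an unauthenticated request differently depending on the Accept header, so an API client and a browser each see the mechanism that fits them, and both mechanisms are live at the same time.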



Solution 1:[1]

I have checked this in WebSecurityConfigurerAdapter.class and it seems that by default it uses http.formLogin() and http.httpBasic() as the initial configuration to authenticate any request.

    protected void configure(HttpSecurity http) throws Exception {
        this.logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");
        // Every request must be authenticated; no endpoint is left open.
        http.authorizeRequests((requests) -> {
            ((AuthorizedUrl) requests.anyRequest()).authenticated();
        });
        // Enables the /login page and the form POST (session-based authentication).
        http.formLogin();
        // Enables HTTP Basic, i.e. credentials in the Authorization header on each request.
        http.httpBasic();
    }

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 sri e