No matter how much I read Spring Security is an alien concept. Any pointers?

I have the following requirement that I need to implement on a project, but no matter how many books or articles I read on Spring Security I cannot figure out what the configuration methods are actually doing.

My requirements are as follows.

  1. When REST calls are made to /api/** I just need to check that the user has included a token in the header and if so, I need to validate the token using an in-house component. If the token is not present or not valid I just want to return a 401 to the client.

     If the token is valid then they are authenticated and can proceed to the respective controller. Role-based auth is not required, so I am assuming this is where permitAll() comes in?

  2. REST calls to actuator /info, /health do not require the user to be authenticated.

  3. Calls to /hawtio and /jolokia require the same as part 1), but if the token is not present they are redirected to the login page where they can enter a username and password. The username and password is then validated using an internal service and the generated token added to the user's header. The user can also log out of the web UI, which should return them to the login page.

So for instance, if we take the example below.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        **.authorizeRequests()**
        .antMatchers("/resources/**")**.permitAll()**
        .anyRequest()**.authenticated()**
        .and()
        .formLogin()
        .loginPage("/login")
        **.permitAll()**
        .and()
        .logout()
        **.permitAll()**.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}

What is the significance of the parts I have surrounded with ** **?

I think I understand that REST calls to /resources/** just pass straight through without the user needing to have been authenticated. But the next line

.anyRequest().authenticated()

just confuses me. I think I get that it's stating ALL other requests require the user to be authenticated. But authenticated by what? How do you get authenticated and what happens if they are not authenticated?

Any help appreciated.



Solution 1:[1]

.authorizeRequests() means you want to start configuring which requests to which endpoints should be checked for authorization.

.antMatchers("/resources/**")**.permitAll()** here you are saying that all requests to /resources/** are allowed without any authorization.

The last 2 permitAll are so that clients can access the login endpoint and logout endpoint.

All of this is the absolute basics of Spring Security, and is talked about in many tutorials on the internet.

If you seriously are going to work with Spring Security I suggest you spend some time reading the architecture of Spring Security https://docs.spring.io/spring-security/reference/servlet/architecture.html so that you understand the basics. Otherwise you will have a hard time.

Become friends with the Spring Security documentation as it will help you a lot more than tutorials.
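The following configuration is an added example, not code from the question or the answer above, that puts the three requirements in the question next to the answer's explanation of `authorizeRequests()` / `permitAll()` / `authenticated()`. It assumes a Spring Boot 2 / Spring Security 5.x application on the `javax.servlet` API, an in-house `TokenValidator` interface (hypothetical; it stands in for the "in-house component" of the question), and that the token arrives in a header named `X-Auth-Token` (an assumed name). The `.authenticated()` rule is answered by whatever puts an `Authentication` into the `SecurityContext`; here that is either the token filter (for API and UI callers that present a token) or the form login (for UI users without one). Which response an unauthenticated request gets is decided by the authentication entry point: a plain 401 for `/api/**`, a redirect to `/login` for everything else.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical in-house validator: returns the token's subject, or null when the token is invalid. */
interface TokenValidator {
    String validate(String token);
}

/**
 * Reads the (assumed) X-Auth-Token header. A valid token authenticates the request;
 * an invalid one is rejected with 401 immediately; a missing one is passed on
 * unauthenticated so that the entry point below decides what happens.
 */
class TokenAuthenticationFilter extends OncePerRequestFilter {
    private static final String TOKEN_HEADER = "X-Auth-Token"; // assumed header name
    private final TokenValidator validator;

    TokenAuthenticationFilter(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader(TOKEN_HEADER);
        if (token != null) {
            String subject = validator.validate(token);
            if (subject == null) {
                // Present but invalid: fail closed, do not let the request reach a controller.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
                return;
            }
            // No roles are required by the question, so a single placeholder authority is enough
            // to satisfy .authenticated(). Credentials are null because the token was already checked.
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    subject, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }
}

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    private final TokenValidator tokenValidator;

    public ApiSecurityConfig(TokenValidator tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Token-authenticated API clients hold no session cookie, so CSRF protection does not
            // apply to them; it stays enabled for the browser-facing UI paths.
            .csrf().ignoringAntMatchers("/api/**")
            .and()
            // Run the token check before the form-login filter so a token is honoured on any path.
            .addFilterBefore(new TokenAuthenticationFilter(tokenValidator),
                             UsernamePasswordAuthenticationFilter.class)
            // Requirement 1: /api/** without credentials gets a bare 401, never a login redirect.
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                                                    new AntPathRequestMatcher("/api/**"))
            .and()
            .authorizeRequests()
                // Requirement 2: actuator info/health are open (under Boot 2 they live below /actuator by default).
                .antMatchers("/info", "/health", "/actuator/info", "/actuator/health").permitAll()
                // Requirements 1 and 3: everything else needs an Authentication in the context.
                .antMatchers("/api/**", "/hawtio/**", "/jolokia/**").authenticated()
                .anyRequest().authenticated()
            .and()
            // Requirement 3: UI users without a token are sent to /login; the login page itself
            // must be permitAll() or nobody could ever reach it.
            .formLogin()
                .loginPage("/login")
                .permitAll()
            .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login")
                .permitAll();
    }
}
```

Two things the question asks about follow directly from this arrangement. `permitAll()` on `/login` and `/logout` is there so that the pages needed to get into and out of an authenticated state are reachable without one. And "authenticated by what?" is answered by the filter order: `TokenAuthenticationFilter` runs first, so a valid token satisfies `.authenticated()` for both the API and the UI paths; when no token is present the request reaches the authorization check unauthenticated and the entry point chosen for that path (401 versus redirect) responds. Validating the username and password against the question's internal service would be a separate `AuthenticationProvider` registered through `configure(AuthenticationManagerBuilder)`, which is not shown here.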

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Toerktumlare