In this Spring Boot Security Database Authentication Example, we will learn how to secure REST API using Spring Boot Database Authentication. All the user who tries to access the secured resource will be authenticated and authorized using the Database Authentication.
Creating table
Create EMPLOYEE Table, simply Copy and Paste the following SQL query in the query editor to get the table created.
CREATE TABLE EMPLOYEE( USERNAME varchar(50) NOT NULL, PASSWORD varchar(65) NOT NULL, ROLE varchar(15) NOT NULL); INSERT INTO EMPLOYEE VALUES ('user','$2a$10$5e3dB36HeRcozRgp8xQfw.tfD3Qsut8xu/NT9g/DSpVKg9Kzuitrq','USER'); INSERT INTO EMPLOYEE VALUES ('admin','$2a$10$5e3dB36HeRcozRgp8xQfw.tfD3Qsut8xu/NT9g/DSpVKg9Kzuitrq','ADMIN');
Note: While inserting the password in the database, encode it with Bcrypt encoder . In my case i have encoded my password “password” to “$2a$10$5e3dB36HeRcozRgp8xQfw.tfD3Qsut8xu/NT9g/DSpVKg9Kzuitrq”
Folder Structure:
- Create a Maven project (maven-archetype-quickstart) “SpringBootDatabaseAuth” and create a package for our source files “com.javainterviewpoint” under src/main/java
- Now add the following dependency in the POM.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.javainterviewpoint</groupId> <artifactId>SpringBootDatabaseAuth</artifactId> <version>0.0.1-SNAPSHOT</version> <packaging>jar</packaging> <name>SpringBootDatabaseAuth</name> <url>http://maven.apache.org</url> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <java.version>1.8</java.version> </properties> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.0.7.RELEASE</version> </parent> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-jdbc</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-configuration-processor</artifactId> <optional>true</optional> </dependency> <dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate-validator</artifactId> <version>5.2.4.Final</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>5.1.47</version> </dependency> </dependencies> </project>
- Create the Java classes Application.java, HelloController.java and SpringSecurityConfig.java under com.javainterviewpoint folder.
The spring-boot-starter-parent is a special starter, it provides useful Maven defaults. Since we are developing a web application, we also need to add spring-boot-starter-web dependency.This will add dependencies such Tomcat, Jackson, Spring boot etc which are required for our application.
spring-boot-starter-security dependency adds all the security related dependencies.
spring-boot-starter-jdbc is the starter which is needed for using JDBC
Spring Boot Security Database Authentication Example
Dependency Tree
[INFO] ------------------------------------------------------------------------ [INFO] Building SpringBootDatabaseAuth 0.0.1-SNAPSHOT [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ SpringBootDatabaseAuth --- [INFO] com.javainterviewpoint:SpringBootDatabaseAuth:jar:0.0.1-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.0.7.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.0.7.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot:jar:2.0.7.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.7.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.7.RELEASE:compile [INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile [INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.3:compile [INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile [INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.10.0:compile [INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile [INFO] | | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile [INFO] | | +- org.springframework:spring-core:jar:5.0.11.RELEASE:compile [INFO] | | | \- org.springframework:spring-jcl:jar:5.0.11.RELEASE:compile [INFO] | | \- org.yaml:snakeyaml:jar:1.19:runtime [INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.0.7.RELEASE:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile [INFO] | | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile [INFO] | | | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile [INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.7:compile [INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile [INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.7:compile [INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.7.RELEASE:compile [INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.35:compile [INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.35:compile [INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.35:compile [INFO] | +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile [INFO] | +- org.springframework:spring-web:jar:5.0.11.RELEASE:compile [INFO] | | \- org.springframework:spring-beans:jar:5.0.11.RELEASE:compile [INFO] | \- org.springframework:spring-webmvc:jar:5.0.11.RELEASE:compile [INFO] | +- org.springframework:spring-context:jar:5.0.11.RELEASE:compile [INFO] | \- org.springframework:spring-expression:jar:5.0.11.RELEASE:compile [INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.0.7.RELEASE:compile [INFO] | +- org.springframework:spring-aop:jar:5.0.11.RELEASE:compile [INFO] | +- org.springframework.security:spring-security-config:jar:5.0.10.RELEASE:compile [INFO] | | \- org.springframework.security:spring-security-core:jar:5.0.10.RELEASE:compile [INFO] | \- org.springframework.security:spring-security-web:jar:5.0.10.RELEASE:compile [INFO] +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.0.7.RELEASE:compile [INFO] | +- com.zaxxer:HikariCP:jar:2.7.9:compile [INFO] | | \- org.slf4j:slf4j-api:jar:1.7.25:compile [INFO] | \- org.springframework:spring-jdbc:jar:5.0.11.RELEASE:compile [INFO] | \- org.springframework:spring-tx:jar:5.0.11.RELEASE:compile [INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.7.RELEASE:compile (optional) [INFO] +- org.hibernate:hibernate-validator:jar:5.2.4.Final:compile [INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | \- com.fasterxml:classmate:jar:1.3.4:compile [INFO] \- mysql:mysql-connector-java:jar:5.1.47:compile [INFO] ------------------------------------------------------------------------
Spring Boot Security Configuration
package com.javainterviewpoint; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.boot.jdbc.DataSourceBuilder; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; @Configuration @EnableWebSecurity public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Bean @ConfigurationProperties("spring.datasource") public DataSource ds() { return DataSourceBuilder.create().build(); } @Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .anyRequest().authenticated(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .authoritiesByUsernameQuery("select USERNAME, ROLE from EMPLOYEE where USERNAME=?") .usersByUsernameQuery("select USERNAME, PASSWORD, 1 as enabled from EMPLOYEE where USERNAME=?"); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }
- @EnableWebSecurity annotation enables spring security configuration which is defined in WebSecurityConfigurerAdapter
- We have declared the Datasource object annotated with the @Autowired annotation, which looks for the definition in the below bean which will be built by DataSourceBuilder
@Autowired private DataSource dataSource;
- DataSourceBuilder class builds the Datasource with the common implementations and properties, it supports small set of configurations only and we inject the additional properties using @ConfigurationProperties annotation.
@Bean @ConfigurationProperties("spring.datasource") public DataSource ds() { return DataSourceBuilder.create().build(); }
- Since we have extended WebSecurityConfigurerAdapter, it allows us to override spring’s security default feature. In our example we will be enabling HTTP Basic authentication which authenticates all the incoming request
- The configure() method configures the HttpSecurity class which authorizes each HTTP request which has been made. In our example all the request will be authenticated and allowed access only when the user has USER or ADMIN role
- .httpBasic() –> Makes spring to use the HTTP Basic Authentication method to authenticate the user
- authorizeRequests()
.anyRequest().authenticated() –> All requests to the endpoint must be authorized or else they should be rejected. - .csrf().disable() –> Disables CSRF protection
@Override Protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .anyRequest().authenticated(); }
- configureGlobal() method configures the AuthenticationManagerBuilder class with the valid user credentials and the allowed roles.
- We have configured JDBC Authentication and set up two queries for AuthenticationManagerBuilder
- usersByUsernameQuery –> Authenticating the user
- authoritiesByUsernameQuery –> Authorizing the user
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) .authoritiesByUsernameQuery("select USERNAME, ROLE from EMPLOYEE where USERNAME=?") .usersByUsernameQuery("select USERNAME, PASSWORD, 1 as enabled from EMPLOYEE where USERNAME=?"); }
- In Spring Boot 2, we need to pass the encoded password,We have registered our passwordEncoder as BCryptPasswordEncoder. While saving the password in the database we need to save it in a Bcrypt encoded format, which will be decoded while authenticating.
@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
Whenever we have not mapped any PasswordEncoder then SpringBoot will throw the “There is no PasswordEncoder mapped for the id \”null\” error
HelloController.java
package com.javainterviewpoint; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class HelloController { @RequestMapping("/user") public String showUserMsg() { return "User has logged in!!!"; } @RequestMapping("/admin") public String showAdminMsg() { return "Admin has logged in!!!"; } }
- We have annotated our “HelloController” class with @RestController, @RestController annotation is introduced in Spring 4 it is a combination of @Controller + @ResponseBody. So when using @RestController, you do not need to use @ResponseBody it is optional now
- We have two methods
- showUserMsg() –> This method will be called when the request is /user
- showAdminMsg() –> This method will be called when the request is /admin
Application.java
package com.javainterviewpoint; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class Application { public static void main( String[] args ) { SpringApplication.run(Application.class, args); } }
The Application class main() method is the triggering point of our application. Inside the main method we will be calling the SpringApplication class run() method which bootstraps our Application and starts the tomcat server. We will be passing our class name [Applicaion.class] as an argument to the run() method.
Output
In POSTMAN, select GET method and give the url as “http://localhost:8080/user”. In the Authorization tab select the Type as “Basic Auth” and key in the invalid username /password. You will be getting 401 Unauthorized error
Now pass the valid username and password [user/password (or) admin/password]
Leave a Reply