So far we haven't talked about security. No time to waste, let's add security to our application.
Add the Spring Boot starter security dependency (spring-boot-starter-security) to our pom.xml:
Restart your application and go back to the API endpoint that gives us the information on movie number 1. Refresh the page and... magic, we have an authentication form! The browser is automatically redirected to localhost:8080/login, which displays a form-based login page.
If it doesn't work the first time, try reimporting the Maven changes. With IntelliJ you can enable auto-import.
If you want to access the previous page, the default login is user and the password... hmm, where is this password? The password is generated when the application starts; you can find it in the console log of your IDE. And now we are logged in to the application.
But we didn't add this authentication form, right? But...
That's where Spring Security is awesome. Without any configuration, it gives us a default login form to access our application.
Use Form Based Auth
To log in to our application we can go to the .../login page directly, or request any protected endpoint and we will be redirected to the login form.
But what about logout? Simply request the page .../logout.
A page will then ask you to click on a button to log out. That's it!
You will be redirected to the login page with a notification that you are logged out.
If you request your API again, the browser redirects to the login page as well, since you are no longer signed in to the application.
Behind the scenes
If we take a look at the requests in the network tab of the Chrome DevTools, we can see the request that is sent when you sign in.
We can see the details of the request: it is a POST request, with the status code, some response headers and request headers, but what I want to show you is the Form Data part. It is the actual payload sent to our backend. We can see the username and password values and also another key, _csrf, which we will look at later.
Implement Basic Auth
We will now learn how to switch from form-based auth to basic auth.
First, let's create a new package called, for example, configuration. In it, create a Java class SecurityConfiguration.
Annotate this class with @Configuration and @EnableWebSecurity.
Extend the class WebSecurityConfigurerAdapter. By extending this adapter, we get several methods we can override. First, override the configure method that takes an HttpSecurity parameter.
What we will do now is configure the security so that any request must be authenticated with a username and password.
Remove the existing line in the configure method and use the http object to build the configuration.
Line 2 indicates that we want to declare authorization rules for requests.
Line 3 indicates which requests the rule applies to; here any request will be restricted.
Line 4 specifies that those requests have to be authenticated.
Lines 5 and 6 add the authentication mechanism (HTTP basic).
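As an added illustration (not the tutorial's own listing), here is a complete SecurityConfiguration class that matches the configuration walked through above; the package name com.example.movies.configuration is an assumption, and it assumes Spring Boot 2.x with spring-boot-starter-security on the classpath.

```java
// Assumed package name; adjust to the package you created in your project.
package com.example.movies.configuration;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// @Configuration registers this class as a Spring bean definition source;
// @EnableWebSecurity switches on Spring Security's web support and lets us customise it.
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Start declaring URL authorization rules.
            .authorizeRequests()
                // The rule applies to every request, not only the movie endpoints.
                .anyRequest()
                // Anonymous access is refused: a valid user is required.
                .authenticated()
            .and()
            // Use HTTP Basic (the browser credential popup) instead of the generated login form.
            // CSRF protection stays enabled by default, which is why the _csrf key appeared earlier.
            .httpBasic();
    }
}
```

With this class in place the user name is still user and the password is still the one printed in the console at start-up, because we have not configured our own user store yet.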
Restart your application and refresh the page to access the details of our movie number one.
Now the login form is no longer displayed; the login and password are requested with a browser popup instead.
Enter user as the login and the password generated by Spring (you can find it in the console log).
You are now redirected to the page with the details of movie number 2.
Now log out with the link localhost:8080/logout... but wait, it is not working anymore???
We receive an error page that says:
This application has no explicit mapping for /error, so you are seeing this as a fallback.
This is because Spring checks every request: the login and password must be validated for every page.
If you go back to the previous page you will still be able to access the details of movie number 2.
Next we will see how to implement all of this.
For now, to log in to the application again you have to restart it.