Spring Security integration with a REST API

Hi guys,

Heard about this forum and thought this would be a great place to ask a question. They say there are no stupid questions... please disagree if you feel like it.

I'm trying to pick up Spring but not having a strong Java knowledge I have to learn a lot of stuff around it as I get to it. I understand it's a terrible way to learn but I kinda enjoy it. I understand there is no structure to such learning but I'm having fun and I see it as a form of entertainment. This is a hobby so I am not charging anybody money or making any sort of real world damage.

I'm trying to integrate Spring Security with a rest api I'm trying to build. Most things are clear. I need to override methods that redirect and return 401 / 200 instead of 302. Also I have to configure in memory users. I've followed a couple of tutorial but in the end I made a solution that's kind of a hybrid. Having done that I am left with 3 lines that confuse me, because I don't really understand what Spring is doing with it.

My custom security configurer class that extends WebSecurityConfigurerAdapter

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; @Configuration @EnableWebSecurity @Order(101) public class MySecurityConfigurer extends WebSecurityConfigurerAdapter { @Autowired private RestAuthenticationEntryPoint restAuthenticationEntryPoint; @Autowired private CustomAuthenticationSuccessHandler authenticationSuccessHandler; @Override protected void configure(AuthenticationManagerBuilder builder) throws Exception { builder.inMemoryAuthentication() .withUser("root").password("root").roles("ADMIN") .and() .withUser("admin").password("admin").roles("ADMIN"); } @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .exceptionHandling() .authenticationEntryPoint(restAuthenticationEntryPoint) .and() .authorizeRequests() .antMatchers("/api/**").authenticated() .and() .formLogin() .successHandler(authenticationSuccessHandler) .failureHandler(new SimpleUrlAuthenticationFailureHandler()) .and() .logout(); } @Bean public CustomAuthenticationSuccessHandler mySuccessHandler() { return new CustomAuthenticationSuccessHandler(); } }

I'm am not sure what these lines are doing. And any help would be greatly appreciated.

@Bean public CustomAuthenticationSuccessHandler mySuccessHandler() { return new CustomAuthenticationSuccessHandler(); }

I'm assuming that Spring registers it somewhere but I would like to know a bit more.


Here are the other two files in my `security` package

import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.SavedRequest; import org.springframework.util.StringUtils; public class CustomAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler { private RequestCache requestCache = new HttpSessionRequestCache(); @Override public void onAuthenticationSuccess( HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException { SavedRequest savedRequest = requestCache.getRequest(request, response); if (savedRequest == null) { clearAuthenticationAttributes(request); return; } String targetUrlParam = getTargetUrlParameter(); if(isAlwaysUseDefaultTargetUrl() || (targetUrlParam != null && StringUtils.hasText(request.getParameter(targetUrlParam)))) { requestCache.removeRequest(request, response); clearAuthenticationAttributes(request); return; } clearAuthenticationAttributes(request); } public void setRequestCache(RequestCache requestCache) { this.requestCache = requestCache; } }

import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.stereotype.Component; @Component("restAuthenticationEntryPoint") public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint{   @Override   public void commence(   HttpServletRequest request,   HttpServletResponse response,   org.springframework.security.core.AuthenticationException authException   ) throws IOException, ServletException {        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized"); } }


Thank you in advance.

Mirko