
How to make an endpoint accessible in Spring Security without credentials

With Spring Security's default configuration, every endpoint requires a valid user managed by the application. Not every endpoint needs to be secured, however, and those that do may need different authorization rules. To make these changes, extend the WebSecurityConfigurerAdapter class and override its configure(HttpSecurity http) method, as shown in the listings below. Note that the example calls anyRequest().permitAll(), so every endpoint of the application, not only /demo, becomes reachable without credentials.

pom.xml

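<?xml version="1.0" encoding="UTF-8"?>
<!--
  Build descriptor for the demo application.
  The POM and XMLSchema-instance namespace URIs are identifiers, not download
  locations, and are defined with the http scheme; only the XSD location in
  xsi:schemaLocation is a real URL and may use https.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- The parent supplies dependency and plugin version management for the Spring Boot starters below. -->
  <!-- NOTE(review): 2.6.0 is an old release; pin a currently supported version before reusing this POM. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.0</version>
    <relativePath/> <!-- lookup parent from repository, not local -->
  </parent>

  <groupId>com.example</groupId>
  <artifactId>MakeEndpointsAccessibleWithNoCredentials</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <name>MakeEndpointsAccessibleWithNoCredentials</name>
  <description>Spring Boot Security Make Endpoints Accessible With No Credentials</description>

  <properties>
    <java.version>11</java.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <!-- Keep in step with the parent version above; it is used by the BOM import and the plugin below. -->
    <spring-boot.version>2.6.0</spring-boot.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Adding this starter is what puts Spring Security on the classpath and secures every endpoint by default. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
  </dependencies>

  <!-- Imports the Spring Boot BOM explicitly; the starter parent already manages the same versions. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <version>${spring-boot.version}</version>
        <executions>
          <execution>
            <id>build-info</id>
            <goals>
              <goal>build-info</goal>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

</project>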

 

 

ApplicationConfig.java

package com.java4coding;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Registers the user store and the password encoder used by Spring Security in this demo.
 *
 * <p>Both beans are deliberately simplistic: the single account is hard-coded in source and
 * the encoder performs no hashing. They illustrate the wiring only and are not suitable for
 * anything beyond a local example.
 */
@Configuration
public class ApplicationConfig {

    /**
     * Builds an in-memory user store holding one account with the {@code read} authority.
     *
     * @return a {@link UserDetailsService} backed by {@link InMemoryUserDetailsManager}
     */
    @Bean
    public UserDetailsService userDetailsService() {
        // Demo-only account: the credentials live in source code and are lost on restart.
        var demoUser = User.withUsername("manu")
                .password("abcd")
                .authorities("read")
                .build();

        var inMemoryUsers = new InMemoryUserDetailsManager();
        inMemoryUsers.createUser(demoUser);
        return inMemoryUsers;
    }

    /**
     * Supplies the encoder Spring Security uses to compare submitted and stored passwords.
     *
     * @return the shared {@link NoOpPasswordEncoder} instance
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        // NoOpPasswordEncoder compares passwords as plain text and is deprecated by
        // Spring Security for that reason; a real application needs an adaptive hash
        // such as bcrypt instead.
        return NoOpPasswordEncoder.getInstance();
    }
}

 

 

DemoController.java

package com.java4coding;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Exposes the single REST endpoint used to observe the effect of the security configuration.
 */
@RestController
public class DemoController {

    /**
     * Handles {@code GET /demo}.
     *
     * <p>The method performs no authentication or authorization check of its own; whether a
     * caller needs credentials is decided entirely by the HTTP security configuration, so the
     * greeting text says nothing about the caller actually having been authorized.
     *
     * @return a fixed greeting string
     */
    @GetMapping("/demo")
    public String sayHello() {
        final String greeting = "Hurray! You are Authorized.";
        return greeting;
    }
}

 

 

ApplicationWebSecurityConfigurerAdapter.java

package com.java4coding;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Overrides Spring Security's default HTTP rules so that requests are served without credentials.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated from Spring Security 5.7
 * onward; it is still available in the version this project's POM pins.
 */
@Configuration
public class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    /**
     * Enables HTTP Basic authentication and then permits every request.
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // anyRequest().permitAll() opens ALL endpoints, not just /demo. Outside a demo,
        // scope permitAll() to the specific public paths and end the rule chain with
        // anyRequest().authenticated() so that new endpoints are protected by default.
        //
        // HTTP Basic stays enabled: a request that carries an Authorization header with
        // wrong credentials is still rejected by the Basic authentication filter, even
        // though a request with no credentials at all is allowed through.
        http.httpBasic()
                .and()
                .authorizeRequests()
                .anyRequest()
                .permitAll();
    }
}

 

 

SpringBootDemo.java

package com.java4coding;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Application entry point; {@code @SpringBootApplication} enables auto-configuration and
 * component scanning from this class's package.
 */
@SpringBootApplication
public class SpringBootDemo {

    /**
     * Boots the Spring application context and the embedded web server.
     *
     * @param args command-line arguments, passed through to Spring Boot unchanged
     */
    public static void main(String[] args) {
        // Same steps the static SpringApplication.run(Class, String...) helper performs.
        var application = new SpringApplication(SpringBootDemo.class);
        application.run(args);
    }
}

 

Let’s try the endpoint without passing credentials:

spring-security-without-the-need-for-credentials-0
 
