endpoint for authentication with spring security

I wanna create custom endpoint for login.

@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginUserRequest userRequest) {
    Authentication authentication = authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(userRequest.getUsername(), userRequest.getPassword()));
    if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated()) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
        return new ResponseEntity<>(null, null, HttpStatus.OK);
    }
    return new ResponseEntity<>(null, null, HttpStatus.UNAUTHORIZED);
}

JavaScript
​x
 
@PostMapping("/login")public ResponseEntity<?> login(@RequestBody LoginUserRequest userRequest) {    Authentication authentication = authenticationManager.authenticate(            new UsernamePasswordAuthenticationToken(userRequest.getUsername(), userRequest.getPassword()));    if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated()) {        SecurityContextHolder.getContext().setAuthentication(authentication);        return new ResponseEntity<>(null, null, HttpStatus.OK);    }    return new ResponseEntity<>(null, null, HttpStatus.UNAUTHORIZED);}​

It works fine when password and username are correct but returns 200 and login form instead 401 for incorrect data.

@EnableWebSecurity

JavaScript
 
@EnableWebSecurity​

public class SecurityConfiguration extends WebSecurityConfigurerAdapter { private final UserDetailsService userDetailsService;

public SecurityConfiguration(UserDetailsService userDetailsService) {
    this.userDetailsService = userDetailsService;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET).hasAuthority(UserRole.USER.name())
            .antMatchers(HttpMethod.POST, "/users").permitAll()
            .antMatchers(HttpMethod.POST, "/users/login").permitAll()
            .antMatchers(HttpMethod.POST).hasAuthority(UserRole.USER.name())
            .and()
            .formLogin()
            .permitAll()
            .and()
            .logout().invalidateHttpSession(true)
            .clearAuthentication(true).permitAll()
            .and()
            .csrf().disable();
}

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

JavaScript
 
public SecurityConfiguration(UserDetailsService userDetailsService) {    this.userDetailsService = userDetailsService;}​@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {    auth.userDetailsService(userDetailsService);}​@Overrideprotected void configure(HttpSecurity http) throws Exception {    http.cors()            .and()            .authorizeRequests()            .antMatchers(HttpMethod.GET).hasAuthority(UserRole.USER.name())            .antMatchers(HttpMethod.POST, "/users").permitAll()            .antMatchers(HttpMethod.POST, "/users/login").permitAll()            .antMatchers(HttpMethod.POST).hasAuthority(UserRole.USER.name())            .and()            .formLogin()            .permitAll()            .and()            .logout().invalidateHttpSession(true)            .clearAuthentication(true).permitAll()            .and()            .csrf().disable();}​@Override@Beanpublic AuthenticationManager authenticationManagerBean() throws Exception {    return super.authenticationManagerBean();}​

}

Answer

Try something like that:

Don’t forget to Autowire AuthenticationManager and other services!

 @RequestMapping(value = "/auth", method = RequestMethod.POST)
    public ResponseEntity<?> getAuthenticationToken(
            @RequestBody YourRequestDTO yourRequestDTO
    ) {
       
        try {

            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            authenticationRequest.getLogin(),
                            authenticationRequest.getPassword()
                    )
            );
        } catch (BadCredentialsException e) {
            ErrorResponse errors = new ErrorResponse();
            errors.addError("credentials", "Wrong password or username!");
            return ResponseEntity.status(YourStatus).body(errors);
        }

JavaScript
 
 @RequestMapping(value = "/auth", method = RequestMethod.POST)    public ResponseEntity<?> getAuthenticationToken(            @RequestBody YourRequestDTO yourRequestDTO    ) {               try {​            authenticationManager.authenticate(                    new UsernamePasswordAuthenticationToken(                            authenticationRequest.getLogin(),                            authenticationRequest.getPassword()                    )            );        } catch (BadCredentialsException e) {            ErrorResponse errors = new ErrorResponse();            errors.addError("credentials", "Wrong password or username!");            return ResponseEntity.status(YourStatus).body(errors);        }​

Advertisement

Answer