Skip to content
Advertisement

endpoint for authentication with spring security

I wanna create custom endpoint for login.

@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginUserRequest userRequest) {
    Authentication authentication = authenticationManager.authenticate(
            new UsernamePasswordAuthenticationToken(userRequest.getUsername(), userRequest.getPassword()));
    if (authentication != null && !(authentication instanceof AnonymousAuthenticationToken) && authentication.isAuthenticated()) {
        SecurityContextHolder.getContext().setAuthentication(authentication);
        return new ResponseEntity<>(null, null, HttpStatus.OK);
    }
    return new ResponseEntity<>(null, null, HttpStatus.UNAUTHORIZED);
}

It works fine when password and username are correct but returns 200 and login form instead 401 for incorrect data.

@EnableWebSecurity

public class SecurityConfiguration extends WebSecurityConfigurerAdapter { private final UserDetailsService userDetailsService;

public SecurityConfiguration(UserDetailsService userDetailsService) {
    this.userDetailsService = userDetailsService;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET).hasAuthority(UserRole.USER.name())
            .antMatchers(HttpMethod.POST, "/users").permitAll()
            .antMatchers(HttpMethod.POST, "/users/login").permitAll()
            .antMatchers(HttpMethod.POST).hasAuthority(UserRole.USER.name())
            .and()
            .formLogin()
            .permitAll()
            .and()
            .logout().invalidateHttpSession(true)
            .clearAuthentication(true).permitAll()
            .and()
            .csrf().disable();
}

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

}

Advertisement

Answer

Try something like that:

Don’t forget to Autowire AuthenticationManager and other services!

 @RequestMapping(value = "/auth", method = RequestMethod.POST)
    public ResponseEntity<?> getAuthenticationToken(
            @RequestBody YourRequestDTO yourRequestDTO
    ) {
       
        try {

            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            authenticationRequest.getLogin(),
                            authenticationRequest.getPassword()
                    )
            );
        } catch (BadCredentialsException e) {
            ErrorResponse errors = new ErrorResponse();
            errors.addError("credentials", "Wrong password or username!");
            return ResponseEntity.status(YourStatus).body(errors);
        }

User contributions licensed under: CC BY-SA
1 People found this is helpful
Advertisement