Problem with integrating Spring Boot backend + OAuth with frontend app




I have a backend Spring Boot app which uses data from the Spotify API, and it requires the user to log in in order to provide my app with an auth token. It works fine, but I have no idea how to integrate it with a frontend app. When sending requests from outside of the server app (localhost:8080) I always get a 403 code.

The problem might be that I should request the Spotify token on the frontend, and then somehow pass it to the backend, but to be honest I don't even know what I should google in order to achieve this.

Here are some key classes:

@Configuration
@EnableOAuth2Sso
public class SpotifyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception{
        http.authorizeRequests().antMatchers("/login").authenticated();
    }

}
And inside @RestController:
@GetMapping("/user")
public Principal user(Principal principal) {
    return principal;
}

@GetMapping("/")
public Principal home(Principal principal) {
    return principal;
}

@GetMapping("/login")
public Principal login(Principal principal) {
    return principal;
}

This is my first time with something related to Spring Security and I have no idea what's going on in here xd

Answer

First of all, all of your requests are prohibited by Spring Security because of this line of code.

http.authorizeRequests().antMatchers("/login").authenticated();

You have to grant access to certain requests, or to any request, but in your case you have forbidden every request. That's the reason why, when you try to access the Spring Boot app through REST, you receive a 403 status (Forbidden).

So, you have multiple options to resolve this. I'll give you two.

  1. If you want to grant access to every request, change the line of code in your Spring Security configuration from above to this:
http.authorizeRequests().antMatchers("/**").permitAll();
  • "/**" means all folders and subfolders
  • permitAll() means Spring Security grants access to all requests that match the antMatchers function.
  2. If you want to give access to some requests, and authenticate the user by login and other security stuff, you could start like this:
http.authorizeRequests()
    .antMatchers("/somePath").authenticated()
    .antMatchers("/somePath2").authenticated()
    .antMatchers("/somePath3").permitAll();

But Spring Security is so much deeper than this, so if you want to go deeper into the many configurations available, you need to read the official docs: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#preface. They also have a lot of simple configuration examples to have fun with.
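The two options above, applied to the controller paths from the question, as an added example that is not part of the original answer. It assumes the Spring Boot OAuth2 autoconfigure setup implied by the question's @EnableOAuth2Sso, and it assumes that "/" is meant to be public while everything else needs a login.

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class SpotifyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Weak variant (option 1 in the answer): every path is public, so
        // /user is served to callers who have not logged in.
        // http.authorizeRequests().antMatchers("/**").permitAll();

        // Per-path variant (option 2). Rules are evaluated in the order they
        // are declared, and the first matching rule decides.
        http.authorizeRequests()
                // Assumption: the landing page is meant to be public.
                .antMatchers("/").permitAll()
                // Controller paths from the question that need a logged-in user.
                .antMatchers("/user", "/login").authenticated()
                // Anything not listed above also requires a login.
                .anyRequest().authenticated();
    }
}
```

Ending the chain with anyRequest().authenticated() means a controller path added later is protected unless it is explicitly opened.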



Source: stackoverflow