Configuring security in using Spring Boot


Joshua Chaitin-Pollak

Aug 19, 2014, 4:02:52 PM
to light...@googlegroups.com
Hello,

I've gone through the spring-boot tutorial and gotten LightAdmin set up so it starts cleanly. I have it configured like this:

        LightAdmin.configure(servletContext)
                .basePackage("com.assuredlabor.caipirinha.lightadmin")
                .baseUrl("/admin")
                .security(false)
                .backToSiteUrl("http://lightadmin.org");

When I browse to http://localhost:9090/admin I get a basic-auth prompt in the 'Spring' realm. If I click login, I get another basic-auth prompt in the 'Realm' realm. Then I get an authentication error page.

There doesn't seem to be any documentation on how to configure security. Is there any magic to it?

PS. I found I needed to exclude freemarker and velocity templates, since they are brought in by tiles-utils. If LightAdmin doesn't use those template engines, it would be good to exclude them to keep downstream projects as small as possible and error free.

Maxim Kharchenko

Sep 4, 2014, 6:17:11 AM
to light...@googlegroups.com
Hi Joshua,
I've already excluded freemarker and velocity dependencies.
Regarding security, could you check with the latest version, please?

Cheers,
Max
LightAdmin Team

Luc De pauw

Sep 24, 2014, 5:45:06 AM
to light...@googlegroups.com
Hi, has this been fixed? I'm using 1.0.1-RELEASE but still get a basic authentication request.

Luc De pauw

Sep 24, 2014, 6:02:37 AM
to light...@googlegroups.com
Spring Boot adds basic authentication to the webapp when it finds spring-security on the classpath.
The default username is 'user' and the password is a UUID generated at application startup time.

Maxim Kharchenko

Sep 24, 2014, 6:10:30 AM
to
Hi mate,
Yep, you're right. 
In order to disable Spring Boot's default security, please adjust your application.properties accordingly:

    security.basic.enabled=false

Cheers,
Max
LightAdmin Team

membersound

Feb 16, 2015, 4:16:50 AM
to light...@googlegroups.com
@Maxim Kharchenko
This should be included in the getting started page of lightadmin. I had the same issue and just found this by chance.
Most users - when evaluating lightadmin for use - won't require the security feature for a quickstart.

membersound

Feb 16, 2015, 4:18:26 AM
to light...@googlegroups.com
@Joshua Chaitin-Pollak
Did disabling spring security work for you? In my case NOT! I just get a 404 not found for myapp/admin path (or the Realm page if I enable spring security).

Joshua Chaitin-Pollak

Feb 16, 2015, 1:58:12 PM
to light...@googlegroups.com
Hi,

We eventually got the LightAdmin working with Spring Security, but we removed LightAdmin once we got our own front end up and running, so I can't tell you exactly how we have it working now. We had the following configuration in our App.java (this could be moved to a separate @Configuration class):

    @Bean
    public ServletContextInitializer servletContextInitializer() {
        return new ServletContextInitializer() {
            @Override
            public void onStartup(ServletContext servletContext) throws ServletException {
                // LightAdmin's built-in security is disabled here.
                LightAdmin.configure(servletContext)
                        .basePackage("com.example.app")
                        .baseUrl("/admin")
                        .security(false)
                        .backToSiteUrl("http://lightadmin.org");

                // Register LightAdmin with the servlet context.
                new LightAdminWebApplicationInitializer().onStartup(servletContext);
            }
        };
    }

And then our SecurityConfiguration.java class looks like this:

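    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    @EnableGlobalMethodSecurity(jsr250Enabled = true, prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        // The application's own UserDetailsService implementation.
        @Autowired
        public AuthenticationService authenticationService;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(authenticationService);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // CSRF protection is disabled; authentication is HTTP Basic.
            http.csrf().disable().httpBasic()
                .and()
                .authorizeRequests()
                    // Both URL trees require ROLE_ADMIN.
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/management/**").hasRole("ADMIN");
        }
    }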

I hope that helps.
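
Added example (not part of the post above and not LightAdmin code): a JUnit 4 test that checks the access rules declared in the SecurityConfiguration class above. It assumes Spring Boot 1.4+ test support and spring-security-test 4.x on the test classpath; the test class name, the user names and the USER role are made up for illustration.

```java
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Hypothetical test class; assumes Spring Boot 1.4+ and spring-security-test 4.x.
@RunWith(SpringRunner.class)
@SpringBootTest
public class AdminAccessRulesTest {
    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;

    @Before
    public void setUp() {
        // Send every request through the application's springSecurityFilterChain.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test // no credentials: httpBasic() answers with a 401 challenge
    public void anonymousIsChallenged() throws Exception {
        mvc.perform(get("/admin/")).andExpect(status().isUnauthorized());
    }

    @Test // authenticated but without ROLE_ADMIN: 403
    public void nonAdminIsForbidden() throws Exception {
        mvc.perform(get("/management/x").with(user("alice").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test // ROLE_ADMIN passes the filter chain; the final status depends on the app
    public void adminIsNotRejected() throws Exception {
        int sc = mvc.perform(get("/admin/").with(user("root").roles("ADMIN")))
                    .andReturn().getResponse().getStatus();
        assertTrue(sc != 401 && sc != 403);
    }
}
```

The configuration has no `anyRequest()` rule, so paths outside `/admin/**` and `/management/**` are not restricted by it; a fourth test on such a path would show that.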

Hãnh Nguyễn

May 15, 2018, 3:21:30 AM
to Light Admin Group
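    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserDetailsService userDetailsService;

        @Bean
        public PasswordEncoder passwordEncoder() {
            System.out.println("Vao password encoder");
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            System.out.println("I am here");
            http.cors().and().csrf().disable().authorizeRequests()
                    .antMatchers("/register").permitAll()
                    .antMatchers("/").hasRole("MEMBER")
                    // Matches only the exact path /admin, not /admin/**.
                    .antMatchers("/admin").hasRole("ADMIN")
                    .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .usernameParameter("email")
                    .passwordParameter("password")
                    .defaultSuccessUrl("/").permitAll()
                    .failureUrl("/login?error").permitAll()
                    .and()
                .exceptionHandling()
                    .accessDeniedPage("/403");
            // http.cors().and().csrf().disable();
            // http.headers().frameOptions().disable();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
        }
    }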

I can't override the default login template.