I am a newbie with Spring Security and I have created a basic auth for my Spring Boot application to try it out.

I have created MYGlobalAuthenticationConfigurerAdapter like this:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
public class MYGlobalAuthenticationConfigurerAdapter extends GlobalAuthenticationConfigurerAdapter {

    @Value("${username}")
    String username;

    @Value("${password}")
    String password;

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {

            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                // The parameter "username" shadows the field of the same name, so whatever
                // name the request carries is returned as a valid user (the behaviour reported below).
                return new User(username, password, true, true, true, true,
                        AuthorityUtils.createAuthorityList("USER"));
            }
        };
    }
}

Note that I load the username and password from a properties file and I validate against those values.

and MyWebSecurityConfigurerAdapter like this:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().fullyAuthenticated().and()
            .httpBasic().and().csrf().disable();
    }
}

with a @EnableWebSecurity annotation.

I use Postman to connect to one of my web services with a username and password. Every time I change the username, the request is still validated, even if the username is not the same as the one I put in my properties file.

Muhammad Bekette

1 Answer

This is because you are returning a User object in all cases, without any check against the name received as the argument. Try the following code:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
public class MYGlobalAuthenticationConfigurerAdapter extends GlobalAuthenticationConfigurerAdapter {

    @Value("${username}")
    String username;

    @Value("${password}")
    String password;

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService());
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {

            @Override
            public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
                // "name" no longer shadows the configured "username" field, so only the
                // configured account is returned; any other name is rejected.
                if (name.equals(username)) {
                    return new User(username, password, true, true, true, true,
                            AuthorityUtils.createAuthorityList("USER"));
                } else {
                    throw new UsernameNotFoundException("Could not find the user '" + name + "'");
                }
            }
        };
    }
}

UPDATE

The user will not be validated with any password, but only with the password you use in the User creation inside the loadUserByUsername() method. In this method you only find the user by username and return it; authentication is not done here. Authentication is done internally by Spring, which matches the password you passed while creating (and returning) the user against the password you passed in the request. It also verifies the role of the user for the URL you are accessing: if the URL is mapped to any specific role, then a user with that role is given access, and for any other role it will send an access denied response. So it will not authenticate the user with any password.

Md Zahid Raza
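The update above describes the split of responsibilities: loadUserByUsername() only looks the account up, and the password comparison happens inside Spring's DaoAuthenticationProvider. The following stand-alone program is an added example (not code from the question or the answer) that drives that provider directly, without a Spring Boot context, so you can see both halves work. It assumes only spring-security-core and spring-security-crypto on the classpath; the constant username and password are constructed sample values standing in for the ${username} and ${password} properties, and the password is stored as a BCrypt hash rather than in clear text.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example: exercises DaoAuthenticationProvider, the component that
 * Spring's AuthenticationManager delegates to for username/password logins.
 * No Spring Boot context is needed.
 */
public class BasicAuthCheckDemo {

    // Constructed sample values; in the question they come from ${username} / ${password}.
    static final String CONFIGURED_USERNAME = "admin";
    static final String CONFIGURED_PASSWORD = "correct-horse";

    /** Wires a UserDetailsService and a PasswordEncoder into the provider. */
    static AuthenticationProvider buildProvider() throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Only the hash is kept; the provider compares with encoder.matches().
        String storedHash = encoder.encode(CONFIGURED_PASSWORD);

        UserDetailsService users = name -> {
            // The lambda parameter is named differently from the configured value,
            // so there is no shadowing: unknown names are rejected here, not echoed back.
            if (!CONFIGURED_USERNAME.equals(name)) {
                throw new UsernameNotFoundException("Could not find the user '" + name + "'");
            }
            return new User(CONFIGURED_USERNAME, storedHash, true, true, true, true,
                    AuthorityUtils.createAuthorityList("USER"));
        };

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // Default is already true: a UsernameNotFoundException is surfaced as
        // BadCredentialsException, so a caller cannot distinguish "no such user"
        // from "wrong password" and enumerate account names.
        provider.setHideUserNotFoundExceptions(true);
        provider.afterPropertiesSet();
        return provider;
    }

    /** Runs one login attempt and reports the outcome Spring would produce. */
    static String attempt(AuthenticationProvider provider, String user, String password) {
        try {
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(user, password));
            return "OK as " + result.getName() + " " + result.getAuthorities();
        } catch (BadCredentialsException e) {
            return "REJECTED (bad credentials)";
        } catch (AuthenticationException e) {
            return "REJECTED (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        AuthenticationProvider provider = buildProvider();
        System.out.println(attempt(provider, "admin", "correct-horse"));
        System.out.println(attempt(provider, "admin", "wrong"));
        System.out.println(attempt(provider, "someone-else", "correct-horse"));
    }
}
```

Only the first attempt succeeds, with the USER authority attached; the second fails on the password comparison performed by the provider, and the third fails because the UserDetailsService throws UsernameNotFoundException, which the provider reports as the same bad-credentials failure. Reproducing the question's shadowing bug in the lambda (returning a User for whatever name arrives) would make the third attempt succeed, which is exactly the symptom observed in Postman.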
  • can you look at my question please @md zahid raza? https://stackoverflow.com/questions/46065063/spring-boot-basic-authentication – Felipe A. Sep 06 '17 at 02:47