5

I have a basic Spring Boot API with Spring Security enabled. When accessing a secured resource from within Vue (using axios), the browser will request me for username and password with an "Authorization Required" pop-up. After that, the credentials seem to be stored by the browser and I can just keep on making requests.

How should I bypass the authentication process made by the browser and replace it with one made and controlled directly by Vue Js?

Improve this question
3
  • If you really want to keep basic-authentication you will need to send an Authentication Header with your requests. You can define interceptors in axios to ensure they are sent with every request. However I'd prefer to use cookies / jwt tokens for authentication. Commented Apr 3, 2017 at 13:47
  • I assume I would have to configure Spring Boot to handle JWT then? Know any reference for this? Commented Apr 3, 2017 at 13:56
  • I think this explains it very well : svlada.com/jwt-token-authentication-with-spring-boot - however - if you are new to auth and vue I'd suggest you try to send the Basic Auth Header with every request in a first attempt to get into the topic. You will not need a lot of code and it's a good training. Commented Apr 3, 2017 at 14:11

1 Answer 1

Reset to default
5

First, add security configuration (Assuming you are using Spring Security):

@Configuration
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll()
                .and().httpBasic().authenticationEntryPoint(apiAwareLoginUrlAuthenticationEntryPoint())
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Bean
    public ApiBasicAuthenticationEntryPoint apiAwareLoginUrlAuthenticationEntryPoint() {
        ApiBasicAuthenticationEntryPoint entryPoint = new ApiBasicAuthenticationEntryPoint();
        entryPoint.setRealmName("Api Server");
        return entryPoint;
    }

    public static class ApiBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
            response.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealmName() + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            //response.setContentType("");
            PrintWriter writer = response.getWriter();
            ObjectMapper mapper = new ObjectMapper();
            mapper.writeValue(writer, ApiDataGenerator.buildResult(
                    ErrorCode.AUTHORIZATION_REQUIRED, "Authorization failed"));
        }

    }
}

Second, Add authentication in the http request header in following format:

  • Authorization: Basic qwerasdfzxcv
  • qwerasdfzxcv is base64 hash that encode by username:password
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.