Auto-Generating Spring Security: Accessing the In-memory Database

I came across a blog post on Spring Framework Guru which uses the H2 database console, and thought it would be useful to combine the console with my own Spring Security tutorials.

I've updated the parkrunpb project on GitHub to replace HSQLDB with H2. I've also introduced a new class, WebConfiguration.java, which registers the H2 database console servlet.
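A registration of that kind looks like the following. This is an added example, not the repository's own WebConfiguration.java: the package name, the class name and the use of a "dev" profile are assumptions, and the ServletRegistrationBean import assumes Spring Boot 2.x (Boot 1.x has the same class under org.springframework.boot.context.embedded).

```java
package com.example.parkrunpb.config;   // assumed package, not the project's

import org.h2.server.web.WebServlet;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

/**
 * Registers the H2 web console under /console.
 * Added example; the parkrunpb WebConfiguration.java may differ.
 */
@Configuration
@Profile("dev")   // assumption: the console must not be part of a production build
public class H2ConsoleConfiguration {

    @Bean
    public ServletRegistrationBean<WebServlet> h2ConsoleServlet() {
        ServletRegistrationBean<WebServlet> registration =
                new ServletRegistrationBean<>(new WebServlet(), "/console/*");
        registration.setLoadOnStartup(1);
        // Deliberately no "webAllowOthers" init parameter. H2 treats it as a flag
        // (its presence, not its value, enables it); leaving it out makes the servlet
        // answer 403 to any request that does not come from the loopback address.
        return registration;
    }
}
```

The servlet is a SQL prompt on the application database, so two separate controls matter: the profile keeps the class out of deployed builds, and the missing webAllowOthers flag keeps H2 itself from serving the console to non-local clients even if the Spring Security rules in front of it are misconfigured.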

Start the application:

mvn spring-boot:run

Access The Console

You can access the console at http://localhost:8080/console


Then make sure the JDBC URL is:

jdbc:h2:mem:testdb

and log in:


The layout shows the tables we loaded in schema.sql on the right (CUSTOM_AUTHORITIES, CUSTOM_USERS and PARKRUNCOURSE)

Combine it with Spring Security

The next step is to combine this with Spring Security, so I'll use the configuration from the previous tutorial, Auto-generating Spring Security Tutorial – Custom JDBC Realms.

We start with our class:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // Users and authorities come from the custom_users / custom_authorities
    // tables created by schema.sql. hasAnyRole("CUSTOM_ADMIN") below adds the
    // "ROLE_" prefix, so the stored authority must be "ROLE_CUSTOM_ADMIN".
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery(
                    "select username, password, enabled from custom_users where username = ?")
                .authoritiesByUsernameQuery(
                    "select username, authority from custom_authorities where username = ?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/webjars/**", "/about.html", "/rest/**").permitAll()
                .antMatchers("/admin/**").hasAnyRole("CUSTOM_ADMIN")
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/admin/admin.html")
                    .failureUrl("/login")
                    .permitAll()
            .and()
                .logout()
                    .logoutSuccessUrl("/")
                    .permitAll();
    }
}

We then add rules for the console to the configure method. They have to be declared before anyRequest(): Spring Security checks the matchers in declaration order and uses the first one that matches, so anything listed after anyRequest() never applies, and recent releases refuse such a configuration outright with "Can't configure antMatchers after anyRequest". The H2 console submits its forms without a CSRF token and renders inside frames, which is why CSRF protection and the X-Frame-Options header are switched off here:

        http.authorizeRequests()
                .antMatchers("/", "/console/**").permitAll();
        http.csrf().disable();
        http.headers().frameOptions().disable();

The method then becomes:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Console rules first: anyRequest() must stay the last matcher
                .antMatchers("/", "/console/**").permitAll()
                .antMatchers("/webjars/**", "/about.html", "/rest/**").permitAll()
                .antMatchers("/admin/**").hasAnyRole("CUSTOM_ADMIN")
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/admin/admin.html")
                    .failureUrl("/login")
                    .permitAll()
            .and()
                .logout()
                    .logoutSuccessUrl("/")
                    .permitAll();

        // Both calls apply to the whole application, not only to /console:
        // every form in the app is now exposed to CSRF and may be framed.
        http.csrf().disable();
        http.headers().frameOptions().disable();
    }

This keeps the normal security from the original tutorial on the application and adds a special rule for the console. Be clear about what that rule costs: /console/** is now open to anyone who can reach the port, which hands them a SQL prompt on the application database, and csrf().disable() and frameOptions().disable() weaken every page in the application rather than just the console. That is acceptable on a developer laptop with an in-memory database, but the console should be restricted to an authenticated admin role, the CSRF exemption should be limited to the console path, and the console servlet should not exist in any non-development build.

You can then test the application as before with the username/password customadmin/customadmin. You can also insert or update courses.
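The same SecurityConfig with the console rule scoped down, as an added example that is not part of the original tutorial or the parkrunpb project. The package name is assumed, the APIs are those of Spring Security 4.x/5.x (CsrfConfigurer.ignoringAntMatchers and FrameOptionsConfig.sameOrigin), and the authentication setup is the one from the tutorial.

```java
package com.example.parkrunpb.config;   // assumed package, not the project's

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: the tutorial's SecurityConfig with the H2 console rule
 * restricted to admins and the CSRF / frame-options relaxations limited to
 * the console path. Not the project's own code.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    // Unchanged from the tutorial: custom_users / custom_authorities as the JDBC realm.
    // The stored authority must be "ROLE_CUSTOM_ADMIN" for hasRole("CUSTOM_ADMIN") to match.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery(
                    "select username, password, enabled from custom_users where username = ?")
                .authoritiesByUsernameQuery(
                    "select username, authority from custom_authorities where username = ?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Console only for admins, and declared before anyRequest() so it takes effect
                .antMatchers("/console/**").hasRole("CUSTOM_ADMIN")
                .antMatchers("/", "/webjars/**", "/about.html", "/rest/**").permitAll()
                .antMatchers("/admin/**").hasRole("CUSTOM_ADMIN")
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/admin/admin.html")
                    .failureUrl("/login")
                    .permitAll()
            .and()
                .logout()
                    .logoutSuccessUrl("/")
                    .permitAll()
            .and()
                // CSRF protection stays on for the application; only the console's
                // token-less forms are exempt
                .csrf().ignoringAntMatchers("/console/**")
            .and()
                // The console frames its own pages, so same-origin framing is enough;
                // X-Frame-Options is still sent (SAMEORIGIN) instead of being dropped
                .headers().frameOptions().sameOrigin();
    }
}
```

With this in place an unauthenticated visitor to /console/** is redirected to the login page instead of getting a SQL prompt, the rest of the application keeps its CSRF tokens, and the remaining exposure is limited to whoever already holds CUSTOM_ADMIN. Keep the servlet registration itself confined to a development profile so the endpoint is absent, not merely guarded, in production.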

About the Author Martin Farrell
