I am working on implementing HTTP Basic Authentication using Spring Security and Angular JS by including the Authorization header in $http headers:
    const headers = {
        authorization: "Basic " + btoa(this.login + ":" + this.password)
    };
    this._$http.get("user",
        {
            headers: headers,
        })
        .then(
            this.showUser.bind(this),
            this.showError.bind(this)
        );
After successful login, I navigate to the jobs component using $location:
    this._$location.path("jobs");
In the jobs component, I retrieve available job listings:
    public $onInit() {
        this._$http.get("jobs").then(function(response) {
            this.jobs = response.data;
        }.bind(this));
        this.authenticated = this._loginService.isLogged();
    }
Interestingly, even without an authorization header, the functionality seems to work. I expected Spring Security to respond with HTTP 401 Unauthorized, but it still worked flawlessly. However, upon logging out from another browser window and reloading the jobs, they are not loaded. This raises concerns about whether the authorization data (HTTP Basic) should be included in all requests. Here is a snippet of my security configuration:
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .successHandler(
                    new DifferentRoleBasedStartingURLsAuthenticationSuccessHandler()
                )
                .and()
            .logout()
                .logoutUrl("/logout")
                .and()
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers("/jobs/**").authenticated()
                .antMatchers("/interviews/**").authenticated()
                .anyRequest().permitAll()
                .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        ;
    }
I am uncertain if I made an error here. I believed that the rule .antMatchers("/jobs/**").authenticated() should also apply to jobs/. Any suggestions or assistance would be greatly appreciated. Thank you.
UPDATE 2016-07-31:
I am starting to question whether authorization headers are truly necessary for every request in Spring with Angular integration. You can find my repository here, with the password set as test for all user accounts created.
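Added example, not part of the original post or its repository: by default Spring Security saves the authenticated security context in the HTTP session, so after the first Basic-authenticated request the session cookie alone authenticates later requests until logout. The configuration below (hypothetical class name, assuming the Spring Security 4 WebSecurityConfigurerAdapter style used in the post) turns that session off, so every request to /jobs/** must carry its own Authorization header or receive 401.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; added example, not code from the post's repository.
@Configuration
@EnableWebSecurity
public class StatelessBasicSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Never create or consult an HttpSession for the security context,
            // so an earlier login cannot authenticate a later request.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // formLogin() from the post is left out here: it relies on the
            // session to remember the user after the login form is submitted.
            .httpBasic()
                .and()
            .authorizeRequests()
                // Same access rules as in the post.
                .antMatchers("/jobs/**").authenticated()
                .antMatchers("/interviews/**").authenticated()
                .anyRequest().permitAll()
                .and()
            .csrf()
                // The cookie-based CSRF token repository does not need a session.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With the session kept, as in the post's configuration, the header is only needed on the first request and logout invalidates the session for every window that shares the cookie.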