Working on implementing HTTP Basic Authentication using Spring Security and Angular JS by including the Authorization header in $http headers:
const headers = {
authorization: "Basic " + btoa(this.login + ":" + this.password)
};
this._$http.get("user",
{
headers: headers,
})
.then(
this.showUser.bind(this),
this.showError.bind(this)
);
After successful login, I navigate to the jobs component using $location:
this._$location.path("jobs");
In the jobs component, I retrieve available job listings:
public $onInit() {
this._$http.get("jobs").then(function(response) {
this.jobs = response.data;
}.bind(this));
this.authenticated = this._loginService.isLogged();
}
Interestingly, even without an authorization header, the functionality seems to work. I expected Spring Security to respond with HTTP 401 Unauthorized, but it still worked flawlessly. However, upon logging out from another browser window and reloading the jobs, they are not loaded. This raises concerns about whether the authorization data (HTTP Basic) should be included in all requests. Here is a snippet of my security configuration:
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.successHandler(
new DifferentRoleBasedStartingURLsAuthenticationSuccessHandler()
)
.and()
.logout()
.logoutUrl("/logout")
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/jobs/**").authenticated()
.antMatchers("/interviews/**").authenticated()
.anyRequest().permitAll()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
;
I am uncertain if I made an error here. I believed that the rule
.antMatchers("/jobs/**").authenticated()jobs/. Any suggestions or assistance would be greatly appreciated. Thank you.
UPDATE 2016-07-31:
I am starting to question whether authorization headers are truly necessary for every request in Spring with Angular integration. You can find my repository here, with the password set as test for all user accounts created.