
Spring Security Authorize request from native Postman app


I am exploring/learning Spring Security modules by implementing them through a REST API.

To test the impact, we are using the Postman native application as a REST client.

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/auth")
public class Employee {

    // Protected resource: GET /auth/status
    @GetMapping("/status")
    public ResponseEntity<String> getStatus() {
        ResponseEntity<String> responseEntity = new ResponseEntity<>("Resource is fetched", HttpStatus.OK);
        return responseEntity;
    }

}

Above is a resource for the sake of consumption, and below is the code snippet that configures authentication and authorization:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class AppSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Two in-memory users; the {noop} prefix tells the delegating encoder that the
    // password is stored as plain text (acceptable for a learning project only)
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("ashish").password("{noop}admin").roles("USER")
                .and().withUser("foo").password("{noop}foo").roles("ADMIN");
    }

    // Only ADMIN may call /auth/status; users authenticate through the default login form
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/auth/status").hasRole("ADMIN").and()
            .formLogin();
    }

    // Delegating encoder: picks the algorithm from the {id} prefix of the stored password
    @Bean
    public PasswordEncoder getPasswordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

}

Now, the authorization code above works fine when tried in a browser (it uses Spring's default login page). However, I am not quite able to understand how to execute/test the same through Postman.

In the method protected void configure(HttpSecurity http), I tried removing formLogin(); it did not work. I added httpBasic(); it also did not work.

In Postman, I am using basic authentication. (Postman screenshot of the error)

While searching on the internet, I came across some really good articles, but almost all of them use some sort of UI technology like Angular or Thymeleaf to demonstrate the concept, which I am finding hard to grasp.

I am referring to the video tutorials below to learn Spring Security.

https://www.youtube.com/watch?v=payxWrmF_0k&list=PLqq-6Pq4lTTYTEooakHchTGglSvkZAjnE&index=6&t=0s

Thanks in advance! Ashish Parab


Solution

    1. Do a GET request to http://localhost:8080/login via Postman and it will return you an HTML page. Extract the _csrf token from the response. It will look like
       <input name="_csrf" type="hidden" 
              value="1c470a6c-dff3-43aa-9d08-d308545dc880" />

    2. Do a POST request as follows to http://localhost:8080/login, copying the _csrf token, username and password as form params.

    (screenshot of the Postman POST request)

    3. Take note of the JSESSIONID cookie value in the response from step two. That is the session ID of the authenticated session.

    4. As long as you send the JSESSIONID in subsequent requests as a cookie, Spring Security knows who you are. Postman will add that cookie automatically to subsequent requests.

    5. You can add it manually as a header with that cookie header, or update the Postman settings to always send the JSESSIONID cookie.
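The same flow, as an added example that is not part of the original answer: a curl script that performs the answer's steps (fetch the login page, extract _csrf, POST the form, reuse the JSESSIONID cookie). It assumes the application from the question is listening on http://localhost:8080 and logs in as the ADMIN user foo/foo defined there; BASE_URL, COOKIE_JAR, RUN_LOGIN and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not the answerer's code): the Postman steps driven by curl.
# Assumes the Spring Boot app from the question is listening on
# http://localhost:8080 and that the in-memory ADMIN user "foo"/"foo" exists.
BASE_URL="${BASE_URL:-http://localhost:8080}"
COOKIE_JAR="${COOKIE_JAR:-./cookies.txt}"   # where curl stores JSESSIONID

# Step 1 helper: pull the hidden _csrf value out of the login page HTML read on
# stdin. Lines are joined first because the <input> may be split across lines,
# as in the answer's sample. Prints the token, or nothing if none is present.
extract_csrf() {
  tr -d '\n' | sed -n 's/.*name="_csrf"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Steps 1 and 2: GET the login page (the cookie jar captures the pre-login
# JSESSIONID that the CSRF token is bound to), then POST username, password and
# _csrf as form fields. Spring Security answers 302 to "/" (or the originally
# requested page) on success and 302 to /login?error on failure, so the status
# and redirect target are printed for the caller to inspect.
login() {
  user="$1"
  pass="$2"
  rm -f "$COOKIE_JAR"
  csrf=$(curl -s -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$BASE_URL/login" | extract_csrf)
  if [ -z "$csrf" ]; then
    echo "login page contained no _csrf token" >&2
    return 1
  fi
  # -c rewrites the jar with the JSESSIONID of the authenticated session
  # (Spring's session-fixation protection issues a new ID on login)
  curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' \
    -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$pass" \
    --data-urlencode "_csrf=$csrf" \
    "$BASE_URL/login"
}

# Steps 3 to 5: send the stored JSESSIONID cookie with the protected request.
# Without the cookie jar Spring Security would redirect to /login again.
fetch_status() {
  curl -s -b "$COOKIE_JAR" -w '\n%{http_code}\n' "$BASE_URL/auth/status"
}

# Run the full flow only when asked, so the file can be sourced for its helpers:
#   RUN_LOGIN=1 sh login_flow.sh
if [ "${RUN_LOGIN:-0}" = "1" ]; then
  login foo foo
  fetch_status
fi
```

Run it with `RUN_LOGIN=1 sh login_flow.sh` while the application is up; the second line of output should be the controller's "Resource is fetched" followed by 200. The cookie jar file then holds a live session cookie, so remove it when you are done testing.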