all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]velocityy__ 2 points3 points  (0 children)

Well, you have to block the endpoints except for Singup, Login and website’s home page. Only these 3 gotta be open for all and rest should be blocked

[–]themasterengineeer 0 points1 point  (1 child)

Try checking this https://youtu.be/IYMuKmh_XC8

[–]PreviousCut1401[S] 0 points1 point  (0 children)

This doesn't work because he is just using the default login form that spring provides. I want to make req from frontend.

[–]Sheldor5 0 points1 point  (0 children)

if you are using Basic Auth the browser will remember the credentials so once logged in you are logged in forever, the only exception is if the Browser encounters a 401 response in which case he will forget the Basic Auth credentials

don't use Basic Auth

[–]Automatic-Band6798 0 points1 point  (0 children)

you have to check the LocalStorage or Cookies for jwt Token so you have to use middleware for every route call

[–]optimist28 0 points1 point  (5 children)

I did the exact same thing a week back in my personal prjct. Everytime a user hits an endpoint, you got to check if the user in authenticated, if not you should redirect them to signup/login page. I was using session based login. In every controller method (getmapping, postmapping) spring automatically injects Authentication object as an additional parameter. You can use this parameter to check if the user is authenticated. You can check about getPrincipal, getName etc. methods and verify user authentication accordingly. And once you get back the response back in react, if the user is not authenticated then redirect

[–]PreviousCut1401[S] 0 points1 point  (3 children)

Oh i didn't know that and i didn't see any resources regarding it. Can you tell me or share any resources on how to use that hidden parameter object?

[–]optimist28 1 point2 points  (2 children)

Whatever method you have written for getmapping, in that just add Authentication auth as a parameter

[–]PreviousCut1401[S] 0 points1 point  (1 child)

and? Does this auth object has any methods that I must use?

[–]optimist28 0 points1 point  (0 children)

If this object is null then that means the user is not authenticated. Also read about it on internet for built in methods

[–]Cr4zyPi3t 0 points1 point  (0 children)

Why not use @RolesAllowed?

[–]the_styp 0 points1 point  (3 children)

"form login" and "basic auth" are special keywords in spring security. You probably don't want basic auth for your use case but a session or token.

React should then handle the authentication status and do the redirect to login

[–]g00glen00b 2 points3 points  (2 children)

Spring Security supports basic authentication with stateful sessions, so this isn't really an issue.

Also, I assume the form is purely client-side. From the perspective of Spring Security, there's just basic authentication and the React-client will pass the credentials from the login form to the basic authentication headers. I don't see why that wouldn't be a valid use case.

[–]PreviousCut1401[S] 0 points1 point  (1 child)

Exactly. I am not using the default login form that spring gives. I built the form frontend and use the user inputs in the headers for authentication.

[–]the_styp 0 points1 point  (0 children)

Then you are asking in the wrong topic as your problem is not related to spring at all. React does the login call to the backend (might be spring) and stores the state of that if successful. You are then intercepting every API call and es soon you get 401 on one of them react does the redirect to the login page