Access spring security protected APIs using curl

Himanshu Pratap
3 min readSep 8, 2021

--

Steps to access spring security protected APIs very much depend upon the Web Security Configuration in your spring boot project.

Below example i have tried to demonstrate two different Web Security Configuration and how to access it using curl.

Suppose we are trying to access following end url
http://localhost:8080/api/student

Example 1: HTTP Basic Authentication

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and()
.httpBasic();
}
// you other overriden methods}

Steps and Syntax are as follows :

  1. Access end url using curl and extract JSESSIONID token from response header
  2. Access end url again with login credentials and jsession token
$ curl -i endurl$ curl endurl -u 'myusername:mypassword' -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i http://localhost:8080/api/studentHTTP/1.1 401 
Set-Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 08 Sep 2021 08:06:31 GMT
{"timestamp":"2021-09-08T08:06:31.130+00:00","status":401,"error":"Unauthorized","message":"","path":"/api/student"}$ curl http://localhost:8080/api/student -u 'admin:admin123' -H 'Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32'

Example 2 : Form Login Authentication with csrf enabled

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and()
.formLogin();
}
// you other overriden methods}

Steps and Syntax are as follows :

  1. Access login using curl. Extract JSESSIONID token from response header and csrf token from response body
  2. Access login url with credentials, csrf token and jsession token. Extract new jsessionid token from response header.
  3. Access endurl with new authenticated jsession token.
$  curl -i loginurl$ curl -i -X POST loginurl -H 'Cookie: JSESSIONID=session_token' --data 'username=myusername&password=mypassword&_csrf=csrf_token'$ curl endurl -H 'Cookie: JSESSIONID=authenticated_session_token'

Output

$ curl -i http://localhost:8080/loginHTTP/1.1 200 
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 1406
Date: Thu, 09 Sep 2021 06:19:52 GMT
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<form class="form-signin" method="post" action="/login">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<label for="username" class="sr-only">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
</p>
<p>
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body></html>

NOTE: Due to form login , the API server returns a login form in response body for all un-authenticated access. csrf token can be found as hidden input in the login form.

$ curl -i -X POST http://localhost:8080/login -H 'Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A' --data 'username=admin&password=admin123&_csrf=484e6890-8758-4e97-97b2-d9f5968432a4'HTTP/1.1 302 
Set-Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 06:21:39 GMT
$ curl http://localhost:8080/api/student -H 'Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241'

3. Example 2 : Form Login Authentication with csrf disabled

  1. Access login url with credentials . Extract jsessionid token from response header.
  2. Access endurl with jsession token.
$ curl -i -X POST loginurl --data 'username=myusername&password=mypassword'$ curl endurl -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i -X POST 'http://localhost:8080/login' --data 'username=myuser&password=mypassword'HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B; Path=/; HttpOnly
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 05:36:26 GMT
$ curl http://localhost:8080/hello -H 'Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B'

--

--

Himanshu Pratap
Himanshu Pratap

Written by Himanshu Pratap

System Administrator and Full stack web developer.

No responses yet