Access spring security protected APIs using curl

Steps to access spring security protected APIs very much depend upon the Web Security Configuration in your spring boot project.

Below example i have tried to demonstrate two different Web Security Configuration and how to access it using curl.

Suppose we are trying to access following end url
http://localhost:8080/api/student

Example 1: HTTP Basic Authentication

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and()
.httpBasic();
}
// you other overriden methods}

Steps and Syntax are as follows :

$ curl -i endurl$ curl endurl -u 'myusername:mypassword' -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i http://localhost:8080/api/studentHTTP/1.1 401 
Set-Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 08 Sep 2021 08:06:31 GMT
{"timestamp":"2021-09-08T08:06:31.130+00:00","status":401,"error":"Unauthorized","message":"","path":"/api/student"}$ curl http://localhost:8080/api/student -u 'admin:admin123' -H 'Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32'

Example 2 : Form Login Authentication with csrf enabled

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
authorizeRequests()
.anyRequest()
.fullyAuthenticated()
.and()
.formLogin();
}
// you other overriden methods}

Steps and Syntax are as follows :

$  curl -i loginurl$ curl -i -X POST loginurl -H 'Cookie: JSESSIONID=session_token' --data 'username=myusername&password=mypassword&_csrf=csrf_token'$ curl endurl -H 'Cookie: JSESSIONID=authenticated_session_token'

Output

$ curl -i http://localhost:8080/loginHTTP/1.1 200 
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 1406
Date: Thu, 09 Sep 2021 06:19:52 GMT
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<form class="form-signin" method="post" action="/login">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<label for="username" class="sr-only">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
</p>
<p>
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body></html>

NOTE: Due to form login , the API server returns a login form in response body for all un-authenticated access. csrf token can be found as hidden input in the login form.

$ curl -i -X POST http://localhost:8080/login -H 'Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A' --data 'username=admin&password=admin123&_csrf=484e6890-8758-4e97-97b2-d9f5968432a4'HTTP/1.1 302 
Set-Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 06:21:39 GMT
$ curl http://localhost:8080/api/student -H 'Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241'

3. Example 2 : Form Login Authentication with csrf disabled

$ curl -i -X POST loginurl --data 'username=myusername&password=mypassword'$ curl endurl -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i -X POST 'http://localhost:8080/login' --data 'username=myuser&password=mypassword'HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B; Path=/; HttpOnly
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 05:36:26 GMT
$ curl http://localhost:8080/hello -H 'Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B'

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store