Access spring security protected APIs using curl

Himanshu Pratap
3 min readSep 8, 2021

How you access a Spring Security protected API with curl depends on the Web Security Configuration of your Spring Boot project.

Below I demonstrate two different Web Security Configurations and how to access the protected API with curl in each case.

Suppose we are trying to access the following endpoint URL:
http://localhost:8080/api/student

Example 1: HTTP Basic Authentication

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()   // every request must be authenticated
            .anyRequest()
            .fullyAuthenticated()
            .and()
            .httpBasic();          // unauthenticated requests get a 401 with WWW-Authenticate: Basic
    }
    // your other overridden methods
}

Steps and syntax are as follows:

  1. Access the end URL using curl and extract the JSESSIONID token from the response header
  2. Access the end URL again with the login credentials and the JSESSIONID token

$ curl -i endurl
$ curl endurl -u 'myusername:mypassword' -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i http://localhost:8080/api/student
HTTP/1.1 401 
Set-Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 08 Sep 2021 08:06:31 GMT
{"timestamp":"2021-09-08T08:06:31.130+00:00","status":401,"error":"Unauthorized","message":"","path":"/api/student"}
$ curl http://localhost:8080/api/student -u 'admin:admin123' -H 'Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32'

Example 2: Form Login Authentication with CSRF enabled

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()   // every request must be authenticated
            .anyRequest()
            .fullyAuthenticated()
            .and()
            .formLogin();          // default /login form; CSRF protection stays enabled
    }
    // your other overridden methods
}

Steps and syntax are as follows:

  1. Access the login URL using curl. Extract the JSESSIONID token from the response header and the CSRF token from the response body
  2. Access the login URL with the credentials, the CSRF token and the JSESSIONID token. Extract the new JSESSIONID token from the response header.
  3. Access the end URL with the new, authenticated JSESSIONID token.

$ curl -i loginurl
$ curl -i -X POST loginurl -H 'Cookie: JSESSIONID=session_token' --data 'username=myusername&password=mypassword&_csrf=csrf_token'
$ curl endurl -H 'Cookie: JSESSIONID=authenticated_session_token'

Output

$ curl -i http://localhost:8080/login
HTTP/1.1 200 
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 1406
Date: Thu, 09 Sep 2021 06:19:52 GMT
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<form class="form-signin" method="post" action="/login">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<label for="username" class="sr-only">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
</p>
<p>
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body></html>

NOTE: Because form login is configured, the API server returns the login form in the response body for every unauthenticated request. The CSRF token can be found as the hidden _csrf input in that login form.

$ curl -i -X POST http://localhost:8080/login -H 'Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A' --data 'username=admin&password=admin123&_csrf=484e6890-8758-4e97-97b2-d9f5968432a4'
HTTP/1.1 302 
Set-Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 06:21:39 GMT
$ curl http://localhost:8080/api/student -H 'Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241'

Example 3: Form Login Authentication with CSRF disabled

  1. Access the login URL with the credentials. Extract the JSESSIONID token from the response header.
  2. Access the end URL with the JSESSIONID token.

$ curl -i -X POST loginurl --data 'username=myusername&password=mypassword'
$ curl endurl -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i -X POST 'http://localhost:8080/login' --data 'username=myuser&password=mypassword'
HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B; Path=/; HttpOnly
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 05:36:26 GMT
$ curl http://localhost:8080/hello -H 'Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B'
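The three flows above, scripted, as an added example that is not part of the original post: the extractors pull the JSESSIONID and the hidden _csrf value out of a raw curl -i response, and login_and_get runs the form-login steps of Examples 2 and 3 (the _csrf field is only sent when the login page carries one). BASE, APP_USER and APP_PASS are placeholders; the /login path, the JSESSIONID cookie and the _csrf field name are the Spring Security defaults shown in the outputs above, and the sample response embedded for offline testing is constructed from them.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the curl flows of
# Examples 1-3. BASE, APP_USER and APP_PASS are placeholders.
BASE="${BASE:-http://localhost:8080}"
APP_USER="${APP_USER:-myusername}"
APP_PASS="${APP_PASS:-mypassword}"

# Constructed sample of a "curl -i /login" response, trimmed to the lines that
# matter, so the extractors can be exercised without a running server.
SAMPLE_LOGIN_PAGE='HTTP/1.1 200
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8

<form class="form-signin" method="post" action="/login">
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
</form>'

# JSESSIONID value from a raw "curl -i" response read on stdin (first match only).
extract_jsessionid() {
    sed -n 's/^Set-Cookie: *JSESSIONID=\([^;]*\);.*$/\1/p' | head -n 1
}

# _csrf hidden-input value from the default login page read on stdin.
extract_csrf() {
    sed -n 's/.*name="_csrf"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Example 1: HTTP Basic is verified per request from the Authorization header,
# so curl -u alone is sufficient; no prior JSESSIONID is required.
basic_get() { curl -s "$BASE$1" -u "$APP_USER:$APP_PASS"; }

# Examples 2 and 3 in one go: GET /login, POST the credentials (plus _csrf when
# present) with the pre-login cookie, then call the API with the new cookie.
login_and_get() {
    endpoint="$1"
    page=$(curl -s -i "$BASE/login")
    sid=$(printf '%s\n' "$page" | extract_jsessionid)
    csrf=$(printf '%s\n' "$page" | extract_csrf)
    # --data-urlencode (rather than --data) keeps '&' or '%' in a password intact.
    set -- --data-urlencode "username=$APP_USER" --data-urlencode "password=$APP_PASS"
    [ -n "$csrf" ] && set -- "$@" --data-urlencode "_csrf=$csrf"
    auth=$(curl -s -i -X POST "$BASE/login" -H "Cookie: JSESSIONID=$sid" "$@")
    newsid=$(printf '%s\n' "$auth" | extract_jsessionid)
    # A successful login is a 302 carrying a *different* session id (session
    # fixation protection); the pre-login id is never the authenticated one.
    [ -n "$newsid" ] && [ "$newsid" != "$sid" ] || return 1
    curl -s "$BASE$endpoint" -H "Cookie: JSESSIONID=$newsid"
}
```

Run it as `login_and_get /api/student` (or `basic_get /api/student` against the Example 1 configuration) after sourcing the file with the placeholders set.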
