Access Spring Security protected APIs using curl

Spring Security configuration with HTTP Basic authentication:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // every request needs a fully authenticated user; credentials arrive via HTTP Basic
        http
            .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated()
            .and()
            .httpBasic();
    }
    // your other overridden methods
}
```
  1. Access the endpoint URL using curl and extract the JSESSIONID token from the response header.
  2. Access the endpoint URL again with the login credentials and the JSESSIONID token.

```shell
$ curl -i endurl
$ curl endurl -u 'myusername:mypassword' -H 'Cookie: JSESSIONID=session_token'
```
```shell
$ curl -i http://localhost:8080/api/student
HTTP/1.1 401 
Set-Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 08 Sep 2021 08:06:31 GMT

{"timestamp":"2021-09-08T08:06:31.130+00:00","status":401,"error":"Unauthorized","message":"","path":"/api/student"}
$ curl http://localhost:8080/api/student -u 'admin:admin123' -H 'Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32'
```
Spring Security configuration with form login:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // every request needs a fully authenticated user; credentials are posted to the login form
        http
            .authorizeRequests()
                .anyRequest()
                .fullyAuthenticated()
            .and()
            .formLogin();
    }
    // your other overridden methods
}
```
  1. Access the login URL using curl. Extract the JSESSIONID token from the response header and the CSRF token from the response body.
  2. Access the login URL with the credentials, the CSRF token and the JSESSIONID token. Extract the new JSESSIONID token from the response header.
  3. Access the endpoint URL with the new, authenticated JSESSIONID token.

```shell
$ curl -i loginurl
$ curl -i -X POST loginurl -H 'Cookie: JSESSIONID=session_token' --data 'username=myusername&password=mypassword&_csrf=csrf_token'
$ curl endurl -H 'Cookie: JSESSIONID=authenticated_session_token'
```
```shell
$ curl -i http://localhost:8080/login
HTTP/1.1 200 
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 1406
Date: Thu, 09 Sep 2021 06:19:52 GMT

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<form class="form-signin" method="post" action="/login">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<label for="username" class="sr-only">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
</p>
<p>
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body></html>
$ curl -i -X POST http://localhost:8080/login -H 'Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A' --data 'username=admin&password=admin123&_csrf=484e6890-8758-4e97-97b2-d9f5968432a4'
HTTP/1.1 302 
Set-Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 06:21:39 GMT

$ curl http://localhost:8080/api/student -H 'Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241'
```
  1. Access the login URL with the credentials. Extract the JSESSIONID token from the response header.
  2. Access the endpoint URL with the JSESSIONID token.

```shell
$ curl -i -X POST loginurl --data 'username=myusername&password=mypassword'
$ curl endurl -H 'Cookie: JSESSIONID=session_token'
```
```shell
$ curl -i -X POST 'http://localhost:8080/login' --data 'username=myuser&password=mypassword'
HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B; Path=/; HttpOnly
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 05:36:26 GMT

$ curl http://localhost:8080/hello -H 'Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B'
```
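The Basic-auth and form-login flows above as a small POSIX shell script, added here as an example and not part of the original post. It assumes the same Spring Boot app as the transcripts (http://localhost:8080 with the /login form and the /api/student endpoint) and placeholder credentials; for Basic auth it lets curl's own cookie jar (-c/-b) carry JSESSIONID instead of copying it by hand, and after the form POST it checks that the session id was rotated, which is Spring Security's default session-fixation protection.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Spring Boot app from the
# transcripts (http://localhost:8080, /login form, /api/student); credentials are placeholders.
set -e
BASE_URL="${BASE_URL:-http://localhost:8080}"

# Pull JSESSIONID out of a raw `curl -i` response (the last Set-Cookie header wins).
extract_jsessionid() {
  sed -n 's/^Set-Cookie: JSESSIONID=\([^;[:space:]]*\).*/\1/p' | tail -n 1
}

# Pull the hidden _csrf value out of the Spring login page HTML.
extract_csrf() {
  sed -n 's/.*name="_csrf"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# httpBasic(): send credentials on every request and let a cookie jar keep the session.
basic_get() {          # basic_get <user> <pass> <path>
  jar=$(mktemp)
  curl -s -c "$jar" -b "$jar" -u "$1:$2" "$BASE_URL$3"
  rm -f "$jar"
}

# formLogin(): GET the form, POST credentials plus CSRF token, then reuse the new session.
form_login_get() {     # form_login_get <user> <pass> <path>
  page=$(curl -s -i "$BASE_URL/login")
  pre_login=$(printf '%s\n' "$page" | extract_jsessionid)
  csrf=$(printf '%s\n' "$page" | extract_csrf)   # empty when CSRF protection is disabled
  post_login=$(curl -s -i -X POST "$BASE_URL/login" \
      -H "Cookie: JSESSIONID=$pre_login" \
      --data-urlencode "username=$1" --data-urlencode "password=$2" \
      --data-urlencode "_csrf=$csrf" | extract_jsessionid)   # an empty _csrf is ignored when CSRF is off
  # Spring Security rotates the session id on a successful login (session fixation
  # protection), so a missing or unchanged id means the login was rejected.
  if [ -z "$post_login" ] || [ "$post_login" = "$pre_login" ]; then
    echo "login failed: session id was not rotated" >&2
    return 1
  fi
  curl -s "$BASE_URL$3" -H "Cookie: JSESSIONID=$post_login"
}

# Usage: sh this_script.sh run   (needs the app running locally)
if [ "${1:-}" = "run" ]; then
  form_login_get admin admin123 /api/student
fi
```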

Himanshu Pratap

System Administrator and Full stack web developer.