Access spring security protected APIs using curl

3 min readSep 8, 2021

Steps to access spring security protected APIs very much depend upon the Web Security Configuration in your spring boot project.

Below example i have tried to demonstrate two different Web Security Configuration and how to access it using curl.

Suppose we are trying to access following end url
http://localhost:8080/api/student

Example 1: HTTP Basic Authentication

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      authorizeRequests()
      .anyRequest()
      .fullyAuthenticated()
      .and()
      .httpBasic();
  }// you other overriden methods}

Steps and Syntax are as follows :

Access end url using curl and extract JSESSIONID token from response header
Access end url again with login credentials and jsession token

$ curl -i endurl$ curl endurl -u 'myusername:mypassword' -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i http://localhost:8080/api/studentHTTP/1.1 401 
Set-Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 08 Sep 2021 08:06:31 GMT{"timestamp":"2021-09-08T08:06:31.130+00:00","status":401,"error":"Unauthorized","message":"","path":"/api/student"}$ curl http://localhost:8080/api/student -u 'admin:admin123' -H 'Cookie: JSESSIONID=B95F84C82CD28FBBC72BCACBF961AB32'

Example 2 : Form Login Authentication with csrf enabled

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      authorizeRequests()
      .anyRequest()
      .fullyAuthenticated()
      .and()
      .formLogin();
  }// you other overriden methods}

Steps and Syntax are as follows :

Access login using curl. Extract JSESSIONID token from response header and csrf token from response body
Access login url with credentials, csrf token and jsession token. Extract new jsessionid token from response header.
Access endurl with new authenticated jsession token.

$  curl -i loginurl$ curl -i -X POST loginurl -H 'Cookie: JSESSIONID=session_token' --data 'username=myusername&password=mypassword&_csrf=csrf_token'$ curl endurl -H 'Cookie: JSESSIONID=authenticated_session_token'

Output

$ curl -i http://localhost:8080/loginHTTP/1.1 200 
Set-Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 1406
Date: Thu, 09 Sep 2021 06:19:52 GMT<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    <meta name="author" content="">
    <title>Please sign in</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
  </head>
  <body>
     <div class="container">
      <form class="form-signin" method="post" action="/login">
        <h2 class="form-signin-heading">Please sign in</h2>
        <p>
          <label for="username" class="sr-only">Username</label>
          <input type="text" id="username" name="username" class="form-control" placeholder="Username" required autofocus>
        </p>
        <p>
          <label for="password" class="sr-only">Password</label>
          <input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
        </p>
<input name="_csrf" type="hidden" value="484e6890-8758-4e97-97b2-d9f5968432a4" />
        <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
      </form>
</div>
</body></html>

NOTE: Due to form login , the API server returns a login form in response body for all un-authenticated access. csrf token can be found as hidden input in the login form.

$ curl -i -X POST http://localhost:8080/login -H 'Cookie: JSESSIONID=1D1242F6B50CD1C83EE80C85CF28196A' --data 'username=admin&password=admin123&_csrf=484e6890-8758-4e97-97b2-d9f5968432a4'HTTP/1.1 302 
Set-Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 06:21:39 GMT$ curl http://localhost:8080/api/student -H 'Cookie: JSESSIONID=1CFAC14973C7F6C2D5ABB730A293C241'

3. Example 2 : Form Login Authentication with csrf disabled

Access login url with credentials . Extract jsessionid token from response header.
Access endurl with jsession token.

$ curl -i -X POST loginurl --data 'username=myusername&password=mypassword'$ curl endurl -H 'Cookie: JSESSIONID=session_token'

Output

$ curl -i -X POST 'http://localhost:8080/login' --data 'username=myuser&password=mypassword'HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B; Path=/; HttpOnly
Location: http://localhost:8080/
Content-Length: 0
Date: Thu, 09 Sep 2021 05:36:26 GMT$ curl http://localhost:8080/hello -H 'Cookie:  JSESSIONID=654963AC01329DAF5D4B28C3FDE6D16B'

Access spring security protected APIs using curl

Written by Himanshu Pratap

More from Himanshu Pratap

Backup and Restore Postgresql database

Take backup of whole database

Configure User Authentication through Windows Active Directory Server in a Spring Boot Application

In this article we will try to authenticate a user to an external windows active directory domain server before granting him access to…

Implementing React Router v6 with code splitting in a React Typescript project.

React Router is a standard library for routing in React. It enables the navigation among views of various components in a React…

Maps an entity to a complex query involving multiple tables in a spring boot application using…

In a spring boot application, mapping database table to entity object is very easy using JPA / CRUD repository. If tables are dependent…

Recommended from Medium

Spring Security JWT Authentication & Authorization

This tutorial will guide you to secure a Spring Boot application with JWT (JSON Web Token) Authentication & Authorization using Spring…

Implementing Social Logins with React and Spring Boot using OAuth2

Introduction

Lists

New_Reading_List

Implementing User Authentication in a Spring Boot Application: A Detailed Step-by-Step Guide

User authentication is a critical component of web applications, providing secure access to user accounts and protecting sensitive…

Spring boot application to send emails using SMTP protocol

Welcome to my blog post, where I’ll guide you through the process of developing a Spring Boot project to send emails using the Simple Mail…

Login and Registration REST API with Spring Security

In this example, we will learn how to implement login and registration REST API using spring boot, spring security, hibernate and the H2…

Building Custom Authentication Provider in Spring Security: A Step-by-Step Guide

To use a custom authentication provider with Spring Security, you’ll need to create a custom implementation of the AuthenticationProvider…