Spring Security: Upgrading the deprecated WebSecurityConfigurerAdapter (#12540)
* add SecurityFilterChain application in spring security web boot 4 * pmd violation * fix: pom description * remove unused code, format * make tests grouped logically * add missing case for user role * rename package to lower case
This commit is contained in:
+14
@@ -0,0 +1,14 @@
|
||||
package com.baeldung.securityfilterchain;
|
||||
|
||||
import org.springframework.boot.SpringApplication;
|
||||
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
|
||||
|
||||
@SpringBootApplication
|
||||
@EnableWebMvc
|
||||
public class SecurityFilterChainApplication {
|
||||
|
||||
public static void main(String[] args) {
|
||||
SpringApplication.run(SecurityFilterChainApplication.class, args);
|
||||
}
|
||||
}
|
||||
+50
@@ -0,0 +1,50 @@
|
||||
package com.baeldung.securityfilterchain.configuration;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
|
||||
@EnableWebSecurity
|
||||
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
|
||||
public class SecurityConfig {
|
||||
|
||||
@Value("${spring.security.debug:false}")
|
||||
boolean securityDebug;
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
http.csrf()
|
||||
.disable()
|
||||
.authorizeRequests()
|
||||
.antMatchers(HttpMethod.DELETE)
|
||||
.hasRole("ADMIN")
|
||||
.antMatchers("/admin/**")
|
||||
.hasAnyRole("ADMIN")
|
||||
.antMatchers("/user/**")
|
||||
.hasAnyRole("USER", "ADMIN")
|
||||
.antMatchers("/login/**")
|
||||
.anonymous()
|
||||
.anyRequest()
|
||||
.authenticated()
|
||||
.and()
|
||||
.httpBasic()
|
||||
.and()
|
||||
.sessionManagement()
|
||||
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public WebSecurityCustomizer webSecurityCustomizer() {
|
||||
return (web) -> web.debug(securityDebug)
|
||||
.ignoring()
|
||||
.antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/favicon.ico");
|
||||
}
|
||||
}
|
||||
+31
@@ -0,0 +1,31 @@
|
||||
package com.baeldung.securityfilterchain.configuration;
|
||||
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
|
||||
|
||||
@Configuration
|
||||
public class UserDetailServiceConfig {
|
||||
|
||||
@Bean
|
||||
public UserDetailsService userDetailsService(BCryptPasswordEncoder bCryptPasswordEncoder) {
|
||||
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
|
||||
manager.createUser(User.withUsername("user")
|
||||
.password(bCryptPasswordEncoder.encode("userPass"))
|
||||
.roles("USER")
|
||||
.build());
|
||||
manager.createUser(User.withUsername("admin")
|
||||
.password(bCryptPasswordEncoder.encode("adminPass"))
|
||||
.roles("ADMIN", "USER")
|
||||
.build());
|
||||
return manager;
|
||||
}
|
||||
|
||||
@Bean
|
||||
public BCryptPasswordEncoder bCryptPasswordEncoder() {
|
||||
return new BCryptPasswordEncoder();
|
||||
}
|
||||
}
|
||||
+34
@@ -0,0 +1,34 @@
|
||||
package com.baeldung.securityfilterchain.controller;
|
||||
|
||||
import org.springframework.web.bind.annotation.DeleteMapping;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
@RestController
|
||||
public class ResourceController {
|
||||
@GetMapping("/login")
|
||||
public String loginEndpoint() {
|
||||
return "Login!";
|
||||
}
|
||||
|
||||
@GetMapping("/admin")
|
||||
public String adminEndpoint() {
|
||||
return "Admin!";
|
||||
}
|
||||
|
||||
@GetMapping("/user")
|
||||
public String userEndpoint() {
|
||||
return "User!";
|
||||
}
|
||||
|
||||
@GetMapping("/all")
|
||||
public String allRolesEndpoint() {
|
||||
return "All Roles!";
|
||||
}
|
||||
|
||||
@DeleteMapping("/delete")
|
||||
public String deleteEndpoint(@RequestBody String s) {
|
||||
return "I am deleting " + s;
|
||||
}
|
||||
}
|
||||
+94
@@ -0,0 +1,94 @@
|
||||
package com.baeldung.securityfilterchain;
|
||||
|
||||
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.security.test.context.support.WithAnonymousUser;
|
||||
import org.springframework.security.test.context.support.WithUserDetails;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
|
||||
@SpringBootTest(classes = SecurityFilterChainApplication.class)
|
||||
public class SecurityFilterChainIntegrationTest {
|
||||
@Autowired
|
||||
private WebApplicationContext context;
|
||||
|
||||
private MockMvc mvc;
|
||||
|
||||
@BeforeEach
|
||||
public void setup() {
|
||||
mvc = MockMvcBuilders.webAppContextSetup(context)
|
||||
.apply(springSecurity())
|
||||
.build();
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails(value = "admin")
|
||||
public void whenAdminAccessUserEndpoint_thenOk() throws Exception {
|
||||
mvc.perform(get("/user"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails(value = "admin")
|
||||
public void whenAdminAccessAdminSecuredEndpoint_thenIsOk() throws Exception {
|
||||
mvc.perform(get("/admin"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails(value = "admin")
|
||||
public void whenAdminAccessDeleteSecuredEndpoint_thenIsOk() throws Exception {
|
||||
mvc.perform(delete("/delete").content("{}"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithAnonymousUser
|
||||
public void whenAnonymousAccessLogin_thenOk() throws Exception {
|
||||
mvc.perform(get("/login"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithAnonymousUser
|
||||
public void whenAnonymousAccessRestrictedEndpoint_thenIsUnauthorized() throws Exception {
|
||||
mvc.perform(get("/all"))
|
||||
.andExpect(status().isUnauthorized());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails()
|
||||
public void whenUserAccessUserSecuredEndpoint_thenOk() throws Exception {
|
||||
mvc.perform(get("/user"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails()
|
||||
public void whenUserAccessRestrictedEndpoint_thenOk() throws Exception {
|
||||
mvc.perform(get("/all"))
|
||||
.andExpect(status().isOk());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails()
|
||||
public void whenUserAccessAdminSecuredEndpoint_thenIsForbidden() throws Exception {
|
||||
mvc.perform(get("/admin"))
|
||||
.andExpect(status().isForbidden());
|
||||
}
|
||||
|
||||
@Test
|
||||
@WithUserDetails()
|
||||
public void whenUserAccessDeleteSecuredEndpoint_thenIsForbidden() throws Exception {
|
||||
mvc.perform(delete("/delete"))
|
||||
.andExpect(status().isForbidden());
|
||||
}
|
||||
}
|
||||
+1
@@ -0,0 +1 @@
|
||||
spring.security.debug=true
|
||||
+12
@@ -0,0 +1,12 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<configuration scan="true" scanPeriod="15 seconds" debug="false">
|
||||
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
|
||||
<encoder>
|
||||
<pattern>[%d{ISO8601}]-[%thread] %-5level %logger - %msg%n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="INFO">
|
||||
<appender-ref ref="STDOUT"/>
|
||||
</root>
|
||||
</configuration>
|
||||
Reference in New Issue
Block a user