This document describes how to configure Spring Security for authentication and authorization in a web application. It defines a WebSecurityConfig class that configures HTTP security with roles like OWNER and MANAGER for access control. It also defines a UserDetailsManager service for loading users and a User entity class implementing UserDetails. Tests are shown for security configuration, login, access control and more using Spring Security's test utilities.

1. JSUG
b1a9idps

11. MANAGER STAFF
STAFF

15. @Configuration @EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final UserDetailsManager userDetailsManager;
public WebSecurityConfig(UserDetailsManager userDetailsManager) {
this.userDetailsManager = userDetailsManager;
}
@Bean
public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/users/create").hasRole("OWNER", "MANAGER")
.antMatchers("/users/delete/{id}").hasRole("OWNER")
.anyRequest().authenticated()
.and().formLogin().loginPage("/login").defaultSuccessUrl("/users", true)
.and().logout().logoutSuccessUrl("/login").permitAll()
.and().csrf().disable();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsManager)
.passwordEncoder(passwordEncoder());
}
}

16. @Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// "/users/create" OWNER MANAGER
.antMatchers("/users/create").hasAnyRole("OWNER", "MANAGER")
// "/users/delete/{id}" OWNER MANAGER
.antMatchers(“/users/delete/{id}").hasRole("OWNER")
//
.anyRequest().authenticated()
// FORM "/login" "/users"
.and().formLogin().loginPage("/login").defaultSuccessUrl("/users", true)
// "/login"
.and().logout().logoutSuccessUrl("/login").permitAll()
// CSRF
.and().csrf().disable();
}

18. public final class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>,
UsernamePasswordAuthenticationFilter> {
public FormLoginConfigurer() {
// UsernamePasswordAuthenticationFilter AuthenticationFilter
super(new UsernamePasswordAuthenticationFilter(), null);
// Form username "username"
usernameParameter(“username");
// Form password "password"
passwordParameter("password");
}

19. @Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// UserDetailsService.java PasswordEncoder.java
auth.userDetailsService(userDetailsManager)
.passwordEncoder(passwordEncoder());
}

21. public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
//
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest
= new UsernamePasswordAuthenticationToken(username, password);
setDetails(request, authRequest);
// AuthenticationManager
return this.getAuthenticationManager().authenticate(authRequest);
}

25. protected final UserDetails retrieveUser(String username,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
prepareTimingAttackProtection();
try {
//
UserDetails loadedUser
= this.getUserDetailsService().loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract
violation");
}
return loadedUser;
} catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
} catch (InternalAuthenticationServiceException ex) {
throw ex;
} catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}

26. protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
String presentedPassword = authentication.getCredentials().toString();
//
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
logger.debug(
"Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials”));
}
}

27. @Service
public class UserDetailsManager implements UserDetailsService {
private final UserRepository userRepository;
public UserDetailsManager(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
return userRepository.findByUsername(username)
.map(AuthenticatedUser::new)
.orElseThrow(
() -> new UsernameNotFoundException("username not found"));
}
}

28. public class AuthenticatedUser implements UserDetails {
private final Integer id;
private final String name;
private final String username;
private final String password;
private final Role role;
//
public Integer getId() { return id; }
public String getName() { return name; }
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return createAuthorityList("ROLE_" + role.name());
}
@Override
public String getPassword() { return password; }
@Override
public String getUsername() { return username; }
@Override
public boolean isAccountNonExpired() { return true; }
@Override
public boolean isAccountNonLocked() { return true; }
@Override
public boolean isCredentialsNonExpired() { return true; }
@Override
public boolean isEnabled() { return true; }
}

34. public interface AccessDecisionVoter<S> {
int ACCESS_GRANTED = 1;
int ACCESS_ABSTAIN = 0;
int ACCESS_DENIED = -1;

45. @Bean
public RoleHierarchy roleHierarchy(SecurityRolesProperties rolesProperties) {
return rolesProperties.getRoleHierarchy();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/users/create").hasRole("MANAGER")
.antMatchers("/users/delete/{id}").hasRole("OWNER")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/users", true)
.and()
.logout().logoutSuccessUrl("/login").permitAll()
.and()
.csrf().disable();
}

46. @Bean
public RoleHierarchy roleHierarchy(SecurityRolesProperties rolesProperties) {
// RoleHierarchyImpl.java Bean
return rolesProperties.getRoleHierarchy();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// Role MANAGER
.antMatchers("/users/create").hasRole("MANAGER")
.antMatchers("/users/delete/{id}").hasRole("OWNER")
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/users", true)
.and()
.logout().logoutSuccessUrl("/login").permitAll()
.and()
.csrf().disable();
}

47. @Component
@ConfigurationProperties("security.roles")
public class SecurityRolesProperties {
private Map<String, List<String>> hierarchyMap = new LinkedHashMap<>();
public Map<String, List<String>> getHierarchyMap() {
return hierarchyMap;
}
public void setHierarchyMap(Map<String, List<String>> hierarchyMap) {
this.hierarchyMap = hierarchyMap;
}
public RoleHierarchy getRoleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
String hierarchy =
isEmpty(hierarchyMap) ? "" : roleHierarchyFromMap(hierarchyMap);
roleHierarchy.setHierarchy(hierarchy);
return roleHierarchy;
}
}

48. @Component
@ConfigurationProperties("security.roles")
public class SecurityRolesProperties {
private Map<String, List<String>> hierarchyMap = new LinkedHashMap<>();
public Map<String, List<String>> getHierarchyMap() {
return hierarchyMap;
}
public void setHierarchyMap(Map<String, List<String>> hierarchyMap) {
this.hierarchyMap = hierarchyMap;
}
public RoleHierarchy getRoleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
String hierarchy =
isEmpty(hierarchyMap) ? "" : roleHierarchyFromMap(hierarchyMap);
// Hierarchy
// hierarchy = "ROLE_OWNER > ROLE_MANAGERnROLE_MANAGER > ROLE_STAFFn"
roleHierarchy.setHierarchy(hierarchy);
return roleHierarchy;
}
}

51. // Role OWNER
@PreAuthorize("hasRole('OWNER')")
public List<User> list() {
return userRepository.findAll();
}
// role "OWNER"
@PreAuthorize("#role == 'OWNER'")
public List<User> list(String role) {
return userRepository.findAll();
}
// request.name "ruchitate"
@PreAuthorize("#r.name == 'ruchitate'")
public List<User> list(@P("r") UserRequest request) {
return userRepository.findAll();
}

52. // returnObject
@PostAuthorize("returnObject != null && returnObject.username == 'ruchitate'")
public User get(Integer id) {
return userRepository.findById(id).orElse(null);
}

53. // filterObject
@PreFilter("filterObject.name.equals('ruchitate')")
public List<User> list(List<UserRequest> requests) {
List<String> usernameList = requests.stream()
.map(UserRequest::getName)
.collect(Collectors.toList());
return userRepository.findAllByUsernameIn(usernameList);
}

54. // filterObject
@PostFilter("filterObject.username == 'ruchitate'")
public List<User> list() {
return userRepository.findAll();
}

55. @Override
// Bean
@PostFilter("@roleEvaluator.hasRole(principal, filterObject.role)")
public List<UserDto> findAll() {
List<UserDto> userDtoList = new ArrayList<>();
userRepository.findAll().iterator()
.forEachRemaining(user -> userDtoList.add(UserDto.newUserDto(user)));
return userDtoList;
}
@Override
@PostAuthorize("returnObject != null && @roleEvaluator.hasRole(principal,
returnObject.role)")
public UserDto findOne(Integer id) {
return userRepository.findById(id)
.map(UserDto::newUserDto)
.get();
}

56. @Override
// MANAGER or OWNER
@PreAuthorize("hasRole('MANAGER')")
public UserDto create(UserCreateForm form) {
User user = new User();
BeanUtils.copyProperties(form, user, "password");
user.setPassword(passwordEncoder.encode(form.getPassword()));
return UserDto.newUserDto(userRepository.save(user));
}
@Override
@PreAuthorize("hasRole('OWNER')")
public void delete(Integer id) {
User user = userRepository.findById(id)
.filter(u -> u.getRole() != Role.OWNER)
.orElseThrow(NotAllowedOperationException::new);
userRepository.delete(user);
}

58. dependencies {
testImplementation 'org.springframework.security:spring-security-test'
}
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>

59. @Nested @SpringBootTest
class ListTest {
@Autowired
private WebApplicationContext context;
private MockMvc mockMvc;
@BeforeEach
void beforeEach() {
// SecurityFilter
mockMvc = webAppContextSetup(context).apply(springSecurity()).build();
}
@Test
void success() throws Exception {
User user = new User();
user.setId(1);
user.setName(" ");
user.setUsername("ruchitate");
user.setPassword("12345678");
user.setRole(Role.OWNER);
mockMvc.perform(get("/users")
//
.with(user(new AuthenticatedUser(user))))
.andExpect(status().isOk());
}
}

60. @Test
//
@WithUserDetails(value = "yaragaki", userDetailsServiceBeanName =
"userDetailsManager")
void findAllForManager() {
List<UserDto> result = userService.findAll();
// Role
Assertions.assertThat(result)
.extracting(
UserDto::getId,
UserDto::getName,
UserDto::getAge,
UserDto::getGender,
UserDto::getRole)
.containsExactly(
Tuple.tuple(2, " ", 31, WOMAN, MANAGER),
Tuple.tuple(3, " ", 24, MAN, STAFF));
}

61. @Test
@WithUserDetails(value = "ruchitate", userDetailsServiceBeanName =
"userDetailsManager")
void deleteForOwner() {
userService.delete(2);
Assertions.assertThatThrownBy(() -> userService.findOne(2))
.isInstanceOf(NotFoundException.class);
}
@Test
@WithUserDetails(value = "yaragaki", userDetailsServiceBeanName =
"userDetailsManager")
void deleteForManager() {
Assertions.assertThatThrownBy(() -> userService.delete(3))
.isInstanceOf(AccessDeniedException.class);
}

62. @Test
void loginSuccess() throws Exception {
MvcResult result
//
= mockMvc.perform(formLogin().user("ruchitate").password("12345678"))
.andReturn();
Assertions.assertThat(result.getResponse())
.extracting(
MockHttpServletResponse::getStatus,
MockHttpServletResponse::getRedirectedUrl)
.containsExactly(HttpStatus.FOUND.value(), "/users");
}
@Test
void loginFailed() throws Exception {
MvcResult result
= mockMvc.perform(formLogin().user("ruchitate").password("test"))
.andReturn();
Assertions.assertThat(result.getResponse())
.extracting(
MockHttpServletResponse::getStatus,
MockHttpServletResponse::getRedirectedUrl)
.containsExactly(HttpStatus.FOUND.value(), "/login?error");
}