SpringSecurity: Authorisation and Roles

SpringSecurity: Authorization
2023-07-24 14:19:41 +02:00 · 2023-07-24 13:37:04 +02:00
5 changed files with 52 additions and 13 deletions
--- a/src/main/java/djmil/cashcard/CashCardController.java
+++ b/src/main/java/djmil/cashcard/CashCardController.java
@ -13,6 +13,8 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.util.UriComponentsBuilder;

+import java.security.Principal;
+
 import java.net.URI;
 import java.util.List;
 import java.util.Optional;
@ -28,8 +30,12 @@ public class CashCardController {
    }

    @GetMapping("/{requestedId}")
-    public ResponseEntity<CashCard> findById(@PathVariable Long requestedId) {
-        Optional<CashCard> cashCardOptional = cashCardRepository.findById(requestedId);
+    public ResponseEntity<CashCard> findById(@PathVariable Long requestedId, Principal principal) {
+        CashCard cashCard = cashCardRepository.findByIdAndOwner(
+	            requestedId, 
+	            principal.getName()
+        );
+        Optional<CashCard> cashCardOptional = Optional.ofNullable(cashCard);

        if (cashCardOptional.isPresent()) {
            return ResponseEntity.ok(cashCardOptional.get());
@ -44,8 +50,9 @@ public class CashCardController {
    // }

    @GetMapping
-    public ResponseEntity<List<CashCard>> findAll(Pageable pageable) {
-        Page<CashCard> page = cashCardRepository.findAll(
+    public ResponseEntity<List<CashCard>> findAll(Pageable pageable, Principal principal) {
+        Page<CashCard> page = cashCardRepository.findByOwner(
+                principal.getName(),
                PageRequest.of(
                        pageable.getPageNumber(),
                        pageable.getPageSize(),
@ -56,13 +63,15 @@ public class CashCardController {
    }

    @PostMapping
-    private ResponseEntity<Void> createCashCard(@RequestBody CashCard newCashCardRequest, UriComponentsBuilder ucb) {
-        CashCard savedCashCard = cashCardRepository.save(newCashCardRequest); // CRUD - Create
+    private ResponseEntity<Void> createCashCard(@RequestBody CashCard newCashCardRequest, UriComponentsBuilder ucb, Principal principal) {
+        CashCard cashCardWithOwner = new CashCard(null, newCashCardRequest.amount(), principal.getName());
+        CashCard savedCashCard = cashCardRepository.save(cashCardWithOwner); // CRUD - Create

        URI locationOfNewCashCard = ucb
                .path("cashcards/{id}")
                .buildAndExpand(savedCashCard.id())
                .toUri();
+
        return ResponseEntity.created(locationOfNewCashCard).build();
    }
 }
--- a/src/main/java/djmil/cashcard/CashCardRepository.java
+++ b/src/main/java/djmil/cashcard/CashCardRepository.java
@ -2,10 +2,15 @@ package djmil.cashcard;

 import org.springframework.data.repository.CrudRepository;
 import org.springframework.data.repository.PagingAndSortingRepository;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;

 public interface 
    CashCardRepository 
 extends 
    CrudRepository<CashCard, Long>, 
-    PagingAndSortingRepository<CashCard, Long> {
+    PagingAndSortingRepository<CashCard, Long>     
+{
+    CashCard findByIdAndOwner(Long id, String owner);
+	Page<CashCard> findByOwner(String owner, PageRequest amount);
 }
--- a/src/main/java/djmil/cashcard/SecurityConfig.java
+++ b/src/main/java/djmil/cashcard/SecurityConfig.java
@ -18,7 +18,8 @@ public class SecurityConfig {
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
            .requestMatchers("/cashcards/**")
-            .authenticated()
+            //.authenticated()
+            .hasRole("CARD-OWNER") // <<-- enable RBAC
            .and()
            .csrf().disable()
            .httpBasic();
@ -34,11 +35,19 @@ public class SecurityConfig {
    @Bean
    public UserDetailsService testOnlyUsers(PasswordEncoder passwordEncoder) {
        User.UserBuilder users = User.builder();
+	
        UserDetails sarah = users
            .username("sarah1")
            .password(passwordEncoder.encode("abc123"))
-            .roles() // No roles for now
+            .roles("CARD-OWNER") // new role
            .build();
-    return new InMemoryUserDetailsManager(sarah);
+        
+        UserDetails hankOwnsNoCards = users
+            .username("hank-owns-no-cards")
+            .password(passwordEncoder.encode("qrs456"))
+            .roles("NON-OWNER") // new role
+            .build();
+        
+        return new InMemoryUserDetailsManager(sarah, hankOwnsNoCards);
    }
 }
--- a/src/test/java/djmil/cashcard/CashcardApplicationTests.java
+++ b/src/test/java/djmil/cashcard/CashcardApplicationTests.java
@ -59,14 +59,13 @@ class CashcardApplicationTests {
 	@Test
 	@DirtiesContext
 	void shouldCreateANewCashCard() {
-		CashCard newCashCard = new CashCard(null, 250.00, "sarah1");
+		CashCard newCashCard = new CashCard(null, 250.00, null);
 		ResponseEntity<Void> createResponse = restTemplate
 			.withBasicAuth("sarah1", "abc123")
 			.postForEntity("/cashcards", newCashCard, Void.class );

 		assertThat(createResponse.getStatusCode()).isEqualTo(HttpStatus.CREATED);

-
 		// Validate created CashCard
 		URI locationOfNewCashCard = createResponse.getHeaders().getLocation();
   		ResponseEntity<String> getResponse = restTemplate
@ -154,4 +153,20 @@ class CashcardApplicationTests {
 			.getForEntity("/cashcards/99", String.class);
 		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
 	}
+
+	@Test
+	void shouldRejectUsersWhoAreNotCardOwners() {
+		ResponseEntity<String> response = restTemplate
+		.withBasicAuth("hank-owns-no-cards", "qrs456")
+		.getForEntity("/cashcards/99", String.class);
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+	}
+
+	@Test
+	void shouldNotAllowAccessToCashCardsTheyDoNotOwn() {
+		ResponseEntity<String> response = restTemplate
+		.withBasicAuth("sarah1", "abc123")
+		.getForEntity("/cashcards/102", String.class); // <<-- kumar2's data
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
+	}
 }
--- a/src/test/resources/data.sql
+++ b/src/test/resources/data.sql
@ -1,3 +1,4 @@
 INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (99, 123.45, 'sarah1');
 INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (100, 1.00, 'sarah1');
-INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (101, 150.00, 'sarah1');
+INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (101, 150.00, 'sarah1');
+INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (102, 200.00, 'kumar2');
Author	SHA1	Message	Date
djmil	d3751dda0f	SpringSecurity: Authorisation and Roles	2023-07-24 14:19:41 +02:00
djmil	f4b171add1	SpringSecurity: Authorization	2023-07-24 13:37:04 +02:00