SpringSecurity

- secure endpoint
- login page
- in-memory user credentials
- tests

README.md

@@ -355,4 +355,191 @@ public class CreetingControllerTests {
 }
 ```
 
-Notice the `@MockBean` annotation, which is essentially used to obtain an interface of a mocked class.  Later, `when` function used to define an actual mock.
+Notice the `@MockBean` annotation, which is essentially used to obtain an interface of a mocked class.  Later, `when` function used to define an actual mock.
+
+# Security
+
+Let's say, that we want to have `secret` endpoint, available only for for some users. [SpringSecurity](https://docs.spring.io/spring-security/reference/index.html) can be used to achieve this. 
+
+*`build.gradle`*
+```yaml
+dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+	testImplementation 'org.springframework.security:spring-security-test'
+}
+```
+
+## Security config
+
+At the core of Spring Security [architecture](https://spring.io/guides/topicals/spring-security-architecture/) - lays concept of filters. Common practice is to use dedicated class as provider of desired security configuration.
+
+*`src/main/java/djmil/hellomvc/SecurityConfig.java`*
+```java
+package djmil.hellomvc;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+
+@Configuration
+public class SecurityConfig {
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http
+        .authorizeHttpRequests(authz -> authz      
+            .requestMatchers("/secret").authenticated()
+            .anyRequest().permitAll()
+        );
+
+        http
+		.formLogin(form -> form
+			.loginPage("/login")
+			.permitAll()
+		);
+
+        return http.build();
+    }
+```
+
+`SecurityFilterChain`  [is](https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-securityfilterchain)  used by [FilterChainProxy](https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-filterchainproxy) to determine which Spring Security `Filter` instances should be invoked for the current request. In this code snipped, we've defined:
+- only `authenticated` users are allowed to access `/secret` endpoint
+- all other request would be server without any restrictions
+- login form is accessible at `/login` endpoint
+  At this point, we shall make sure that this endpoint is known by our Controller
+
+## Login page
+
+Basic idea is well defined in official [documentation](https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/form.html).
+
+![Basic Flow](https://docs.spring.io/spring-security/reference/_images/servlet/authentication/unpwd/loginurlauthenticationentrypoint.png)
+1.  First, a user makes an unauthenticated request to the resource (`/private`) for which it is not authorized.
+2. Spring Security’s [`AuthorizationFilter`](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html) indicates that the unauthenticated request is _Denied_ by throwing an `AccessDeniedException`.
+3. Since the user is not authenticated, [`ExceptionTranslationFilter`](https://docs.spring.io/spring-security/reference/servlet/architecture.html#servlet-exceptiontranslationfilter) initiates _Start Authentication_ and sends a redirect to the login page with the configured [`AuthenticationEntryPoint`](https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html#servlet-authentication-authenticationentrypoint). In most cases, the `AuthenticationEntryPoint` is an instance of [`LoginUrlAuthenticationEntryPoint`](https://docs.spring.io/spring-security/site/docs/6.1.2/api/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.html).
+4. The browser requests the login page to which it was redirected.
+5. Something within the application, must [render the login page](https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/form.html#servlet-authentication-form-custom).
+
+*`Login Form - src/main/resources/templates/login.html`*
+```html
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
+	<head>
+		<title>Please Log In</title>
+	</head>
+	<body>
+		<h1>Please Log In</h1>
+		<div th:if="${param.error}">
+			Invalid username and password.</div>
+		<div th:if="${param.logout}">
+			You have been logged out.</div>
+		<form th:action="@{/login}" method="post">
+			<div>
+			<input type="text" name="username" placeholder="Username"/>
+			</div>
+			<div>
+			<input type="password" name="password" placeholder="Password"/>
+			</div>
+			<input type="submit" value="Log in" />
+		</form>
+	</body>
+</html>
+```
+
+*`LoginController`*
+```java
+@Controller
+class LoginController {
+	@GetMapping("/login")
+	String login() {
+		return "login";
+	}
+}
+```
+
+## User Authentication 
+
+Spring Security provides comprehensive support for [Authentication](https://docs.spring.io/spring-security/reference/features/authentication/index.html#authentication). We are going to use [In-Memory](https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/in-memory.html) [Authentication Mechanism](https://docs.spring.io/spring-security/reference/servlet/authentication/index.html#servlet-authentication-mechanisms)
+
+Add these `Beans` to *`SecurityConfig.java`*
+```java
+@Bean
+public PasswordEncoder passwordEncoder() {
+	return new BCryptPasswordEncoder();
+}
+
+@Bean
+public UserDetailsService testOnlyUsers(PasswordEncoder passwordEncoder) {
+	User.UserBuilder users = User.builder();
+
+	UserDetails sarah = users
+		.username("agent")
+		.password(passwordEncoder.encode("qaz123"))
+		//.roles("CARD-OWNER") // no roles for now
+		.build();
+	
+	return new InMemoryUserDetailsManager(sarah);
+}
+```
+
+Essentially, this means that our app would authorise only one hard-coded user. There are other ways to [manage](https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/storage.html) user login credentials. 
+
+## Test
+
+So far so good, in a best TDD fashion, let's write a test to check our secure endpoint security:
+
+*`CreetingControllerTests.java`*
+```java
+import org.springframework.security.test.context.support.WithMockUser;
+...
+
+@WebMvcTest(controllers = GreetingController.class)
+public class CreetingControllerTests {
+...
+	@Test
+	@WithMockUser(username = "user1", password = "pwd", roles = "USER")
+	public void secret() throws Exception {
+		when(service.nameLength("World")).thenReturn(7);
+		this.mockMvc.perform(get("/secret"))
+				.andDo(print())
+				.andExpect(status().isOk())
+				.andExpect(content().string(containsString("Greetings user1!")));
+	}
+}
+```
+
+`@WithMockUser` injects mock user into Controller's test instance from `WebMvcTest`.
+
+> [!note] Mock user from tests has nothing to do with In-Memory stored user credentials from [[README#User Authentication]]  
+
+## Secure endpoint
+
+Finally, everything is ready for creation of `/secret` Secure Endpoint. 
+
+*`GreetingsController.java`*
+```java
+import java.security.Principal;
+...
+
+    @GetMapping("/secret")
+    public String secret(Principal principal, Model model) {
+
+        model.addAttribute("name", principal.getName());
+        model.addAttribute("secret", 42);
+
+        return "secret";
+    }
+```
+
+SpringSecurity will make sure to process all our previously defined security routines (alongside with applying some common protection techniques and utilities like Cookies) and only if the request was qualified - it will be served to the specified endpoint with all the security related info stored in convenient `Principal` class. 
+
+Also, let's update our home page, so users would be aware of existence of our secret endpoint. 
+*`index.html`*
+```html
+<body>
+    <p>Get your greeting <a href="/greeting">here</a></p>
+    <p>Get your secret <a href="/secret">here</a></p>
+</body>
+```
+
+Upon attempt to visit `/secret` endpoint, unauthenticated users would be redirected to `/login` page, and if that was successful, they'd be redirected back to the `/secret`. Spring framework is handling all that complexity for us.

build.gradle

@@ -18,8 +18,11 @@ repositories {
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-security'
+
 	developmentOnly 'org.springframework.boot:spring-boot-devtools'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
 }
 
 tasks.named('test') {

src/main/java/djmil/hellomvc/GreetingController.java

@@ -1,5 +1,7 @@
 package djmil.hellomvc;
 
+import java.security.Principal;
+
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -24,4 +26,18 @@ public class GreetingController {
         return "greeting"; // view tempalte
     }
 
+    @GetMapping("/login")
+    String login() {
+        return "login";
+    }
+
+    @GetMapping("/secret")
+    public String secret(Principal principal, Model model) {
+
+        model.addAttribute("name", principal.getName());
+        model.addAttribute("secret", 42);
+
+        return "secret";
+    }
+
 }

src/main/java/djmil/hellomvc/SecurityConfig.java

@@ -0,0 +1,54 @@
+package djmil.hellomvc;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+
+        http
+        .authorizeHttpRequests(authz -> authz      
+            .requestMatchers("/secret").authenticated()
+            //.hasRole("CARD-OWNER") // <<-- enable RBAC
+            .anyRequest().permitAll()
+        );
+
+        http
+		.formLogin(form -> form
+			.loginPage("/login")
+			.permitAll()
+		);
+
+        return http.build();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public UserDetailsService testOnlyUsers(PasswordEncoder passwordEncoder) {
+        User.UserBuilder users = User.builder();
+	
+        UserDetails sarah = users
+            .username("agent")
+            .password(passwordEncoder.encode("qaz123"))
+            //.roles("CARD-OWNER") // no roles for now
+            .build();
+        
+        return new InMemoryUserDetailsManager(sarah);
+    }
+}

src/main/resources/static/index.html

@@ -6,5 +6,6 @@
 </head>
 <body>
     <p>Get your greeting <a href="/greeting">here</a></p>
+    <p>Get your secret <a href="/secret">here</a></p>
 </body>
 </html>

src/main/resources/templates/login.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
+	<head>
+		<title>Please Log In</title>
+	</head>
+	<body>
+		<h1>Please Log In</h1>
+		<div th:if="${param.error}">
+			Invalid username and password.</div>
+		<div th:if="${param.logout}">
+			You have been logged out.</div>
+		<form th:action="@{/login}" method="post">
+			<div>
+			<input type="text" name="username" placeholder="Username"/>
+			</div>
+			<div>
+			<input type="password" name="password" placeholder="Password"/>
+			</div>
+			<input type="submit" value="Log in" />
+		</form>
+	</body>
+</html>

src/main/resources/templates/secret.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html xmlns:th="http://www.thymeleaf.org">
+<head> 
+    <title>TOP SECRET</title> 
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+</head>
+<body>
+    <p th:text="'Greetings ' + ${name} + '!'" />
+    <p th:text="' the seecret you are looking for is [' + ${secret} + ']. Use this knowledge wisely.'" />
+</body>
+</html>

src/test/java/djmil/hellomvc/CreetingControllerTests.java

@@ -12,8 +12,9 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.security.test.context.support.WithMockUser;
 
-@WebMvcTest(GreetingController.class)
+@WebMvcTest(controllers = GreetingController.class)
 public class CreetingControllerTests {
 
 	@Autowired
@@ -31,11 +32,22 @@ public class CreetingControllerTests {
 	// }
 
 	@Test
+	@WithMockUser
 	public void greetingShouldReturnMessageFromService() throws Exception {
 		when(service.nameLength("World")).thenReturn(7);
 		this.mockMvc.perform(get("/greeting"))
 				.andDo(print())
 				.andExpect(status().isOk())
-				.andExpect(content().string(containsString("Length of a given name is 7 characters.")));
+				.andExpect(content().string(containsString("Length of your name is 7 characters.")));
+	}
+
+	@Test
+	@WithMockUser(username = "user1", password = "pwd", roles = "USER")
+	public void secret() throws Exception {
+		when(service.nameLength("World")).thenReturn(7);
+		this.mockMvc.perform(get("/secret"))
+				.andDo(print())
+				.andExpect(status().isOk())
+				.andExpect(content().string(containsString("Greetings user1!")));
 	}
 }