Spring Security

My implementation for the Spring Boot Security Course from Amigoscode.

• Description for each branch
  • Section 2 - Getting Started with Spring Security
    • Newly developed API calls
      • Obtain one of the students
  • Section 3 - Users Roles and Authorities
  • Section 4 - Permission Based Authentication
    • Newly developed API calls (management endpoints)
      • Obtain all students
      • Create a new student
      • Update student
      • Delete student
  • Section 5 - Cross Site Request Forgery
  • Section 6 - Form Based Authentication
  • Section 7 - Database Authentication
  • Section 8 - JSON Web Tokens
    • API calls
      • Login and receive token
      • Send token with each request
• Status

Description for each branch

Section 2 - Getting Started with Spring Security

git checkout section-2-getting-started-with-spring-security

The username available for this section is user and it is using the generated password available in the logs. (Using generated security password: bf5ac150-92d2-47de-9715-2db137874388)

The main page of the project http://localhost:8080 was whitelisted.

Newly developed API calls

Obtain one of the students

• URI: api/v1/students/:studentId

• Method: GET

• URL params:
  

  • required:
    studentId=[Integer]
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Successful call:

  (with Basic Auth)

  • Response:
    • Code: 200 OK
      
    • Content:

    {
        "studentId": 1,
        "name": "Student 1"
    }
    

• Failed call:

  (without authorization)

  • Response:
    • Code: 401 Unauthorized
      
    • Content:

    {
        "timestamp": "2020-09-22T12:30:01.402+0000",
        "status": 401,
        "error": "Unauthorized",
        "message": "Unauthorized",
        "path": "/api/v1/students/1"
    }
    

Section 3 - Users Roles and Authorities

git checkout section-3-user-roles-and-authorities

Under this section more users were added. Available users:

* The authorities that should be associated with the STUDENT role were not added.

The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.

Section 4 - Permission Based Authentication

git checkout section-4-permission-based-authentication

Available users:

* The authorities that should be associated with the STUDENT role were not added.

The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.

Newly developed API calls (management endpoints)

The defined endpoints evaluate the use of hasAuthority and preAuthorize with users with different roles and permissions and are not real CRUD implementations.

Obtain all students

For ADMIN and ADMINTRAINEE roles, for STUDENT:READ authority.

• URI: management/api/v1/students

• Method: GET

• URL params:
  

  • required: -
    
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Success response:

  • Code: 200 OK
    
  • Content:

  [
      {
          "studentId": 1,
          "name": "Student 1"
      },
      {
          "studentId": 2,
          "name": "Student 2"
      },
      {
          "studentId": 3,
          "name": "Student 3"
      }
  ]
  

Create a new student

For ADMIN role, for STUDENT:WRITE authority.

• URI: management/api/v1/students

• Method: POST

• URL params:
  

  • required: -
    
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Data params:
  

  • required:
    student=[Student]

    {
        "name": "Student X"
    }
    

  • optional: -
    

• Success response:

  • Code: 200 OK
    

• Fail response:

  • Code: 403 Forbidden for the other roles.

Update student

For ADMIN role, for STUDENT:WRITE authority.

• URI: management/api/v1/students/:studentId

• Method: PUT

• URL params:
  

  • required:
    studentId=[Integer]
    
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Data params:
  

  • required:
    student=[Student]

    {
        "name": "Student X"
    }
    

  • optional: -
    

• Success response:

  • Code: 200 OK
    

• Fail response:

  • Code: 403 Forbidden for the other roles.

Delete student

For ADMIN role, for STUDENT:WRITE authority.

• URI: management/api/v1/students/:studentId

• Method: DELETE

• URL params:
  

  • required:
    studentId=[Integer]
    
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Success response:

  • Code: 200 OK
    

• Fail response:

  • Code: 403 Forbidden for the other roles.

Section 5 - Cross Site Request Forgery

git checkout section-5-cross-site-request-forgery

Add the XSRF_TOKEN header in POST, PUT and DELETE requests when CSRF is not disabled in ApplicationSecurityConfig.configure method.

Section 6 - Form Based Authentication

git checkout section-6-form-based-authentication

Custom login page.
Added a "Course" page with logout button.
Played with SESSIONID and remember-me cookies.

Section 7 - Database Authentication

git checkout section-7-database-authentication

Adding custom UserDetailsService and custom UserDetails "faking" connecting to a database to obtain the users.

Section 8 - JSON Web Tokens

git checkout section-8-jwt

API calls

Login and receive token

• URI: login

• Method: PUT

• URL params:
  

  • required: -
    
  • optional: -
    

• Query params:
  

  • required: -
    
  • optional: -
    

• Data params:
  

  • required:
    usernameAndPasswordAuthenticationRequest=[UsernameAndPasswordAuthenticationRequest]

    {
        "username": "anna",
        "password": "pass"
    }
    

  • optional: -
    

• Success response:

  • Code: 200 OK
    
  • Added Header:

  Authorization: Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w
  

Send token with each request

For each request add Authorization Header with Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w.

Status

[COMPLETED] - As I finished the section of the course and the associated project, I am setting a personal status of "Completed" and will probably not update this repository in the near future as this was a learning project.