Skip to content
This repository has been archived by the owner on Jun 16, 2023. It is now read-only.

[COMPLETED] My implementation of the Spring Security tutorial from Amigoscode.

Notifications You must be signed in to change notification settings

mariamihai/spring-security-amigoscode-tutorial

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Spring Security

My implementation for the Spring Boot Security Course from Amigoscode.

Description for each branch

Section 2 - Getting Started with Spring Security

git checkout section-2-getting-started-with-spring-security

The username available for this section is user and it is using the generated password available in the logs. (Using generated security password: bf5ac150-92d2-47de-9715-2db137874388)

The main page of the project http://localhost:8080 was whitelisted.

Newly developed API calls

Obtain one of the students
  • URI: api/v1/students/:studentId

  • Method: GET

  • URL params:

    • required:
      studentId=[Integer]
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Successful call:

    (with Basic Auth)

    • Response:
      • Code: 200 OK
      • Content:
      {
          "studentId": 1,
          "name": "Student 1"
      }
      
  • Failed call:

    (without authorization)

    • Response:
      • Code: 401 Unauthorized
      • Content:
      {
          "timestamp": "2020-09-22T12:30:01.402+0000",
          "status": 401,
          "error": "Unauthorized",
          "message": "Unauthorized",
          "path": "/api/v1/students/1"
      }
      

Section 3 - Users Roles and Authorities

git checkout section-3-user-roles-and-authorities

Under this section more users were added. Available users:

Username Password Role Authorities
student1 pass STUDENT* STUDENT:READ, STUDENT:WRITE, COURSES:READ
steve pass012 ADMIN STUDENT:READ, STUDENT:WRITE, COURSES:READ, COURSES:WRITE

* The authorities that should be associated with the STUDENT role were not added.

The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.

Section 4 - Permission Based Authentication

git checkout section-4-permission-based-authentication

Available users:

Username Password Role Authorities
student1 pass STUDENT* STUDENT:READ, STUDENT:WRITE, COURSES:READ
steve pass012 ADMIN STUDENT:READ, STUDENT:WRITE, COURSES:READ, COURSES:WRITE
tom pass012 ADMINTRAINEE STUDENT:READ, COURSES:READ

* The authorities that should be associated with the STUDENT role were not added.

The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.

Newly developed API calls (management endpoints)

The defined endpoints evaluate the use of hasAuthority and preAuthorize with users with different roles and permissions and are not real CRUD implementations.

Obtain all students

For ADMIN and ADMINTRAINEE roles, for STUDENT:READ authority.

  • URI: management/api/v1/students

  • Method: GET

  • URL params:

    • required: -
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Success response:

    • Code: 200 OK
    • Content:
    [
        {
            "studentId": 1,
            "name": "Student 1"
        },
        {
            "studentId": 2,
            "name": "Student 2"
        },
        {
            "studentId": 3,
            "name": "Student 3"
        }
    ]
    
Create a new student

For ADMIN role, for STUDENT:WRITE authority.

  • URI: management/api/v1/students

  • Method: POST

  • URL params:

    • required: -
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Data params:

    • required:
      student=[Student]
      {
          "name": "Student X"
      }
      
    • optional: -
  • Success response:

    • Code: 200 OK
  • Fail response:

    • Code: 403 Forbidden for the other roles.
Update student

For ADMIN role, for STUDENT:WRITE authority.

  • URI: management/api/v1/students/:studentId

  • Method: PUT

  • URL params:

    • required:
      studentId=[Integer]
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Data params:

    • required:
      student=[Student]
      {
          "name": "Student X"
      }
      
    • optional: -
  • Success response:

    • Code: 200 OK
  • Fail response:

    • Code: 403 Forbidden for the other roles.
Delete student

For ADMIN role, for STUDENT:WRITE authority.

  • URI: management/api/v1/students/:studentId

  • Method: DELETE

  • URL params:

    • required:
      studentId=[Integer]
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Success response:

    • Code: 200 OK
  • Fail response:

    • Code: 403 Forbidden for the other roles.

Section 5 - Cross Site Request Forgery

git checkout section-5-cross-site-request-forgery

Add the XSRF_TOKEN header in POST, PUT and DELETE requests when CSRF is not disabled in ApplicationSecurityConfig.configure method.

Section 6 - Form Based Authentication

git checkout section-6-form-based-authentication

Custom login page.
Added a "Course" page with logout button.
Played with SESSIONID and remember-me cookies.

Section 7 - Database Authentication

git checkout section-7-database-authentication

Adding custom UserDetailsService and custom UserDetails "faking" connecting to a database to obtain the users.

Section 8 - JSON Web Tokens

git checkout section-8-jwt

API calls

Login and receive token
  • URI: login

  • Method: PUT

  • URL params:

    • required: -
    • optional: -
  • Query params:

    • required: -
    • optional: -
  • Data params:

    • required:
      usernameAndPasswordAuthenticationRequest=[UsernameAndPasswordAuthenticationRequest]
      {
          "username": "anna",
          "password": "pass"
      }
      
    • optional: -
  • Success response:

    • Code: 200 OK
    • Added Header:
    Authorization: Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w
    
Send token with each request

For each request add Authorization Header with Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w.

Status

[COMPLETED] - As I finished the section of the course and the associated project, I am setting a personal status of "Completed" and will probably not update this repository in the near future as this was a learning project.