DEV Community: Ginto P The latest articles on DEV Community by Ginto P (@bytegrapher). https://dev.to/bytegrapher https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1528069%2F3bf849b8-b88c-4cc1-88cc-777b163f4c7d.png DEV Community: Ginto P https://dev.to/bytegrapher en Spring Security Basics: Implementing Authentication and Authorization-PART 4 Ginto P Thu, 06 Jun 2024 23:55:00 +0000 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-4-1830 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-4-1830 <h2> Integrate the database with Spring Security </h2> <p>Up to this point, we have used the default user provided by Spring Security to log in to the application. In the previous sections, we added some sample users to the <code>application_users</code> table. Moving forward, we will use this table for logging in to the application. To achieve this, we need to configure Spring Security to recognize that the details of the application users are stored in the <code>application_users</code> table. This will enable Spring Security to retrieve and verify user credentials during authentication and authorization.</p> <p>For that let's do the following steps:</p> <ol> <li><p>Add the password encoder bean</p></li> <li><p>Update the plain text password to encrypted password</p></li> <li><p>Configure user details service</p></li> <li><p>Configure the authentication provider</p></li> </ol> <h3> Add the password encoder bean </h3> <p>In the <code>SecurityConfig</code> class add a bean of type <code>PasswordEncoder</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.web</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.Customizer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.crypto.password.PasswordEncoder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.SecurityFilterChain</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">securityConfig</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">securityConfig</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span><span class="o">-&gt;</span> <span class="n">auth</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/hello"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/admin"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">).</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">(){</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The <code>BCryptPasswordEncoder</code> is the preferred method for encoding passwords.</p> <h3> Update the plain text password to encrypted password. </h3> <p>While creating the sample users, the passwords were stored as plain text. In this step, let's update the passwords to an encrypted form.</p> <blockquote> <p>You may wonder why user creation is handled in this manner and not through an API. The reason is, to minimize the overhead of creating APIs for every function. The primary goal of this article is to demonstrate the fundamentals of integrating authentication and authorization mechanisms.</p> </blockquote> <ol> <li><p>Drop the <code>user_roles</code> table</p></li> <li><p>Drop the <code>roles</code> table</p></li> <li><p>Drop the <code>application_user</code> table</p></li> <li><p>Add the <code>PasswordEncoder</code> class dependency in <code>DataBaseUtilityRunner</code></p></li> <li><p>Encode the password</p></li> </ol> <p><strong>Drop the</strong><code>user_roles</code><strong>table</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># drop table user_roles;</span> </code></pre> </div> <p><strong>Drop the</strong><code>roles</code><strong>table</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># drop table roles;</span> </code></pre> </div> <p><strong>Drop the</strong><code>application_user</code><strong>table</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># drop table application_user;</span> </code></pre> </div> <blockquote> <p>The drop tables command were executed via psql CLI</p> </blockquote> <p>And also, do the following in <code>DataBaseUtilityRunner</code> class.</p> <p><em>update the lines</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">user1</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="s">"123456"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="s">"12345"</span><span class="o">);</span> </code></pre> </div> <p>as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="n">user1</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"123456"</span><span class="o">));</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"12345"</span><span class="o">));</span> </code></pre> </div> <p>The <code>DataBaseUtilityRunner</code> after modification is as follows,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.ApplicationUser</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.Roles</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.repository.RoleRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.repository.UserRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.CommandLineRunner</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.crypto.password.PasswordEncoder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Component</span><span class="o">;</span> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DataBaseUtilityRunner</span> <span class="kd">implements</span> <span class="nc">CommandLineRunner</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">PasswordEncoder</span> <span class="n">passwordEncoder</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="nc">UserRepository</span> <span class="n">usersRepository</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="nc">RoleRepository</span> <span class="n">rolesRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">run</span><span class="o">(</span><span class="nc">String</span><span class="o">...</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Roles</span> <span class="n">userRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Roles</span><span class="o">();</span> <span class="n">userRole</span><span class="o">.</span><span class="na">setRoleName</span><span class="o">(</span><span class="s">"USER"</span><span class="o">);</span> <span class="nc">Roles</span> <span class="n">adminRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Roles</span><span class="o">();</span> <span class="n">adminRole</span><span class="o">.</span><span class="na">setRoleName</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">);</span> <span class="n">rolesRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">userRole</span><span class="o">);</span> <span class="n">rolesRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">adminRole</span><span class="o">);</span> <span class="nc">ApplicationUser</span> <span class="n">user1</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationUser</span><span class="o">();</span> <span class="n">user1</span><span class="o">.</span><span class="na">setFirstName</span><span class="o">(</span><span class="s">"John"</span><span class="o">);</span> <span class="n">user1</span><span class="o">.</span><span class="na">setEmail</span><span class="o">(</span><span class="s">"john@test.com"</span><span class="o">);</span> <span class="n">user1</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"123456"</span><span class="o">));</span> <span class="n">user1</span><span class="o">.</span><span class="na">setRole</span><span class="o">(</span><span class="n">userRole</span><span class="o">);</span> <span class="nc">ApplicationUser</span> <span class="n">adminUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationUser</span><span class="o">();</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setFirstName</span><span class="o">(</span><span class="s">"sam"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setEmail</span><span class="o">(</span><span class="s">"sam@test.com"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"12345"</span><span class="o">));</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setRole</span><span class="o">(</span><span class="n">adminRole</span><span class="o">);</span> <span class="n">usersRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">user1</span><span class="o">);</span> <span class="n">usersRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">adminUser</span><span class="o">);</span> <span class="o">}</span><span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">exception</span><span class="o">){</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Run the application and query the <code>application_user</code> table. You will see the passwords are encoded now instead of plain text.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># select * from application_user;</span> <span class="nb">id</span> | email | first_name | last_name | password <span class="nt">-----</span>+---------------+------------+-----------+-------------------------------------------------------------- 102 | john@test.com | John | | <span class="nv">$2a$10$IBP9g8pOvNCvkEc7</span>/EG6TO3j6gh49QMuO6uuw9Dd/P9dPRi5mxbiAsnG 103 | sam@test.com | sam | | <span class="nv">$2a$10$WxM0l4qnjbYn1Vkgmrbte</span>.hgYqPyHLm/y.9IGvEoiRkrL8.h47QKu <span class="o">(</span>2 rows<span class="o">)</span> </code></pre> </div> <h3> Configure user details service </h3> <p>For making spring security to use the database for authentication and authorization a user details service needs to be implemented. This is nothing but a class which implements the interface <code>UserDetailsService</code> .</p> <p>This interface has a method named <code>loadUserByUsername</code> which accepts a string parameter and returns a <code>UserDetails</code> object.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">org.springframework.security.core.userdetails</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>Create a class named <code>DatabaseUserDetailsService.java</code> which implements the <code>UserDetailsService</code> interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">DatabaseUserDetailsService</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>In the overridden method we do the following</p> <ol> <li><p>Fetch the user from database based on the parameter username.</p></li> <li><p>Retrieve the roles associated with the user</p></li> <li><p>Create an instance of class <code>User</code> with the user details and the associated roles</p></li> <li><p>Return the <code>User</code> object<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.service</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.ApplicationUser</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.repository.UserRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.GrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.authority.SimpleGrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.User</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetails</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UsernameNotFoundException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Service</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DatabaseUserDetailsService</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="nc">ApplicationUser</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByEmail</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> <span class="c1">//fetch user from db</span> <span class="k">if</span><span class="o">(</span><span class="n">user</span> <span class="o">==</span> <span class="kc">null</span><span class="o">){</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UsernameNotFoundException</span><span class="o">(</span><span class="s">"User Not found"</span><span class="o">);</span> <span class="o">}</span> <span class="c1">//Retrieve user roles</span> <span class="nc">GrantedAuthority</span> <span class="n">authority</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">(</span><span class="s">"ROLE_"</span><span class="o">+</span><span class="n">user</span><span class="o">.</span><span class="na">getRole</span><span class="o">().</span><span class="na">getRoleName</span><span class="o">());</span> <span class="c1">//create User object</span> <span class="nc">User</span> <span class="n">applicationUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getEmail</span><span class="o">(),</span><span class="n">user</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singleton</span><span class="o">(</span><span class="n">authority</span><span class="o">));</span> <span class="k">return</span> <span class="n">applicationUser</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <blockquote> <p>The <code>User</code> class implements the <code>UserDetails</code> interface. Spring utilizes the <code>UserDetails</code> to generate an Authentication object. This Authentication object indicates whether the user is authenticated.</p> </blockquote> <p>Next we need to configure an authentication provider.</p> <h3> Configure the authentication provider </h3> <p>For Spring Security to utilize the <code>DatabaseUserDetailsService</code> for retrieving user details, it must be linked with an authentication provider. For that we will create a bean of type <code>DaoAuthenticationProvider</code> in the <code>SecurityConfig</code> and bind it with <code>DatabaseUserDetailsService</code> within the <code>SecurityConfig</code>.</p> <p>Bind the <code>DatabaseUserDetailsService</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Autowired</span> <span class="nc">DatabaseUserDetailsService</span> <span class="n">databaseUserDetailsService</span><span class="o">;</span> </code></pre> </div> <p>Next, create an instance of <code>DaoAuthenticationProvider</code> which is an implementation of <code>AUthenticationProvider</code> given by Spring security. Then,</p> <ol> <li><p>Link the <code>databaseUserDetailsService</code></p></li> <li><p>Link the <code>passwordEncoder</code><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">DaoAuthenticationProvider</span> <span class="nf">daoAuthenticationProvider</span><span class="o">()</span> <span class="o">{</span> <span class="nc">DaoAuthenticationProvider</span> <span class="n">authenticationProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DaoAuthenticationProvider</span><span class="o">();</span> <span class="c1">//set the user details object </span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setUserDetailsService</span><span class="o">(</span><span class="n">databaseUserDetailsService</span><span class="o">);</span> <span class="c1">//set the password encoder </span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setPasswordEncoder</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">());</span> <span class="k">return</span> <span class="n">authenticationProvider</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>After this the <code>SecurityConfig</code> looks like below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.web</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.service.DatabaseUserDetailsService</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.dao.DaoAuthenticationProvider</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.Customizer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.crypto.password.PasswordEncoder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.SecurityFilterChain</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">DatabaseUserDetailsService</span> <span class="n">databaseUserDetailsService</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">securityConfig</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">securityConfig</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span><span class="o">-&gt;</span> <span class="n">auth</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/hello"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/admin"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">).</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">(){</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">DaoAuthenticationProvider</span> <span class="nf">daoAuthenticationProvider</span><span class="o">()</span> <span class="o">{</span> <span class="nc">DaoAuthenticationProvider</span> <span class="n">authenticationProvider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DaoAuthenticationProvider</span><span class="o">();</span> <span class="c1">//set the user details object</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setUserDetailsService</span><span class="o">(</span><span class="n">databaseUserDetailsService</span><span class="o">);</span> <span class="c1">//set the password encoder</span> <span class="n">authenticationProvider</span><span class="o">.</span><span class="na">setPasswordEncoder</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">());</span> <span class="k">return</span> <span class="n">authenticationProvider</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Next, run the application and access the APIs. When the login page appears, use the user details from the <code>application_user</code> table.</p> <ol> <li><p><a href="http://localhost:8080/api/hello">http://localhost:8080/api/hello</a></p></li> <li><p><a href="http://localhost:8080/api/protected">http://localhost:8080/api/protected</a></p></li> <li><p><a href="http://localhost:8080/api/admin">http://localhost:8080/api/admin</a></p></li> </ol> <p>You will be successfully authenticated and able to view the response.</p> <p>The <code>/api/admin</code> is only accessible to the user <strong><em>sam</em></strong>.</p> Spring Security Basics: Implementing Authentication and Authorization-PART 3 Ginto P Thu, 06 Jun 2024 23:47:00 +0000 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-3-kpo https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-3-kpo <h2> Configuring security of the API end points </h2> <p>In this section, to configure the security of the API end points a custom security configuration needs to be created. To achieve this let's go through the following steps.</p> <ol> <li><p>Create the security configuration class</p></li> <li><p>Make all APIs to be accessed only by logged in users</p></li> <li><p>Allow /api/hello to be accessed by anyone</p></li> <li><p>Restrict access to /api/admin to user with ADMIN role only</p></li> </ol> <p>Access to the end points will be configured as follows.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>API</th> <th>Who can access</th> </tr> </thead> <tbody> <tr> <td>api/hello</td> <td>anyone</td> </tr> <tr> <td>api/protected</td> <td>authenticated users</td> </tr> <tr> <td>api/admin</td> <td>admin user</td> </tr> </tbody> </table></div> <h3> Create the security configuration class </h3> <p>To implement a custom security configuration by overriding the default one we need to create a configuration class. This can be done with the help of <code>@Configuration</code> annotation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.web</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.Customizer</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.SecurityFilterChain</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">securityConfig</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">securityConfig</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span><span class="o">-&gt;</span> <span class="n">auth</span><span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">).</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This will serve as our initial configuration. Here, we have mandated that every request must be authenticated. In the coming steps, we will configure the security settings as required.</p> <blockquote> <p>For logging in use the default user created by the Spring Security.</p> </blockquote> <h3> Make all APIs to be accessed only by logged in users </h3> <p>There is nothing to do. Because the initial configuration we created satisfied the requirement. Hence we don't need to specify any special configuration for the API endpoint <code>/api/protected</code></p> <h3> Allow <code>/api/hello</code> to be accessed by anyone </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">securityConfig</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">securityConfig</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span><span class="o">-&gt;</span> <span class="n">auth</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/hello"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">().</span> <span class="n">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">).</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Now run the application and attempt to access the APIs. The endpoint <code>/api/hello</code> is now accessible to everyone, while all other endpoints still require users to log in.</p> <h3> Restrict access to <code>/api/admin</code> to user with the ADMIN role only. </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">securityConfig</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">securityConfig</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span><span class="o">-&gt;</span> <span class="n">auth</span><span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/hello"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/admin"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">).</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>At this point, the only API endpoint accessible to users is <code>/api/hello</code>. All other endpoints are restricted by a login screen.</p> <h2> <a href="https://blog.gintophilip.com/series/spring-security-authentication-and-authorization">https://blog.gintophilip.com/series/spring-security-authentication-and-authorization</a> </h2> springboot springsecurity java backend Spring Security Basics: Implementing Authentication and Authorization-PART 2 Ginto P Thu, 06 Jun 2024 23:45:00 +0000 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-2-3b6l https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-2-3b6l <h2> Enable Spring Security </h2> <p>In the previous section, we built a foundational application. In this section, we will enable Spring Security in the application. For that let's do the following steps:</p> <ol> <li><p>Add the Spring Security dependency</p></li> <li><p>Restart the application</p></li> <li><p>Verify Spring Security is enabled</p></li> </ol> <h3> Add the Spring Security dependency </h3> <p>To Enable spring security the library <code>org.springframework.boot:spring-boot-starter-security</code> must be present in the Classpath. This can be achieved by adding the library as a dependency in the <code>build.gradle</code> file. Note the first item in the dependencies list<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dependencies { implementation 'org.springframework.boot:spring-boot-starter-security' implementation 'org.springframework.boot:spring-boot-starter-data-jpa' implementation 'org.springframework.boot:spring-boot-starter-web' runtimeOnly 'com.h2database:h2' testImplementation 'org.springframework.boot:spring-boot-starter-test' } </code></pre> </div> <h3> Restart the application </h3> <p>Just restart the application. Then go to the next step.</p> <h3> Verify Spring Security is enabled </h3> <p>Open the browser and attempt to access the API endpoints. If a login page appears for each endpoint you try to access, it confirms that Spring Security is enabled and functioning as expected.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnklcyf44bygaju7j7c2u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnklcyf44bygaju7j7c2u.png" alt="Image description" width="800" height="371"></a></p> <p>Yeah that's it.</p> <p>At this point the application is running with the default implementation of Spring Security. You will not able to access the APIs without entering login credentials. In the default implementation, Spring Security provides a default user with username as <strong>“user”</strong> and a randomly generated password . This generated password can be obtained from the console logs.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl1aviwthg1ruvnaza6md.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl1aviwthg1ruvnaza6md.png" alt="Image description" width="800" height="195"></a></p> <p>Note the line <strong><em>Using generated security password: dd05314d-2856-48b4-9c81-fcc480e0b4bf</em></strong></p> <p>The default behavior of Spring Security, unless configured otherwise is as follows:</p> <ul> <li><p>All end points are protected by default when the library <code>org.springframework.boot:spring-boot-starter-security</code> is present in the Classpath</p></li> <li><p>One cannot access the resources without authentication.</p></li> <li><p>Provides a default user that can be overridden.</p></li> </ul> <p>In this default setup the APIs can be accessed by entering the username as <strong>user</strong> and password as the one which is printed in the console. Try accessing the APIs by entering the default credentials.</p> <ol> <li><p><a href="http://localhost:8080/api/hello">http://localhost:8080/api/hello</a></p></li> <li><p><a href="http://localhost:8080/api/protected">http://localhost:8080/api/protected</a></p></li> <li><p><a href="http://localhost:8080/api/admin">http://localhost:8080/api/admin</a></p></li> </ol> Spring Security Basics: Implementing Authentication and Authorization-PART 1 Ginto P Thu, 06 Jun 2024 23:35:00 +0000 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-1-3b91 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-part-1-3b91 <h2> Create the base application </h2> <p>Before proceeding to the implementation of authentication and authorization , let's create a simple application to serve as a foundation. The application will have the following API end points.</p> <ol> <li><p><code>GET /api/hello</code></p></li> <li><p><code>GET /api/protected</code></p></li> <li><p><code>GET /api/admin</code></p></li> </ol> <p>Also a database software is required. Here the setup uses <strong>PostgreSQL</strong> database. You are free to choose yours.</p> <blockquote> <p>Don't forget to create a database named <code>spring_access_db</code> in your favorite database tool.</p> </blockquote> <p>Let's go through the following steps to build the foundation.</p> <ol> <li><p>Create the project</p></li> <li><p>Implement the API end points</p></li> <li><p>Create user and role entities</p></li> <li><p>Create user and role repositories</p></li> <li><p>Configure database connectivity</p></li> <li><p>Populate database with sample users</p></li> <li><p>Run the application</p></li> <li><p>Verify users and roles are created by querying the database</p></li> <li><p>Try accessing the API end points</p></li> </ol> <h3> Create the project </h3> <p>To create the project go to <a href="https://start.spring.io/">https://start.spring.io/</a> and create the sample project with the following dependencies.</p> <ul> <li><p><strong>Spring Web</strong></p></li> <li><p><strong>Spring Data JPA</strong></p></li> <li><p><strong>PostgreSQL Driver</strong></p></li> </ul> <blockquote> <p>If you are using <strong><em>IntelliJ IDEA Ultimate</em></strong> or <strong><em>Visual Studio Code</em></strong> you can create the project within the IDE.</p> <p>Create project with IntelliJ IDEA Ultimate : <a rel="noopener noreferrer nofollow" href="https://www.jetbrains.com/help/idea/your-first-spring-application.html">Click here for doc</a></p> <p>Create project with Visual Studio Code: <a rel="noopener noreferrer nofollow" href="https://code.visualstudio.com/docs/java/java-spring-boot">Click here for doc</a></p> </blockquote> <p>Here I used the Spring initializer and opened the project in IntelliJ IDEA (Community Edition)</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1547uvcjawkv17k5kpsm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1547uvcjawkv17k5kpsm.png" alt="Image description" width="800" height="424"></a></p> <ol> <li><p>Add the dependencies</p></li> <li><p>Fill up the project metadata</p></li> <li><p>Generate the Zip file and extract it.</p></li> <li><p>Then open it in your IDE.</p></li> </ol> <h3> Implement the API end points </h3> <p>Create a class named <strong>ApiController</strong> and implement the APIs there.</p> <ul> <li> <p><strong>ApiController.java</strong><br> </p> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.controller</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.ResponseEntity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApiController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">hello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="s">"Hello"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/protected"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">protectedResource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">message</span> <span class="o">=</span> <span class="sh">""" This is a protected resource &lt;br&gt; You are seeing this because you are an authenticated user """</span><span class="o">;</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/admin"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">admin</span><span class="o">()</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">message</span> <span class="o">=</span> <span class="s">"Hello Admin"</span><span class="o">;</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </li> </ul> <h3> Create user and role entities </h3> <p>Create two classes for modeling the user and role entities.</p> <p><strong>ApplicationUser.java</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.entities</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.persistence.*</span><span class="o">;</span> <span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApplicationUser</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="nd">@GeneratedValue</span><span class="o">(</span><span class="n">strategy</span> <span class="o">=</span> <span class="nc">GenerationType</span><span class="o">.</span><span class="na">AUTO</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">Long</span> <span class="n">id</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">firstName</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">lastName</span><span class="o">;</span> <span class="nd">@Column</span><span class="o">(</span><span class="n">unique</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">email</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">password</span><span class="o">;</span> <span class="nd">@ManyToOne</span> <span class="nd">@JoinTable</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"user_roles"</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">Roles</span> <span class="n">role</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">Long</span> <span class="nf">getId</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">id</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setId</span><span class="o">(</span><span class="nc">Long</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">id</span> <span class="o">=</span> <span class="n">id</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getFirstName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">firstName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setFirstName</span><span class="o">(</span><span class="nc">String</span> <span class="n">firstName</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">firstName</span> <span class="o">=</span> <span class="n">firstName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getLastName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">lastName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setLastName</span><span class="o">(</span><span class="nc">String</span> <span class="n">lastName</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">lastName</span> <span class="o">=</span> <span class="n">lastName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getEmail</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">email</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setEmail</span><span class="o">(</span><span class="nc">String</span> <span class="n">email</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">email</span> <span class="o">=</span> <span class="n">email</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getPassword</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">password</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setPassword</span><span class="o">(</span><span class="nc">String</span> <span class="n">password</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">password</span> <span class="o">=</span> <span class="n">password</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">Roles</span> <span class="nf">getRole</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">role</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setRole</span><span class="o">(</span><span class="nc">Roles</span> <span class="n">role</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">role</span> <span class="o">=</span> <span class="n">role</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Roles.java</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.entities</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.persistence.*</span><span class="o">;</span> <span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Roles</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="nd">@GeneratedValue</span><span class="o">(</span><span class="n">strategy</span> <span class="o">=</span> <span class="nc">GenerationType</span><span class="o">.</span><span class="na">AUTO</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">Long</span> <span class="n">id</span><span class="o">;</span> <span class="nd">@Column</span><span class="o">(</span><span class="n">unique</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">roleName</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">Long</span> <span class="nf">getId</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">id</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setId</span><span class="o">(</span><span class="nc">Long</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">id</span> <span class="o">=</span> <span class="n">id</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getRoleName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">roleName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setRoleName</span><span class="o">(</span><span class="nc">String</span> <span class="n">roleName</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">roleName</span> <span class="o">=</span> <span class="n">roleName</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Create user and role repositories </h3> <p><strong>UserRepository.java</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.repository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.ApplicationUser</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.data.jpa.repository.JpaRepository</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">UserRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o">&lt;</span><span class="nc">ApplicationUser</span><span class="o">,</span><span class="nc">Long</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nc">ApplicationUser</span> <span class="nf">findByEmail</span><span class="o">(</span><span class="nc">String</span> <span class="n">email</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p><strong>RoleRepository.java</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth.repository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.Roles</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.data.jpa.repository.JpaRepository</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">RoleRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o">&lt;</span><span class="nc">Roles</span><span class="o">,</span><span class="nc">Long</span><span class="o">&gt;</span> <span class="o">{</span> <span class="o">}</span> </code></pre> </div> <h3> Configure database connectivity </h3> <p>Let's configure the connection to the database named <code>spring_access_db</code> with the following settings:</p> <p>username: <strong>postgres</strong></p> <p>password: <strong>12345</strong></p> <p>For configuring the database connectivity update the <strong>application.properties</strong> file as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>spring.datasource.url=jdbc:postgresql://localhost:5432/spring_access_db spring.datasource.username=postgres spring.datasource.password=12345 spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.PostgreSQLDialect spring.jpa.hibernate.ddl-auto = update </code></pre> </div> <blockquote> <p>If you are using a different database, please ensure that the connection URL is updated to correspond with your specific database. also the hibernate dialect</p> </blockquote> <h3> Populate database with sample users </h3> <p>Let's Create a class which implements the <code>CommandLineRunner</code> interface. The method <code>run</code> will be executed once the application is ready.</p> <p><strong>DatabaseUtilityRunner.java</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.gintophilip.springauth</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.ApplicationUser</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.entities.Roles</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.repository.RoleRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.gintophilip.springauth.repository.UserRepository</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.CommandLineRunner</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.stereotype.Component</span><span class="o">;</span> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DataBaseUtilityRunner</span> <span class="kd">implements</span> <span class="nc">CommandLineRunner</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">UserRepository</span> <span class="n">usersRepository</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="nc">RoleRepository</span> <span class="n">rolesRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">run</span><span class="o">(</span><span class="nc">String</span><span class="o">...</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Roles</span> <span class="n">userRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Roles</span><span class="o">();</span> <span class="n">userRole</span><span class="o">.</span><span class="na">setRoleName</span><span class="o">(</span><span class="s">"USER"</span><span class="o">);</span> <span class="nc">Roles</span> <span class="n">adminRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Roles</span><span class="o">();</span> <span class="n">adminRole</span><span class="o">.</span><span class="na">setRoleName</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">);</span> <span class="n">rolesRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">userRole</span><span class="o">);</span> <span class="n">rolesRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">adminRole</span><span class="o">);</span> <span class="nc">ApplicationUser</span> <span class="n">user1</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationUser</span><span class="o">();</span> <span class="n">user1</span><span class="o">.</span><span class="na">setFirstName</span><span class="o">(</span><span class="s">"John"</span><span class="o">);</span> <span class="n">user1</span><span class="o">.</span><span class="na">setEmail</span><span class="o">(</span><span class="s">"john@test.com"</span><span class="o">);</span> <span class="n">user1</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="s">"123456"</span><span class="o">);</span> <span class="n">user1</span><span class="o">.</span><span class="na">setRole</span><span class="o">(</span><span class="n">userRole</span><span class="o">);</span> <span class="nc">ApplicationUser</span> <span class="n">adminUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationUser</span><span class="o">();</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setFirstName</span><span class="o">(</span><span class="s">"sam"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setEmail</span><span class="o">(</span><span class="s">"sam@test.com"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="s">"12345"</span><span class="o">);</span> <span class="n">adminUser</span><span class="o">.</span><span class="na">setRole</span><span class="o">(</span><span class="n">adminRole</span><span class="o">);</span> <span class="n">usersRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">user1</span><span class="o">);</span> <span class="n">usersRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">adminUser</span><span class="o">);</span> <span class="o">}</span><span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">exception</span><span class="o">){</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Verify users and roles are created by querying the database </h3> <p>As a result of the previous step three tables will be created with the provided data in the database <code>spring_access_db</code>;</p> <p>Here I use the psql CLI client to view and query the database.</p> <p><strong>List of tables</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>spring_access_db-# <span class="se">\d</span>t List of relations Schema | Name | Type | Owner <span class="nt">--------</span>+------------------+-------+---------- public | application_user | table | postgres public | roles | table | postgres public | user_roles | table | postgres <span class="o">(</span>3 rows<span class="o">)</span> </code></pre> </div> <p><strong>Table: application_user</strong></p> <p><strong>Query</strong>: <code>select * from application_user;</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># select * from application_user;</span> <span class="nb">id</span> | email | first_name | last_name | password <span class="nt">----</span>+---------------+------------+-----------+---------- 1 | john@test.com | John | | 123456 2 | sam@test.com | sam | | 12345 <span class="o">(</span>2 rows<span class="o">)</span> </code></pre> </div> <p>In this example, the password is stored in clear text. In a real-world scenario, it is essential to store passwords in an encrypted form rather than as plain text. We'll do this later.</p> <p><strong>Table: roles</strong></p> <p><strong>Query:</strong><code>select * from roles;</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># select * from roles;</span> <span class="nb">id</span> | role_name <span class="nt">-----</span>+----------- 802 | USER 803 | ADMIN <span class="o">(</span>2 rows<span class="o">)</span> </code></pre> </div> <p><strong>Table: user_roles</strong></p> <p><strong>Query:</strong><code>select * from user_roles;</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">spring_access_db</span><span class="o">=</span><span class="c"># select * from user_roles;</span> role_id | <span class="nb">id</span> <span class="nt">---------</span>+---- 802 | 1 803 | 2 <span class="o">(</span>2 rows<span class="o">)</span> </code></pre> </div> <h3> Run the application </h3> <p>Now run the application. Once it is up and running, open the browser and try to access the API endpoints.</p> <ol> <li><p><a href="http://localhost:8080/api/hello">http://localhost:8080/api/hello</a></p></li> <li><p><a href="http://localhost:8080/api/protected">http://localhost:8080/api/protected</a></p></li> <li><p><a href="http://localhost:8080/api/admin">http://localhost:8080/api/admin</a></p></li> </ol> <p>You will be able to access all the APIs without any restrictions. This completes the setup of base application.</p> <p>In the comings steps we'll see how to protect these end points by integrating authentication and authorization mechanisms using Spring Security.</p> Spring Security Basics: Implementing Authentication and Authorization Ginto P Thu, 06 Jun 2024 23:30:00 +0000 https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-5ebn https://dev.to/bytegrapher/spring-security-basics-implementing-authentication-and-authorization-5ebn <p>Hello everyone, this document will guide you through the process of integrating authentication and authorization mechanisms into a Spring Boot web application using Spring Security. The following topics will be covered:.</p> <ol> <li> <h3> PART 1: Create the base application. </h3> <ol> <li>Create the project.</li> <li>Implement the API end points.</li> <li>Create user and role entities.</li> <li>Create user and role repositories.</li> <li>Configure database connectivity.</li> <li>Populate database with sample users.</li> <li>Verify users and roles are created by querying the database.</li> <li>Run the application.</li> </ol> </li> <li> <h3> PART 2: Enable Spring Security </h3> <ol> <li>Add the Spring Security dependency</li> <li>Restart the application</li> <li>Verify Spring Security is enabled</li> </ol> </li> <li> <h3> PART 3: Configuring security of the API end points </h3> <ol> <li>Create the security configuration class</li> <li>Make all APIs to be accessed only by logged in users</li> <li>Allow /api/hello to be accessed by anyone</li> <li>Restrict access to /api/admin to user with ADMIN role only</li> </ol> </li> <li> <h3> PART 4: Integrate the database with Spring Security. </h3> <ol> <li>Add the password encoder bean.</li> <li>Update the plain text password to encrypted password.</li> <li>Configure user details service.</li> <li>Configure the authentication provider.</li> </ol> </li> </ol> <p>Before going in let's see what is,</p> <ul> <li><p>Authentication</p></li> <li><p>Authorization</p></li> <li><p>User details service</p></li> <li><p>Authentication provider</p></li> </ul> <h3> Authentication </h3> <p>Authentication is the process of proving that someone is who they claim to be. The authentication can be done via certain ways such as Username and password, fingerprint. token etc...</p> <p>To authenticate against an application, a user must have valid credentials. When these credentials are provided to the application for access, the application verifies them against the database where the credentials are stored. If the credentials match, the authentication is successful and the user can proceed to use the application.</p> <h3> Authorization. </h3> <p>While authentication verifies the identity of a user in an application, authorization determines what actions the user is permitted to perform. This means it addresses the permissions assigned to a user.</p> <p>In an application, there may be multiple users, each with different levels of operational rights. For example, an ADMIN user may have the right to delete a user, whereas a regular user will not have this capability.</p> <p>A basic flow of user authentication and authorization</p> <p><strong>Authentication</strong></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5bik7on0e3sovfdtj6m.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5bik7on0e3sovfdtj6m.png" alt="authentication" width="800" height="300"></a></p> <ol> <li><p>User submits the credentials to the application.</p></li> <li><p>The application verifies the credentials by checking in the database.</p></li> <li><p>If the credentials are valid allow access to the application.</p></li> </ol> <p><strong>Authorization</strong></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4n2u5y511y749iot00f2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4n2u5y511y749iot00f2.png" alt="authorization" width="800" height="300"></a></p> <ol> <li><p>User requests a resource.</p></li> <li><p>The authorization module checks if the user has rights to access the resource.</p></li> <li><p>If user has rights the resource is given to the user.</p></li> <li><p>Else the access to resource is denied.</p></li> </ol> <h3> <strong>User details service</strong> </h3> <p>This service provides the necessary data, such as username, password, or other details required for authentication. In Spring Security, we configure a <code>UserDetailsService</code> object, which instructs Spring Security on where to load the required data for authentication. For example, when a username is provided as "<a href="mailto:test@test.com">test@test.com</a>," Spring Security needs to look up the user data where the username is "<a href="mailto:test@test.com">test@test.com</a>." This lookup is typically performed on a database. The database required for this lookup is configured using the user details service.</p> <p>In essence, the user details service is a service that retrieves user data from the database based on a given key.</p> <h3> <strong>Authentication provider</strong> </h3> <p>The authentication provider is responsible for authenticating users based on the provided credentials.</p> <p>The authentication provider requests the user's details from the user details service using the received username. The user details service fetches and returns the user information if a user with the requested name is found. Then, it proceeds to compare the password.</p> <p>The authentication provider and the user details service collaborate to authenticate a user effectively.</p> <p><a href="https://blog.gintophilip.com/series/spring-security-authentication-and-authorization">https://blog.gintophilip.com/series/spring-security-authentication-and-authorization</a></p> beginners java springboot springsecurity