Spring Boot Security, In Memory auth and end Points security is done.

Author: manirDev

pom.xml

@@ -48,7 +48,10 @@
 			<artifactId>modelmapper</artifactId>
 			<version>3.1.0</version>
 		</dependency>
-
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>

src/main/java/com/manir/springbootecommercerestapi/config/SecurityConfig.java

@@ -0,0 +1,54 @@
+package com.manir.springbootecommercerestapi.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+
+@Configuration
+@EnableWebSecurity
+/***
+    global security is used for enable security at method level for example permitting get methods
+    Ex: PreAuthorize("hasRole('ADMIN')")
+ ***/
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+                .csrf().disable()
+                .authorizeRequests()
+                //to permit all get request and secure post put and delete methods
+                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
+                .anyRequest()
+                .authenticated()
+                .and()
+                .httpBasic();
+
+    }
+
+    //In memory Auth
+    @Override
+    @Bean
+    protected UserDetailsService userDetailsService() {
+        UserDetails user =  User.builder().username("user").password(passwordEncoder().encode("user")).roles("USER").build();
+        UserDetails admin =  User.builder().username("admin").password(passwordEncoder().encode("admin")).roles("ADMIN").build();
+
+        return new InMemoryUserDetailsManager(user, admin);
+    }
+
+    @Bean
+    PasswordEncoder passwordEncoder(){
+        return new BCryptPasswordEncoder();
+    }
+}

src/main/java/com/manir/springbootecommercerestapi/controller/CategoryController.java

@@ -7,6 +7,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 
@@ -18,6 +19,7 @@ public class CategoryController {
     private CategoryService categoryService;
 
     //create category api
+    @PreAuthorize("hasRole('ADMIN')")
     @PostMapping("/createCategory")
     public ResponseEntity<CategoryDto> createCategory(@RequestBody CategoryDto categoryDto){
         CategoryDto responseCategory = categoryService.createCategory(categoryDto);
@@ -42,6 +44,7 @@ public ResponseEntity<CategoryDto> getCatecoryById(@PathVariable Long categoryId
     }
 
     //update category api
+    @PreAuthorize("hasRole('ADMIN')")
     @PutMapping("/updateCategory/{categoryId}")
     public ResponseEntity<CategoryDto> updateCategory(@RequestBody CategoryDto categoryDto,
                                                       @PathVariable Long categoryId){
@@ -50,6 +53,7 @@ public ResponseEntity<CategoryDto> updateCategory(@RequestBody CategoryDto categ
     }
 
     //delete category api
+    @PreAuthorize("hasRole('ADMIN')")
     @DeleteMapping("/deleteCategory/{categoryId}")
     public ResponseEntity<String> deleteCategory(@PathVariable Long categoryId){
         categoryService.deleteCategory(categoryId);

src/main/java/com/manir/springbootecommercerestapi/controller/ProductController.java

@@ -9,6 +9,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -22,6 +23,7 @@ public class ProductController {
     private ProductService productService;
 
     //product create api
+    @PreAuthorize("hasRole('ADMIN')")
     @RequestMapping(value = "/createProduct", method = RequestMethod.POST, consumes = {MediaType.APPLICATION_JSON_VALUE, MediaType.MULTIPART_FORM_DATA_VALUE})
     public ResponseEntity<ProductDto> createProduct(@RequestPart("productDto") ProductDto productDto,
                                                     @RequestPart("file") MultipartFile file){
@@ -30,6 +32,7 @@ public ResponseEntity<ProductDto> createProduct(@RequestPart("productDto") Produ
     }
 
     //create product with category
+    @PreAuthorize("hasRole('ADMIN')")
     @PostMapping("/{categoryId}/saveProductByCategoryId")
     public ResponseEntity<ProductDto> saveProductByCategoryId(@PathVariable Long categoryId,
                                                               @RequestBody ProductDto productDto){
@@ -57,6 +60,7 @@ public ResponseEntity<ProductDto> getProductById(@PathVariable Long productId){
     }
 
     //update product api
+    @PreAuthorize("hasRole('ADMIN')")
     @PutMapping("/{categoryId}/updateProduct/{productId}")
     public ResponseEntity<ProductDto> updateProduct(@PathVariable Long categoryId,
                                                     @RequestBody ProductDto productDto,
@@ -66,6 +70,7 @@ public ResponseEntity<ProductDto> updateProduct(@PathVariable Long categoryId,
     }
 
     //delete product api
+    @PreAuthorize("hasRole('ADMIN')")
     @DeleteMapping("/deleteProduct/{productId}")
     public  ResponseEntity<String> deleteProduct(@PathVariable Long productId){
         productService.deleteProduct(productId);

src/main/java/com/manir/springbootecommercerestapi/service/Impl/ShoppingCartServiceImpl.java

@@ -135,4 +135,6 @@ private Product findProductById(Long productId){
                 );
         return product;
     }
+
+
 }

src/main/resources/application.properties

@@ -6,5 +6,10 @@ spring.datasource.username=root
 spring.datasource.url=jdbc:mysql://localhost:3306/springBootEcommerceRestApi?serverTimezone=UTC
 spring.jpa.hibernate.ddl-auto=update
 
-#logging.level.org.springframework.security=DEBUG
+#TO see security is working on the console
+logging.level.org.springframework.security=DEBUG
+#Spring security default auth credential
+#spring.security.user.password= user
+#spring.security.user.name= user
+#spring.security.user.roles= ADMIN