This repository was archived by the owner on Mar 20, 2026. It is now read-only.

Metercedes/LAB10


LAB10 - Secure Notes Application

A Spring Boot REST API application demonstrating secure web development practices including JWT authentication, authorization, input validation, and security headers.

Prerequisites

  • Java 17
  • Gradle (wrapper included)

How to Run

# Start the application
./gradlew bootRun

The application runs on:

Note: The application uses a self-signed SSL certificate for development. Your browser may show a security warning - this is expected for localhost testing.

Running Tests

./gradlew test

Tests include unit tests and integration tests (106 total tests).

Project Structure

src/main/java/com/example/LAB10/
├── config/          # Security and application configuration
├── controller/      # REST API endpoints
├── dto/             # Data Transfer Objects with validation
├── model/           # JPA entities
├── repository/      # Spring Data JPA repositories
├── security/        # JWT filter, rate limiting
├── service/         # Business logic
└── validator/       # Custom validation rules

Features Implemented

Lab 10: HTTP/REST API

  • RESTful endpoints using GET, POST, PUT, PATCH, DELETE
  • Proper HTTP status codes (200, 201, 400, 401, 403, 404, 429)
  • Content-Type handling and validation
  • Request header reading

Lab 11-12: Authentication

  • JWT-based authentication (stateless)
  • Access tokens (15 min expiry) and refresh tokens (24 hour expiry)
  • Token refresh with rotation (old tokens invalidated)
  • User registration and login
  • Logout with token revocation
  • BCrypt password hashing (strength 12)
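The refresh-with-rotation and logout-with-revocation flow listed above, as an added example that is not the project's own code. It assumes the jjwt 0.12 API and an in-memory set of consumed token ids (a real deployment would persist both the signing key and the revocation list); the class and method names are hypothetical.

```java
import io.jsonwebtoken.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKey;

/** Issues access/refresh pairs and rotates refresh tokens on use (hypothetical class, jjwt 0.12 API). */
public class TokenService {
    public record TokenPair(String accessToken, String refreshToken) {}

    private static final Duration ACCESS_TTL = Duration.ofMinutes(15);  // expiries from the README
    private static final Duration REFRESH_TTL = Duration.ofHours(24);
    private final SecretKey key = Jwts.SIG.HS256.key().build();        // fresh key per start; persist in practice
    private final Set<String> usedIds = ConcurrentHashMap.newKeySet(); // jti of rotated or logged-out refresh tokens

    public TokenPair issue(String username) {
        return new TokenPair(build(username, "access", ACCESS_TTL), build(username, "refresh", REFRESH_TTL));
    }

    /** Exchanges a refresh token for a new pair; the presented token is consumed so a replay fails. */
    public TokenPair refresh(String refreshToken) {
        Claims claims = parse(refreshToken);
        if (!"refresh".equals(claims.get("type", String.class))) {
            throw new IllegalArgumentException("not a refresh token"); // an access token must not refresh
        }
        if (!usedIds.add(claims.getId())) { // add() is false when this jti was already consumed
            throw new IllegalArgumentException("refresh token already rotated or revoked");
        }
        return issue(claims.getSubject());
    }

    /** Logout: mark the refresh token as revoked so it cannot be used again. */
    public void revoke(String refreshToken) {
        usedIds.add(parse(refreshToken).getId());
    }

    private Claims parse(String token) {
        try { // rejects bad signatures, expired and malformed tokens
            return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload();
        } catch (JwtException e) {
            throw new IllegalArgumentException("invalid token", e);
        }
    }

    private String build(String username, String type, Duration ttl) {
        Instant now = Instant.now();
        return Jwts.builder().id(UUID.randomUUID().toString()).subject(username).claim("type", type)
                .issuedAt(Date.from(now)).expiration(Date.from(now.plus(ttl))).signWith(key).compact();
    }
}
```

Because every refresh token carries a unique jti and that id is added to the consumed set before a new pair is issued, presenting a rotated token a second time is rejected even though its signature and expiry are still valid.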

Lab 13: Security

  • Input validation with custom validators
  • Strong password policy enforcement
  • SQL injection prevention (parameterized queries)
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • Rate limiting (60 req/min general, 10 req/min for auth endpoints)
  • User data isolation (users can only access their own data)
  • Role-based access control (USER, ADMIN roles)
  • Security event logging

Lab 14: Testing & CI/CD

  • Unit tests for services and validators
  • Integration tests for authentication and access control
  • JaCoCo code coverage reporting
  • GitHub Actions CI pipeline
  • OWASP dependency vulnerability scanning

Bonus Features

  • HTTPS with SSL/TLS
  • HTTP to HTTPS redirect
  • HSTS (Strict-Transport-Security) header

API Endpoints

Authentication (Public)

Method Endpoint Description
POST /api/auth/register Register new user
POST /api/auth/login Login and get tokens
POST /api/auth/refresh Refresh access token
POST /api/auth/logout Logout and revoke tokens

Notes (Requires Authentication)

Method Endpoint Description
GET /api/notes Get all of the authenticated user's notes
GET /api/notes/{id} Get specific note
POST /api/notes Create new note
PUT /api/notes/{id} Update note (full)
PATCH /api/notes/{id} Update note (partial)
DELETE /api/notes/{id} Delete note

Admin (Requires ADMIN role)

Method Endpoint Description
GET /api/admin/users List all users
GET /api/admin/stats System statistics

Example API Usage

Register a User

curl -k -X POST https://localhost:8443/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@example.com","password":"SecurePass1!"}'

Login

curl -k -X POST https://localhost:8443/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"SecurePass1!"}'

Create a Note (with token)

curl -k -X POST https://localhost:8443/api/notes \
  -H "Authorization: Bearer <your-access-token>" \
  -H "Content-Type: application/json" \
  -d '{"title":"My Note","content":"Note content here"}'

Password Requirements

Passwords must have:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit
  • At least one special character (!@#$%^&* etc.)
  • Cannot be a common password (e.g., "password123")
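The password policy above as a Bean Validation custom validator, added here as an example rather than the project's own validator class. It assumes the Jakarta Validation API shipped with Spring Boot 3; the annotation, class names and the short common-password list are constructed for illustration (the two types would live in separate files in the project's layout).

```java
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import java.lang.annotation.*;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Put on a DTO field, e.g. @StrongPassword String password (hypothetical annotation, own file in practice).
@Constraint(validatedBy = StrongPasswordValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface StrongPassword {
    String message() default "password does not meet the policy";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

/** Reports every violated rule instead of only the first, so the client can fix them all at once. */
public class StrongPasswordValidator implements ConstraintValidator<StrongPassword, String> {
    private static final String SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/|~";
    // Constructed sample list; a real deployment would load a much larger breached-password list.
    private static final Set<String> COMMON = Set.of("password", "password123", "12345678", "qwerty123");

    @Override
    public boolean isValid(String pw, ConstraintValidatorContext ctx) {
        if (pw == null) return true; // null is @NotNull's job, per Bean Validation convention
        Map<String, Boolean> rules = new LinkedHashMap<>();
        rules.put("must be at least 8 characters", pw.length() >= 8);
        rules.put("needs an uppercase letter", pw.chars().anyMatch(Character::isUpperCase));
        rules.put("needs a lowercase letter", pw.chars().anyMatch(Character::isLowerCase));
        rules.put("needs a digit", pw.chars().anyMatch(Character::isDigit));
        rules.put("needs a special character", pw.chars().anyMatch(c -> SPECIALS.indexOf(c) >= 0));
        rules.put("is a commonly used password", !COMMON.contains(pw.toLowerCase())); // "Password123" too
        ctx.disableDefaultConstraintViolation();
        boolean ok = true;
        for (Map.Entry<String, Boolean> rule : rules.entrySet()) {
            if (!rule.getValue()) {
                ctx.buildConstraintViolationWithTemplate(rule.getKey()).addConstraintViolation();
                ok = false;
            }
        }
        return ok;
    }
}
```

With `@Valid` on the registration request body, Spring turns the collected violations into the 400 response listed under Lab 10.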

Security Headers

The application includes these security headers:

  • X-Frame-Options: DENY - Prevents clickjacking
  • X-Content-Type-Options: nosniff - Prevents MIME sniffing
  • Content-Security-Policy - Controls resource loading
  • Referrer-Policy: strict-origin-when-cross-origin
  • Strict-Transport-Security - Forces HTTPS (HSTS)
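The headers above plus the HTTPS redirect, HSTS and role rules from the feature lists, expressed as a Spring Security 6 filter chain. This is an added example, not the project's config class: the CSP directive string, the HSTS max-age and the class name are assumptions, and registration of the JWT filter is left out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
public class SecurityHeadersConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless JWT API: no session cookie, so CSRF tokens have nothing to protect.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // HTTP -> HTTPS redirect (needs a plain HTTP connector beside the 8443 HTTPS one).
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())
            .headers(headers -> headers
                .frameOptions(frame -> frame.deny())                 // X-Frame-Options: DENY
                .contentTypeOptions(Customizer.withDefaults())       // X-Content-Type-Options: nosniff
                .contentSecurityPolicy(csp -> csp.policyDirectives(  // assumed directives
                    "default-src 'self'; frame-ancestors 'none'; object-src 'none'"))
                .referrerPolicy(rp -> rp.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // Spring only emits HSTS on HTTPS responses, so browsers never pin an HTTP-only host.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)))                     // one year, assumed value
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()         // register/login/refresh/logout
                .requestMatchers("/api/admin/**").hasRole("ADMIN")   // admin endpoints
                .anyRequest().authenticated());                      // notes require a valid token
        return http.build();
    }
}
```

Checking the result is a one-liner: `curl -k -I https://localhost:8443/api/auth/login` should show every header listed above in the response.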

Technologies Used

  • Java 17
  • Spring Boot 3.2
  • Spring Security
  • Spring Data JPA
  • JWT (jjwt library)
  • SQLite database
  • Flyway (database migrations)
  • JaCoCo (code coverage)
  • JUnit 5 & Mockito (testing)

Configuration

Key configuration in application.properties:

  • JWT expiration times
  • Rate limiting thresholds
  • SSL/HTTPS settings
  • Database connection

Author

Created for the Web Security course (Labs 10, 11-12, 13, 14)

About

Educational lab project implementing HTTP fundamentals with Java and Spring Boot. Demonstrates layered architecture (controllers, services, repositories), database migrations (Flyway), JPA persistence and basic authentication. Ideal as a learning reference or starting point for small REST services.
