Java project with Spring and Gradle for basic in-memory authentication with authorization for routes.
UML Class Diagram:
Routes:
/
/users
/admins
/accessDenied
The steps of project implementation:
- Create project (in IntelliJ) with:
- Java language (17);
- Spring Framework (6.2.3);
- Dependencies: Web and Security.
- Create the
RoutesController
class:
- in the
controllers
package; - with the annotation
@RestController
; - with the routes
/
,/users
,/admins
,/accessDenied
of type GET.
- Create the
SecurityConfig
class:
- in the
security
package; - with the annotations
@Configuration
and@EnableWebSecurity
; - with all methods annotated with
@Bean
; - with the following public methods:
SecurityFilterChain securityFilterChain(HttpSecurity http)
to configure authorization for each route;UserDetailsService userDetailsService()
to create users;PasswordEncoder passwordEncoder()
to return an instance ofBCryptPasswordEncoder
;AuthenticationManager authenticationManager(UserDetailsService UserDetailsService, PasswordEncoder passwordEncoder)
to customize the authenticator with passwordEncoder;
@RestController
public class RoutesController {
@GetMapping("/")
public String home(){
return "Home Page - Allowed for everyone";
}
@GetMapping("/users")
public String users(){
return "Users Page - Allowed for logged-in users and administrators";
}
@GetMapping("/admins")
public String admins(){
return "Admins Page - Allowed for logged-in admins";
}
@GetMapping("/accessDenied")
public String accessDenied(){
return "Access denied Page";
}
}
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/").permitAll()
.requestMatchers("/users").hasAnyRole("USER", "ADMIN")
.requestMatchers("/admins").hasRole("ADMIN")
.anyRequest().authenticated())
.exceptionHandling(ex -> ex.accessDeniedPage("/accessDenied"))
.httpBasic(Customizer.withDefaults())
.formLogin(AbstractHttpConfigurer::disable)
.logout(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
);
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
UserDetails user = User
.withDefaultPasswordEncoder()
.username("usuario")
.password("senha")
.roles("USER")
.build();
UserDetails admin = User
.withDefaultPasswordEncoder()
.username("administrador")
.password("codigo")
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(user, admin);
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(UserDetailsService UserDetailsService,
PasswordEncoder passwordEncoder) {
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setUserDetailsService(UserDetailsService);
daoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
return new ProviderManager(daoAuthenticationProvider);
}
}
https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/index.html