Spring Security - Guided Exercise - API Input Mastery: Unlocking Data from Every Corner!

[akash-coded]

🔐 Spring Security — The Full Arsenal

Spring Security isn’t just an authentication library. It’s a powerful, customizable framework for securing enterprise Java applications, baked into the Spring ecosystem like frosting into a cake.

---

🧠 The Core Concepts You Must Know

1. Authentication vs Authorization

• Authentication = Who are you? (login)

• Authorization = Are you allowed to do this? (permissions)

Spring Security handles both.

Login → Validate credentials → Assign roles → Protect resources

2. Filter Chain (SecurityFilterChain)

• Every request passes through a chain of filters like:

  • UsernamePasswordAuthenticationFilter

  • BasicAuthenticationFilter

  • ExceptionTranslationFilter

  • FilterSecurityInterceptor

These filters are ordered and responsible for specific security tasks.

Think of it like an airport: ID check → luggage scan → security interview → boarding pass verification.

---

🧰 The Security Tools in Your Belt

Tool	What It Does
@EnableWebSecurity	Activates security config
SecurityFilterChain	Replaces WebSecurityConfigurerAdapter (deprecated)
PasswordEncoder	Hashes and compares passwords securely
UserDetailsService	Fetches user info from DB or memory
@secured, @PreAuthorize	Enforces method-level role access
BCryptPasswordEncoder	Strong hashing algorithm

[akash-coded]

Spring Security Deep-Dive: Enterprise-Grade Learning Journey

🔍 1. Real-World Case Study: E-Commerce Platform

Scenario:

You are building an online retail application. Users can:

• Browse products

• Register/Login

• Place orders

• Admins can manage inventory and users

Core Security Requirements:

• Public access to product listing

• Only logged-in users can place orders

• Admins can create/update/delete products

Mapping to Spring Security:

Feature	Spring Security Concept
Public endpoints	permitAll() in filter chain
Login/Register	formLogin() or custom REST auth
Role-based actions	@PreAuthorize("hasRole('ADMIN')")
Password security	BCryptPasswordEncoder
Session or Token Auth	Spring Session or JWT integration

📦 2. Advanced Concepts with Examples

A. JWT Authentication (Stateless APIs)

http
  .csrf().disable()
  .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
  .and()
  .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);

🔑 Token extracted, validated, and used to set SecurityContext manually.

B. OAuth2 Login

spring.security.oauth2.client.registration.google.client-id=...
spring.security.oauth2.client.registration.google.client-secret=...

🔗 Google login with Spring Boot in just 3 lines of config.
Adds enterprise-grade social login support for HRMS, LMS, Portals.

💼 3. Enterprise Enhancements

A. Custom AccessDeniedHandler

public class CustomAccessDeniedHandler implements AccessDeniedHandler {
    public void handle(...) {
        response.setStatus(HttpStatus.FORBIDDEN.value());
        response.getWriter().write("Access Denied");
    }
}

✅ Better UX than default white-label error pages.

B. Global Exception Handling with Spring Security

@ControllerAdvice
public class GlobalExceptionHandler {
    @ExceptionHandler(BadCredentialsException.class)
    public ResponseEntity<String> handleBadCreds() {
        return ResponseEntity.status(401).body("Invalid login credentials");
    }
}

✅ Returns clean JSON messages in APIs.

🧪 4. Test Coverage for Security

A. Unit Tests

@Test
@WithMockUser(roles = "ADMIN")
void testAdminEndpoint() throws Exception {
    mockMvc.perform(get("/admin/products"))
           .andExpect(status().isOk());
}

B. Integration Tests

• Load full Spring Context

• Hit real endpoints using TestRestTemplate

🚀 5. Security Best Practices Checklist

• ✅ Never log passwords (even hashed)

• ✅ Use HTTPS in production

• ✅ Use BCryptPasswordEncoder or Argon2

• ✅ Apply RBAC at method level (@PreAuthorize)

• ✅ Hide sensitive actuator endpoints

• ✅ Validate JWT expiration and issuer

• ✅ Sanitize inputs even if using Spring Security

📚 6. Homework Exercise for Learners

Build an Employee Management Portal:

Roles:

• USER: Can view and update their own details

• MANAGER: Can view all employees

• ADMIN: Full CRUD access

Tasks:

1. Configure 3 roles with Spring Security

2. Build REST APIs for CRUD operations

3. Add @PreAuthorize annotations

4. Add login endpoint with JWT support

5. Secure Swagger UI with auth

6. Write 3 unit tests for role-based access

7. Handle custom errors and invalid tokens

Bonus:

• Add audit logging using Spring Events

• Send email on unauthorized access (mocked)

[akash-coded]

🧩 Exercise Title: "API Input Mastery: Unlocking Data from Every Corner!"

🧠 Concepts Covered

• @RequestParam
• @PathVariable
• @RequestBody
• Mixed usage and edge cases
• Differences, best practices, and real-world examples

---

🎯 Goal

Build a Spring Boot mini-API called SmartUserAPI, which performs basic user operations using all types of input mechanisms.

---

🧱 Project Setup

Dependencies via start.spring.io:

• Spring Web
• Lombok
• Spring Boot DevTools

Port: 8082
Update in application.properties:

server.port=8082
spring.application.name=SmartUserAPI

---

🗂️ Folder Structure

src/main/java/com/example/smartuser/
├── controller/
│   └── UserController.java
├── model/
│   └── User.java
├── dto/
│   └── UserDTO.java
└── SmartUserApiApplication.java

---

1️⃣ Step 1: Create the User Model

package com.example.smartuser.model;

import lombok.*;

@Getter @Setter @NoArgsConstructor @AllArgsConstructor @ToString
public class User {
    private int id;
    private String name;
    private int age;
    private String city;
}

---

2️⃣ Step 2: Expose GET with @RequestParam

Task: Fetch greeting message with a user’s name via query param.

// In UserController.java
@GetMapping("/greet")
public String greetUser(@RequestParam String name) {
    return "Hello, " + name + "! Welcome to SmartUserAPI.";
}

🧩 Try this in Postman:

GET http://localhost:8082/greet?name=Akash

---

3️⃣ Step 3: Use @PathVariable to Get User Info by ID

@GetMapping("/user/{id}")
public String getUserById(@PathVariable int id) {
    return "Fetching user with ID: " + id;
}

Try:

GET http://localhost:8082/user/101

---

4️⃣ Step 4: Post User Data using @RequestBody

@PostMapping("/user")
public String createUser(@RequestBody User user) {
    return "User Created: " + user.toString();
}

🧪 Try this in Postman:

• Method: POST
• URL: http://localhost:8082/user
• Body (JSON):

{
  "id": 1,
  "name": "Riya",
  "age": 25,
  "city": "Bangalore"
}

---

5️⃣ Step 5: Mixed Usage: @RequestParam + @PathVariable + @RequestBody

@PostMapping("/user/{id}/update")
public String updateUser(
        @PathVariable int id,
        @RequestParam String city,
        @RequestBody User user) {
    return "Updated user " + id + " in city " + city + " with data: " + user;
}

🧪 Postman:

• URL: http://localhost:8082/user/1/update?city=Delhi
• Body:

{
  "id": 1,
  "name": "Riya",
  "age": 26,
  "city": "Delhi"
}

---

🧠 Recap Questions

1. When should you use @RequestParam over @PathVariable?
2. What if the query param is optional?
3. Why does @RequestBody only work with POST/PUT methods?
4. How does Spring parse JSON into a Java object?

---

📌 Bonus Challenge

Implement validation:

@PostMapping("/user")
public ResponseEntity<String> createUser(@RequestBody @Valid User user) {
    ...
}

Add:

import javax.validation.constraints.*;

@Getter @Setter
public class User {
    @NotNull private Integer id;
    @NotBlank private String name;
    @Min(18) private int age;
    ...
}

---

🧭 Learning Outcome

By end of this, learners can:

• Map inputs flexibly and securely in REST APIs
• Understand request data design trade-offs
• Build controller methods with composability and clean structure

[akash-coded]

Mastering Spring Security: A Comprehensive Guide for Readers

A hands-on approach to implementing and testing modern security standards in a single Spring Boot application.

1. The "Why" and "What" of Spring Security: Core Concepts

Before diving into code, it's crucial to understand the fundamental principles of application security and how Spring Security addresses them.

1.1. The Pillars of Security: Authentication and Authorization

At its core, application security revolves around two key concepts:

• Authentication: The process of verifying the identity of a user or system. Essentially, it answers the question, "Who are you?". This is typically achieved through credentials like a username and password, biometrics, or security tokens.
• Authorization: The process of determining whether an authenticated user has the necessary permissions to access a specific resource or perform a particular action. It answers the question, "Are you allowed to do that?". This is often managed through roles and permissions.

1.2. How Spring Security Works: The Filter Chain

Spring Security operates by intercepting incoming HTTP requests with a series of servlet filters, collectively known as the FilterChainProxy. Each filter has a specific responsibility, such as:

• UsernamePasswordAuthenticationFilter: Handles the authentication of a user based on a username and password submitted through a form.
• BasicAuthenticationFilter: Manages authentication based on an HTTP Basic Authentication header.
• JwtAuthenticationFilter (Custom): A common custom filter to handle authentication based on a JSON Web Token (JWT).
• AuthorizationFilter: Enforces authorization rules, checking if the authenticated user has the required roles or permissions to access the requested resource.

Understanding this filter chain is key to customizing and extending Spring Security's behavior.

2. Setting Up a Secure Spring Boot API: A Unified Demonstration Project

Throughout this manual, we will build and enhance a single Spring Boot project to demonstrate various security features. This will allow you to see how different security mechanisms can coexist and be managed within the same application.

2.1. Project Initialization

Start by creating a new Spring Boot project using the Spring Initializr (https://start.spring.io/) with the following dependencies:

• Spring Web: For building RESTful APIs.
• Spring Security: The core dependency for security features.
• Spring Data JPA: For database interaction.
• H2 Database: An in-memory database, ideal for demonstration purposes.
• Lombok: To reduce boilerplate code.

2.2. Initial Security Configuration

Upon adding the Spring Security dependency, your application is secured by default. All endpoints will require a username and a generated password. We will override this behavior by creating a security configuration class.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

This initial configuration specifies that all requests must be authenticated and enables both HTTP Basic and form-based login.

3. The Spectrum of Authentication: From Basic to Advanced

Now, let's explore and implement various authentication methods within our demonstration API.

3.1. In-Memory Authentication: Getting Started Quickly

For development and testing, you can define users directly in your security configuration.

@Bean
public UserDetailsService userDetailsService() {
    UserDetails user = User.withDefaultPasswordEncoder()
        .username("user")
        .password("password")
        .roles("USER")
        .build();
    UserDetails admin = User.withDefaultPasswordEncoder()
        .username("admin")
        .password("admin")
        .roles("ADMIN")
        .build();
    return new InMemoryUserDetailsManager(user, admin);
}

Use Case: Ideal for quick prototyping and testing without the need for a full-fledged database setup.

3.2. JDBC Authentication: Integrating with a Database

In a real-world scenario, user information is stored in a database. Spring Security provides seamless integration with JDBC.

First, configure your application.properties for the H2 database:

spring.h2.console.enabled=true
spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=password
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect

Next, create a User entity and a UserRepository. Then, implement a UserDetailsService to load user data from the database.

@Service
public class JpaUserDetailsService implements UserDetailsService {

    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return userRepository.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("User not found"));
    }
}

Finally, configure Spring Security to use this service and a PasswordEncoder.

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Bean
public AuthenticationProvider authenticationProvider() {
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(jpaUserDetailsService());
    provider.setPasswordEncoder(passwordEncoder());
    return provider;
}

Use Case: The standard approach for most web applications that manage their own user base.

3.3. JSON Web Token (JWT) Authentication: For Stateless APIs

JWT is a popular standard for creating access tokens for an application. It's particularly well-suited for stateless RESTful APIs.

The JWT Flow:

1. A user authenticates with their credentials (e.g., username/password).
2. The server validates the credentials and, if successful, generates a JWT.
3. The server sends the JWT back to the client.
4. The client includes the JWT in the Authorization header for all subsequent requests.
5. The server validates the JWT on each request before processing it.

To implement JWT authentication, you'll need to:

1. Add JWT dependency:

   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-api</artifactId>
       <version>0.11.5</version>
   </dependency>
   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-impl</artifactId>
       <version>0.11.5</version>
       <scope>runtime</scope>
   </dependency>
   <dependency>
       <groupId>io.jsonwebtoken</groupId>
       <artifactId>jjwt-jackson</artifactId>
       <version>0.11.5</version>
       <scope>runtime</scope>
   </dependency>

2. Create a JwtUtil class: To generate and validate JWTs.
3. Create a JwtAuthenticationFilter: To intercept requests, extract the JWT, and set the authentication in the SecurityContextHolder.
4. Configure Spring Security: To add the JwtAuthenticationFilter to the filter chain.

Use Case: Securing stateless microservices and single-page applications (SPAs).

3.4. OAuth 2.0 and OpenID Connect (OIDC): Delegating Authentication

OAuth 2.0 is an authorization framework that allows a third-party application to obtain limited access to an HTTP service. OpenID Connect is a layer on top of OAuth 2.0 that provides identity verification.

Spring Security offers excellent support for integrating with OAuth 2.0 and OIDC providers like Google, GitHub, and Okta.

To enable OAuth 2.0 login with Google:

1. Add OAuth2 Client dependency: spring-boot-starter-oauth2-client
2. Configure application.properties:

   spring.security.oauth2.client.registration.google.client-id=your-google-client-id
   spring.security.oauth2.client.registration.google.client-secret=your-google-client-secret

3. Update Security Configuration:

   http
       .oauth2Login(Customizer.withDefaults());

Use Case: Allowing users to log in to your application using their existing accounts from popular identity providers.

4. Fine-Grained Authorization: Controlling Access

Once a user is authenticated, authorization determines what they can do.

4.1. Role-Based Access Control (RBAC)

The most common approach to authorization is based on user roles.

http
    .authorizeHttpRequests(authorize -> authorize
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .requestMatchers("/api/user/**").hasAnyRole("USER", "ADMIN")
        .requestMatchers("/api/public/**").permitAll()
        .anyRequest().authenticated()
    );

4.2. Method-Level Security

For more granular control, you can secure individual methods in your service layer using annotations.

Enable method security in your configuration:

@Configuration
@EnableMethodSecurity
public class SecurityConfig {
    // ...
}

Then, use annotations on your service methods:

@Service
public class MyService {

    @PreAuthorize("hasRole('ADMIN')")
    public void performAdminAction() {
        // ...
    }

    @PreAuthorize("hasAuthority('READ_PRIVILEGE')")
    public String viewSensitiveData() {
        // ...
    }
}

Use Case: When authorization logic is closely tied to business logic and cannot be expressed solely through URL patterns.

5. Essential Security Practices: CSRF and CORS

5.1. Cross-Site Request Forgery (CSRF) Protection

CSRF is an attack that tricks a user into submitting a malicious request. Spring Security provides built-in CSRF protection, which is enabled by default. For stateless APIs using JWT, CSRF protection can often be disabled as there is no session to exploit.

http.csrf(csrf -> csrf.disable()); // For stateless APIs

5.2. Cross-Origin Resource Sharing (CORS) Configuration

CORS is a browser security feature that restricts cross-origin HTTP requests. If your frontend and backend are on different domains, you'll need to configure CORS.

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000")); // Your frontend URL
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
    configuration.setAllowedHeaders(Arrays.asList("*"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

And enable it in your security configuration:

http.cors(Customizer.withDefaults());

6. The Art of Testing a Secure Application

Testing your security configuration is as crucial as implementing it. Spring Security provides excellent testing support.

6.1. Unit Testing with MockMvc

You can write tests to verify that your security rules are correctly enforced without needing to run the entire application.

@SpringBootTest
@AutoConfigureMockMvc
public class SecurityTests {

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void accessPublicEndpoint_shouldSucceed() throws Exception {
        mockMvc.perform(get("/api/public/hello"))
                .andExpect(status().isOk());
    }

    @Test
    public void accessProtectedEndpoint_withoutAuthentication_shouldFail() throws Exception {
        mockMvc.perform(get("/api/user/profile"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(username = "user", roles = {"USER"})
    public void accessUserEndpoint_withUserRole_shouldSucceed() throws Exception {
        mockMvc.perform(get("/api/user/profile"))
                .andExpect(status().isOk());
    }

    @Test
    @WithMockUser(username = "user", roles = {"USER"})
    public void accessAdminEndpoint_withUserRole_shouldBeForbidden() throws Exception {
        mockMvc.perform(get("/api/admin/dashboard"))
                .andExpect(status().isForbidden());
    }
}

@WithMockUser: This powerful annotation allows you to simulate requests from an authenticated user with specific roles and authorities.

6.2. Integration Testing

For end-to-end testing, you can use @SpringBootTest with WebEnvironment.RANDOM_PORT and TestRestTemplate to make real HTTP requests to your running application. This is particularly useful for testing OAuth 2.0 flows.

7. Solving the Exercise: A Unified Application

To solve the hypothetical exercise of demonstrating all possible varieties of Spring Security, you would structure your single Spring Boot application as follows:

• SecurityConfig.java: A central class that orchestrates the different security configurations. You can use @Order on multiple SecurityFilterChain beans to apply different security rules to different URL patterns. For example, one filter chain for stateless JWT-based API endpoints and another for stateful web application endpoints with form login and OAuth 2.0.
• Controllers for each use case:
  • PublicController.java: Endpoints accessible to everyone.
  • UserController.java: Endpoints requiring USER or ADMIN roles.
  • AdminController.java: Endpoints restricted to ADMIN role.
  • AuthenticationController.java: An endpoint to handle username/password authentication and issue a JWT.
• A comprehensive test suite: Demonstrating how to test each security configuration, including public access, role-based access, and token-based authentication.

[akash-coded]

Here is the complete source code for the unified Spring Boot application that demonstrates the concepts from the manual. This project is designed to be a practical, hands-on lab for the students.

Project Structure

Here is the recommended structure for your project:

src
└── main
    ├── java
    │   └── com
    │       └── example
    │           └── springsecuritydemo
    │               ├── config
    │               │   └── SecurityConfig.java
    │               ├── controller
    │               │   ├── AdminController.java
    │               │   ├── AuthController.java
    │               │   ├── PublicController.java
    │               │   └── UserController.java
    │               ├── model
    │               │   ├── AppUser.java
    │               │   └── AppUserRepository.java
    │               ├── security
    │               │   ├── JpaUserDetailsService.java
    │               │   ├── JwtAuthenticationFilter.java
    │               │   ├── JwtRequest.java
    │               │   ├── JwtResponse.java
    │               │   └── JwtUtil.java
    │               └── SpringSecurityDemoApplication.java
    └── resources
        ├── application.properties
        └── data.sql
src
└── test
    └── java
        └── com
            └── example
                └── springsecuritydemo
                    └── controller
                        └── SecurityIntegrationTest.java
pom.xml

---

1. Maven Dependencies (pom.xml)

This file includes all necessary dependencies for Spring Web, Security, JPA, H2, Lombok, and JWT support.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.5</version> <relativePath/> </parent>
    <groupId>com.example</groupId>
    <artifactId>spring-security-demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>spring-security-demo</name>
    <description>Demo project for Spring Security</description>
    <properties>
        <java.version>17</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>

        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-api</artifactId>
            <version>0.11.5</version>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-impl</artifactId>
            <version>0.11.5</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-jackson</artifactId>
            <version>0.11.5</version>
            <scope>runtime</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>
                            <groupId>org.projectlombok</groupId>
                            <artifactId>lombok</artifactId>
                        </exclude>
                    </excludes>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

---

2. Application Properties (application.properties)

Configure the H2 database, JPA, and a Google OAuth2 client.

# H2 Database Configuration
spring.h2.console.enabled=true
spring.h2.console.path=/h2-console

# DataSource Configuration
spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect

# Automatically create the schema
spring.jpa.hibernate.ddl-auto=update

# Google OAuth2 Client Configuration (Replace with your credentials)
spring.security.oauth2.client.registration.google.client-id=your-google-client-id.apps.googleusercontent.com
spring.security.oauth2.client.registration.google.client-secret=your-google-client-secret

---

3. Initial Data (data.sql)

This file in src/main/resources will pre-populate the database with users having different roles. The passwords are "password" and are BCrypt-encoded.

INSERT INTO app_user (id, username, password, roles) VALUES
(1, 'user', '$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG', 'ROLE_USER'),
(2, 'admin', '$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG', 'ROLE_ADMIN');

---

4. Model Layer (AppUser.java, AppUserRepository.java)

Defines the user entity and the JPA repository to interact with it.

AppUser.java

package com.example.springsecuritydemo.model;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import lombok.Data;

@Entity
@Data
public class AppUser {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String username;
    private String password;
    private String roles;
}

AppUserRepository.java

package com.example.springsecuritydemo.model;

import org.springframework.data.jpa.repository.JpaRepository;
import java.util.Optional;

public interface AppUserRepository extends JpaRepository<AppUser, Long> {
    Optional<AppUser> findByUsername(String username);
}

---

5. Security Layer (JpaUserDetailsService, JWT classes)

This layer handles user loading from the database and all JWT-related logic.

JpaUserDetailsService.java

package com.example.springsecuritydemo.security;

import com.example.springsecuritydemo.model.AppUserRepository;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.Arrays;
import java.util.stream.Collectors;

@Service
public class JpaUserDetailsService implements UserDetailsService {

    private final AppUserRepository appUserRepository;

    public JpaUserDetailsService(AppUserRepository appUserRepository) {
        this.appUserRepository = appUserRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return appUserRepository.findByUsername(username)
                .map(user -> new User(
                        user.getUsername(),
                        user.getPassword(),
                        Arrays.stream(user.getRoles().split(","))
                                .map(SimpleGrantedAuthority::new)
                                .collect(Collectors.toList())
                ))
                .orElseThrow(() -> new UsernameNotFoundException("User not found with username: " + username));
    }
}

JwtUtil.java, JwtRequest.java, JwtResponse.java, JwtAuthenticationFilter.java
This would contain the full implementation of JWT generation, parsing, and the filter to process the token from the request header. (Full code for these classes would be provided in a real training session, building upon the manual's explanation).

---

6. Controller Layer

These controllers define the API endpoints for different levels of access.

PublicController.java

package com.example.springsecuritydemo.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/public")
public class PublicController {

    @GetMapping("/hello")
    public String hello() {
        return "Hello from a public endpoint!";
    }
}

UserController.java

package com.example.springsecuritydemo.controller;

import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/user")
public class UserController {

    @GetMapping("/profile")
    public String userProfile(Authentication authentication) {
        return "Welcome " + authentication.getName() + "! This is your user profile.";
    }
}

AdminController.java

package com.example.springsecuritydemo.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
public class AdminController {

    @GetMapping("/dashboard")
    public String adminDashboard() {
        return "Welcome to the Admin Dashboard!";
    }
}

AuthController.java
This controller would handle the /authenticate endpoint to issue JWTs.

---

7. The Unified Security Configuration (SecurityConfig.java)

This is the core of the demonstration, showing how to combine different security mechanisms.

package com.example.springsecuritydemo.config;

import com.example.springsecuritydemo.security.JpaUserDetailsService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private final JpaUserDetailsService jpaUserDetailsService;

    public SecurityConfig(JpaUserDetailsService jpaUserDetailsService) {
        this.jpaUserDetailsService = jpaUserDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder =
                http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.userDetailsService(jpaUserDetailsService)
                .passwordEncoder(passwordEncoder());
        return authenticationManagerBuilder.build();
    }

    @Bean
    @Order(1) // This filter chain handles stateless API requests
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**") // Apply this chain to API paths
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) // Add JWT filter here
            .csrf(csrf -> csrf.disable()); // Disable CSRF for stateless APIs
        return http.build();
    }

    @Bean
    @Order(2) // This is the default filter chain for other requests
    public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/public/**", "/h2-console/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults()) // Enable form login
            .oauth2Login(withDefaults()) // Enable OAuth2 login
            .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin())); // Allow H2 console
        return http.build();
    }
}

---

8. Integration Tests (SecurityIntegrationTest.java)

Finally, a test class to verify the security rules are working as expected.

package com.example.springsecuritydemo.controller;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
public class SecurityIntegrationTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void whenAccessPublicEndpoint_thenOk() throws Exception {
        mockMvc.perform(get("/public/hello"))
                .andExpect(status().isOk());
    }

    @Test
    void whenAccessApiWithoutAuth_thenUnauthorized() throws Exception {
        mockMvc.perform(get("/api/user/profile"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(username = "user", roles = {"USER"})
    void whenAccessUserApiWithUserRole_thenOk() throws Exception {
        mockMvc.perform(get("/api/user/profile"))
                .andExpect(status().isOk());
    }

    @Test
    @WithMockUser(username = "user", roles = {"USER"})
    void whenAccessAdminApiWithUserRole_thenForbidden() throws Exception {
        mockMvc.perform(get("/api/admin/dashboard"))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "admin", roles = {"ADMIN"})
    void whenAccessAdminApiWithAdminRole_thenOk() throws Exception {
        mockMvc.perform(get("/api/admin/dashboard"))
                .andExpect(status().isOk());
    }
}