Expression-Based Access Control (#517)

* Expression-Based Access Control

PermitAll, hasRole, hasAnyRole etc.
I modified classes regards to Security

* Added test cases for Spring Security Expressions

spring-security-rest-full/src/main/java/org/baeldung/spring/SecurityWithoutCsrfConfig.java

@@ -44,8 +44,9 @@ public class SecurityWithoutCsrfConfig extends WebSecurityConfigurerAdapter {
         http
         .csrf().disable()
         .authorizeRequests()
-        .antMatchers("/admin/*").hasAnyRole("ROLE_ADMIN")
+        .antMatchers("/auth/admin/*").hasRole("ADMIN")
-        .anyRequest().authenticated()
+        .antMatchers("/auth/*").hasAnyRole("ADMIN","USER")
+        .antMatchers("/*").permitAll()
         .and()
         .httpBasic()
         .and()

spring-security-rest-full/src/main/java/org/baeldung/spring/WebConfig.java

@@ -32,6 +32,7 @@ public class WebConfig extends WebMvcConfigurerAdapter {
 		super.addViewControllers(registry);
 		registry.addViewController("/graph.html");
 		registry.addViewController("/csrfHome.html");
+		registry.addViewController("/homepage.html");
 	}
 
 }

spring-security-rest-full/src/main/java/org/baeldung/web/controller/BankController.java

@@ -12,6 +12,7 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 
 // to test csrf
 @Controller
+@RequestMapping(value = "/auth/")
 public class BankController {
 	private final Logger logger = LoggerFactory.getLogger(getClass());
 

spring-security-rest-full/src/main/java/org/baeldung/web/controller/FooController.java

@@ -29,7 +29,7 @@ import org.springframework.web.util.UriComponentsBuilder;
 import com.google.common.base.Preconditions;
 
 @Controller
-@RequestMapping(value = "/foos")
+@RequestMapping(value = "/auth/foos")
 public class FooController {
 
 	@Autowired

spring-security-rest-full/src/main/java/org/baeldung/web/controller/HomeController.java

@@ -0,0 +1,14 @@
+package org.baeldung.web.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+@RequestMapping(value = "/")
+public class HomeController {
+
+	public String index() {
+		return "homepage";
+	}
+
+}

spring-security-rest-full/src/main/java/org/baeldung/web/controller/RootController.java

@@ -20,6 +20,7 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.util.UriTemplate;
 
 @Controller
+@RequestMapping(value = "/auth/")
 public class RootController {
 
 	@Autowired

spring-security-rest-full/src/main/java/org/baeldung/web/controller/UserController.java

@@ -37,6 +37,7 @@ import cz.jirutka.rsql.parser.ast.Node;
 
 //@EnableSpringDataWebSupport
 @Controller
+@RequestMapping(value = "/auth/")
 public class UserController {
 
 	@Autowired

spring-security-rest-full/src/test/java/org/baeldung/security/csrf/CsrfAbstractIntegrationTest.java

@@ -42,6 +42,10 @@ public class CsrfAbstractIntegrationTest {
 		return user("user").password("userPass").roles("USER");
 	}
 
+	protected RequestPostProcessor testAdmin() {
+		return user("admin").password("adminPass").roles("USER", "ADMIN");
+	}
+
 	protected String createFoo() throws JsonProcessingException {
 		return new ObjectMapper().writeValueAsString(new Foo(randomAlphabetic(6)));
 	}

spring-security-rest-full/src/test/java/org/baeldung/security/csrf/CsrfDisabledIntegrationTest.java

@@ -1,5 +1,6 @@
 package org.baeldung.security.csrf;
 
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -15,12 +16,31 @@ public class CsrfDisabledIntegrationTest extends CsrfAbstractIntegrationTest {
 
 	@Test
 	public void givenNotAuth_whenAddFoo_thenUnauthorized() throws Exception {
-        mvc.perform(post("/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo())).andExpect(status().isUnauthorized());
+		mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo())).andExpect(status().isUnauthorized());
 	}
 
 	@Test
 	public void givenAuth_whenAddFoo_thenCreated() throws Exception {
-        mvc.perform(post("/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo()).with(testUser())).andExpect(status().isCreated());
+		mvc.perform(post("/auth/foos").contentType(MediaType.APPLICATION_JSON).content(createFoo()).with(testUser())).andExpect(status().isCreated());
+	}
+
+	@Test
+	public void accessMainPageWithoutAuthorization() throws Exception {
+		mvc.perform(get("/graph.html").contentType(MediaType.APPLICATION_JSON)).andExpect(status().isOk());
+	}
+
+	@Test
+	public void accessOtherPages() throws Exception {
+		mvc.perform(get("/auth/transfer").contentType(MediaType.APPLICATION_JSON).param("accountNo", "1").param("amount", "100"))
+				.andExpect(status().isUnauthorized()); // without authorization
+		mvc.perform(get("/auth/transfer").contentType(MediaType.APPLICATION_JSON).param("accountNo", "1").param("amount", "100").with(testUser()))
+				.andExpect(status().isOk()); // with authorization
+	}
+
+	@Test
+	public void accessAdminPage() throws Exception {
+		mvc.perform(get("/auth/admin/x").contentType(MediaType.APPLICATION_JSON)).andExpect(status().isUnauthorized()); //without authorization
+		mvc.perform(get("/auth/admin/x").contentType(MediaType.APPLICATION_JSON).with(testAdmin())).andExpect(status().isOk()); //with authorization
 	}
 
 }