Merge pull request #8354 from martinvw/feature/BAEL-3495-deny-on-missing-annotation

[BAEL-3495] Added code for new article

spring-security-modules/spring-security-core/.gitignore

@@ -1,13 +1 @@
-*.class
-
-#folders#
-/target
-/neoDb*
-/data
-/src/main/webapp/WEB-INF/classes
-*/META-INF/*
-
-# Packaged files #
-*.jar
-*.war
-*.ear
+target/

spring-security-modules/spring-security-core/README.md

@@ -8,8 +8,6 @@ This module contains articles about core Spring Security
 - [Introduction to Spring Method Security](https://www.baeldung.com/spring-security-method-security)
 - [Overview and Need for DelegatingFilterProxy in Spring](https://www.baeldung.com/spring-delegating-filter-proxy)
 
-### @PreFilter and @PostFilter annotations
-
-#### Build the Project
+### Build the Project
 
 `mvn clean install`

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/App.java

@@ -12,9 +12,6 @@ import org.springframework.web.filter.DelegatingFilterProxy;
 import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
 
 @SpringBootApplication
-@EnableJpaRepositories("com.baeldung.repository")
-@ComponentScan("com.baeldung")
-@EntityScan("com.baeldung.entity")
 public class App extends SpringBootServletInitializer {
     public static void main(String[] args) {
         SpringApplication.run(App.class, args);
@@ -31,19 +28,16 @@ public class App extends SpringBootServletInitializer {
 
         @Override
         protected Class<?>[] getRootConfigClasses() {
-            // TODO Auto-generated method stub
             return null;
         }
 
         @Override
         protected Class<?>[] getServletConfigClasses() {
-            // TODO Auto-generated method stub
             return null;
         }
 
         @Override
         protected String[] getServletMappings() {
-            // TODO Auto-generated method stub
             return null;
         }
     }

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/auditing/ExposeAttemptedPathAuthorizationAuditListener.java

@@ -1,4 +1,4 @@
-package com.baeldung.auditing;
+package com.baeldung.app.auditing;
 
 import org.springframework.boot.actuate.audit.AuditEvent;
 import org.springframework.boot.actuate.security.AbstractAuthorizationAuditListener;

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/auditing/LoginAttemptsLogger.java

@@ -1,4 +1,4 @@
-package com.baeldung.auditing;
+package com.baeldung.app.auditing;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/config/DatabaseLoader.java

@@ -1,11 +1,11 @@
-package com.baeldung.config;
+package com.baeldung.app.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
 
-import com.baeldung.entity.Task;
-import com.baeldung.repository.TaskRepository;
+import com.baeldung.app.entity.Task;
+import com.baeldung.app.repository.TaskRepository;
 
 @Component
 public class DatabaseLoader implements CommandLineRunner {

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/config/WebSecurityConfig.java

@@ -1,4 +1,4 @@
-package com.baeldung.config;
+package com.baeldung.app.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java

@@ -1,4 +1,4 @@
-package com.baeldung.controller;
+package com.baeldung.app.controller;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
@@ -7,8 +7,8 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-import com.baeldung.entity.Task;
-import com.baeldung.service.TaskService;
+import com.baeldung.app.entity.Task;
+import com.baeldung.app.service.TaskService;
 
 @Controller
 @RequestMapping("api/tasks")

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/entity/Task.java

@@ -1,4 +1,4 @@
-package com.baeldung.entity;
+package com.baeldung.app.entity;
 
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/filter/CustomFilter.java

@@ -1,4 +1,4 @@
-package com.baeldung.filter;
+package com.baeldung.app.filter;
 
 import java.io.IOException;
 

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/repository/TaskRepository.java

@@ -1,8 +1,8 @@
-package com.baeldung.repository;
+package com.baeldung.app.repository;
 
 import org.springframework.data.repository.CrudRepository;
 
-import com.baeldung.entity.Task;
+import com.baeldung.app.entity.Task;
 
 public interface TaskRepository extends CrudRepository<Task, Long> {
 

spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/service/TaskService.java

@@ -1,12 +1,12 @@
-package com.baeldung.service;
+package com.baeldung.app.service;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PostFilter;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.stereotype.Service;
 
-import com.baeldung.entity.Task;
-import com.baeldung.repository.TaskRepository;
+import com.baeldung.app.entity.Task;
+import com.baeldung.app.repository.TaskRepository;
 
 @Service
 public class TaskService {

spring-security-modules/spring-security-core/src/main/java/com/baeldung/denyonmissing/CustomPermissionAllowedMethodSecurityMetadataSource.java

@@ -0,0 +1,49 @@
+package com.baeldung.denyonmissing;
+
+import static org.springframework.security.access.annotation.Jsr250SecurityConfig.DENY_ALL_ATTRIBUTE;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.stereotype.Controller;
+
+public class CustomPermissionAllowedMethodSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource {
+    @Override
+    protected Collection<ConfigAttribute> findAttributes(Class<?> clazz) {
+        return null;
+    }
+
+    @Override
+    protected Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass) {
+        Annotation[] annotations = AnnotationUtils.getAnnotations(method);
+        List<ConfigAttribute> attributes = new ArrayList<>();
+
+        // if the class is annotated as @Controller we should by default deny access to every method
+        if (AnnotationUtils.findAnnotation(targetClass, Controller.class) != null) {
+            attributes.add(DENY_ALL_ATTRIBUTE);
+        }
+
+        if (annotations != null) {
+            for (Annotation a : annotations) {
+                // but not if the method has at least a PreAuthorize or PostAuthorize annotation
+                if (a instanceof PreAuthorize || a instanceof PostAuthorize) {
+                    return null;
+                }
+            }
+        }
+        return attributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+}

spring-security-modules/spring-security-core/src/main/java/com/baeldung/denyonmissing/DenyApplication.java

@@ -0,0 +1,11 @@
+package com.baeldung.denyonmissing;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DenyApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(DenyApplication.class, args);
+    }
+}

spring-security-modules/spring-security-core/src/main/java/com/baeldung/denyonmissing/DenyMethodSecurityConfig.java

@@ -0,0 +1,29 @@
+package com.baeldung.denyonmissing;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.method.MethodSecurityMetadataSource;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class DenyMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
+    @Override
+    protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
+        return new CustomPermissionAllowedMethodSecurityMetadataSource();
+    }
+
+    @Bean
+    public UserDetailsService userDetailsService() {
+        return new InMemoryUserDetailsManager(
+                User.withUsername("user").password("{noop}password").roles("USER").build(),
+                User.withUsername("guest").password("{noop}password").roles().build()
+        );
+    }
+}

spring-security-modules/spring-security-core/src/main/java/com/baeldung/denyonmissing/DenyOnMissingController.java

@@ -0,0 +1,19 @@
+package com.baeldung.denyonmissing;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DenyOnMissingController {
+    @GetMapping(path = "hello")
+    @PreAuthorize("hasRole('USER')")
+    public String hello() {
+        return "Hello world!";
+    }
+
+    @GetMapping(path = "bye")
+    public String bye() {
+        return "Bye bye world!";
+    }
+}

spring-security-modules/spring-security-core/src/test/java/com/baeldung/app/SpringContextTest.java

@@ -1,4 +1,4 @@
-package com.baeldung;
+package com.baeldung.app;
 
 import org.junit.Test;
 import org.junit.runner.RunWith;

spring-security-modules/spring-security-core/src/test/java/com/baeldung/app/test/LiveTest.java

@@ -1,4 +1,4 @@
-package com.baeldung.test;
+package com.baeldung.app.test;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -22,7 +22,7 @@ import org.springframework.web.context.WebApplicationContext;
 import com.baeldung.app.App;
 
 @RunWith(SpringJUnit4ClassRunner.class)
-@SpringBootTest(classes = App.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@SpringBootTest(classes = App.class)
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class LiveTest {
 

spring-security-modules/spring-security-core/src/test/java/com/baeldung/denyonmissing/DenyOnMissingControllerIntegrationTest.java

@@ -0,0 +1,53 @@
+package com.baeldung.denyonmissing;
+
+import static org.hamcrest.core.Is.isA;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@SpringBootTest(classes = DenyApplication.class)
+public class DenyOnMissingControllerIntegrationTest {
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
+    @Autowired
+    private WebApplicationContext context;
+    private MockMvc mockMvc;
+
+    @Before
+    public void setUp() {
+        mockMvc = MockMvcBuilders.webAppContextSetup(context)
+                .build();
+    }
+
+    @Test
+    @WithMockUser(username = "user")
+    public void givenANormalUser_whenCallingHello_thenAccessDenied() throws Exception {
+        mockMvc.perform(get("/hello"))
+                .andExpect(status().isOk())
+                .andExpect(content().string("Hello world!"));
+    }
+
+    @Test
+    @WithMockUser(username = "user")
+    public void givenANormalUser_whenCallingBye_thenAccessDenied() throws Exception {
+        expectedException.expectCause(isA(AccessDeniedException.class));
+
+        mockMvc.perform(get("/bye"));
+    }
+}

spring-security-modules/spring-security-core/src/test/resources/.gitignore

@@ -1,13 +0,0 @@
-*.class
-
-#folders#
-/target
-/neoDb*
-/data
-/src/main/webapp/WEB-INF/classes
-*/META-INF/*
-
-# Packaged files #
-*.jar
-*.war
-*.ear