[BAEL-1410] Spring Boot Security auto-configuration (#3329)

* [BAEL-1410] Spring Boot Security Auto-Configuration

* [BAEL-1410] Added some tests for incorrect credentials use case

* [BAEL-1410] Added readme and some code improvements

pom.xml

@@ -152,6 +152,8 @@
         <module>spring-boot</module>
 	    <module>spring-boot-keycloak</module>
         <module>spring-boot-bootstrap</module>
+        <module>spring-boot-admin</module>
+        <module>spring-boot-security</module>
         <module>spring-cloud-data-flow</module>
         <module>spring-cloud</module>
         <module>spring-core</module>
@@ -263,7 +265,6 @@
         <module>vertx-and-rxjava</module>
         <module>saas</module>
         <module>deeplearning4j</module>
-        <module>spring-boot-admin</module>
         <module>lucene</module>
 		<module>vraptor</module>
     </modules>

spring-boot-security/README.md

@@ -0,0 +1,6 @@
+### Spring Boot Security Auto-Configuration
+
+- mvn clean install 
+- uncomment in application.properties spring.profiles.active=basic # for basic auth config
+- uncomment in application.properties spring.profiles.active=form # for form based auth config
+- uncomment actuator dependency simultaneously with the line from main class

spring-boot-security/pom.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>com.baeldung</groupId>
+	<artifactId>spring-boot-security</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<name>spring-boot-security</name>
+	<description>Spring Boot Security Auto-Configuration</description>
+
+	<parent>
+		<groupId>com.baeldung</groupId>
+		<artifactId>parent-modules</artifactId>
+		<version>1.0.0-SNAPSHOT</version>
+	</parent>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-dependencies</artifactId>
+				<version>1.5.9.RELEASE</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<!--<dependency>-->
+			<!--<groupId>org.springframework.boot</groupId>-->
+			<!--<artifactId>spring-boot-starter-actuator</artifactId>-->
+		<!--</dependency>-->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+
+</project>

spring-boot-security/src/main/java/com/baeldung/springbootsecurity/SpringBootSecurityApplication.java

@@ -0,0 +1,16 @@
+package com.baeldung.springbootsecurity;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration;
+
+@SpringBootApplication(exclude = {
+  SecurityAutoConfiguration.class
+  //    ,ManagementWebSecurityAutoConfiguration.class
+})
+public class SpringBootSecurityApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(SpringBootSecurityApplication.class, args);
+    }
+}

spring-boot-security/src/main/java/com/baeldung/springbootsecurity/config/BasicConfiguration.java

@@ -0,0 +1,37 @@
+package com.baeldung.springbootsecurity.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+@Profile("basic")
+public class BasicConfiguration extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth
+          .inMemoryAuthentication()
+          .withUser("user")
+          .password("password")
+          .roles("USER")
+          .and()
+          .withUser("admin")
+          .password("admin")
+          .roles("USER", "ADMIN");
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+          .authorizeRequests()
+          .anyRequest()
+          .authenticated()
+          .and()
+          .httpBasic();
+    }
+}

spring-boot-security/src/main/java/com/baeldung/springbootsecurity/config/FormLoginConfiguration.java

@@ -0,0 +1,39 @@
+package com.baeldung.springbootsecurity.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+@Profile("form")
+public class FormLoginConfiguration extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth
+          .inMemoryAuthentication()
+          .withUser("user")
+          .password("password")
+          .roles("USER")
+          .and()
+          .withUser("admin")
+          .password("password")
+          .roles("USER", "ADMIN");
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+          .authorizeRequests()
+          .anyRequest()
+          .authenticated()
+          .and()
+          .formLogin()
+          .and()
+          .httpBasic();
+    }
+}

spring-boot-security/src/main/resources/application.properties

@@ -0,0 +1,4 @@
+#spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration
+#spring.profiles.active=form
+#spring.profiles.active=basic
+#security.user.password=password

spring-boot-security/src/main/resources/static/index.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Index</title>
+</head>
+<body>
+Welcome to Baeldung Secured Page !!!
+</body>
+</html>

spring-boot-security/src/test/java/com/baeldung/springbootsecurity/BasicConfigurationIntegrationTest.java

@@ -0,0 +1,56 @@
+package com.baeldung.springbootsecurity;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.context.embedded.LocalServerPort;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = RANDOM_PORT)
+@ActiveProfiles("basic")
+public class BasicConfigurationIntegrationTest {
+
+    TestRestTemplate restTemplate;
+    URL base;
+
+    @LocalServerPort int port;
+
+    @Before
+    public void setUp() throws MalformedURLException {
+        restTemplate = new TestRestTemplate("user", "password");
+        base = new URL("http://localhost:" + port);
+    }
+
+    @Test
+    public void whenLoggedUserRequestsHomePage_ThenSuccess() throws IllegalStateException, IOException {
+        ResponseEntity<String> response = restTemplate.getForEntity(base.toString(), String.class);
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertTrue(response
+          .getBody()
+          .contains("Baeldung"));
+    }
+
+    @Test
+    public void whenUserWithWrongCredentialsRequestsHomePage_ThenUnauthorizedPage() throws IllegalStateException, IOException {
+        restTemplate = new TestRestTemplate("user", "wrongpassword");
+        ResponseEntity<String> response = restTemplate.getForEntity(base.toString(), String.class);
+        assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
+        assertTrue(response
+          .getBody()
+          .contains("Unauthorized"));
+    }
+}

spring-boot-security/src/test/java/com/baeldung/springbootsecurity/FormConfigurationIntegrationTest.java

@@ -0,0 +1,106 @@
+package com.baeldung.springbootsecurity;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.LocalServerPort;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.*;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+
+import java.util.Collections;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static org.junit.Assert.*;
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = RANDOM_PORT)
+@ActiveProfiles("form")
+public class FormConfigurationIntegrationTest {
+
+    @Autowired TestRestTemplate restTemplate;
+    @LocalServerPort int port;
+
+    @Test
+    public void whenLoginPageIsRequested_ThenSuccess() {
+        HttpHeaders httpHeaders = new HttpHeaders();
+        httpHeaders.setAccept(Collections.singletonList(MediaType.TEXT_HTML));
+        ResponseEntity<String> responseEntity = restTemplate.exchange("/login", HttpMethod.GET, new HttpEntity<Void>(httpHeaders), String.class);
+        assertEquals(HttpStatus.OK, responseEntity.getStatusCode());
+        assertTrue(responseEntity
+          .getBody()
+          .contains("_csrf"));
+    }
+
+    @Test
+    public void whenTryingToLoginWithCorrectCredentials_ThenAuthenticateWithSuccess() {
+        HttpHeaders httpHeaders = getHeaders();
+        httpHeaders.setAccept(Collections.singletonList(MediaType.TEXT_HTML));
+        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+        MultiValueMap<String, String> form = getFormSubmitCorrectCredentials();
+        ResponseEntity<String> responseEntity = this.restTemplate.exchange("/login", HttpMethod.POST, new HttpEntity<>(form, httpHeaders), String.class);
+        assertEquals(responseEntity.getStatusCode(), HttpStatus.FOUND);
+        assertTrue(responseEntity
+          .getHeaders()
+          .getLocation()
+          .toString()
+          .endsWith(this.port + "/"));
+        assertNotNull(responseEntity
+          .getHeaders()
+          .get("Set-Cookie"));
+    }
+
+    @Test
+    public void whenTryingToLoginWithInorrectCredentials_ThenAuthenticationFailed() {
+        HttpHeaders httpHeaders = getHeaders();
+        httpHeaders.setAccept(Collections.singletonList(MediaType.TEXT_HTML));
+        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+        MultiValueMap<String, String> form = getFormSubmitIncorrectCredentials();
+        ResponseEntity<String> responseEntity = this.restTemplate.exchange("/login", HttpMethod.POST, new HttpEntity<>(form, httpHeaders), String.class);
+        assertEquals(responseEntity.getStatusCode(), HttpStatus.FOUND);
+        assertTrue(responseEntity
+          .getHeaders()
+          .getLocation()
+          .toString()
+          .endsWith(this.port + "/login?error"));
+        assertNull(responseEntity
+          .getHeaders()
+          .get("Set-Cookie"));
+    }
+
+    private MultiValueMap<String, String> getFormSubmitCorrectCredentials() {
+        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
+        form.set("username", "user");
+        form.set("password", "password");
+        return form;
+    }
+
+    private MultiValueMap<String, String> getFormSubmitIncorrectCredentials() {
+        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
+        form.set("username", "user");
+        form.set("password", "wrongpassword");
+        return form;
+    }
+
+    private HttpHeaders getHeaders() {
+        HttpHeaders headers = new HttpHeaders();
+        ResponseEntity<String> page = this.restTemplate.getForEntity("/login", String.class);
+        assertEquals(page.getStatusCode(), HttpStatus.OK);
+        String cookie = page
+          .getHeaders()
+          .getFirst("Set-Cookie");
+        headers.set("Cookie", cookie);
+        Pattern pattern = Pattern.compile("(?s).*name=\"_csrf\".*?value=\"([^\"]+).*");
+        Matcher matcher = pattern.matcher(page.getBody());
+        assertTrue(matcher.matches());
+        headers.set("X-CSRF-TOKEN", matcher.group(1));
+        return headers;
+    }
+
+}