JAVA-12754: Moved 3 articles to spring-security-core-2

spring-security-modules/spring-security-core-2/README.md

@@ -5,6 +5,9 @@ This module contains articles about core Spring Security
 ### Relevant Articles:
 - [Handle Spring Security Exceptions](https://www.baeldung.com/spring-security-exceptions)
 - [Handle Spring Security Exceptions With @ExceptionHandler](https://www.baeldung.com/spring-security-exceptionhandler)
+- [Prevent Cross-Site Scripting (XSS) in a Spring Application](https://www.baeldung.com/spring-prevent-xss)
+- [Guide to the AuthenticationManagerResolver in Spring Security](https://www.baeldung.com/spring-security-authenticationmanagerresolver)
+- [A Custom Spring SecurityConfigurer|https://www.baeldung.com/spring-security-custom-configurer]
 
 ### Build the Project
 

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/AuthResolverApplication.java

@@ -0,0 +1,11 @@
+package com.baeldung.authresolver;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class AuthResolverApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(AuthResolverApplication.class, args);
+    }
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/AuthResolverController.java

@@ -0,0 +1,18 @@
+package com.baeldung.authresolver;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class AuthResolverController {
+    @GetMapping("/customer/welcome")
+    public String sayWelcomeToCustomer(Authentication authentication) {
+        return String.format("Welcome to our site, %s!", authentication.getPrincipal());
+    }
+
+    @GetMapping("/employee/welcome")
+    public String sayWelcomeToEmployee(Authentication authentication) {
+        return String.format("Welcome to our company, %s!", authentication.getPrincipal());
+    }
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/authresolver/CustomWebSecurityConfigurer.java

@@ -0,0 +1,96 @@
+package com.baeldung.authresolver;
+
+import java.util.Collections;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationManagerResolver;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationConverter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+@Configuration
+public class CustomWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
+
+    public AuthenticationConverter authenticationConverter() {
+        return new BasicAuthenticationConverter();
+    }
+
+    public AuthenticationManagerResolver<HttpServletRequest> resolver() {
+        return request -> {
+            if (request
+              .getPathInfo()
+              .startsWith("/employee")) {
+                return employeesAuthenticationManager();
+            }
+            return customersAuthenticationManager();
+        };
+    }
+
+    public AuthenticationManager customersAuthenticationManager() {
+        return authentication -> {
+            if (isCustomer(authentication)) {
+                return new UsernamePasswordAuthenticationToken(
+                  authentication.getPrincipal(),
+                  authentication.getCredentials(),
+                  Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
+                );
+            }
+            throw new UsernameNotFoundException(authentication
+              .getPrincipal()
+              .toString());
+        };
+    }
+
+    private boolean isCustomer(Authentication authentication) {
+        return (authentication
+          .getPrincipal()
+          .toString()
+          .startsWith("customer"));
+    }
+
+    private boolean isEmployee(Authentication authentication) {
+        return (authentication
+          .getPrincipal()
+          .toString()
+          .startsWith("employee"));
+    }
+
+    private AuthenticationFilter authenticationFilter() {
+        AuthenticationFilter filter = new AuthenticationFilter(
+          resolver(), authenticationConverter());
+        filter.setSuccessHandler((request, response, auth) -> {});
+        return filter;
+    }
+
+    private AuthenticationManager employeesAuthenticationManager() {
+        return authentication -> {
+            if (isEmployee(authentication)) {
+                return new UsernamePasswordAuthenticationToken(
+                  authentication.getPrincipal(),
+                  authentication.getCredentials(),
+                  Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
+                );
+            }
+            throw new UsernameNotFoundException(authentication
+              .getPrincipal()
+              .toString());
+        };
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) {
+        http.addFilterBefore(
+          authenticationFilter(),
+          BasicAuthenticationFilter.class
+        );
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingConfigurer.java

@@ -0,0 +1,32 @@
+package com.baeldung.dsl;
+
+import java.util.List;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+
+public class ClientErrorLoggingConfigurer extends AbstractHttpConfigurer<ClientErrorLoggingConfigurer, HttpSecurity> {
+
+    private List<HttpStatus> errorCodes;
+
+    public ClientErrorLoggingConfigurer(List<HttpStatus> errorCodes) {
+        this.errorCodes = errorCodes;
+    }
+
+    public ClientErrorLoggingConfigurer() {
+
+    }
+
+    @Override
+    public void init(HttpSecurity http) throws Exception {
+        // initialization code
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        http.addFilterAfter(new ClientErrorLoggingFilter(errorCodes), FilterSecurityInterceptor.class);
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/ClientErrorLoggingFilter.java

@@ -0,0 +1,57 @@
+package com.baeldung.dsl;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class ClientErrorLoggingFilter extends GenericFilterBean {
+
+    private static final Logger logger = LogManager.getLogger(ClientErrorLoggingFilter.class);
+
+    private List<HttpStatus> errorCodes;
+
+    public ClientErrorLoggingFilter(List<HttpStatus> errorCodes) {
+        this.errorCodes = errorCodes;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        Authentication auth = SecurityContextHolder.getContext()
+            .getAuthentication();
+
+        if (auth == null) {
+            chain.doFilter(request, response);
+            return;
+        }
+        int status = ((HttpServletResponse) response).getStatus();
+        if (status < 400 || status >= 500) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        if (errorCodes == null) {
+            logger.debug("User " + auth.getName() + " encountered error " + status);
+        } else {
+            if (errorCodes.stream()
+                .anyMatch(s -> s.value() == status)) {
+                logger.debug("User " + auth.getName() + " encountered error " + status);
+            }
+        }
+
+        chain.doFilter(request, response);
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/CustomConfigurerApplication.java

@@ -0,0 +1,13 @@
+package com.baeldung.dsl;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class CustomConfigurerApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(CustomConfigurerApplication.class, args);
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/MyController.java

@@ -0,0 +1,14 @@
+package com.baeldung.dsl;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class MyController {
+
+    @GetMapping("/admin")
+    public String getAdminPage() {
+        return "Hello Admin";
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/dsl/SecurityConfig.java

@@ -0,0 +1,50 @@
+package com.baeldung.dsl;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests()
+            .antMatchers("/admin*")
+            .hasAnyRole("ADMIN")
+            .anyRequest()
+            .authenticated()
+            .and()
+            .formLogin()
+            .and()
+            .apply(clientErrorLogging());
+    }
+
+    @Bean
+    public ClientErrorLoggingConfigurer clientErrorLogging() {
+        return new ClientErrorLoggingConfigurer();
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+            .passwordEncoder(passwordEncoder())
+            .withUser("user1")
+            .password(passwordEncoder().encode("user"))
+            .roles("USER")
+            .and()
+            .withUser("admin")
+            .password(passwordEncoder().encode("admin"))
+            .roles("ADMIN");
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/Application.java

@@ -0,0 +1,14 @@
+package com.baeldung.xss;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+
+@SpringBootApplication
+@EnableWebSecurity
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+}

spring-security-modules/spring-security-core-2/src/main/java/com/baeldung/xss/SecurityConf.java

@@ -0,0 +1,25 @@
+package com.baeldung.xss;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+public class SecurityConf extends WebSecurityConfigurerAdapter {
+
+    @Override
+    public void configure(WebSecurity web) {
+        // Ignoring here is only for this example. Normally people would apply their own authentication/authorization policies
+        web.ignoring().antMatchers("/**");
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .headers()
+            .xssProtection()
+            .and()
+            .contentSecurityPolicy("script-src 'self'");
+    }
+}

spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/SpringContextTest.java

@@ -0,0 +1,18 @@
+package com.baeldung;
+
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import com.baeldung.dsl.CustomConfigurerApplication;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(classes = CustomConfigurerApplication.class)
+public class SpringContextTest {
+
+    @Test
+    public void whenSpringContextIsBootstrapped_thenNoExceptions() {
+    }
+}

spring-security-modules/spring-security-core-2/src/test/java/com/baeldung/authresolver/AuthResolverIntegrationTest.java

@@ -0,0 +1,82 @@
+package com.baeldung.authresolver;
+
+import org.junit.Before;
+import org.junit.FixMethodOrder;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.MethodSorters;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.util.Base64Utils;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = AuthResolverApplication.class)
+@FixMethodOrder(MethodSorters.NAME_ASCENDING)
+public class AuthResolverIntegrationTest {
+
+    @Autowired
+    private FilterChainProxy springSecurityFilterChain;
+
+    @Autowired
+    private WebApplicationContext wac;
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        this.mockMvc = MockMvcBuilders
+          .webAppContextSetup(wac)
+          .apply(springSecurity(springSecurityFilterChain))
+          .build();
+    }
+
+    @Test
+    public void givenCustomerCredential_whenWelcomeCustomer_thenExpectOk() throws Exception {
+        this.mockMvc
+          .perform(get("/customer/welcome")
+            .header(
+              "Authorization", String.format("Basic %s", Base64Utils.encodeToString("customer1:pass1".getBytes()))
+            )
+          )
+          .andExpect(status().is2xxSuccessful());
+    }
+
+    @Test
+    public void givenEmployeeCredential_whenWelcomeCustomer_thenExpect401Status() throws Exception {
+        this.mockMvc
+          .perform(get("/customer/welcome")
+            .header(
+              "Authorization", "Basic " + Base64Utils.encodeToString("employee1:pass1".getBytes()))
+          )
+          .andExpect(status().isUnauthorized());
+    }
+
+    @Test
+    public void givenEmployeeCredential_whenWelcomeEmployee_thenExpectOk() throws Exception {
+        this.mockMvc
+          .perform(get("/employee/welcome")
+            .header(
+              "Authorization", "Basic " + Base64Utils.encodeToString("employee1:pass1".getBytes()))
+          )
+          .andExpect(status().is2xxSuccessful());
+    }
+
+    @Test
+    public void givenCustomerCredential_whenWelcomeEmployee_thenExpect401Status() throws Exception {
+        this.mockMvc
+          .perform(get("/employee/welcome")
+            .header(
+              "Authorization", "Basic " + Base64Utils.encodeToString("customer1:pass1".getBytes()))
+          )
+          .andExpect(status().isUnauthorized());
+    }
+}