feat(security): enhance security filter chain and add custom exception handling

Co-authored-by: Copilot <copilot@github.com>

Author: Theo-lbg

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfig.java

@@ -1,8 +1,10 @@
 package com.xpeho.spring_boot_java_random_user.config;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -13,13 +15,20 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.context.NullSecurityContextRepository;
 
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
 
+        // Constants for security configuration
+        private static final String RANDOM_USERS_PATH = "/random-users/**";
+        private static final String RANDOM_USERS_PREFIX = "/random-users";
+        private static final String ADMIN_ROLE = "ADMIN";
+
         @Value("${app.security.admin.username}")
         private String adminUsername;
 
@@ -39,35 +48,56 @@ public class SecurityConfig {
         private String testPassword;
 
     @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/random-users/**"))
-                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-                .httpBasic(Customizer.withDefaults())
-                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(
-                                "/api/**",
-                                "/swagger-ui/**",
-                                "/swagger-ui.html",
-                                "/v3/api-docs/**",
-                                "/actuator/health"
-                        ).permitAll()
-                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                        .requestMatchers(HttpMethod.GET, "/random-users/**").hasAnyRole("ADMIN", "USER", "TEST")
-                        .requestMatchers(HttpMethod.POST, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.PUT, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.DELETE, "/random-users/**").hasRole("ADMIN")
-                        .anyRequest().authenticated()
-                );
-
-        return http.build();
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
+        try {
+            return http
+                    .csrf(csrf -> csrf.ignoringRequestMatchers(this::isBasicAuthOnRandomUsers))
+                    .securityContext(context -> context.securityContextRepository(new NullSecurityContextRepository()))
+                    .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                    .requestCache(AbstractHttpConfigurer::disable)
+                    .formLogin(AbstractHttpConfigurer::disable)
+                    .logout(AbstractHttpConfigurer::disable)
+                    .httpBasic(Customizer.withDefaults())
+                    .authorizeHttpRequests(auth -> auth
+                            .requestMatchers(getPublicEndpoints()).permitAll()
+                            .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                            .requestMatchers(HttpMethod.GET, RANDOM_USERS_PATH).hasAnyRole(ADMIN_ROLE, "USER", "TEST")
+                            .requestMatchers(HttpMethod.POST, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .requestMatchers(HttpMethod.PUT, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .requestMatchers(HttpMethod.DELETE, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .anyRequest().authenticated()
+                    )
+                    .build();
+        } catch (Exception e) {
+            throw new SecurityConfigurationException("Failed to build Spring Security filter chain", e);
+        }
+    }
+
+
+    private boolean isBasicAuthOnRandomUsers(HttpServletRequest request) {
+        String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
+        boolean isBasicAuth = authHeader != null && authHeader.startsWith("Basic ");
+        String servletPath = request.getServletPath();
+        boolean isRandomUsersPath = servletPath != null && servletPath.startsWith(RANDOM_USERS_PREFIX);
+        return isRandomUsersPath && isBasicAuth;
+    }
+
+    private String[] getPublicEndpoints() {
+        return new String[]{
+                "/api/**",
+                "/swagger-ui/**",
+                "/swagger-ui.html",
+                "/v3/api-docs/**",
+                "/actuator/health"
+        };
     }
 
+    // UserDetailsService bean to define in-memory users with roles and encoded passwords
     @Bean
     UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
         UserDetails admin = User.withUsername(adminUsername)
                 .password(passwordEncoder.encode(adminPassword))
-                .roles("ADMIN")
+                .roles(ADMIN_ROLE)
                 .build();
 
         UserDetails user = User.withUsername(userUsername)

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigurationException.java

@@ -0,0 +1,8 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+public class SecurityConfigurationException extends RuntimeException {
+
+    public SecurityConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}