feat(security): enhance security filter chain and add custom exception handling

Co-authored-by: Copilot <copilot@github.com>

Author: Theo-lbg

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfig.java

@@ -1,8 +1,10 @@
 package com.xpeho.spring_boot_java_random_user.config;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -13,13 +15,19 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.context.NullSecurityContextRepository;
 
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
 
+        private static final String RANDOM_USERS_PATH = "/random-users/**";
+        private static final String RANDOM_USERS_PREFIX = "/random-users";
+        private static final String ADMIN_ROLE = "ADMIN";
+
         @Value("${app.security.admin.username}")
         private String adminUsername;
 
@@ -39,35 +47,47 @@ public class SecurityConfig {
         private String testPassword;
 
     @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/random-users/**"))
-                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-                .httpBasic(Customizer.withDefaults())
-                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(
-                                "/api/**",
-                                "/swagger-ui/**",
-                                "/swagger-ui.html",
-                                "/v3/api-docs/**",
-                                "/actuator/health"
-                        ).permitAll()
-                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                        .requestMatchers(HttpMethod.GET, "/random-users/**").hasAnyRole("ADMIN", "USER", "TEST")
-                        .requestMatchers(HttpMethod.POST, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.PUT, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.DELETE, "/random-users/**").hasRole("ADMIN")
-                        .anyRequest().authenticated()
-                );
-
-        return http.build();
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
+        try {
+                return http
+                    .csrf(csrf -> csrf.ignoringRequestMatchers(this::isBasicAuthRequest))
+                    .securityContext(context -> context.securityContextRepository(new NullSecurityContextRepository()))
+                    .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                    .httpBasic(Customizer.withDefaults())
+                    .authorizeHttpRequests(auth -> auth
+                            .requestMatchers(getPublicEndpoints()).permitAll()
+                            .requestMatchers(HttpMethod.GET, RANDOM_USERS_PATH).hasAnyRole(ADMIN_ROLE, "USER", "TEST")
+                            .anyRequest().authenticated()
+                    )
+                    .build();
+        } catch (Exception e) {
+            throw new SecurityConfigurationException("Failed to build Spring Security filter chain", e);
+        }
+    }
+
+
+    private boolean isBasicAuthRequest(HttpServletRequest request) {
+        String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
+        String servletPath = request.getServletPath();
+        boolean isRandomUsersPath = servletPath != null && servletPath.startsWith(RANDOM_USERS_PREFIX);
+        return isRandomUsersPath && authHeader != null && authHeader.startsWith("Basic ");
+    }
+
+    private String[] getPublicEndpoints() {
+        return new String[]{
+                "/api/**",
+                "/swagger-ui/**",
+                "/swagger-ui.html",
+                "/v3/api-docs/**",
+                "/actuator/health"
+        };
     }
 
     @Bean
     UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
         UserDetails admin = User.withUsername(adminUsername)
                 .password(passwordEncoder.encode(adminPassword))
-                .roles("ADMIN")
+                .roles(ADMIN_ROLE)
                 .build();
 
         UserDetails user = User.withUsername(userUsername)

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigurationException.java

@@ -0,0 +1,8 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+public class SecurityConfigurationException extends RuntimeException {
+
+    public SecurityConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

src/test/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigTest.java

@@ -0,0 +1,86 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SecurityConfigTest {
+
+    private final SecurityConfig securityConfig = new SecurityConfig();
+
+    @BeforeEach
+    void setUp() {
+        ReflectionTestUtils.setField(securityConfig, "adminUsername", "admin");
+        ReflectionTestUtils.setField(securityConfig, "adminPassword", "admin123");
+        ReflectionTestUtils.setField(securityConfig, "userUsername", "apiuser");
+        ReflectionTestUtils.setField(securityConfig, "userPassword", "changeit");
+        ReflectionTestUtils.setField(securityConfig, "testUsername", "testuser");
+        ReflectionTestUtils.setField(securityConfig, "testPassword", "testpass");
+    }
+
+    @Test
+    void shouldEncodePasswordsWithBcrypt() {
+        PasswordEncoder passwordEncoder = securityConfig.passwordEncoder();
+
+        assertThat(passwordEncoder).isInstanceOf(BCryptPasswordEncoder.class);
+        assertThat(passwordEncoder.matches("admin123", passwordEncoder.encode("admin123"))).isTrue();
+    }
+
+    @Test
+    void shouldCreateInMemoryUsersWithExpectedRoles() {
+        PasswordEncoder passwordEncoder = securityConfig.passwordEncoder();
+
+        UserDetailsService userDetailsService = securityConfig.userDetailsService(passwordEncoder);
+
+        UserDetails admin = userDetailsService.loadUserByUsername("admin");
+        UserDetails user = userDetailsService.loadUserByUsername("apiuser");
+        UserDetails test = userDetailsService.loadUserByUsername("testuser");
+
+        assertThat(admin.getAuthorities()).extracting("authority").containsExactly("ROLE_ADMIN");
+        assertThat(user.getAuthorities()).extracting("authority").containsExactly("ROLE_USER");
+        assertThat(test.getAuthorities()).extracting("authority").containsExactly("ROLE_TEST");
+    }
+
+    @Test
+    void shouldRecognizeBasicAuthRequestsOnRandomUsersPath() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/random-users/123");
+        request.addHeader("Authorization", "Basic dGVzdDp0ZXN0");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isTrue();
+    }
+
+    @Test
+    void shouldRejectNonBasicAuthOrNonRandomUsersRequests() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/health");
+        request.addHeader("Authorization", "Bearer token");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void shouldExposePublicEndpoints() {
+        String[] endpoints = ReflectionTestUtils.invokeMethod(securityConfig, "getPublicEndpoints");
+
+        assertThat(endpoints).contains(
+                "/api/**",
+                "/swagger-ui/**",
+                "/swagger-ui.html",
+                "/v3/api-docs/**",
+                "/actuator/health"
+        );
+    }
+}

src/test/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigurationExceptionTest.java

@@ -0,0 +1,17 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SecurityConfigurationExceptionTest {
+
+    @Test
+    void shouldExposeMessageAndCause() {
+        IllegalStateException cause = new IllegalStateException("boom");
+        SecurityConfigurationException exception = new SecurityConfigurationException("Failed to build Spring Security filter chain", cause);
+
+        assertThat(exception).hasMessage("Failed to build Spring Security filter chain");
+        assertThat(exception).hasCause(cause);
+    }
+}