feat(security): enhance security configuration with multiple user roles and credentials

Co-authored-by: Copilot <copilot@github.com>

Author: Theo-lbg

.env.template

@@ -4,8 +4,12 @@ POSTGRES_DB=your_postgres_db
 POSTGRES_PORT=5432
 
 # Spring Security
+APP_SECURITY_ADMIN_USER=your_admin_username
+APP_SECURITY_ADMIN_PASSWORD=your_admin_password
 APP_SECURITY_USER=your_api_username
 APP_SECURITY_PASSWORD=your_api_password
+APP_SECURITY_TEST_USER=your_test_username
+APP_SECURITY_TEST_PASSWORD=your_test_password
 
 # Liquibase configuration
 LB_CHANGELOG=your_changelog_file.yaml

README.md

@@ -120,12 +120,36 @@ POSTGRES_PASSWORD=your_password
 POSTGRES_DB=your_database
 POSTGRES_PORT=5432
 
+# Spring Security
+APP_SECURITY_ADMIN_USER=admin
+APP_SECURITY_ADMIN_PASSWORD=admin123
+APP_SECURITY_USER=apiuser
+APP_SECURITY_PASSWORD=changeit
+APP_SECURITY_TEST_USER=testuser
+APP_SECURITY_TEST_PASSWORD=testpass
+
 # Liquibase (optional, defaults provided)
 LB_CHANGELOG=db/changelog/db.changelog-master.yaml
 LB_SCHEMA=public
 SPRING_LIQUIBASE_ENABLED=true
 ```
 
+### Spring Security
+
+The API uses HTTP Basic authentication with three in-memory roles:
+
+- `ADMIN`: can read, create, update and delete users
+- `USER`: can read users
+- `TEST`: can read users and is used by automated tests
+
+Protected endpoints require credentials. Example:
+
+```bash
+curl -u apiuser:changeit "http://localhost:8080/random-users"
+```
+
+Swagger UI remains publicly accessible, while API endpoints are protected according to the role rules above.
+
 ### External API Configuration
 
 `application.properties` uses:

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfig.java

@@ -2,22 +2,46 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpMethod;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
 
+        @Value("${app.security.admin.username}")
+        private String adminUsername;
+
+        @Value("${app.security.admin.password}")
+        private String adminPassword;
+
+        @Value("${app.security.user.username}")
+        private String userUsername;
+
+        @Value("${app.security.user.password}")
+        private String userPassword;
+
+        @Value("${app.security.test.username}")
+        private String testUsername;
+
+        @Value("${app.security.test.password}")
+        private String testPassword;
+
     @Bean
     SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
-                .csrf(AbstractHttpConfigurer::disable)
+                .csrf(csrf -> csrf.ignoringRequestMatchers("/random-users/**"))
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .httpBasic(Customizer.withDefaults())
                 .authorizeHttpRequests(auth -> auth
@@ -29,9 +53,38 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                                 "/actuator/health"
                         ).permitAll()
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/random-users/**").hasAnyRole("ADMIN", "USER", "TEST")
+                        .requestMatchers(HttpMethod.POST, "/random-users/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.PUT, "/random-users/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.DELETE, "/random-users/**").hasRole("ADMIN")
                         .anyRequest().authenticated()
                 );
 
         return http.build();
     }
+
+    @Bean
+    UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
+        UserDetails admin = User.withUsername(adminUsername)
+                .password(passwordEncoder.encode(adminPassword))
+                .roles("ADMIN")
+                .build();
+
+        UserDetails user = User.withUsername(userUsername)
+                .password(passwordEncoder.encode(userPassword))
+                .roles("USER")
+                .build();
+
+        UserDetails test = User.withUsername(testUsername)
+                .password(passwordEncoder.encode(testPassword))
+                .roles("TEST")
+                .build();
+
+        return new InMemoryUserDetailsManager(admin, user, test);
+    }
+
+    @Bean
+    PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
 }

src/main/resources/application.properties

@@ -1,9 +1,12 @@
 spring.application.name=spring_boot_java_random_user
 
 # Security
-spring.security.user.name=${APP_SECURITY_USER}
-spring.security.user.password=${APP_SECURITY_PASSWORD}
-spring.security.user.roles=USER
+app.security.admin.username=${APP_SECURITY_ADMIN_USER}
+app.security.admin.password=${APP_SECURITY_ADMIN_PASSWORD}
+app.security.user.username=${APP_SECURITY_USER}
+app.security.user.password=${APP_SECURITY_PASSWORD}
+app.security.test.username=${APP_SECURITY_TEST_USER}
+app.security.test.password=${APP_SECURITY_TEST_PASSWORD}
 
 # Swagger UI custom path
 springdoc.swagger-ui.path=/api

src/test/java/com/xpeho/spring_boot_java_random_user/presentation/UserGetByIdContainerTest.java

@@ -26,10 +26,13 @@
         webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
         properties = {
                 "spring.sql.init.mode=never",
-        "spring.jpa.hibernate.ddl-auto=create-drop",
-        "spring.security.user.name=testuser",
-        "spring.security.user.password=testpass",
-        "spring.security.user.roles=USER"
+            "spring.jpa.hibernate.ddl-auto=create-drop",
+            "app.security.admin.username=testadmin",
+            "app.security.admin.password=testadminpass",
+            "app.security.user.username=testuser",
+            "app.security.user.password=testpass",
+            "app.security.test.username=testviewer",
+            "app.security.test.password=testviewerpass"
         }
 )
 class UserGetByIdContainerTest {

src/test/java/feature/SpringIntegrationTest.java

@@ -27,8 +27,8 @@
 )
 public class SpringIntegrationTest {
 
-    private static final String TEST_USERNAME = "testuser";
-    private static final String TEST_PASSWORD = "testpass";
+    private static final String TEST_USERNAME = "testadmin";
+    private static final String TEST_PASSWORD = "testadminpass";
 
     @Autowired
     protected TestRestTemplate restTemplate;

src/test/resources/application-test.properties

@@ -2,8 +2,11 @@ spring.datasource.url=${H2_URL:jdbc:h2:mem:mydb};MODE=PostgreSQL;DATABASE_TO_UPP
 spring.datasource.driver-class-name=org.h2.Driver
 spring.datasource.username=${H2_USERNAME:myusername}
 spring.datasource.password=${H2_PASSWORD:mypassword}
-spring.security.user.name=testuser
-spring.security.user.password=testpass
-spring.security.user.roles=USER
+app.security.admin.username=testadmin
+app.security.admin.password=testadminpass
+app.security.user.username=testuser
+app.security.user.password=testpass
+app.security.test.username=testviewer
+app.security.test.password=testviewerpass
 spring.sql.init.mode=never
 spring.docker.compose.enabled=false