feat(springSecurity): add spring security in app

Author: Theo-lbg

.env.template

@@ -3,6 +3,10 @@ POSTGRES_PASSWORD=your_postgres_password
 POSTGRES_DB=your_postgres_db
 POSTGRES_PORT=5432
 
+# Spring Security
+APP_SECURITY_USER=your_api_username
+APP_SECURITY_PASSWORD=your_api_password
+
 # Liquibase configuration
 LB_CHANGELOG=your_changelog_file.yaml
 LB_OUTPUT_CHANGELOG=your_output_changelog.yaml

pom.xml

@@ -69,6 +69,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-webmvc</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springdoc</groupId>
 			<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfig.java

@@ -0,0 +1,37 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .httpBasic(Customizer.withDefaults())
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers(
+                                "/api/**",
+                                "/swagger-ui/**",
+                                "/swagger-ui.html",
+                                "/v3/api-docs/**",
+                                "/actuator/health"
+                        ).permitAll()
+                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+                        .anyRequest().authenticated()
+                );
+
+        return http.build();
+    }
+}

src/main/resources/application.properties

@@ -1,5 +1,10 @@
 spring.application.name=spring_boot_java_random_user
 
+# Security
+spring.security.user.name=${APP_SECURITY_USER}
+spring.security.user.password=${APP_SECURITY_PASSWORD}
+spring.security.user.roles=USER
+
 # Swagger UI custom path
 springdoc.swagger-ui.path=/api
 

src/test/java/com/xpeho/spring_boot_java_random_user/presentation/UserGetByIdContainerTest.java

@@ -26,11 +26,17 @@
         webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
         properties = {
                 "spring.sql.init.mode=never",
-                "spring.jpa.hibernate.ddl-auto=create-drop"
+        "spring.jpa.hibernate.ddl-auto=create-drop",
+        "spring.security.user.name=testuser",
+        "spring.security.user.password=testpass",
+        "spring.security.user.roles=USER"
         }
 )
 class UserGetByIdContainerTest {
 
+    private static final String TEST_USERNAME = "testuser";
+    private static final String TEST_PASSWORD = "testpass";
+
     @Container
     @ServiceConnection
     static PostgreSQLContainer postgres = new PostgreSQLContainer("postgres:17-alpine");
@@ -61,8 +67,8 @@ void shouldReturnUserByIdWhenUserExists() {
 
         User saved = userRepository.saveAndFlush(user);
 
-        ResponseEntity<UserEntity> response = restTemplate.getForEntity(
-            "/random-users/{id}",
+        ResponseEntity<UserEntity> response = restTemplate.withBasicAuth(TEST_USERNAME, TEST_PASSWORD).getForEntity(
+                "/random-users/{id}",
                 UserEntity.class,
                 saved.getId()
         );
@@ -77,10 +83,10 @@ void shouldReturnUserByIdWhenUserExists() {
     @Test
     @DisplayName("GET /random-users/{id} should return 404 when user does not exist")
     void shouldReturnNotFoundWhenUserDoesNotExist() {
-        ResponseEntity<UserEntity> response = restTemplate.getForEntity(
-            "/random-users/{id}",
+        ResponseEntity<UserEntity> response = restTemplate.withBasicAuth(TEST_USERNAME, TEST_PASSWORD).getForEntity(
+                "/random-users/{id}",
                 UserEntity.class,
-            -1
+                -1
         );
 
         assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);

src/test/java/feature/SpringIntegrationTest.java

@@ -27,6 +27,9 @@
 )
 public class SpringIntegrationTest {
 
+    private static final String TEST_USERNAME = "testuser";
+    private static final String TEST_PASSWORD = "testpass";
+
     @Autowired
     protected TestRestTemplate restTemplate;
 
@@ -37,19 +40,25 @@ public class SpringIntegrationTest {
 
     protected void executeGet(String path) {
         String url = "http://localhost:" + port + path;
-        latestResponse = restTemplate.getForEntity(url, String.class);
+        latestResponse = restTemplate
+            .withBasicAuth(TEST_USERNAME, TEST_PASSWORD)
+            .getForEntity(url, String.class);
     }
 
     protected void executePost(String path, Object payload) {
         String url = "http://localhost:" + port + path;
         HttpHeaders headers = new HttpHeaders();
         headers.setContentType(MediaType.APPLICATION_JSON);
         HttpEntity<Object> request = new HttpEntity<>(payload, headers);
-        latestResponse = restTemplate.postForEntity(url, request, String.class);
+        latestResponse = restTemplate
+            .withBasicAuth(TEST_USERNAME, TEST_PASSWORD)
+            .postForEntity(url, request, String.class);
     }
 
     protected void executeDelete(String path) {
         String url = "http://localhost:" + port + path;
-        latestResponse = restTemplate.exchange(url, HttpMethod.DELETE, HttpEntity.EMPTY, String.class);
+        latestResponse = restTemplate
+            .withBasicAuth(TEST_USERNAME, TEST_PASSWORD)
+            .exchange(url, HttpMethod.DELETE, HttpEntity.EMPTY, String.class);
     }
 }

src/test/resources/application-test.properties

@@ -1,6 +1,9 @@
-spring.datasource.url=${H2_URL};MODE=PostgreSQL;DATABASE_TO_UPPER=false;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
+spring.datasource.url=${H2_URL:jdbc:h2:mem:mydb};MODE=PostgreSQL;DATABASE_TO_UPPER=false;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
 spring.datasource.driver-class-name=org.h2.Driver
-spring.datasource.username=${H2_USERNAME}
-spring.datasource.password=${H2_PASSWORD}
+spring.datasource.username=${H2_USERNAME:myusername}
+spring.datasource.password=${H2_PASSWORD:mypassword}
+spring.security.user.name=testuser
+spring.security.user.password=testpass
+spring.security.user.roles=USER
 spring.sql.init.mode=never
 spring.docker.compose.enabled=false