feat(security): enhance security filter chain and add custom exception handling

Co-authored-by: Copilot <copilot@github.com>

Author: 2 people

.github/workflows/sonar.yaml

@@ -43,4 +43,4 @@ jobs:
             printf '%s' "${{ secrets.APPLICATION_TEST_PROPERTIES }}" | base64 -d >> src/test/resources/application-test.properties
           fi
           echo "spring.sql.init.mode=never" >> src/test/resources/application-test.properties
-          mvn clean verify sonar:sonar -DskipDocker=true -Dsonar.qualitygate.wait=true -Dit.test="!CucumberIntegrationTest"
+          mvn clean verify sonar:sonar -DskipDocker=true -Dsonar.qualitygate.wait=true -Dit.test="!CucumberIntegrationTest

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfig.java

@@ -1,8 +1,10 @@
 package com.xpeho.spring_boot_java_random_user.config;
 
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -15,11 +17,16 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.context.NullSecurityContextRepository;
 
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
 
+        private static final String RANDOM_USERS_PATH = "/random-users/**";
+        private static final String RANDOM_USERS_PREFIX = "/random-users";
+        private static final String ADMIN_ROLE = "ADMIN";
+
         @Value("${app.security.admin.username}")
         private String adminUsername;
 
@@ -39,35 +46,50 @@ public class SecurityConfig {
         private String testPassword;
 
     @Bean
-    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-        http
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/random-users/**"))
-                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-                .httpBasic(Customizer.withDefaults())
-                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(
-                                "/api/**",
-                                "/swagger-ui/**",
-                                "/swagger-ui.html",
-                                "/v3/api-docs/**",
-                                "/actuator/health"
-                        ).permitAll()
-                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
-                        .requestMatchers(HttpMethod.GET, "/random-users/**").hasAnyRole("ADMIN", "USER", "TEST")
-                        .requestMatchers(HttpMethod.POST, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.PUT, "/random-users/**").hasRole("ADMIN")
-                        .requestMatchers(HttpMethod.DELETE, "/random-users/**").hasRole("ADMIN")
-                        .anyRequest().authenticated()
-                );
-
-        return http.build();
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
+        try {
+                return http
+                    .csrf(csrf -> csrf.ignoringRequestMatchers(this::isBasicAuthRequest))
+                    .securityContext(context -> context.securityContextRepository(new NullSecurityContextRepository()))
+                    .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                    .httpBasic(Customizer.withDefaults())
+                    .authorizeHttpRequests(auth -> auth
+                            .requestMatchers(getPublicEndpoints()).permitAll()
+                            .requestMatchers(HttpMethod.GET, RANDOM_USERS_PATH).hasAnyRole(ADMIN_ROLE, "USER", "TEST")
+                            .requestMatchers(HttpMethod.POST, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .requestMatchers(HttpMethod.PUT, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .requestMatchers(HttpMethod.DELETE, RANDOM_USERS_PATH).hasRole(ADMIN_ROLE)
+                            .anyRequest().authenticated()
+                    )
+                    .build();
+        } catch (Exception e) {
+            throw new SecurityConfigurationException("Failed to build Spring Security filter chain", e);
+        }
+    }
+
+
+    private boolean isBasicAuthRequest(HttpServletRequest request) {
+        String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
+        String servletPath = request.getServletPath();
+        boolean isRandomUsersPath = servletPath != null && servletPath.startsWith(RANDOM_USERS_PREFIX);
+        return isRandomUsersPath && authHeader != null && authHeader.startsWith("Basic ");
+    }
+
+    private String[] getPublicEndpoints() {
+        return new String[]{
+                "/api/**",
+                "/swagger-ui/**",
+                "/swagger-ui.html",
+                "/v3/api-docs/**",
+                "/actuator/health"
+        };
     }
 
     @Bean
     UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
         UserDetails admin = User.withUsername(adminUsername)
                 .password(passwordEncoder.encode(adminPassword))
-                .roles("ADMIN")
+                .roles(ADMIN_ROLE)
                 .build();
 
         UserDetails user = User.withUsername(userUsername)

src/main/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigurationException.java

@@ -0,0 +1,8 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+public class SecurityConfigurationException extends RuntimeException {
+
+    public SecurityConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

src/main/java/com/xpeho/spring_boot_java_random_user/presentation/handlers/UserHandler.java

@@ -27,7 +27,7 @@
 public class UserHandler implements UserController {
 
     private static final Logger logger = LoggerFactory.getLogger(UserHandler.class);
-    private static final String USER_NOT_FOUND_LOG = "warning: the requested user does not exist : {}";
+    private static final String USER_NOT_FOUND_LOG = "warning: the requested user does not exist: {}";
 
     private final FetchAndSaveRandomUsersUseCase fetchAndSaveRandomUsersUseCase;
     private final UpdateRandomUserUseCase updateRandomUserUseCase;
@@ -119,6 +119,6 @@ public void deleteUserById(int id) {
     }
 
     private void logUserNotFound(UserNotFoundException e) {
-        logger.warn(USER_NOT_FOUND_LOG, e);
+        logger.warn(USER_NOT_FOUND_LOG, e.getMessage());
     }
 }

src/test/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigTest.java

@@ -0,0 +1,129 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class SecurityConfigTest {
+
+    private final SecurityConfig securityConfig = new SecurityConfig();
+
+    @BeforeEach
+    void setUp() {
+        ReflectionTestUtils.setField(securityConfig, "adminUsername", "admin");
+        ReflectionTestUtils.setField(securityConfig, "adminPassword", "admin123");
+        ReflectionTestUtils.setField(securityConfig, "userUsername", "apiuser");
+        ReflectionTestUtils.setField(securityConfig, "userPassword", "changeit");
+        ReflectionTestUtils.setField(securityConfig, "testUsername", "testuser");
+        ReflectionTestUtils.setField(securityConfig, "testPassword", "testpass");
+    }
+
+    @Test
+    void shouldEncodePasswordsWithBcrypt() {
+        PasswordEncoder passwordEncoder = securityConfig.passwordEncoder();
+
+        assertThat(passwordEncoder).isInstanceOf(BCryptPasswordEncoder.class);
+        assertThat(passwordEncoder.matches("admin123", passwordEncoder.encode("admin123"))).isTrue();
+    }
+
+    @Test
+    void shouldCreateInMemoryUsersWithExpectedRoles() {
+        PasswordEncoder passwordEncoder = securityConfig.passwordEncoder();
+
+        UserDetailsService userDetailsService = securityConfig.userDetailsService(passwordEncoder);
+
+        UserDetails admin = userDetailsService.loadUserByUsername("admin");
+        UserDetails user = userDetailsService.loadUserByUsername("apiuser");
+        UserDetails test = userDetailsService.loadUserByUsername("testuser");
+
+        assertThat(admin.getAuthorities()).extracting("authority").containsExactly("ROLE_ADMIN");
+        assertThat(user.getAuthorities()).extracting("authority").containsExactly("ROLE_USER");
+        assertThat(test.getAuthorities()).extracting("authority").containsExactly("ROLE_TEST");
+    }
+
+    @Test
+    void shouldRecognizeBasicAuthRequestsOnRandomUsersPath() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/random-users/123");
+        request.addHeader("Authorization", "Basic dGVzdDp0ZXN0");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isTrue();
+    }
+
+    @Test
+    void shouldRejectNonBasicAuthOrNonRandomUsersRequests() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/health");
+        request.addHeader("Authorization", "Bearer token");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void shouldRejectRandomUsersRequestWithoutAuthHeader() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/random-users/123");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void shouldRejectRandomUsersRequestWithNonBasicAuthHeader() {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setServletPath("/random-users/123");
+        request.addHeader("Authorization", "Bearer token");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void shouldRejectWhenServletPathIsNull() {
+        HttpServletRequest request = mock(HttpServletRequest.class);
+        when(request.getServletPath()).thenReturn(null);
+        when(request.getHeader("Authorization")).thenReturn("Basic dGVzdDp0ZXN0");
+
+        boolean result = ReflectionTestUtils.invokeMethod(securityConfig, "isBasicAuthRequest", request);
+
+        assertThat(result).isFalse();
+    }
+
+    @Test
+    void shouldExposePublicEndpoints() {
+        String[] endpoints = ReflectionTestUtils.invokeMethod(securityConfig, "getPublicEndpoints");
+
+        assertThat(endpoints).contains(
+                "/api/**",
+                "/swagger-ui/**",
+                "/swagger-ui.html",
+                "/v3/api-docs/**",
+                "/actuator/health"
+        );
+    }
+
+    @Test
+    void shouldWrapFilterChainConfigurationException() {
+        assertThatThrownBy(() -> securityConfig.securityFilterChain(null))
+                .isInstanceOf(SecurityConfigurationException.class)
+                .hasMessage("Failed to build Spring Security filter chain")
+                .hasCauseInstanceOf(NullPointerException.class);
+    }
+}

src/test/java/com/xpeho/spring_boot_java_random_user/config/SecurityConfigurationExceptionTest.java

@@ -0,0 +1,18 @@
+package com.xpeho.spring_boot_java_random_user.config;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SecurityConfigurationExceptionTest {
+
+    @Test
+    void shouldExposeMessageAndCause() {
+        IllegalStateException cause = new IllegalStateException("boom");
+        SecurityConfigurationException exception = new SecurityConfigurationException("Failed to build Spring Security filter chain", cause);
+
+        assertThat(exception)
+                .hasMessage("Failed to build Spring Security filter chain")
+                .hasCause(cause);
+    }
+}

src/test/java/com/xpeho/spring_boot_java_random_user/presentation/UserGetByIdContainerTest.java

@@ -32,7 +32,9 @@
             "app.security.user.username=testuser",
             "app.security.user.password=testpass",
             "app.security.test.username=testviewer",
-            "app.security.test.password=testviewerpass"
+            "app.security.test.password=testviewerpass",
+            "logging.level.com.xpeho.spring_boot_java_random_user.presentation.handlers=OFF",
+            "logging.level.com.zaxxer.hikari.pool.PoolBase=ERROR"
         }
 )
 class UserGetByIdContainerTest {

src/test/java/com/xpeho/spring_boot_java_random_user/presentation/exceptions/GlobalExceptionHandlerTest.java

@@ -79,9 +79,9 @@ void shouldReturnNotFoundWhenUserNotFoundException() {
     }
 
     @Test
-    @DisplayName("Should return 500 INTERNAL_SERVER_ERROR for generic exceptions")
-    void shouldReturnInternalServerErrorForGenericException() {
-        Exception ex = new Exception("Something went wrong");
+    @DisplayName("Should return 500 INTERNAL_SERVER_ERROR for runtime exceptions")
+    void shouldReturnInternalServerErrorForRuntimeException() {
+        RuntimeException ex = new RuntimeException("Something went wrong");
         ResponseEntity<ErrorResponse> response = handler.handleGenericException(ex);
 
         assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, response.getStatusCode());

src/test/resources/application-test.properties

@@ -10,3 +10,5 @@ app.security.test.username=testviewer
 app.security.test.password=testviewerpass
 spring.sql.init.mode=never
 spring.docker.compose.enabled=false
+logging.level.com.xpeho.spring_boot_java_random_user.presentation.handlers=OFF
+logging.level.com.zaxxer.hikari.pool.PoolBase=ERROR

src/test/resources/application-test.properties.template

@@ -4,3 +4,5 @@ spring.datasource.username=myusername
 spring.datasource.password=mypassword
 spring.sql.init.mode=never
 spring.docker.compose.enabled=false
+logging.level.com.xpeho.spring_boot_java_random_user.presentation.handlers=OFF
+logging.level.com.zaxxer.hikari.pool.PoolBase=ERROR