My implementation for the Spring Boot Security Course from Amigoscode.
- Description for each branch
- Status
git checkout section-2-getting-started-with-spring-security
The username available for this section is user and it is using the generated password available in the logs.
(Using generated security password: bf5ac150-92d2-47de-9715-2db137874388)
The main page of the project http://localhost:8080 was whitelisted.
-
URI: api/v1/students/:studentId
-
Method: GET
-
URL params:
- required:
studentId=[Integer] - optional: -
- required:
-
Query params:
- required: -
- optional: -
- required: -
-
Successful call:
(with Basic Auth)
- Response:
- Code: 200 OK
- Content:
{ "studentId": 1, "name": "Student 1" } - Code: 200 OK
- Response:
-
Failed call:
(without authorization)
- Response:
- Code: 401 Unauthorized
- Content:
{ "timestamp": "2020-09-22T12:30:01.402+0000", "status": 401, "error": "Unauthorized", "message": "Unauthorized", "path": "/api/v1/students/1" } - Code: 401 Unauthorized
- Response:
git checkout section-3-user-roles-and-authorities
Under this section more users were added. Available users:
| Username | Password | Role | Authorities |
|---|---|---|---|
| student1 | pass | STUDENT* | STUDENT:READ, STUDENT:WRITE, COURSES:READ |
| steve | pass012 | ADMIN | STUDENT:READ, STUDENT:WRITE, COURSES:READ, COURSES:WRITE |
* The authorities that should be associated with the STUDENT role were not added.
The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.
git checkout section-4-permission-based-authentication
Available users:
| Username | Password | Role | Authorities |
|---|---|---|---|
| student1 | pass | STUDENT* | STUDENT:READ, STUDENT:WRITE, COURSES:READ |
| steve | pass012 | ADMIN | STUDENT:READ, STUDENT:WRITE, COURSES:READ, COURSES:WRITE |
| tom | pass012 | ADMINTRAINEE | STUDENT:READ, COURSES:READ |
* The authorities that should be associated with the STUDENT role were not added.
The available roles can be found in the ApplicationUserRole enum, while the permissions are defined in the ApplicationUserAuthority enum.
The defined endpoints evaluate the use of hasAuthority and preAuthorize with users with different roles and
permissions and are not real CRUD implementations.
For ADMIN and ADMINTRAINEE roles, for STUDENT:READ authority.
-
URI: management/api/v1/students
-
Method: GET
-
URL params:
- required: -
- optional: -
- required: -
-
Query params:
- required: -
- optional: -
- required: -
-
Success response:
- Code: 200 OK
- Content:
[ { "studentId": 1, "name": "Student 1" }, { "studentId": 2, "name": "Student 2" }, { "studentId": 3, "name": "Student 3" } ] - Code: 200 OK
For ADMIN role, for STUDENT:WRITE authority.
-
URI: management/api/v1/students
-
Method: POST
-
URL params:
- required: -
- optional: -
- required: -
-
Query params:
- required: -
- optional: -
- required: -
-
Data params:
- required:
student=[Student]{ "name": "Student X" } - optional: -
- required:
-
Success response:
- Code: 200 OK
- Code: 200 OK
-
Fail response:
- Code: 403 Forbidden for the other roles.
For ADMIN role, for STUDENT:WRITE authority.
-
URI: management/api/v1/students/:studentId
-
Method: PUT
-
URL params:
- required:
studentId=[Integer] - optional: -
- required:
-
Query params:
- required: -
- optional: -
- required: -
-
Data params:
- required:
student=[Student]{ "name": "Student X" } - optional: -
- required:
-
Success response:
- Code: 200 OK
- Code: 200 OK
-
Fail response:
- Code: 403 Forbidden for the other roles.
For ADMIN role, for STUDENT:WRITE authority.
-
URI: management/api/v1/students/:studentId
-
Method: DELETE
-
URL params:
- required:
studentId=[Integer] - optional: -
- required:
-
Query params:
- required: -
- optional: -
- required: -
-
Success response:
- Code: 200 OK
- Code: 200 OK
-
Fail response:
- Code: 403 Forbidden for the other roles.
git checkout section-5-cross-site-request-forgery
Add the XSRF_TOKEN header in POST, PUT and DELETE requests when CSRF is not disabled in ApplicationSecurityConfig.configure method.
git checkout section-6-form-based-authentication
Custom login page.
Added a "Course" page with logout button.
Played with SESSIONID and remember-me cookies.
git checkout section-7-database-authentication
Adding custom UserDetailsService and custom UserDetails "faking" connecting to a database to obtain the users.
git checkout section-8-jwt
-
URI: login
-
Method: PUT
-
URL params:
- required: -
- optional: -
- required: -
-
Query params:
- required: -
- optional: -
- required: -
-
Data params:
- required:
usernameAndPasswordAuthenticationRequest=[UsernameAndPasswordAuthenticationRequest]{ "username": "anna", "password": "pass" } - optional: -
- required:
-
Success response:
- Code: 200 OK
- Added Header:
Authorization: Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w - Code: 200 OK
For each request add Authorization Header with Bearer eyJhbGciOiJIUzM4NCJ9.eyJzdWIiOiJhbm5hIiwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfU1RVREVOVCJ9XSwiaWF0IjoxNjAwODc2Njc5LCJleHAiOjE2MDIwMjE2MDB9.vEYLlZgOl_TFQYxbCq3SIuKwgrs7_ilZ3VoUvqQvdXoOVPeYHd76hmfE9WUYoj2w.
[COMPLETED] - As I finished the section of the course and the associated project, I am setting a personal status of "Completed" and will probably not update this repository in the near future as this was a learning project.