Added some security changes

Author: OKaluzny

README.md

@@ -1,5 +1,5 @@
 
-## Lightweight RESTful API with Spring Boot, Keycloak, Docker, PostgreSQL, JPA, Lombok, Spotify plugin, OpenAPI, etc.
+## Lightweight RESTful API with Spring Boot 3, Keycloak 21, Docker, PostgreSQL, JPA, Lombok, OpenAPI, etc.
 
 [![Build Status](https://travis-ci.org/OKaluzny/spring-boot-docker-postgres.svg?branch=master)](https://travis-ci.org/OKaluzny/spring-boot-docker-postgres)
 

docker-compose.yml

@@ -3,59 +3,74 @@ version: '3.9'
 # Define services
 services:
   # App backend service
-  app:
+  #app:
     # This service depends on postgres db and keycloak auth. Start that first.
-    depends_on:
-      db:
-        condition: service_healthy
-      keycloak:
-        condition: service_started
-    image: spring-boot-keycloak-docker-postgres:latest
-    build:
-      context: ./
-      dockerfile: "Dockerfile"
+   # depends_on:
+    #  db:
+     #   condition: service_healthy
+      #keycloak:
+       # condition: service_started
+    #image: spring-boot-keycloak-docker-postgres:latest
+    #build:
+     # context: ./
+     # dockerfile: "Dockerfile"
     # Give the container the name web-app. You can change to something else.
-    container_name: web-app
+    #container_name: web-app
     # Forward the exposed port 8080 on the container to port 8080 on the host machine
-    ports:
-      - "8088:8080"
-    networks:
-      - backend
+    #ports:
+      # - "0.0.0.0:8088:8080/tcp"
+     # - target: 8080
+      #  host_ip: 0.0.0.0
+       # published: 8088
+        #protocol: tcp
+        #mode: host
+    #ports:
+     # - "8080:8080"
+    #networks:
+     # - backend
     # entrypoint: [ "java", "-Xms512m", "-Xmx1g", "-jar" ]
   # Database Service (Postgres)
-  db:
-    # Use the Docker Image postgres. This will pull the 14 version.
-    image: postgres:14-alpine
+  #db:
     # Give the container the name postgres-db. You can change to something else.
-    container_name: postgres-db
-    restart: always
+   # container_name: postgres-db
+    # Use the Docker Image postgres. This will pull the 14 version.
+    #image: postgres:14-alpine
+    #healthcheck:
+     # test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
+      #timeout: 45s
+      #interval: 10s
+      #retries: 10
+    #restart: always
     # Set a volume some that database is not lost after shutting down the container.
     # I used the name postgres-data, but you can change it to something else.
-    volumes:
-      - postgres_data_keycloak:/var/lib/postgresql/data
-    networks:
-      - backend
+    #volumes:
+     # - postgres_data_keycloak:/var/lib/postgresql/data
+    #networks:
+     # - backend
+    #network_mode: host
     # Maps port 5432 (localhost) to port 5432 on the container. You can change the ports to fix your needs.
-    ports:
-      - "5432:5432"
+    #ports:
+     # - "5432:5432"
     # Set up the username, password, and database name. You can change these values.
-    environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
-      POSTGRES_DB: automobiles
-      PGDATA: /var/lib/postgresql/data/pgdata
-    healthcheck:
-      test: "pg_isready -U postgres"
+    #environment:
+     # POSTGRES_USER: postgres
+      #POSTGRES_PASSWORD: postgres
+      #POSTGRES_DB: automobiles
+      #PGDATA: /var/lib/postgresql/data/pgdata
   # Auth service
   keycloak:
-    image: quay.io/keycloak/keycloak:22.0.1
     container_name: keycloak-auth
+    image: quay.io/keycloak/keycloak:22.0.1
+    #build:
+     # context: .
+      #args:
+       # KEYCLOAK_VERSION: 22.0.1
     command:
       - "start-dev"
     ports:
       - "8180:8080"
     networks:
-      - backend
+      - keycloak
     environment:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: password
@@ -82,13 +97,19 @@ services:
       POSTGRES_USER: keycloak
       POSTGRES_PASSWORD: password
     networks:
-      - backend
+      - keycloak
     healthcheck:
-      test: "pg_isready -U keycloak"
+      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "root" ]
+      timeout: 45s
+      interval: 10s
+      retries: 10
 
 networks:
-  backend:
-    name: app
+ # backend:
+  #  name: app
+   # driver: bridge
+  keycloak:
+    name: keycloak
     driver: bridge
 
 volumes:

pom.xml

@@ -113,8 +113,7 @@
                     </compilerArgs>
                 </configuration>
             </plugin>
-
-            <plugin>
+           <!-- <plugin>
                 <groupId>io.fabric8</groupId>
                 <artifactId>docker-maven-plugin</artifactId>
                 <version>0.43.0</version>
@@ -137,7 +136,7 @@
                         </configuration>
                     </execution>
                 </executions>
-            </plugin>
+            </plugin>-->
 
         </plugins>
     </build>

src/main/java/com/kaluzny/demo/config/SecurityConfig.java

@@ -1,15 +1,13 @@
 package com.kaluzny.demo.config;
 
 import lombok.RequiredArgsConstructor;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
-import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -20,38 +18,27 @@
 @Configuration
 @EnableWebSecurity
 //@EnableMethodSecurity
-@RequiredArgsConstructor
 class SecurityConfig {
 
-    @Value("${spring.security.oauth2.resource-server.jwt.jwk-set-uri}")
-    private String jwkSetUri;
-
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
 
         httpSecurity
                 .authorizeHttpRequests(registry -> registry
-                        .requestMatchers("/api/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET,"/api/**").hasRole("USER")
+                        .requestMatchers(HttpMethod.POST,"/api/**").hasRole("PERSON")
                         .anyRequest().authenticated()
                 )
                 .oauth2ResourceServer(oauth2Configurer -> oauth2Configurer
                         .jwt(jwtConfigurer -> jwtConfigurer
                                 .jwtAuthenticationConverter(jwt -> {
-                                    // Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
-                                    Map<String, Collection<String>> realmAccess = jwt.getClaim("resource_access");
+                                    Map<String, Collection<String>> realmAccess = jwt.getClaim("realm_access");
                                     Collection<String> roles = realmAccess.get("roles");
                                     var grantedAuthorities = roles.stream()
                                             .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                                             .collect(Collectors.toList());
                                     return new JwtAuthenticationToken(jwt, grantedAuthorities);
-                                }).decoder(jwtDecoder())));
+                                })));
         return httpSecurity.build();
     }
-
-    @Bean
-    public JwtDecoder jwtDecoder() {
-        return NimbusJwtDecoder
-                .withJwkSetUri(jwkSetUri)
-                .jwsAlgorithm(SignatureAlgorithm.RS256).build();
-    }
 }

src/main/java/com/kaluzny/demo/web/AutomobileRestController.java

@@ -14,6 +14,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.annotation.PostConstruct;
+import jakarta.annotation.security.RolesAllowed;
 import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -23,6 +24,7 @@
 import org.springframework.data.domain.Sort;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.*;
 
@@ -51,15 +53,15 @@ public void init() {
         repository.save(new Automobile(1L, "Ford", "Green", Instant.now(), Instant.now(), true, false));
     }
 
-    @Operation(summary = "Add a new Automobile", description = "endpoint for creating an entity", tags = {"Automobile"})
+    /*@Operation(summary = "Add a new Automobile", description = "endpoint for creating an entity", tags = {"Automobile"})
     @ApiResponses(value = {
             @ApiResponse(responseCode = "201", description = "Automobile created"),
             @ApiResponse(responseCode = "400", description = "Invalid input"),
-            @ApiResponse(responseCode = "409", description = "Automobile already exists")})
+            @ApiResponse(responseCode = "409", description = "Automobile already exists")})*/
     @PostMapping("/automobiles")
     @ResponseStatus(HttpStatus.CREATED)
-    //@PreAuthorize("hasRole('PERSON')")
-    //@RolesAllowed("PERSON")
+    @PreAuthorize("hasRole('ADMIN')")
+    //@RolesAllowed("ADMIN")
     public Automobile saveAutomobile(
             @Parameter(description = "Automobile", required = true) @NotNull @RequestBody Automobile automobile) {
         log.info("saveAutomobile() - start: automobile = {}", automobile);
@@ -74,7 +76,8 @@ public Automobile saveAutomobile(
                     content = @Content(array = @ArraySchema(schema = @Schema(implementation = Automobile.class))))})
     @GetMapping("/automobiles")
     @ResponseStatus(HttpStatus.OK)
-    @Cacheable(value = "automobile")
+    //@Cacheable(value = "automobile", sync = true)
+    @PreAuthorize("hasRole('ADMIN')")
     public Collection<Automobile> getAllAutomobiles() {
         log.info("getAllAutomobiles() - start");
         Collection<Automobile> collection = repository.findAll();

src/main/resources/application.yml

@@ -4,13 +4,14 @@ spring:
     name: App
   profiles:
     active: development
-  main:
-    allow-bean-definition-overriding: true
+    #main:
+    # allow-bean-definition-overriding: true
   # Database
   datasource:
     driver-class-name: org.postgresql.Driver
     # For correct works with docker-compose, we need to change "localhost" to a service name, take from docker-compose.yml
-    url: jdbc:postgresql://db:5432/automobiles
+    #url: jdbc:postgresql://db:5432/automobiles
+    url: jdbc:postgresql://localhost:5432/automobiles
     username: postgres
     password: postgres
   # JPA properties
@@ -20,31 +21,42 @@ spring:
     show-sql: true
     database: postgresql
     database-platform: org.hibernate.dialect.PostgreSQLDialect
-    open-in-view: false
-    generate-ddl: true
-# Keycloak Configuration
+    #open-in-view: false
+    #generate-ddl: true
+  # Keycloak Configuration
   security:
     oauth2:
       resource-server:
         jwt:
           issuer-uri: http://localhost:8180/realms/automobile-realm
-          jwk-set-uri: http://localhost:8180/realms/automobile-realm/protocol/openid-connect/certs
-
+# Server configuration
+server:
+  port: 8080  #set your port
+  servlet:
+    context-path: /demo
 # Logger configuration
 logging:
   pattern:
     console: "%d %-5level %logger : %msg%n"
   level:
     org.springframework: info
+    org.springframework.security: debug
+    org.springframework.security.oauth2: debug
     #org.hibernate: debug
-# Server configuration
-server:
-  port: 8088 #set your port
-  #servlet:
-   # context-path: /demo
 # Swagger configuration
 springdoc:
   swagger-ui:
     path: /swagger-ui.html # swagger-ui custom path
   api-docs:
     path: /v3/api-docs.yaml
+# spring actuator
+management:
+  endpoints:
+    #enabled-by-default: true # If changed to false, you can enable separate functionality as indicated below
+    #endpoint: # here
+    # health:
+    #  enabled: true
+    web:
+      exposure:
+        # exclude: "*"
+        include: "*"