Added Spring Security and Spring Session to showcase basic security.

odrotbohm · odrotbohm · commit 80ae7f1fd348 · 2026-02-12T12:02:39.000+01:00
We're using a HTTP header based strategy to generate authentication tokens on authorization requests. We use the already used HSQLDB as temporary session store.
diff --git a/server/pom.xml b/server/pom.xml
@@ -167,6 +167,18 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/ma
 			<scope>runtime</scope>
 		</dependency>
 
+		<!-- Security -->
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.session</groupId>
+			<artifactId>spring-session-jdbc</artifactId>
+		</dependency>
+
 		<!-- Misc -->
 
 		<dependency>
diff --git a/server/src/main/java/de/odrotbohm/restbucks/SecurityConfiguration.java b/server/src/main/java/de/odrotbohm/restbucks/SecurityConfiguration.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2015-2026 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.odrotbohm.restbucks;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
+
+/**
+ * Web security configuration enabling:
+ * <ol>
+ * <li>HTTP Basic authentication with Spring Security</li>
+ * <li>Configuring Spring Session to expose the session using an HTTP header.</li>
+ * </ol>
+ *
+ * @author Oliver Drotbohm
+ */
+@Configuration
+@ConditionalOnWebApplication
+class SecurityConfiguration {
+
+	/**
+	 * Configures a the HTTP session to be exposed via an HTTP header.
+	 */
+	@Bean
+	public HeaderHttpSessionIdResolver sessionStrategy() {
+		return HeaderHttpSessionIdResolver.xAuthToken();
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+
+		return http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
+				.httpBasic(it -> it.realmName("Spring RESTBucks"))
+				.build();
+	}
+}
diff --git a/server/src/main/resources/application.properties b/server/src/main/resources/application.properties
@@ -20,3 +20,9 @@ management.otlp.metrics.export.step=5s
 
 spring.threads.virtual.enabled=true
 spring.aot.repositories.enabled=true
+
+# Security
+spring.security.user.password=password
+spring.session.jdbc.initialize-schema=embedded
+spring.session.jdbc.schema=classpath:org/springframework/session/jdbc/schema-hsqldb.sql
+spring.session.jdbc.table-name=SPRING_SESSION
