MS Lesson 21: Spring Security

1. Authentication vs Authorization

* Authentication - "Who are you?"

Istifadecinin kimliyinin yoxlanilmasi. Esasen username ve passwordun yoxlanilmasi.

Dogru olmadigi halda 401 Unauthorized xetasi verir.


* Authorization - "What can you do?"

Authentifikasiya olunmush istifadecinin hansi emeliyyatlara icazesi oldugunun yoxlanilmasi. 

Dogru olmadigi halda 403 (Forbidden) xetasi verir.






2. Spring Security internal flow



Authentication - login melumatlarini dashiyan Java obyektidir.

Authentication auth = new UsernamePasswordAuthenticationToken(
"admin", // username (principal)
"12345", // password (credentials)
null // authorities (hələ yoxdur)
);


AuthenticationManager - Authentication prosesini idare eden koordinator.

Default implementasiya ProviderManager. Filter-den Authentication obyektini alir, hansi AuthenticationProvider-in ishleyeceyini secir, Provider-e oturur. 


AuthenticationProvider - esl Authentication mentiqinin oldugu yer. Default implementasiya DaoAuthenticationProvider. UserDetailsService-den user-i tapir, PasswordEncoder ile parolu yoxlayir, ugurlu olsa tam Authentication obytekti qaytarir. 


UserDetailsService/Manager - User melumatlarini DB-den oxuyan servis. Default implementasiyasi InMemoryUserDetailsManager. Esas metodu: UserDetails loadUserByUsername(String username);


PasswordEncoder - parollari hash eden ve muqayise eden komponent. Default (production) BCryptPasswordEncoder. 


SecurityContext - Authentikasiya olunmush user-in melumatinin saxlandigi yer. SecurityContextHolder (ThreadLocal) . Tomcat her request ucun ayri thread verir, ona gore paralel requestler bir birine qarishmir.  




2. Indi ise sade Spring Security app yazaq. 

Step1: dependency elave etmek:

implementation 'org.springframework.boot:spring-boot-starter-security'
testImplementation 'org.springframework.boot:spring-boot-starter-security-test'


Step2: Controller yaradaq

package az.etibarli.lessonspecification.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/test")
public class TestController {

    @GetMapping("/public")
    public String publicEndpoint() {
        return "public endpoint";
    }

    @GetMapping("/user")
    public String userEndpoint() {
        return "user endpoint";
    }

    @GetMapping("/admin")
    public String adminEndpoint() {
        return "admin endpoint";
    }

}


Step3: Security konfiqurasiya yaradaq

package az.etibarli.lessonspecification.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/test/public").permitAll()
                .anyRequest().authenticated()
        );
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }

}


Step4: Mock user-ler yaradaq

package az.etibarli.lessonspecification.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class UserConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder passwordEncoder) {
        UserDetails admin = User.builder()
                .username("admin")
                .password(passwordEncoder.encode("12345"))
                .roles("ADMIN")
                .build();

        UserDetails user = User.builder()
                .username("user")
                .password(passwordEncoder.encode("12345"))
                .roles("USER")
                .build();

        return new InMemoryUserDetailsManager(admin, user);
    }

}


Step5: indi ise endpointlere access-leri deyishek

package az.etibarli.lessonspecification.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/v1/test/user").hasRole("USER")
                .requestMatchers("/api/v1/test/admin").hasRole("ADMIN")
                .requestMatchers("/api/v1/test/public").permitAll()
                .anyRequest().authenticated()
        );
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }

}






















































Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Interview questions

Изображение
+1. JVM memory areas. Thread safe memory areas, Garbage collector working principle, Java reference types +2. SOLID +3. Collection API: How does HashMap work under the hood, hash collision, Concurrent HashMap +4. Equals and HashCode contract -5. Thread, Volatile vs Synchronized, atomic variables(CAS-compare and swap). How to prevent deadlock. Deadlock vs livelock. Reentrant lock. +6. Error vs Exception +7. Immutable class(how to make object properties immutable, immutable collections) +8. DB index type(clustered, non clustered, composite) +9. DB normalization and denormalization +10. RDBMS vs non RDBMS +11. ACID vs BASE. Lock mechanism +12. Hash eviction policy(TTL, LRU, FIFO, LFU, MRU, random replacement, ARC). Problem: we have 2GB memory, how to store 15GB data in this cache +13. entity lifecycle +14. dirty check, flush +15. cascade types +16. n+1 problem (entity graph, join fetch) +17. lazy initialization exception 18. idempotency, safe in rest methods +19. IOC, DI, Proxy +20. AOP(c...
Далее...

Lesson1: JDK, JVM, JRE

Изображение
1. Compiler - takes the entire programming code written in high language and translates the whole of it into machine code at once. After this process the an executable file will be ready to run. The translation takes some times to be done, but after that execution is so fast. 2. Interpreter - takes each single instructions of the code translates it and then executes it on its own. The translation step is before the program runs is fast, but execution is slow. JDK = JRE + development tools JRE = JVM + library class JDK -> Java Development Kit. A kit which provides the environment to develop and execute (run) Java program. JRE -> Java Runtime Environment. Provides environment to only run. JVM -> Java Virtual Machine f * Compiled: Fortran, C, C++, Pascal, Haskell, Rust, Go * Interpreted: JavaScript, PHP, Python, Ruby Java both compiled and interpreted language. Terminalda : javac Main.java yazdiqda, source fayli(.java) bytecode(.class) faylina cevirir. Terminalda: java Main (bu z...
Далее...

Lesson_2: Operations in Java

1. Capda toplama emeliyyatinin ferqi: package org.example.test ; public class Test { public static void main (String[] args) throws Exception { int one = 1 ; int two = 2 ; System. out .println( "result = " + one + two) ; System. out .println(one + two + " result" ) ; } }   char a = 'a' ; char b = 'b' ; System. out .println(a + b) ; System. out .println( 'a' + 'b' ) ; System. out .println( "" + a + b) ; System. out .println( "" + 'a' + 'b' ) ; 2. float ve double-da bash veren riyazi emaliyyat xeyalari: package org.example.test ; public class Test { public static void main (String[] args) throws Exception { float f = 0.6F ; System. out .println(f + 0.1 ) ; } } Operators in Java Operators in Java can be classified into 6 types: Arithmetic Operators Assignment Operators Relational Operators Logical Operators Unary Operators Bitwise Operator...
Далее...