MS Lesson22: Spring Security Project

Step1: docker-compose.yaml fayli

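# Local development database for the lesson.
# The indentation below is required: without it the keys collapse to the top
# level and Compose rejects the file.
services:
  postgres:
    image: postgres:17
    container_name: security2
    environment:
      POSTGRES_DB: security2
      POSTGRES_USER: security2
      # Demo-only value that is identical to the user and database name.
      # Replace it (for example via an .env file kept out of version control)
      # before this file is used anywhere but a local workstation.
      POSTGRES_PASSWORD: security2
    ports:
      # Publish on the loopback interface only. A bare "5555:5432" mapping
      # listens on every host interface, which exposes a database protected
      # by a guessable password to the local network.
      - "127.0.0.1:5555:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - demo-network

networks:
  demo-network:
    driver: bridge

volumes:
  postgres_data: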


application.yaml fayli

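# Main application settings. Nested keys must be indented; flattened to the
# top level they are not read as server.port / spring.profiles.include.
server:
  port: 9999

spring:
  profiles:
    # Always load the "db" profile as well, i.e. application-db.yaml.
    include:
      - db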


application-db.yaml fayli

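# Datasource and JPA settings for the "db" profile.
spring:
  datasource:
    url: jdbc:postgresql://${DB_HOSTNAME:localhost}:${DB_PORT:5555}/security2
    # Same placeholder style as the URL: the demo values stay as defaults so
    # the lesson still runs unchanged, but a real deployment can inject its
    # own credentials through the environment instead of editing this file.
    username: ${DB_USERNAME:security2}
    password: ${DB_PASSWORD:security2}
    driver-class-name: org.postgresql.Driver

  jpa:
    hibernate:
      # Hibernate changes the schema at startup to match the entities.
      # Convenient while learning; outside development prefer reviewed
      # migrations so a code change cannot silently alter the tables.
      ddl-auto: update
    # Prints every SQL statement to the log. Keep this for local debugging only.
    show-sql: true
    properties:
      hibernate:
        format_sql: true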



Step2: Entity-leri yaratmaq

User entity

package az.etibarli.step3.entity;
import jakarta.persistence.*;
import lombok.AccessLevel;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import lombok.ToString;
import java.util.LinkedHashSet;
import java.util.Set;
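/**
 * Application user stored in the {@code users} table.
 *
 * <p>Lombok generates public getters and setters for every field, including
 * {@code id} and {@code roles}. Code that binds external input directly onto
 * this entity therefore lets the caller choose those values as well; callers
 * are expected to reset them before persisting.
 */
@Getter
@Setter
@ToString
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Entity
@Table(name = "users")
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, unique = true)
    private String username;

    // Holds whatever the caller stored: the raw password before encoding and
    // the encoded hash afterwards. Excluded from toString() so that neither
    // form ends up in logs or exception messages.
    @Column(nullable = false)
    @ToString.Exclude
    private String password;

    // Loaded eagerly together with the user; excluded from toString() like
    // the original mapping.
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(
            name = "user_roles",
            joinColumns = @JoinColumn(name = "user_id"),
            inverseJoinColumns = @JoinColumn(name = "role_id")
    )
    @ToString.Exclude
    private Set<Role> roles = new LinkedHashSet<>();
}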


Role entity

package az.etibarli.step3.entity;
import jakarta.persistence.*;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import lombok.ToString;
import java.util.LinkedHashSet;
import java.util.Set;
/**
 * Named role stored in the {@code roles} table. Each role carries a set of
 * {@link Permission}s through the {@code role_permissions} join table.
 */
@Entity
@Table(name = "roles")
@NoArgsConstructor
@ToString
@Setter
@Getter
public class Role {

    /** Database-generated primary key. */
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    /** Role name; required and unique across the table. */
    @Column(nullable = false, unique = true)
    private String name;

    /** Permissions granted by this role, fetched eagerly and left out of toString(). */
    @ToString.Exclude
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(
            name = "role_permissions",
            joinColumns = @JoinColumn(name = "role_id"),
            inverseJoinColumns = @JoinColumn(name = "permission_id")
    )
    private Set<Permission> permissions = new LinkedHashSet<>();
}


Permission entity

package az.etibarli.step3.entity;
import jakarta.persistence.*;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.Setter;
/**
 * Single permission stored in the {@code permissions} table.
 * Setters are generated by Lombok; the getters are written by hand.
 */
@Entity
@Table(name = "permissions")
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Setter
public class Permission {

    /** Database-generated primary key. */
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    /** Permission name; required and unique across the table. */
    @Column(nullable = false, unique = true)
    private String name;

    /** @return the permission name */
    public String getName() {
        return this.name;
    }

    /** @return the primary key, or {@code null} while it has not been assigned */
    public Long getId() {
        return this.id;
    }
}


Step3: UserRepository yaratmaq

package az.etibarli.step3.repository;

import az.etibarli.step3.entity.User;
import org.springframework.data.jpa.repository.JpaRepository;

import java.util.Optional;

/**
 * Spring Data JPA repository for {@link User} entities keyed by {@code Long} id.
 */
public interface UserRepository extends JpaRepository<User, Long> {

    /**
     * Looks up a user by the unique {@code username} column.
     *
     * @param username the username to search for
     * @return the matching user, or an empty {@link Optional} when none exists
     */
    Optional<User> findByUsername(String username);
}



Step4: ProjectSecurityConfig yaratmaq

package az.etibarli.step3.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Security-related beans for the project.
 */
@Configuration
public class ProjectSecurityConfig {

    /**
     * Provides the encoder used to hash passwords before they are stored.
     *
     * @return a BCrypt-based {@link PasswordEncoder} created with its no-arg constructor
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        final PasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();
        return bcryptEncoder;
    }
}


ve UserController yaratmaq

package az.etibarli.step3.controller;

import az.etibarli.step3.entity.User;
import az.etibarli.step3.repository.UserRepository;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

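/**
 * REST endpoint for self-service registration.
 */
@RestController
public class UserController {

    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;

    public UserController(UserRepository userRepository, PasswordEncoder passwordEncoder) {
        this.userRepository = userRepository;
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Registers a new user with a hashed password and no roles.
     *
     * <p>The request body is bound straight onto the {@link User} entity, so
     * every field with a setter is caller-controlled. Only {@code username}
     * and {@code password} are accepted from the request; {@code id} and
     * {@code roles} are reset before saving.
     *
     * @param user the submitted registration data
     * @return 200 on success, 400 when username or password is missing,
     *         409 when the username already exists
     */
    @PostMapping("/register")
    public ResponseEntity<String> registerUser(@RequestBody User user) {
        String username = user.getUsername();
        String rawPassword = user.getPassword();

        // Reject incomplete input here; otherwise the encoder or the NOT NULL
        // column constraints fail later and surface as a server error.
        if (username == null || username.isBlank() || rawPassword == null || rawPassword.isEmpty()) {
            return ResponseEntity.badRequest().body("Username and password are required");
        }

        // Friendly duplicate check. The unique constraint on the column stays
        // the real guard against two concurrent registrations.
        if (userRepository.findByUsername(username).isPresent()) {
            return ResponseEntity.status(409).body("Username is already taken");
        }

        // A caller-supplied id would make save() update an existing row
        // instead of inserting a new one.
        user.setId(null);
        // A caller-supplied role list would let a new account grant itself
        // roles; registration always starts without any.
        user.setRoles(new java.util.LinkedHashSet<>());

        user.setPassword(passwordEncoder.encode(rawPassword));
        userRepository.save(user);
        return ResponseEntity.ok("User is created");
    }
}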



Step5: SecurityFilterChain yaratmaq. Bu ona gore lazimdir ki, yaratdigimiz /register endpointini public edek. Cunki Spring Security default olaraq butun endpointleri qoruyur ve bu shekilde /register-e accessimiz yoxdur

package az.etibarli.step3.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Security configuration: the HTTP filter chain and the password encoder.
 */
@Configuration
public class ProjectSecurityConfig {

    /**
     * Builds the filter chain: {@code /register} is open to everyone, every
     * other request requires an authenticated caller.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception if the chain cannot be built
     */
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for the whole application, not just
        // for /register.
        // NOTE(review): acceptable only while no cookie/session based login
        // exists; revisit once an authentication mechanism is added.
        http.csrf(csrfConfig -> csrfConfig.disable());

        // NOTE(review): no login mechanism is configured in this chain as
        // shown, so the authenticated() endpoints cannot be reached yet;
        // presumably a later step adds one.
        http.authorizeHttpRequests(rules -> {
            rules.requestMatchers("/register").permitAll();
            rules.anyRequest().authenticated();
        });

        return http.build();
    }

    /**
     * Provides the encoder used to hash passwords before they are stored.
     *
     * @return a BCrypt-based {@link PasswordEncoder} created with its no-arg constructor
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        final PasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();
        return bcryptEncoder;
    }
}


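*** CSRF nedir? Cross-Site Request Forgery: bashqa bir sayt istifadecinin brauzerinden, onun xeberi olmadan, artiq login oldugu tetbiqe sorgu gonderilmesine sebeb olur ve brauzer session cookie-ni avtomatik elave edir. Yuxaridaki csrf.disable() yalniz cookie/session istifade etmeyen stateless API-ler ucun meqbuldur; session ve ya form login elave olunarsa CSRF qorumasi aktiv qalmalidir.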












