1# Security - Spring Security 6
2 
3## Security Configuration
4 
5```java
6@Configuration
7@EnableWebSecurity
8@EnableMethodSecurity
9public class SecurityConfig {
10 
11    @Bean
12    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
13        http
14            .csrf(csrf -> csrf
15                .ignoringRequestMatchers("/api/auth/**")
16                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
17            )
18            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
19            .authorizeHttpRequests(auth -> auth
20                .requestMatchers("/api/auth/**", "/actuator/health").permitAll()
21                .requestMatchers("/api/admin/**").hasRole("ADMIN")
22                .requestMatchers("/api/users/**").hasAnyRole("USER", "ADMIN")
23                .anyRequest().authenticated()
24            )
25            .sessionManagement(session -> session
26                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
27            )
28            .exceptionHandling(ex -> ex
29                .authenticationEntryPoint(authenticationEntryPoint())
30                .accessDeniedHandler(accessDeniedHandler())
31            )
32            .addFilterBefore(jwtAuthenticationFilter(),
33                           UsernamePasswordAuthenticationFilter.class);
34 
35        return http.build();
36    }
37 
38    @Bean
39    public CorsConfigurationSource corsConfigurationSource() {
40        CorsConfiguration configuration = new CorsConfiguration();
41        configuration.setAllowedOrigins(List.of("http://localhost:3000"));
42        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
43        configuration.setAllowedHeaders(List.of("*"));
44        configuration.setAllowCredentials(true);
45        configuration.setMaxAge(3600L);
46 
47        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
48        source.registerCorsConfiguration("/**", configuration);
49        return source;
50    }
51 
52    @Bean
53    public AuthenticationManager authenticationManager(
54            AuthenticationConfiguration config) throws Exception {
55        return config.getAuthenticationManager();
56    }
57 
58    @Bean
59    public PasswordEncoder passwordEncoder() {
60        return new BCryptPasswordEncoder(12);
61    }
62}
63```
64 
65## JWT Authentication Filter
66 
67```java
68@Component
69@RequiredArgsConstructor
70public class JwtAuthenticationFilter extends OncePerRequestFilter {
71    private final JwtService jwtService;
72    private final UserDetailsService userDetailsService;
73 
74    @Override
75    protected void doFilterInternal(
76            @NonNull HttpServletRequest request,
77            @NonNull HttpServletRequest response,
78            @NonNull FilterChain filterChain) throws ServletException, IOException {
79 
80        final String authHeader = request.getHeader("Authorization");
81        final String jwt;
82        final String username;
83 
84        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
85            filterChain.doFilter(request, response);
86            return;
87        }
88 
89        jwt = authHeader.substring(7);
90 
91        try {
92            username = jwtService.extractUsername(jwt);
93 
94            if (username != null && SecurityContextHolder.getContext()
95                    .getAuthentication() == null) {
96                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
97 
98                if (jwtService.isTokenValid(jwt, userDetails)) {
99                    UsernamePasswordAuthenticationToken authToken =
100                        new UsernamePasswordAuthenticationToken(
101                            userDetails,
102                            null,
103                            userDetails.getAuthorities()
104                        );
105 
106                    authToken.setDetails(
107                        new WebAuthenticationDetailsSource().buildDetails(request)
108                    );
109 
110                    SecurityContextHolder.getContext().setAuthentication(authToken);
111                }
112            }
113        } catch (JwtException e) {
114            log.error("JWT validation failed", e);
115        }
116 
117        filterChain.doFilter(request, response);
118    }
119}
120```
121 
122## JWT Service
123 
124```java
125@Service
126public class JwtService {
127    @Value("${jwt.secret}")
128    private String secretKey;
129 
130    @Value("${jwt.expiration}")
131    private long jwtExpiration;
132 
133    @Value("${jwt.refresh-expiration}")
134    private long refreshExpiration;
135 
136    public String extractUsername(String token) {
137        return extractClaim(token, Claims::getSubject);
138    }
139 
140    public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
141        final Claims claims = extractAllClaims(token);
142        return claimsResolver.apply(claims);
143    }
144 
145    public String generateToken(UserDetails userDetails) {
146        Map<String, Object> extraClaims = new HashMap<>();
147        extraClaims.put("roles", userDetails.getAuthorities().stream()
148            .map(GrantedAuthority::getAuthority)
149            .collect(Collectors.toList()));
150 
151        return generateToken(extraClaims, userDetails);
152    }
153 
154    public String generateToken(
155            Map<String, Object> extraClaims,
156            UserDetails userDetails) {
157        return buildToken(extraClaims, userDetails, jwtExpiration);
158    }
159 
160    public String generateRefreshToken(UserDetails userDetails) {
161        return buildToken(new HashMap<>(), userDetails, refreshExpiration);
162    }
163 
164    private String buildToken(
165            Map<String, Object> extraClaims,
166            UserDetails userDetails,
167            long expiration) {
168        return Jwts
169            .builder()
170            .setClaims(extraClaims)
171            .setSubject(userDetails.getUsername())
172            .setIssuedAt(new Date(System.currentTimeMillis()))
173            .setExpiration(new Date(System.currentTimeMillis() + expiration))
174            .signWith(getSignInKey(), SignatureAlgorithm.HS256)
175            .compact();
176    }
177 
178    public boolean isTokenValid(String token, UserDetails userDetails) {
179        final String username = extractUsername(token);
180        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
181    }
182 
183    private boolean isTokenExpired(String token) {
184        return extractExpiration(token).before(new Date());
185    }
186 
187    private Date extractExpiration(String token) {
188        return extractClaim(token, Claims::getExpiration);
189    }
190 
191    private Claims extractAllClaims(String token) {
192        return Jwts
193            .parserBuilder()
194            .setSigningKey(getSignInKey())
195            .build()
196            .parseClaimsJws(token)
197            .getBody();
198    }
199 
200    private Key getSignInKey() {
201        byte[] keyBytes = Decoders.BASE64.decode(secretKey);
202        return Keys.hmacShaKeyFor(keyBytes);
203    }
204}
205```
206 
207## UserDetailsService Implementation
208 
209```java
210@Service
211@RequiredArgsConstructor
212public class CustomUserDetailsService implements UserDetailsService {
213    private final UserRepository userRepository;
214 
215    @Override
216    @Transactional(readOnly = true)
217    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
218        User user = userRepository.findByEmailWithRoles(username)
219            .orElseThrow(() -> new UsernameNotFoundException(
220                "User not found with email: " + username));
221 
222        return org.springframework.security.core.userdetails.User
223            .builder()
224            .username(user.getEmail())
225            .password(user.getPassword())
226            .authorities(user.getRoles().stream()
227                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
228                .collect(Collectors.toList()))
229            .accountExpired(false)
230            .accountLocked(!user.getActive())
231            .credentialsExpired(false)
232            .disabled(!user.getActive())
233            .build();
234    }
235}
236```
237 
238## Authentication Controller
239 
240```java
241@RestController
242@RequestMapping("/api/auth")
243@RequiredArgsConstructor
244public class AuthenticationController {
245    private final AuthenticationService authenticationService;
246 
247    @PostMapping("/register")
248    public ResponseEntity<AuthenticationResponse> register(
249            @Valid @RequestBody RegisterRequest request) {
250        AuthenticationResponse response = authenticationService.register(request);
251        return ResponseEntity.status(HttpStatus.CREATED).body(response);
252    }
253 
254    @PostMapping("/login")
255    public ResponseEntity<AuthenticationResponse> login(
256            @Valid @RequestBody LoginRequest request) {
257        AuthenticationResponse response = authenticationService.login(request);
258        return ResponseEntity.ok(response);
259    }
260 
261    @PostMapping("/refresh")
262    public ResponseEntity<AuthenticationResponse> refreshToken(
263            @RequestBody RefreshTokenRequest request) {
264        AuthenticationResponse response = authenticationService.refreshToken(request);
265        return ResponseEntity.ok(response);
266    }
267 
268    @PostMapping("/logout")
269    @PreAuthorize("isAuthenticated()")
270    public ResponseEntity<Void> logout() {
271        SecurityContextHolder.clearContext();
272        return ResponseEntity.noContent().build();
273    }
274}
275```
276 
277## Authentication Service
278 
279```java
280@Service
281@RequiredArgsConstructor
282@Transactional
283public class AuthenticationService {
284    private final UserRepository userRepository;
285    private final PasswordEncoder passwordEncoder;
286    private final JwtService jwtService;
287    private final AuthenticationManager authenticationManager;
288 
289    public AuthenticationResponse register(RegisterRequest request) {
290        if (userRepository.existsByEmail(request.email())) {
291            throw new DuplicateResourceException("Email already registered");
292        }
293 
294        User user = User.builder()
295            .email(request.email())
296            .password(passwordEncoder.encode(request.password()))
297            .username(request.username())
298            .active(true)
299            .roles(Set.of(Role.builder().name("USER").build()))
300            .build();
301 
302        user = userRepository.save(user);
303 
304        String accessToken = jwtService.generateToken(convertToUserDetails(user));
305        String refreshToken = jwtService.generateRefreshToken(convertToUserDetails(user));
306 
307        return new AuthenticationResponse(accessToken, refreshToken);
308    }
309 
310    public AuthenticationResponse login(LoginRequest request) {
311        authenticationManager.authenticate(
312            new UsernamePasswordAuthenticationToken(
313                request.email(),
314                request.password()
315            )
316        );
317 
318        User user = userRepository.findByEmail(request.email())
319            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
320 
321        String accessToken = jwtService.generateToken(convertToUserDetails(user));
322        String refreshToken = jwtService.generateRefreshToken(convertToUserDetails(user));
323 
324        return new AuthenticationResponse(accessToken, refreshToken);
325    }
326 
327    public AuthenticationResponse refreshToken(RefreshTokenRequest request) {
328        String username = jwtService.extractUsername(request.refreshToken());
329 
330        User user = userRepository.findByEmail(username)
331            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
332 
333        UserDetails userDetails = convertToUserDetails(user);
334 
335        if (!jwtService.isTokenValid(request.refreshToken(), userDetails)) {
336            throw new InvalidTokenException("Invalid refresh token");
337        }
338 
339        String accessToken = jwtService.generateToken(userDetails);
340 
341        return new AuthenticationResponse(accessToken, request.refreshToken());
342    }
343 
344    private UserDetails convertToUserDetails(User user) {
345        return org.springframework.security.core.userdetails.User
346            .builder()
347            .username(user.getEmail())
348            .password(user.getPassword())
349            .authorities(user.getRoles().stream()
350                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
351                .collect(Collectors.toList()))
352            .build();
353    }
354}
355```
356 
357## Method Security
358 
359```java
360@Service
361@RequiredArgsConstructor
362public class UserService {
363    private final UserRepository userRepository;
364 
365    @PreAuthorize("hasRole('ADMIN')")
366    public List<User> getAllUsers() {
367        return userRepository.findAll();
368    }
369 
370    @PreAuthorize("hasRole('ADMIN') or #userId == authentication.principal.id")
371    public User getUserById(Long userId) {
372        return userRepository.findById(userId)
373            .orElseThrow(() -> new ResourceNotFoundException("User not found"));
374    }
375 
376    @PreAuthorize("isAuthenticated()")
377    @PostAuthorize("returnObject.email == authentication.principal.username")
378    public User updateProfile(Long userId, UserUpdateRequest request) {
379        User user = getUserById(userId);
380        // Update logic
381        return userRepository.save(user);
382    }
383 
384    @Secured({"ROLE_ADMIN", "ROLE_MANAGER"})
385    public void deleteUser(Long userId) {
386        userRepository.deleteById(userId);
387    }
388}
389```
390 
391## OAuth2 Resource Server (JWT)
392 
393```java
394@Configuration
395@EnableWebSecurity
396public class OAuth2ResourceServerConfig {
397 
398    @Bean
399    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
400        http
401            .authorizeHttpRequests(auth -> auth
402                .requestMatchers("/public/**").permitAll()
403                .anyRequest().authenticated()
404            )
405            .oauth2ResourceServer(oauth2 -> oauth2
406                .jwt(jwt -> jwt
407                    .jwtAuthenticationConverter(jwtAuthenticationConverter())
408                )
409            );
410 
411        return http.build();
412    }
413 
414    @Bean
415    public JwtDecoder jwtDecoder() {
416        return JwtDecoders.fromIssuerLocation("https://auth.example.com");
417    }
418 
419    @Bean
420    public JwtAuthenticationConverter jwtAuthenticationConverter() {
421        JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter =
422            new JwtGrantedAuthoritiesConverter();
423        grantedAuthoritiesConverter.setAuthoritiesClaimName("roles");
424        grantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
425 
426        JwtAuthenticationConverter jwtAuthenticationConverter =
427            new JwtAuthenticationConverter();
428        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(
429            grantedAuthoritiesConverter);
430 
431        return jwtAuthenticationConverter;
432    }
433}
434```
435 
436## Quick Reference
437 
438| Annotation | Purpose |
439|------------|---------|
440| `@EnableWebSecurity` | Enables Spring Security |
441| `@EnableMethodSecurity` | Enables method-level security annotations |
442| `@PreAuthorize` | Checks authorization before method execution |
443| `@PostAuthorize` | Checks authorization after method execution |
444| `@Secured` | Role-based method security |
445| `@WithMockUser` | Mock authenticated user in tests |
446| `@AuthenticationPrincipal` | Inject current user in controller |
447 
448## Security Best Practices
449 
450- Always use HTTPS in production
451- Store JWT secret in environment variables
452- Use strong password encoding (BCrypt with strength 12+)
453- Implement token refresh mechanism
454- Add rate limiting to authentication endpoints
455- Validate all user inputs
456- Log security events
457- Keep dependencies updated
458- Use CSRF protection for state-changing operations
459- Implement proper session timeout
460