feature: springdoc-openapi-ui with oauth2-autoconfigure.

- JWT Authentication for default api
- OAuth 2.0 Bearer Tokens for oauth2 api
- Swagger UI JWT Default tokens

Author: kdevkr

README.md

@@ -1,10 +1,11 @@
-# Spring Boot 2.7.18
+# Spring Boot 2 + Springdoc Swagger UI
 
 ## How to settings with Intellij IDEA
 1. Settings → Editor → Code Style → Enable editorconfig support
 2. Import Scheme → Checkstyle configuration → checkstyle.xml in project folder
 3. Install CheckStyle Plugin → Add checkstyle.xml and activate
 
-## Why do you need this repository?
-You can no longer create a Spring Boot 2 project through [Spring Initializr](https://start.spring.io/). If you know how to use a docker, you can use the [Spring Initializr docker image](https://hub.docker.com/r/kdevkr/spring-initializr) I shared.
+## Dependencies
 
+- [spring-security-oauth2-autoconfigure](https://github.com/spring-attic/spring-security-oauth2-boot/tree/main/spring-security-oauth2-autoconfigure)
+- [springdoc-openapi v1.7.0](https://springdoc.org/v1/)

build.gradle

@@ -31,13 +31,17 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-quartz'
     implementation 'org.springframework.boot:spring-boot-starter-security'
+    implementation 'org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.6.8'
     implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.cloud:spring-cloud-starter-sleuth'
     implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'
     implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
     implementation 'org.springdoc:springdoc-openapi-security:1.7.0'
+    implementation 'io.jsonwebtoken:jjwt-api:0.12.5'
+    implementation 'io.jsonwebtoken:jjwt-impl:0.12.5'
+    implementation 'io.jsonwebtoken:jjwt-jackson:0.12.5'
     testImplementation 'org.testcontainers:junit-jupiter'
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'com.h2database:h2'

src/main/java/com/example/demo/Application.java

@@ -1,12 +1,20 @@
 package com.example.demo;
 
+import java.util.TimeZone;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 
+@Slf4j
+@ConfigurationPropertiesScan
+@EnableConfigurationProperties
 @SpringBootApplication
 public class Application {
 
     public static void main(String[] args) {
+        TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
         SpringApplication.run(Application.class, args);
     }
 

src/main/java/com/example/demo/auth/AuthPermissionEvaluator.java

@@ -0,0 +1,37 @@
+package com.example.demo.auth;
+
+import com.example.demo.user.UserClient;
+import com.example.demo.user.UserService;
+import java.io.Serializable;
+import lombok.AllArgsConstructor;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.stereotype.Component;
+
+@AllArgsConstructor
+@Component("auth")
+public class AuthPermissionEvaluator implements PermissionEvaluator {
+    private final UserService userService;
+
+    public boolean isSystem() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        ClientDetails clientDetails = userService.loadClientByClientId(authentication.getName());
+        if (clientDetails instanceof UserClient) {
+            UserClient userClient = (UserClient) clientDetails;
+            return "system".equals(userClient.getUser().getId()) && userClient.getScope().contains("all");
+        }
+        return false;
+    }
+
+    @Override
+    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+        return true;
+    }
+
+    @Override
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
+        return true;
+    }
+}

src/main/java/com/example/demo/auth/PasswordConfiguration.java

@@ -0,0 +1,14 @@
+package com.example.demo.auth;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class PasswordConfiguration {
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder(12);
+    }
+}

src/main/java/com/example/demo/auth/RoleHierarchyConfiguration.java

@@ -0,0 +1,33 @@
+package com.example.demo.auth;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyUtils;
+import org.springframework.security.access.vote.RoleHierarchyVoter;
+
+@Order(0)
+@Configuration
+public class RoleHierarchyConfiguration {
+    @Bean
+    public RoleHierarchy roleHierarchy() {
+        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
+        Map<String, List<String>> roleHierarchyMap = new HashMap<>();
+        roleHierarchyMap.put("ROLE_SYSTEM", List.of("ROLE_ADMIN"));
+        roleHierarchyMap.put("ROLE_ADMIN", List.of("ROLE_USER"));
+        String hierarchy = RoleHierarchyUtils.roleHierarchyFromMap(roleHierarchyMap);
+        roleHierarchy.setHierarchy(hierarchy);
+        return roleHierarchy;
+    }
+
+    @Bean
+    public RoleHierarchyVoter roleHierarchyVoter() {
+        RoleHierarchy roleHierarchy = roleHierarchy();
+        return new RoleHierarchyVoter(roleHierarchy);
+    }
+}

src/main/java/com/example/demo/auth/SecurityConfiguration.java

@@ -0,0 +1,87 @@
+package com.example.demo.auth;
+
+import com.example.demo.auth.jwt.JwtAuthenticationFilter;
+import com.example.demo.auth.jwt.JwtFormLoginSuccessHandler;
+import com.example.demo.user.UserService;
+import lombok.AllArgsConstructor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+
+@AllArgsConstructor
+@EnableMethodSecurity
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+    private final UserService userService;
+    private final PasswordEncoder passwordEncoder;
+    private final RoleHierarchy roleHierarchy;
+
+    @Bean
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    @Autowired
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.csrf(AbstractHttpConfigurer::disable);
+        http.headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
+        http.httpBasic(AbstractHttpConfigurer::disable);
+
+        http.formLogin()
+            .successHandler(new JwtFormLoginSuccessHandler())
+            .and()
+            .logout().logoutUrl("/logout")
+            .permitAll().deleteCookies(HttpHeaders.AUTHORIZATION);
+
+        http.authorizeRequests()
+            .antMatchers("/h2-console", "/h2-console/**").permitAll()
+            .antMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**").permitAll()
+            .antMatchers("/login", "/error").permitAll()
+            .anyRequest().authenticated()
+            .expressionHandler(webSecurityExpressionHandler())
+            .and()
+            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
+
+        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
+        http.securityContext(sc -> sc.securityContextRepository(new RequestAttributeSecurityContextRepository()));
+    }
+
+    @Bean
+    public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
+        DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
+        webSecurityExpressionHandler.setRoleHierarchy(roleHierarchy);
+        return webSecurityExpressionHandler;
+    }
+
+
+
+}

src/main/java/com/example/demo/auth/jwt/JwtAuthenticationFilter.java

@@ -0,0 +1,67 @@
+package com.example.demo.auth.jwt;
+
+import io.jsonwebtoken.*;
+import io.jsonwebtoken.impl.DefaultJws;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;
+
+@Slf4j
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
+    public static final String AUTHORIZATION_HEADER_PREFIX = "Bearer ";
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        if (request.getRequestURI().startsWith("/oauth")) { // NOTE: Exclude oauth endpoint url.
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String token = null;
+
+        String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+        if (authorization != null && authorization.startsWith(AUTHORIZATION_HEADER_PREFIX)) {
+            token = authorization.substring(AUTHORIZATION_HEADER_PREFIX.length());
+        }
+
+        Cookie cookie = WebUtils.getCookie(request, HttpHeaders.AUTHORIZATION);
+        if (token == null && cookie != null) {
+            token = cookie.getValue();
+        }
+
+        if (StringUtils.hasText(token)) {
+            DefaultJws<Claims> jws = JwtUtil.parse(token);
+            Claims claims = jws.getPayload();
+
+            List<GrantedAuthority> authorities = new ArrayList<>();
+
+            if ("system".equals(claims.getSubject())) {
+                authorities.add(new SimpleGrantedAuthority("ROLE_SYSTEM"));
+            } else {
+                authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
+            }
+
+            UsernamePasswordAuthenticationToken authenticationToken =
+                new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities);
+            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
+            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/com/example/demo/auth/jwt/JwtFormLoginSuccessHandler.java

@@ -0,0 +1,43 @@
+package com.example.demo.auth.jwt;
+
+import com.example.demo.user.User;
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.web.util.CookieGenerator;
+
+@Slf4j
+public class JwtFormLoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
+
+    @Override
+    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+        Instant now = Instant.now();
+        User principal = (User) authentication.getPrincipal();
+
+        String jwt = JwtUtil.builder()
+            .subject(principal.getId())
+            .claim("name", authentication.getName())
+            .issuedAt(Date.from(now))
+            .expiration(Date.from(now.plus(30, ChronoUnit.DAYS)))
+            .compact();
+
+        CookieGenerator cookieGenerator = new CookieGenerator();
+        cookieGenerator.setCookieName(HttpHeaders.AUTHORIZATION);
+        cookieGenerator.setCookiePath("/");
+        cookieGenerator.setCookieSecure(true);
+        cookieGenerator.setCookieHttpOnly(true);
+        cookieGenerator.setCookieMaxAge((int) Duration.ofHours(1).toSeconds()); // seconds
+        cookieGenerator.addCookie(response, jwt);
+
+        super.onAuthenticationSuccess(request, response, authentication);
+    }
+}

src/main/java/com/example/demo/auth/jwt/JwtUtil.java

@@ -0,0 +1,29 @@
+package com.example.demo.auth.jwt;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.DefaultJws;
+import io.jsonwebtoken.security.Keys;
+import java.util.Base64;
+import javax.crypto.SecretKey;
+import lombok.experimental.UtilityClass;
+
+@UtilityClass
+public class JwtUtil {
+    public static SecretKey secretKey() {
+        byte[] bytes = Base64.getDecoder().decode("NwDDyzuXUkReFuwPyMjb3r6aDQAoj63Yu2FjiJjS3wFbvjK7");
+        return Keys.hmacShaKeyFor(bytes);
+    }
+
+    public static JwtBuilder builder() {
+        return Jwts.builder().signWith(JwtUtil.secretKey());
+    }
+
+    @SuppressWarnings("unchecked")
+    public static DefaultJws<Claims> parse(String token) {
+        return (DefaultJws<Claims>) Jwts.parser()
+            .verifyWith(JwtUtil.secretKey()).build()
+            .parse(token);
+    }
+}