Added security for local running applications

Author: Nasruddin

.idea/workspace.xml

@@ -30,6 +30,19 @@ services:
  - ./postgresql/init.sql:/docker-entrypoint-initdb.d/init.sql
  networks:
  - shared-network
+
+ keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: keycloak
+ ports:
+ - "8081:8080"
+ environment:
+ KEYCLOAK_ADMIN: admin
+ KEYCLOAK_ADMIN_PASSWORD: admin
+ command: [ "start-dev" ]
+ networks:
+ - shared-network
+
 networks:
  shared-network:
  name: shared-network

docker/docker-compose-infra.yml

@@ -38,7 +38,16 @@
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-webflux</artifactId>
 </dependency>
+<!--Security related dependency-->
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-security</artifactId>
+</dependency>
 
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+</dependency>
 <dependency>
 <groupId>io.javatab.util</groupId>
 <artifactId>util</artifactId>

microservices/course-composite-service/pom.xml

@@ -0,0 +1,29 @@
+package io.javatab.microservices.composite.course.config;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/protectedapi")
+public class ResourceController {
+
+ @GetMapping("/public")
+ public String publicResource() {
+ return "This is a public resource. No authentication required.";
+ }
+
+ @GetMapping("/user")
+ //@PreAuthorize("hasRole('USER')")
+ public String userResource(Authentication authentication) {
+ return "Hello, " + authentication.getName() + "! You have USER access.";
+ }
+
+ @GetMapping("/admin")
+ //@PreAuthorize("hasRole('ADMIN')")
+ public String adminResource(Authentication authentication) {
+ return "Hello, " + authentication.getName() + "! You have ADMIN access.";
+ }
+}

microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/ResourceController.java

@@ -0,0 +1,112 @@
+package io.javatab.microservices.composite.course.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+
+@Configuration
+@EnableWebFluxSecurity
+public class SecurityConfig {
+
+ private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
+
+ @Bean
+ public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
+ http
+ .authorizeExchange(exchanges -> exchanges
+ .pathMatchers("/api/course-aggregate").hasRole("COURSE-AGGREGATE-READ")
+ .anyExchange().authenticated()
+ )
+ .oauth2ResourceServer(oauth2 -> oauth2
+ .jwt(jwt -> jwt.jwtAuthenticationConverter(grantedAuthoritiesExtractor()))
+ );
+
+ // Add filter to log roles
+ http.addFilterAt((exchange, chain) -> logRoles(exchange).then(chain.filter(exchange)),
+ SecurityWebFiltersOrder.AUTHORIZATION);
+
+ return http.build();
+ }
+
+ @Bean
+ public ReactiveJwtDecoder jwtDecoder() {
+ return NimbusReactiveJwtDecoder.withJwkSetUri("http://localhost:8081/realms/course-management-realm/protocol/openid-connect/certs").build();
+ }
+
+ @Bean
+ public Converter<Jwt, Mono<JwtAuthenticationToken>> grantedAuthoritiesExtractor() {
+ return new Converter<Jwt, Mono<JwtAuthenticationToken>>() {
+ @Override
+ public Mono<JwtAuthenticationToken> convert(Jwt jwt) {
+ Collection<GrantedAuthority> authorities = new ArrayList<>();
+
+ // Extract realm roles
+ Map<String, Object> realmAccess = jwt.getClaim("realm_access");
+ if (realmAccess != null && realmAccess.containsKey("roles")) {
+ List<String> roles = (List<String>) realmAccess.get("roles");
+ authorities.addAll(roles.stream()
+ .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+ .toList());
+ }
+
+ // Extract client roles (replace "my-resource-server" with your client ID)
+ /*Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+ if (resourceAccess != null) {
+ Map<String, Object> clientRoles = (Map<String, Object>) resourceAccess.get("my-resource-server");
+ if (clientRoles != null && clientRoles.containsKey("roles")) {
+ List<String> roles = (List<String>) clientRoles.get("roles");
+ authorities.addAll(roles.stream()
+ .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+ .toList());
+ }
+ }*/
+ Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+ if (resourceAccess != null) {
+ resourceAccess.forEach((resource, access) -> {
+ if (access instanceof Map) {
+ Map<String, Object> clientRoles = (Map<String, Object>) access;
+ if (clientRoles.containsKey("roles")) {
+ List<String> roles = (List<String>) clientRoles.get("roles");
+ authorities.addAll(roles.stream()
+ .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+ .toList());
+ }
+ }
+ });
+ }
+
+ return Mono.just(new JwtAuthenticationToken(jwt, authorities));
+ }
+ };
+ }
+
+ private Mono<Void> logRoles(ServerWebExchange exchange) {
+ return exchange.getPrincipal()
+ .cast(JwtAuthenticationToken.class)
+ .doOnNext(jwtAuth -> {
+ Collection<? extends GrantedAuthority> authorities = jwtAuth.getAuthorities();
+ logger.info("Roles in Resource Server: {}", authorities);
+ })
+ .then();
+ }
+}

microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/SecurityConfig.java

@@ -14,6 +14,15 @@ logging:
  level:
  root: INFO
  io.javatab.microservices.composite.course: DEBUG
+
+# Security related properties
+ security:
+ oauth2:
+ resourceserver:
+ jwt:
+ issuer-uri: http://localhost:8081/realms/course-management-realm
+ jwk-set-uri: http://localhost:8081/realms/course-management-realm/protocol/openid-connect/certs
+
 ---
 spring:
  config:

microservices/course-composite-service/src/main/resources/application.yml

@@ -61,6 +61,15 @@
 <artifactId>spring-boot-starter-validation</artifactId>
 </dependency>
 
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-security</artifactId>
+</dependency>
+
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+</dependency>
 
 <dependency>
 <groupId>io.javatab.util</groupId>