Spring Security: аутентификация и авторизация

1@Configuration
2@EnableWebSecurity
3@RequiredArgsConstructor
4public class SecurityConfig {
5
6    private final JwtAuthenticationFilter jwtAuthFilter;
7    private final AuthenticationProvider authenticationProvider;
8
9    @Bean
10    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
11        http
12            .csrf(csrf -> csrf.disable())
13            .authorizeHttpRequests(auth -> auth
14                .requestMatchers("/api/auth/**").permitAll()
15                .requestMatchers("/api/public/**").permitAll()
16                .requestMatchers(HttpMethod.GET, "/api/products/**").permitAll()
17                .requestMatchers("/api/admin/**").hasRole("ADMIN")
18                .anyRequest().authenticated()
19            )
20            .sessionManagement(session -> session
21                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
22            )
23            .authenticationProvider(authenticationProvider)
24            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
25
26        return http.build();
27    }
28
29    @Bean
30    public PasswordEncoder passwordEncoder() {
31        return new BCryptPasswordEncoder();
32    }
33}

1@Service
2public class JwtService {
3
4    @Value("${jwt.secret}")
5    private String secretKey;
6
7    @Value("${jwt.expiration}")
8    private long jwtExpiration;
9
10    public String generateToken(UserDetails userDetails) {
11        return Jwts.builder()
12            .setSubject(userDetails.getUsername())
13            .setIssuedAt(new Date())
14            .setExpiration(new Date(System.currentTimeMillis() + jwtExpiration))
15            .signWith(getSigningKey(), SignatureAlgorithm.HS256)
16            .compact();
17    }
18
19    private Key getSigningKey() {
20        byte[] keyBytes = Decoders.BASE64.decode(secretKey);
21        return Keys.hmacShaKeyFor(keyBytes);
22    }
23}

1@Component
2@RequiredArgsConstructor
3public class JwtAuthenticationFilter extends OncePerRequestFilter {
4
5    private final JwtService jwtService;
6    private final UserDetailsService userDetailsService;
7
8    @Override
9    protected void doFilterInternal(
10            HttpServletRequest request,
11            HttpServletResponse response,
12            FilterChain filterChain) throws ServletException, IOException {
13
14        final String authHeader = request.getHeader("Authorization");
15        final String jwt;
16        final String userEmail;
17
18        if (authHeader == null || !authHeader.startsWith("Bearer ")) {
19            filterChain.doFilter(request, response);
20            return;
21        }
22
23        jwt = authHeader.substring(7);
24        userEmail = jwtService.extractUsername(jwt);
25
26        if (userEmail != null && SecurityContextHolder.getContext().getAuthentication() == null) {
27            UserDetails userDetails = userDetailsService.loadUserByUsername(userEmail);
28
29            if (jwtService.isTokenValid(jwt, userDetails)) {
30                UsernamePasswordAuthenticationToken authToken =
31                    new UsernamePasswordAuthenticationToken(
32                        userDetails, null, userDetails.getAuthorities());
33                authToken.setDetails(
34                    new WebAuthenticationDetailsSource().buildDetails(request));
35                SecurityContextHolder.getContext().setAuthentication(authToken);
36            }
37        }
38        filterChain.doFilter(request, response);
39    }
40}

1@Service
2@RequiredArgsConstructor
3public class UserService implements UserDetailsService {
4
5    private final UserRepository userRepository;
6
7    @Override
8    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
9        User user = userRepository.findByEmail(username)
10            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
11
12        return org.springframework.security.core.userdetails.User.builder()
13            .username(user.getEmail())
14            .password(user.getPassword())
15            .roles(user.getRoles().stream()
16                .map(Role::name)
17                .toArray(String[]::new))
18            .build();
19    }
20}

1@Service
2@RequiredArgsConstructor
3public class DocumentService {
4
5    private final SecurityService securityService;
6
7    public Document getDocument(Long id) {
8        Document doc = documentRepository.findById(id)
9            .orElseThrow(() -> new RuntimeException("Not found"));
10
11        // Проверка владения
12        if (!doc.getOwnerId().equals(securityService.getCurrentUserId())
13                && !securityService.hasRole("ADMIN")) {
14            throw new AccessDeniedException("Not authorized");
15        }
16
17        return doc;
18    }
19}

1@RestControllerAdvice
2public class SecurityExceptionHandler {
3
4    @ExceptionHandler(AccessDeniedException.class)
5    public ResponseEntity<ErrorResponse> handleAccessDenied(AccessDeniedException ex) {
6        return ResponseEntity.status(HttpStatus.FORBIDDEN)
7            .body(new ErrorResponse("ACCESS_DENIED", "Недостаточно прав"));
8    }
9
10    @ExceptionHandler(BadCredentialsException.class)
11    public ResponseEntity<ErrorResponse> handleBadCredentials(BadCredentialsException ex) {
12        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
13            .body(new ErrorResponse("INVALID_CREDENTIALS", "Неверные учётные данные"));
14    }
15}

1@Configuration
2public class OAuth2Config {
3
4    @Bean
5    public ClientRegistrationRepository clientRegistrationRepository() {
6        ClientRegistration google = ClientRegistration.withRegistrationId("google")
7            .clientId("your-client-id")
8            .clientSecret("your-client-secret")
9            .scope("openid", "profile", "email")
10            .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
11            .tokenUri("https://oauth2.googleapis.com/token")
12            .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
13            .userNameAttributeName(IdTokenClaimNames.SUB)
14            .clientName("Google")
15            .build();
16
17        return new InMemoryClientRegistrationRepository(google);
18    }
19}

1@SpringBootTest
2@AutoConfigureMockMvc
3class SecurityTest {
4
5    @Autowired
6    private MockMvc mockMvc;
7
8    @Test
9    void shouldReturn401_whenNoToken() throws Exception {
10        mockMvc.perform(get("/api/users"))
11            .andExpect(status().isUnauthorized());
12    }
13
14    @Test
15    @WithMockUser(roles = "USER")
16    void shouldReturn200_whenAuthenticated() throws Exception {
17        mockMvc.perform(get("/api/users"))
18            .andExpect(status().isOk());
19    }
20
21    @Test
22    @WithMockUser(roles = "USER")
23    void shouldReturn403_whenAdminEndpoint() throws Exception {
24        mockMvc.perform(get("/api/admin/users"))
25            .andExpect(status().isForbidden());
26    }
27}