Configuring Web Security in Spring Web and Spring WebFlux with Spring Boot 3.x and Java 17

Team is proactively working on spring boot 3.x upgrade and java 17. this post guide you how to migrate those Web Security Config in both Spring Web and Spring WebFlux. Securing web applications is a critical aspect of modern software development. In Spring applications, configuring web security is made easy with the powerful Spring Security framework. With the release of Spring Boot 3.x and Java 17, developers can leverage the latest features and improvements for building secure web application

Post, Code and Quiet Time. Configuring Web Security in Spring Web and Spring WebFlux with Spring Boot 3.x and Java 17 By Errong Leng – 16 Apr 2024 – View online → Photo by Yixian Zhao / Unsplash Team is proactively working on spring boot 3.x upgrade and java 17. this post guide you how to migrate those Web Security Config in both Spring Web and Spring WebFlux. Securing web applications is a critical aspect of modern software development. In Spring applications, configuring web security is made easy with the powerful Spring Security framework. With the release of Spring Boot 3.x and Java 17, developers can leverage the latest features and improvements for building secure web applications. This guide will demonstrate how to configure web security in both Spring Web and Spring WebFlux applications using Spring Security with Spring Boot 3.x and Java 17. Configuring Web Security in Spring Web import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import static org.springframework.security.config.Customizer.withDefaults; @EnableWebSecurity @Configuration public class WebSecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http .sessionManagement(s -> s.sessionFixation().newSession()) .httpBasic(AbstractHttpConfigurer::disable) .cors(AbstractHttpConfigurer::disable) .csrf(AbstractHttpConfigurer::disable) .logout(AbstractHttpConfigurer::disable) .formLogin(AbstractHttpConfigurer::disable) .authorizeHttpRequests(requests -> requests.requestMatchers( new AntPathRequestMatcher("/paths/public/access", "GET") ).permitAll().anyRequest().authenticated()) .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults())).build(); } } Configuring Web Security in Spring WebFlux import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; import static org.springframework.http.HttpMethod.GET; import static org.springframework.security.config.Customizer.withDefaults; @Configuration @EnableWebFluxSecurity public class WebSecurityConfig { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable) .cors(ServerHttpSecurity.CorsSpec::disable) .csrf(ServerHttpSecurity.CsrfSpec::disable) .logout(ServerHttpSecurity.LogoutSpec::disable) .formLogin(ServerHttpSecurity.FormLoginSpec::disable) .authorizeExchange((authorize) -> authorize .pathMatchers(GET, "/paths/public/access") .permitAll() .anyExchange().authenticated() ) .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults())) .build(); } } Define Security Rules: Define security rules using the ServerHttpSecurity object, similar to configuring rules for Spring Web applications. Specify URL patterns, access permissions, and authentication mechanisms accordingly. Oauth 2 Resource Server with JWT spring: security: oauth2: resourceserver: jwt: public-key-location: """ issuer-uri: "" Conclusion Configuring web security in Spring Web and Spring WebFlux applications with Spring Boot 3.x and Java 17 is straightforward with Spring Security. By following the guidelines outlined in this guide, you can effectively secure your web applications against unauthorized access and protect sensitive resources. Whether you're building traditional servlet-based applications or reactive applications, Spring Security provides the necessary tools and flexibility to meet your security requirements. Post, Code and Quiet Time. © 2024 – Unsubscribe

Implementing Filters in Spring Web and Spring WebFlux

Introduction Team is proactively working on spring boot 3.x upgrade and java 17. this post guide you how to migrate those Filters in both Spring Web and Spring WebFlux. Filters are a fundamental aspect of web development, allowing developers to intercept and manipulate incoming requests and outgoing responses. In Spring applications, filters can be implemented to perform tasks such as logging, authentication, authorization, and request/response modification. This guide will demonstrate how to

Post, Code and Quiet Time. Implementing Filters in Spring Web and Spring WebFlux By Errong Leng – 16 Apr 2024 – View online → Photo by J Lee / Unsplash Introduction Team is proactively working on spring boot 3.x upgrade and java 17. this post guide you how to migrate those Filters in both Spring Web and Spring WebFlux. Filters are a fundamental aspect of web development, allowing developers to intercept and manipulate incoming requests and outgoing responses. In Spring applications, filters can be implemented to perform tasks such as logging, authentication, authorization, and request/response modification. This guide will demonstrate how to implement filters in both Spring Web and Spring WebFlux applications. Implementing Filters in Spring Web In Spring Web, filters are implemented by extending the javax.servlet.Filter interface and registering the filter with the servlet container using either web.xml or Servlet 3.0+ annotations. import javax.servlet.*; import java.io.IOException; @Component public class MyFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { // Initialization logic } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // Filter logic chain.doFilter(request, response); // Proceed with the filter chain } @Override public void destroy() { // Cleanup logic } } In the latest Java 17 release, the Jakarta EE namespace (jakarta.servlet) replaces the previous javax.servlet namespace. import jakarta.servlet.*; import jakarta.servlet.http.HttpServletRequest; Create a Filter Class Register the Filter: You can register the filter using either web.xml or Servlet 3.0+ annotations. With annotations, simply annotate the filter class with @Component. Configure Filter Order (Optional): If you have multiple filters, you can specify their order using the @Order annotation or by implementing the Ordered interface. Implementing Filters in Spring WebFlux In Spring WebFlux, filters are implemented as WebFilter beans, which are registered with the WebFilterChain in the application configuration. import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.WebFilter; import org.springframework.web.server.WebFilterChain; import reactor.core.publisher.Mono; @Component public class MyWebFilter implements WebFilter { @Override public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) { // Filter logic return chain.filter(exchange); // Proceed with the filter chain } } Register the WebFilter Bean: The WebFilter bean is automatically registered with the WebFilterChain when the application starts. Conclusion Implementing filters in Spring Web and Spring WebFlux applications allows developers to intercept and manipulate HTTP requests and responses. Whether you're working with traditional servlet-based applications or reactive applications, Spring provides flexible mechanisms for implementing filters to meet your application's requirements. By following the guidelines outlined in this guide, you can effectively implement filters in your Spring applications to perform various tasks such as logging, authentication, and request/response modification. Post, Code and Quiet Time. © 2024 – Unsubscribe

A Comprehensive Guide to Context Path Configuration in Spring Web and Spring WebFlux

Introduction Team is working on spring boot version upgrade to 3.x and java to java 17. We noticed a few changes required for Context Path. The context path plays a crucial role in web applications, serving as the prefix to all URLs within the application. Configuring the context path correctly is essential, especially in scenarios where multiple applications are deployed on the same server. In this guide, we'll explore how to configure the context path in both Spring Web and Spring WebFlux app

Post, Code and Quiet Time. A Comprehensive Guide to Context Path Configuration in Spring Web and Spring WebFlux By Errong Leng – 16 Apr 2024 – View online → Photo by Jelleke Vanooteghem / Unsplash Introduction Team is working on spring boot version upgrade to 3.x and java to java 17. We noticed a few changes required for Context Path. The context path plays a crucial role in web applications, serving as the prefix to all URLs within the application. Configuring the context path correctly is essential, especially in scenarios where multiple applications are deployed on the same server. In this guide, we'll explore how to configure the context path in both Spring Web and Spring WebFlux applications. Configuring Context Path in Spring Web In a traditional Spring Web application, configuring the context path can be done through application properties or XML configuration. server.servlet.context-path=/myapp Configuring Base Path in Spring WebFlux In Spring WebFlux, you can indeed configure the base path directly using the spring.webflux.base-path property in the application.properties file. This property specifies the base path under which all WebFlux endpoints will be mapped. Example application.properties: spring.webflux.base-path=/myapp This simple configuration effectively sets the context path for the Spring WebFlux application. Conclusion Configuring the context path is essential for maintaining a well-organized and structured web application. Whether you're using Spring Web or Spring WebFlux, the process of configuring the context path is straightforward and can be done through properties or programmatic configuration. By following the guidelines outlined in this guide, you can ensure that your applications are correctly configured and easily accessible under the desired context path. Post, Code and Quiet Time. © 2024 – Unsubscribe

A Comprehensive Guide to Using H2 In-Memory Database in Unit Tests

Introduction Unit testing is an integral part of software development, ensuring that individual components of an application function as expected in isolation. When testing components that interact with databases, using an in-memory database is a common approach to achieve fast and reliable tests. In this guide, we'll explore how to use the H2 in-memory database in your unit tests with Spring Boot. Step 1: Add H2 Dependency First, ensure that you have the H2 database dependency added to your

Post, Code and Quiet Time. A Comprehensive Guide to Using H2 In-Memory Database in Unit Tests By Errong Leng – 16 Apr 2024 – View online → Photo by Daniel Hehn / Unsplash Introduction Unit testing is an integral part of software development, ensuring that individual components of an application function as expected in isolation. When testing components that interact with databases, using an in-memory database is a common approach to achieve fast and reliable tests. In this guide, we'll explore how to use the H2 in-memory database in your unit tests with Spring Boot. Step 1: Add H2 Dependency First, ensure that you have the H2 database dependency added to your Maven or Gradle build file. In a Spring Boot project, you typically include H2 as a test dependency. Maven: <dependency> <groupId>com.h2database</groupId> <artifactId>h2</artifactId> <scope>test</scope> </dependency> Step 2: Configure Spring Boot Application In your Spring Boot application configuration, configure the datasource to use the H2 in-memory database. This can be achieved by specifying the JDBC URL, username, and password in the application.properties or application.yml file. Example application.properties: spring.datasource.url=jdbc:h2:mem:testdb spring.datasource.driverClassName=org.h2.Driver spring.datasource.username=sa spring.datasource.password=password spring.h2.console.enabled=true Step 3: Write Unit Tests Write your unit tests using a testing framework such as JUnit or TestNG. Use the Spring TestContext Framework to initialize the Spring application context and enable transaction management for your tests. Example unit test with JUnit 5: import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase; import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase.Replace; import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest; import org.springframework.test.context.junit.jupiter.SpringJUnitConfig; @SpringBootTest class UserRepositoryIntegrationTest { @Autowired private UserRepository userRepository; @Test void testSaveUser() { // Write your test logic here } } Step 4: Run Unit Tests Run your unit tests using your preferred build tool (Maven or Gradle) or within your IDE. The tests will utilize the H2 in-memory database configured for testing purposes. Conclusion Using the H2 in-memory database in unit tests offers a lightweight and efficient way to test database interactions in your Spring Boot applications. By following the steps outlined in this guide, you can seamlessly integrate H2 into your unit testing workflow, ensuring the reliability and effectiveness of your tests while maintaining fast execution times. Happy testing! Post, Code and Quiet Time. © 2024 – Unsubscribe

why @WithMockUser still got 401 unauthorized

@AutoConfigureMockMvc for none reactive spring application, the Servlet API and Servlet containers, spring-boot-starter-web, please use MockMvc. import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; @DirtiesContext(classMode = ClassMode.AFTER_EACH_TEST_METHOD) @AutoConfigureMockMvc @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) public class IntegrationTestsBase { @Autowired protected MockMvc mockMvc; ... mockMvc.perform(

Post, Code and Quiet Time. why @WithMockUser still got 401 unauthorized By Errong Leng – 15 Apr 2024 – View online → Photo by TOMOKO UJI / Unsplash @AutoConfigureMockMvc for none reactive spring application, the Servlet API and Servlet containers, spring-boot-starter-web, please use MockMvc. import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; @DirtiesContext(classMode = ClassMode.AFTER_EACH_TEST_METHOD) @AutoConfigureMockMvc @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) public class IntegrationTestsBase { @Autowired protected MockMvc mockMvc; ... mockMvc.perform(post(url) .header(HttpHeaders.AUTHORIZATION, "authorization") .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE) ... .content(objectMapper.writeValueAsString(req)) ).andReturn().getResponse(); @AutoConfigureWebTestClient for reactive spring application, The reactive-stack web framework, spring-boot-starter-webflux, please use WebTestClient. @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) @DirtiesContext(classMode = ClassMode.AFTER_EACH_TEST_METHOD) @AutoConfigureWebTestClient(timeout = "100000") public class IntegrationTests { @Autowired protected WebTestClient webTestClient; ... webTestClient .get() .uri(uriBuilder -> .build()) .header(Headers.LANGUAGE, "EN") .header(Headers.AUTHORIZATION, "authorization") .exchange() .expectStatus() .is2xxSuccessful() .expectBody(PortalContractResponse[].class) .returnResult().getResponseBody(); @MockWithUser @MockWithUser is a custom annotation used in Spring Boot tests to simplify the process of mocking user authentication. This annotation is typically used in conjunction with Spring Security tests to automatically mock user authentication details, such as username, roles, and authorities, allowing for easier testing of secured endpoints and methods. When applied to a test method or class, @MockWithUser populates the security context with a mocked user, eliminating the need for manual setup of authentication details in each test case. By using @MockWithUser, you can streamline your Spring Security tests and focus on testing the behavior of your application without worrying about setting up user authentication details manually in each test case. @SpringBootTest class UserControllerIntegrationTest { @Test @MockWithUser(username = "testuser", roles = {"USER", "ADMIN"}) void testGetUserDetails() throws Exception { // use MockMvc or WebTestClient } } Conclusion In conclusion, when using the Servlet API and Servlet containers with WebTestClient, or when employing MockMvc in reactive-stack web frameworks, encountering persistent 401 unauthorized responses in test cases is a common occurrence. This behavior arises due to the inherent differences in how authentication is handled between these components. As such, developers need to be aware of these nuances and adapt their testing strategies accordingly. Strategies such as configuring authentication mechanisms appropriately for the chosen testing framework or utilizing custom authentication mechanisms can help mitigate these challenges and ensure successful test execution. Post, Code and Quiet Time. © 2024 – Unsubscribe