Spring Security's Filter Chain Without the Folklore
Resource server configuration, method security, CORS vs CSRF, and request tests that prove the chain.
Resource Server, Not Hand-Rolled JWT
The API expects bearer tokens through Spring Security's OAuth2 resource-server support.
The course does not add Keycloak to the main path because identity-provider operations would drown out the filter-chain lesson.
Request Rules And Method Rules
Public reads keep the tutorial easy to inspect. Writes require authentication, and mutating service methods require ADMIN through method security.
That gives the course two proof points: request matching and method authorization.
CSRF Depends On Credential Transport
Bearer tokens in Authorization headers are not credentials a browser attaches automatically, so CSRF protection is disabled for that transport-specific reason.
The ADR deliberately avoids the sloppy shortcut of claiming that APIs never need CSRF protection. Cookie credentials would change the decision.
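The chain described in the sections above, as an added example that is not the course's own code: it assumes Spring Boot 3 / Spring Security 6 with the oauth2-resource-server starter, an issuer configured through spring.security.oauth2.resourceserver.jwt.issuer-uri, a JWT claim named "roles" carrying values like ADMIN (claim name is an assumption), and hypothetical /api/** paths and ItemService names.

```java
// Added example (not the course's code). Assumes Spring Boot 3 / Spring Security 6 with
// spring-boot-starter-oauth2-resource-server and an issuer set through
// spring.security.oauth2.resourceserver.jwt.issuer-uri; the "roles" claim name is an assumption.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity
public class ApiSecurityConfig {
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // CSRF is off only because the sole credential is a bearer token, which browsers never
            // attach on their own. Adding cookie sessions would reverse this decision.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").permitAll()  // anonymous read: 200
                .anyRequest().authenticated())                            // anonymous write: 401
            // Garbage or expired tokens are rejected here and also answered with 401.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(rolesConverter())));
        return http.build();
    }

    // Map the JWT "roles" claim onto ROLE_* authorities so hasRole('ADMIN') works below.
    private JwtAuthenticationConverter rolesConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

// Method rule on the mutating service method: USER write is 403, ADMIN write succeeds.
@Service
class ItemService {
    @PreAuthorize("hasRole('ADMIN')")
    public String create(String name) { return "created " + name; }
}
```

A failed @PreAuthorize check on an authenticated caller surfaces as AccessDeniedException, which the chain translates to 403, while a missing or invalid bearer token never reaches the service and is answered with 401 by the resource-server entry point.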
The Five Outcomes
Anonymous read returns 200. Anonymous write returns 401. USER write returns 403. ADMIN write succeeds. Garbage or expired tokens return 401.
Those outcomes are asserted with MockMvc so at least one test passes through the real filter chain.