Module 5 / Lesson 5.1

Spring Security Resource Server

Protect writes with a real resource-server filter chain while keeping public reads simple.

Concept

Security lands as proof, not as folklore. The app is an OAuth2 resource server that validates bearer JWTs; the lesson is the filter chain (request-level authorization), the USER/ADMIN role boundary, method security as a second gate, and a CSRF stance you can justify rather than assert.

Task

  1. Add the Spring Security and OAuth2 resource-server starters (plus spring-security-test for the test scope).
  2. Permit unauthenticated GET requests and require a valid bearer token for every mutating verb (POST, PUT, PATCH, DELETE).
  3. Gate mutating service methods with @PreAuthorize on the ADMIN role, independently of the request matchers.
  4. Test the five outcomes through MockMvc: anonymous read, anonymous write, USER write, ADMIN write, and a garbage bearer token.
  5. Write ADR-003 recording why the filter chain is shaped this way and why CSRF protection is off for a bearer-only chain.
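The five steps wired together in one file, as an added example rather than the lesson's own SecurityConfig.java. It assumes Spring Boot 3.x, a `/api/notes` resource with a `NoteService` behind it, and a `roles` claim in the token; the decoder itself comes from Boot's `spring.security.oauth2.resourceserver.jwt.issuer-uri` property, which is the only place an identity provider is named.

```java
// Added example (not the lesson's SecurityConfig.java). Assumed Gradle dependencies:
//   implementation("org.springframework.boot:spring-boot-starter-security")
//   implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
//   testImplementation("org.springframework.security:spring-security-test")
// Assumed property supplying the JwtDecoder (Boot auto-configuration, no Keycloak code here):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=<issuer>
// The /api/notes routes, NoteService and the "roles" claim name are assumptions.
package com.example.notes.security;

import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize: the second line of defense
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Request-level boundary: anyone may GET, every other verb needs a valid bearer token.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").permitAll()
                .anyRequest().authenticated())
            // Validate bearer JWTs with the Boot-provided JwtDecoder (signature, exp, iss),
            // and map the assumed "roles" claim to ROLE_* so hasRole('ADMIN') matches.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
            // Never create an HttpSession, so there is no cookie credential to replay.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF stance: off ONLY because this chain accepts bearer tokens and never cookies.
            // A cross-site form or fetch cannot make the browser attach an Authorization
            // header, which is the CSRF precondition. Re-enable if cookie login is ever added.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles"); // assumption about the token shape
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

@Service
class NoteService {
    private final List<String> notes = new CopyOnWriteArrayList<>(List.of("hello"));

    public List<String> list() { return notes; }

    // Method-level gate: if a future route slips past the request matchers, a
    // non-ADMIN caller is still refused here with AccessDeniedException (HTTP 403).
    @PreAuthorize("hasRole('ADMIN')")
    public void add(String text) { notes.add(text); }
}

@RestController
@RequestMapping("/api/notes")
class NoteController {
    private final NoteService service;

    NoteController(NoteService service) { this.service = service; }

    @GetMapping
    public List<String> list() { return service.list(); }

    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
    public void add(@RequestBody String text) { service.add(text); }
}
```

With this chain a missing or malformed token is answered by the bearer-token entry point (401 with a `WWW-Authenticate: Bearer` header), while an authenticated USER who reaches `NoteService.add` is answered by the access-denied handler (403); keeping those two codes distinct is what the test in step 4 should pin down.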

Run

./gradlew test --tests "*SecurityAuthorizationTest"

Expected Result

  • All five outcomes pass through MockMvc, i.e. through the real filter chain: anonymous read succeeds, anonymous write is 401, USER write is 403, ADMIN write succeeds, garbage token is 401.
  • No Keycloak (or any live identity provider) setup appears in the main path; the tests stub the token-decoding side.

Common Traps

  • Hand-rolling JWT parsing instead of using the resource server's JwtDecoder; signature, expiry and issuer checks come with it and are easy to get wrong by hand.
  • Saying CSRF never matters for APIs. It matters whenever the browser auto-attaches the credential (session cookies, cached HTTP Basic); the defensible claim is narrower: it does not apply to a chain that accepts only bearer tokens.
  • Testing authorization by calling service methods directly, without the filter chain. That exercises @PreAuthorize but not the request matchers, bearer-token parsing, or the 401-versus-403 distinction.

Hint Ladder

Hint 1

Bearer tokens in Authorization headers are not browser-auto-attached credentials: a cross-site form or fetch cannot make the browser add one, so a bearer-only chain does not have the precondition CSRF protection exists for.

Hint 2

Method security is a second line of defense after request matching: it catches a route a later request matcher forgets, and it yields 403 for an authenticated USER, whereas a missing or bad token is stopped earlier with 401.

Hint 3

Use Spring Security test support for role claims (the jwt() request post-processor in spring-security-test) instead of a live identity provider; stub the JwtDecoder so the garbage-token case can run offline too.
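A MockMvc test for the five outcomes, as an added example rather than the lesson's SecurityAuthorizationTest.java. It assumes GET and POST on `/api/notes`, POST gated to ROLE_ADMIN and answering 201, and it replaces Boot's JwtDecoder with a stub bean so no identity provider is contacted.

```java
// Added example (not the lesson's SecurityAuthorizationTest.java). Assumes Spring Boot 3.x,
// spring-security-test on the test classpath, GET/POST /api/notes with POST gated to
// ROLE_ADMIN and returning 201. Run with: ./gradlew test --tests "*SecurityAuthorizationTest"
package com.example.notes.security;

import static org.hamcrest.Matchers.containsString;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.http.MediaType;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityAuthorizationTest {

    // Offline stand-in for the issuer-backed decoder: every real bearer string is
    // rejected as malformed. Tests that need a principal use jwt() instead, which
    // sets the authentication directly and never touches this decoder.
    // Nested static @TestConfiguration classes are picked up by @SpringBootTest automatically.
    @TestConfiguration
    static class StubDecoder {
        @Bean
        JwtDecoder jwtDecoder() {
            return token -> { throw new BadJwtException("stub decoder: no token is valid"); };
        }
    }

    @Autowired
    MockMvc mvc;

    @Test
    void anonymousRead_isOk() throws Exception {
        mvc.perform(get("/api/notes")).andExpect(status().isOk());
    }

    @Test
    void anonymousWrite_is401() throws Exception {
        // No credential at all: the bearer entry point answers, not the access-denied handler.
        mvc.perform(post("/api/notes").contentType(MediaType.TEXT_PLAIN).content("x"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void userWrite_is403_fromMethodSecurity() throws Exception {
        // Passes the request matcher (authenticated) and is stopped by @PreAuthorize.
        // jwt().authorities(...) bypasses the app's JwtAuthenticationConverter, so the
        // roles-claim mapping itself is not covered here.
        mvc.perform(post("/api/notes")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_USER")))
                .contentType(MediaType.TEXT_PLAIN).content("x"))
            .andExpect(status().isForbidden());
    }

    @Test
    void adminWrite_is201() throws Exception {
        mvc.perform(post("/api/notes")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_ADMIN")))
                .contentType(MediaType.TEXT_PLAIN).content("x"))
            .andExpect(status().isCreated());
    }

    @Test
    void garbageToken_is401_notForbidden() throws Exception {
        // Goes through the real BearerTokenAuthenticationFilter and the stub decoder;
        // the failure is an authentication failure (invalid_token), never a 403.
        mvc.perform(post("/api/notes")
                .header("Authorization", "Bearer not.a.jwt")
                .contentType(MediaType.TEXT_PLAIN).content("x"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().string("WWW-Authenticate", containsString("invalid_token")));
    }
}
```

The USER and ADMIN cases deliberately go through `mvc.perform` rather than calling `NoteService` with a mocked SecurityContext, so the request matchers, the bearer filter and the 401/403 split are all under test; if the request matcher for writes is ever loosened, the USER case still fails at the method gate, which is the second line of defense the hints describe.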

Solution

See SecurityConfig.java, SecurityAuthorizationTest.java, and ADR-003.