notes/pl/java/libfws/spring/security/docs/courses/linkedin.txt

2022
https://www.linkedin.com/learning/spring-spring-security-15832928/
    ! 1h31m, 2022
    https://www.linkedin.com/learning/spring-spring-security-15832928/in-memory-authentication
        deps (org.springframework.boot)
            * spring-boot-starter-security
            * spring-security-test

        create a new class ...config/WebSecurityConfig
            ...
            import org.springframework.context.annotation.Bean;
            import org.springframework.context.annotation.Configuration;
            import org.springframework.security.config.annotation.web.builders.HttpSecurity;
            import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
            import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
            import org.springframework.security.core.userdetails.User;
            import org.springframework.security.core.userdetails.UserDetails;
            import org.springframework.security.core.userdetails.UserDetailsService;
            import org.springframework.security.provisioning.InMemoryUserDetailsManager;
            ...
            @Configuration
            @EnableWebSecurity
            public class WebSecurityConfig extends WebSecurityConfigurerAdopter {
                @Override
                protected void configure(HttpSecurity httpSecurity) throws Exception {
                    http
                        .authorizeRequest()
                        .antMatchers("/", "/home").permitAll()
                        .anyRequest().authenticated()
                        .and()
                        .httpBasic();
                }
                @Bean
                @Override
                public UserDetailsService userDetailsService() {
                    UserDetails user = User
                        .withDefaultPasswordEncoder() // deprecated, for test purp only
                        .username("user")
                        .password("password")
                        .roles("USER")
                        .build();
                    return new InMemoryUserDatailsManager(user);
                }
            }

    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) {
            http
                .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/customers/**").hasRole("USER") // "ROLE_USER"
                .antMatchers("/orders").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
                .httpBasic() // does not have /logout
                // for the form-based auth
                // .httpBasic
                .formLogin()
                .loginPage("/login").permitAll()
                .permitAll();
                .and()
                .logout()
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/login?logout")
                .permitAll()
        }

        @Bean
        public UserDetailsService users(DataSource dataSource) {
            return JdbcUserDetailManager();
        }

        // spring cli
        spring encodepassword password
        bcrypt pwd-encoder is default one

        @Bean
        public GrantedAuthoritiesMapper authorityMapper() {
            SimpleAuthoritiyMapper authorityMapper = new SimpleAuthoritiyMapper();
            authorityMapper.setConvertToUpperCase(true);
            return authorityMapper;
        }
    }
    
    OAuth2 token types
    access_token (short-lived), id-s a user
    refresh_token - longer-lived
    scopes - provides for rights, associated with the access token

    Grants
    authorization code
    implicit
    client credentials

    CommonOAuth2Provider
        provides native support for Okta, Google, ...

    Auth Server
        @EnableAuthorizationServer
        AuthorizationServerConfigurerAdapter

    ResourceServer
        @EnableResourceServer

    OAuth2Client
    @EnableOAuth2Client
    Oauth2RestTemplate - provieds much scaffolding

    LDAP
    need to configure AuthenticationManagerBuilder

    @EnableWebFluxSecurity
    SecurityWebFilterChain provides more fine-grained control
    MapReactiveUserDetailsService provides handle to UserDetailsService

    @EnableWebFluxSecurity
    ... {
        @Bean
        public MapReactiveUserDetailsService userDetailsService() {
            List<UserDetails> = new ArrayList<>();
            userDetails.add(User.withDefaultPasswordEncoder().username(...).password(...).roles("USER").build());
            // ... .roles("USER", "ADMIN")
            return new MapReactiveUserDetailsService(userDetails);
        }
        @Bean
        // ServerHttpSecurity is for WebFlux
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { 
            http.authorizeExchange()
                .pathMatchers("/hello").permitAll()
                .anyExchange().hasRole("ADMIN")
                .and().httpBasic();
            return http.build()
        }
    }