Implement AuthN/AuthZ with Spring Security (SZ-4)
rk@tigase.net opened 2 hours ago

Implement AuthN/AuthZ with Spring Security

Goal:
Introduce basic authentication and authorization mechanisms for securing the Sztab backend. Protect endpoints based on user roles stored in the database.

Estimated Time: 6–7 hours


Task Breakdown

1. Add Spring Security Dependencies

  •  Add spring-boot-starter-security to pom.xml
  •  Ensure compatibility with Spring Boot 3 and Jakarta EE

2. Configure Basic Auth or Form-Based Login (MVP)

  •  Enable HTTP basic auth or form login for dev/test use
  •  Configure login page and failure handler (if using form login)
  •  Secure /api/** while allowing unrestricted access to /actuator, /health, etc.

3. Secure Endpoints Using Role-Based Access

  •  Annotate controller methods with @PreAuthorize or @Secured
  •  Define authorization rules (e.g. only ADMIN can delete users)
  •  Optionally use SecurityFilterChain for fine-grained config

4. Connect Authentication to Database

  •  Load User and Role from PostgreSQL
  •  Implement UserDetailsService or use Spring Data integration
  •  Map roles to GrantedAuthority objects

5. Password Handling

  •  Use BCryptPasswordEncoder for hashing and comparison
  •  Store hashed password in DB for default admin
  •  Add utility to generate encoded passwords for local testing

6. Optional: JWT Stub (For Future)

  •  Create placeholder for future JWT integration (if token-based auth is planned)
  •  Document switching strategy between session vs stateless

7. Tests and Validation

  •  Write integration tests for login success/failure
  •  Add role-based access tests for key endpoints
  •  Test login with default admin credentials
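
Steps 2 to 5 combined into one Spring Security 6 / Spring Boot 3 configuration, as an added example that is not code from the SZ-4 issue or the Sztab code base. The package name, the `SztabUser` record, the `SztabUserRepository` interface and the exact actuator paths are assumptions; controller methods then carry `@PreAuthorize("hasRole('ADMIN')")` for the admin-only operations such as deleting users.

```java
package net.tigase.sztab.security; // assumed package name
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
// Assumed shape of the persistence layer (a Spring Data repository over PostgreSQL in the real project).
record SztabUser(String username, String passwordHash, java.util.Set<String> roleNames) {}
interface SztabUserRepository { java.util.Optional<SztabUser> findByUsername(String username); }
@Configuration
@EnableMethodSecurity // activates @PreAuthorize("hasRole('ADMIN')") on controller methods (step 3)
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless HTTP basic for the MVP: no session cookie, so CSRF protection can be off.
            // For the form-login (cookie) variant, keep CSRF enabled and drop STATELESS.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Open only the probes; /actuator/env, /actuator/heapdump etc. stay behind auth.
                .requestMatchers("/actuator/health/**", "/actuator/info").permitAll()
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll()) // deny-by-default for any path not listed above
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
    // Step 4: User + Role rows become a UserDetails; roles() adds the ROLE_ prefix, so a DB value
    // "ADMIN" satisfies hasRole('ADMIN'). DaoAuthenticationProvider reports UsernameNotFoundException
    // as BadCredentialsException, so an unknown user and a wrong password look the same to a client.
    @Bean
    UserDetailsService userDetailsService(SztabUserRepository users) {
        return username -> users.findByUsername(username)
            .map(u -> User.withUsername(u.username())
                .password(u.passwordHash()) // stored BCrypt-encoded, never plaintext
                .roles(u.roleNames().toArray(String[]::new))
                .build())
            .orElseThrow(() -> new UsernameNotFoundException(username));
    }
    // Step 5: the same encoder bean verifies logins and hashes the default admin's seed password.
    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(12); }
}
```

The default admin's BCrypt hash for the seed SQL is produced with the same `passwordEncoder()` bean, so the stored value and the verification path never diverge.
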

Output Artifacts

  • Secured endpoints across User/Project/Issue APIs
  • Users and roles loaded from PostgreSQL
  • Working login flow for MVP
  • Passwords encoded using BCrypt
rk@tigase.net commented 2 hours ago

    🕒 Estimated Time: 6–7 hours total

    Subtask Estimates

    Task                                                     Estimated Time
    Add Spring Security dependencies and config base         ~30 mins
    Configure basic auth or form login                       ~1 hour
    Secure endpoints with annotations + test access rules    ~1.5 hours
    Integrate DB-based user + role authentication            ~1.5 hours
    Password encoding and secure admin setup                 ~1 hour
    Optional: stub for JWT future use                        ~30 mins
    Tests and validation (login + access control)            ~1 hour
Type: New Feature
Priority: Normal
Assignee:
Version: none
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-4