Implement AuthN/AuthZ with Spring Security

Goal:
Introduce basic authentication and authorization mechanisms for securing the Sztab backend. Protect endpoints based on user roles stored in the database.

Estimated Time: 6–7 hours

Task Breakdown

1. Add Spring Security Dependencies

•  Add spring-boot-starter-security to pom.xml
•  Ensure compatibility with Spring Boot 3 and Jakarta EE

2. Configure Basic Auth or Form-Based Login (MVP)

•  Enable HTTP basic auth or form login for dev/test use
•  Configure login page and failure handler (if using form login)
•  Secure /api/** while allowing unrestricted access to /actuator, /health, etc.

3. Secure Endpoints Using Role-Based Access

•  Annotate controller methods with @PreAuthorize or @Secured
•  Define authorization rules (e.g. only ADMIN can delete users)
•  Optionally use SecurityFilterChain for fine-grained config

4. Connect Authentication to Database

•  Load User and Role from PostgreSQL
•  Implement UserDetailsService or use Spring Data integration
•  Map roles to GrantedAuthority objects

5. Password Handling

•  Use BCryptPasswordEncoder for hashing and comparison
•  Store hashed password in DB for default admin
•  Add utility to generate encoded passwords for local testing

6. Optional: JWT Stub (For Future)

•  Create placeholder for future JWT integration (if token-based auth is planned)
•  Document switching strategy between session vs stateless

7. Tests and Validation

•  Write integration tests for login success/failure
•  Add role-based access tests for key endpoints
•  Test login with default admin credentials

Output Artifacts

• Secured endpoints across User/Project/Issue APIs
• Users and roles loaded from PostgreSQL
• Working login flow for MVP
• Passwords encoded using BCrypt