Sample secured endpoint

Author: Daenges

server/src/main/java/com/studybuddies/server/configuration/JwtAuthConverter.java

@@ -33,20 +33,27 @@ public AbstractAuthenticationToken convert(Jwt source) {
   private Collection<? extends GrantedAuthority> extractRoles(Jwt jwt) {
     Set<String> roles = new HashSet<>();
 
+    // Extract roles from realm_access (if available)
     Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
-    if(realmAccess != null && realmAccess.containsKey("roles")) {
+    if (realmAccess != null && realmAccess.containsKey("roles")) {
       roles.addAll((Collection<? extends String>) realmAccess.get("roles"));
     }
 
-    Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
-    if(resourceAccess != null && resourceAccess.containsKey("demo")) {
-      Map<String, Object> demoAccess = (Map<String, Object>) resourceAccess.get("roles");
-      if(demoAccess != null && demoAccess.containsKey("roles")) {
-        roles.addAll((Collection<? extends String>) demoAccess.get("roles"));
+    // Extract roles from resource_access dynamically
+    Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
+    if (resourceAccess != null) {
+      for (Map.Entry<String, Object> entry : resourceAccess.entrySet()) {
+        Map<String, Object> resource = (Map<String, Object>) entry.getValue();
+        if (resource.containsKey("roles")) {
+          roles.addAll((Collection<? extends String>) resource.get("roles"));
+        }
       }
-
     }
-    System.out.println(roles);
-    return roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())).collect(Collectors.toSet());
+
+    // Convert to Spring Security GrantedAuthorities with "ROLE_" prefix
+    return roles.stream()
+            .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+            .collect(Collectors.toSet());
   }
+
 }

server/src/main/java/com/studybuddies/server/configuration/SecurityConfig.java

@@ -3,10 +3,12 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
 @Configuration
+@EnableMethodSecurity
 public class SecurityConfig {
 
   @Autowired
@@ -15,8 +17,7 @@ public class SecurityConfig {
   @Bean
   public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     http.
-            authorizeHttpRequests(a -> a
-                    .anyRequest().authenticated())
+            authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
             .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter)));
     return http.build();
   }

server/src/main/java/com/studybuddies/server/web/MeetingController.java

@@ -9,6 +9,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 @AllArgsConstructor
@@ -32,6 +33,7 @@ public ResponseEntity<?> changeMeeting(@RequestParam Long id, @Valid @RequestBod
   }
 
   @GetMapping
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<?> getMeeting(@RequestParam(required = false) Long id) {
     String response = meetingService.retrieveMeetingFromDatabase(id);
     return ResponseEntity.status(HttpStatus.OK).body(response);