Concept
Security lands as proof, not as folklore. The app is an OAuth2 resource server; the lesson is the filter chain, role boundary, method security, and precise CSRF stance.
Task
- Add OAuth2 resource-server and Spring Security dependencies.
- Permit public reads and require authentication for writes.
- Gate mutating service methods with ADMIN method security.
- Test anonymous, USER, ADMIN, and garbage-token request outcomes.
- Write ADR-003 with the filter-chain and CSRF reasoning.
Run
./gradlew test --tests "*SecurityAuthorizationTest"
Expected Result
- The five authorization/authentication outcomes pass through MockMvc.
- No Keycloak setup appears in the main path.
Common Traps
- Hand-rolling JWT parsing.
- Saying CSRF never matters for APIs.
- Testing authorization by calling service methods without the filter chain.
Hint Ladder
Hint 1
Bearer tokens in Authorization headers are not browser-auto-attached credentials.
Hint 2
Method security is a second line of defense after request matching.
Hint 3
Use Spring Security test support for role claims instead of a live identity provider.
Solution
See SecurityConfig.java, SecurityAuthorizationTest.java, and ADR-003.
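An added sketch of the configuration the tasks above describe, written here as an example rather than taken from the course's SecurityConfig.java. It assumes the API lives under /api/**, that the identity provider puts roles in a "roles" claim, and that NoteService is a hypothetical service; the CSRF stance shown (disabled because the only credential is a header-carried bearer token) is one defensible position for ADR-003, not the course's recorded decision.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize: a second line of defense behind request matching
public class SecurityConfig {
  @Bean
  SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
    return http
        // No session is created, so the browser never holds a credential it could auto-attach.
        .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        // CSRF is disabled because the only credential is a bearer token in the Authorization
        // header; revisit this the moment cookie- or form-based login is added.
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(HttpMethod.GET, "/api/**").permitAll() // public reads
            .anyRequest().authenticated())                           // writes need a valid JWT
        // Signature, expiry and issuer checks are done by Spring against the issuer's JWKS.
        .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->
            jwt.jwtAuthenticationConverter(rolesClaimConverter())))
        .build();
  }

  // Maps the "roles" claim (assumed name) to ROLE_* authorities so hasRole('ADMIN') matches.
  private JwtAuthenticationConverter rolesClaimConverter() {
    JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
    roles.setAuthoritiesClaimName("roles");
    roles.setAuthorityPrefix("ROLE_");
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(roles);
    return converter;
  }
}

// Hypothetical service: a caller that passes the filter chain must also hold ADMIN here.
@Service
class NoteService {
  @PreAuthorize("hasRole('ADMIN')")
  public void deleteNote(long id) { /* mutating work */ }
}
```

In SecurityAuthorizationTest this is exercised through MockMvc with `SecurityMockMvcRequestPostProcessors.jwt()` supplying the role claims, so the garbage-token case fails at the resource-server filter and the USER-vs-ADMIN case fails at the @PreAuthorize boundary.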