Authentication

.gitignore

@@ -23,4 +23,7 @@
 hs_err_pid*
 replay_pid*
 
-target
+target
+
+data/
+volume-data/

docker-compose.yml

@@ -0,0 +1,53 @@
+services:
+  poll-service:
+    image:  ghcr.io/sympoll/poll-service/sympoll-poll-service:latest
+    container_name: poll-service-dc
+    ports:
+      - "8082:8082"
+    networks:
+      - sympoll-network
+
+  api-gateway:
+    image: ghcr.io/sympoll/api-gateway-service/sympoll-api-gateway-service-test:latest
+    ports:
+      - "8081:8081"
+    networks:
+      - sympoll-network
+
+  keycloak-mysql:
+    container_name: keycloak-mysql
+    image: mysql:8
+    environment:
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: keycloak
+      MYSQL_USER: keycloak
+      MYSQL_PASSWORD: password
+    volumes:
+      - ./volume-data/mysql_keycloak_data:/var/lib/mysql
+    networks:
+      - sympoll-network
+
+  keycloak:
+    container_name: keycloak
+    image: quay.io/keycloak/keycloak:24.0.1
+    command: [ "start-dev", "--import-realm" ]
+    environment:
+      DB_VENDOR: MYSQL
+      DB_ADDR: mysql
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_PASSWORD: password
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    ports:
+      - "8181:8080"
+    volumes:
+      - ./docker/keycloak/realms/:/opt/keycloak/data/import/
+    depends_on:
+      - keycloak-mysql
+    networks:
+      - sympoll-network
+
+networks:
+  sympoll-network:
+    driver: bridge

docker/init.sql

@@ -0,0 +1,8 @@
+-- User Management Service Schema
+CREATE TABLE users
+(
+    user_id       UUID PRIMARY KEY,
+    username      VARCHAR(255) UNIQUE NOT NULL,
+    email         VARCHAR(255),
+    created_at    TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);

pom.xml

@@ -47,6 +47,11 @@
 			<scope>test</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>io.projectreactor</groupId>
 			<artifactId>reactor-core</artifactId>

src/main/java/com/MTAPizza/Sympoll/api_gateway_service/config/SecurityConfigDisabled.java

@@ -0,0 +1,26 @@
+package com.MTAPizza.Sympoll.api_gateway_service.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
+
+
+@Configuration
+@EnableWebSecurity
+@Profile("auth-disabled")
+public class SecurityConfigDisabled {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .csrf(AbstractHttpConfigurer::disable) // New method to disable CSRF
+                .authorizeRequests(auth -> auth
+                        .anyRequest().permitAll()); // Allow all requests without authentication
+
+        return http.build();
+    }
+}

src/main/java/com/MTAPizza/Sympoll/api_gateway_service/config/SecurityConfigEnabled.java

@@ -0,0 +1,23 @@
+package com.MTAPizza.Sympoll.api_gateway_service.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+@Profile("auth-enabled")
+public class SecurityConfigEnabled {
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+        return httpSecurity.authorizeHttpRequests(authorize -> authorize
+                        .anyRequest().authenticated())
+                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
+                .build();
+    }
+}
+

src/main/resources/application-auth-enabled.properties

@@ -0,0 +1,7 @@
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://auth.localhost/realms/sympoll-realm
+# Use the reverse proxy to resolve and retrieve JWKs internally
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://auth-reverse-proxy/realms/sympoll-realm/protocol/openid-connect/certs
+# Enable detailed logging for OAuth2 resource server and JWT validation
+logging.level.org.springframework.security.oauth2=DEBUG
+logging.level.org.springframework.security.oauth2.server.resource=DEBUG
+logging.level.com.nimbusds=DEBUG

src/main/resources/application.properties

@@ -1,9 +1,13 @@
 server.port=8081
 spring.application.name=api-gateway-service
+spring.profiles.active=${ENABLE_AUTH:auth-enabled}
 
 # Cluster path to the Services:
 poll.route.uri=http://poll-service:8082
 user.route.uri=http://user-service:8083
 vote.route.uri=http://vote-service:8084
 group.route.uri=http://group-service:8085
 media.route.uri=http://media-service:8086
+
+logging.level.org.springframework.web=DEBUG
+logging.level.org.springframework.security=DEBUG