Todos os requisitos foram implementados e testados.

exemplos/02-seguranca/pom.xml

@@ -56,6 +56,24 @@
             <version>42.2.8</version>
         </dependency>
 
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.10.5</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.10.5</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.10.5</version>
+            <scope>runtime</scope>
+        </dependency>
+
     </dependencies>
 
     <build>

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/SecurityConfig.java

@@ -0,0 +1,16 @@
+package br.com.ifpb.pweb2.securitydemo.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix="security")
+@Data
+public class SecurityConfig {
+    private String tokenType;
+    private String secret;
+    private String issuer;
+    private String audience;
+    private Long expiration;
+}

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/WebSecurityConfig.java

@@ -1,32 +1,71 @@
 package br.com.ifpb.pweb2.securitydemo.config;
 
-import org.springframework.core.annotation.Order;
+import br.com.ifpb.pweb2.securitydemo.config.jwt.JwtAuthorizationFilter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true)
 /***
  * Deve ser carregado por último para garantir que essa configuração será aplicada a todos
  */
-@Order(10)
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter  {
+//@Order(10)
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    private final UserDetailsService userDetailsService;
+
+    private final PasswordEncoder passwordEncoder;
+
+    private final SecurityConfig securityConfig;
+
+    public WebSecurityConfig(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder, SecurityConfig securityConfig) {
+        this.userDetailsService = userDetailsService;
+        this.passwordEncoder = passwordEncoder;
+        this.securityConfig = securityConfig;
+    }
+
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http.csrf().disable()
+        http.cors().and()
                 .authorizeRequests()
-                .antMatchers("/api/**").authenticated()
                 .antMatchers("/publico").permitAll()
-                .antMatchers("/usuarios").permitAll()
-            .and()
-            .sessionManagement()
+                .antMatchers("/login").permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .addFilter(new JwtAuthorizationFilter(authenticationManager(), securityConfig))
+                .sessionManagement()
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-            .and()
-            .httpBasic();
+                .and()
+                .csrf().disable();
+    }
+
+    public void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
+    }
+
+
+    @Bean
+    public AuthenticationManager getAuthenticationManager() throws Exception {
+        return authenticationManager();
+    }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
+        return source;
     }
 
 }

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/jwt/JwtAuthorizationFilter.java

@@ -0,0 +1,82 @@
+package br.com.ifpb.pweb2.securitydemo.config.jwt;
+
+import br.com.ifpb.pweb2.securitydemo.config.SecurityConfig;
+import io.jsonwebtoken.*;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Slf4j
+public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
+
+    private final SecurityConfig securityConfig;
+
+    public JwtAuthorizationFilter(AuthenticationManager authenticationManager, SecurityConfig securityConfig) {
+        super(authenticationManager);
+        this.securityConfig = securityConfig;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+                                    FilterChain filterChain) throws IOException, ServletException {
+        UsernamePasswordAuthenticationToken authentication = getAuthentication(request);
+        if (authentication == null) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+        filterChain.doFilter(request, response);
+    }
+
+    private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
+        String token = request.getHeader("Authorization");
+        if (token != null && !token.isEmpty() && token.startsWith("Bearer")) {
+            try {
+                String signingKey = securityConfig.getSecret();
+
+                Jws<Claims> parsedToken = Jwts.parser()
+                        .setSigningKey(signingKey.getBytes())
+                        .parseClaimsJws(token.replace("Bearer ", ""));
+
+                String username = parsedToken
+                        .getBody()
+                        .getSubject();
+
+                List<SimpleGrantedAuthority> authorities = ((List<?>) parsedToken.getBody()
+                        .get("roles")).stream()
+                        .map(authority -> new SimpleGrantedAuthority((String) authority))
+                        .collect(Collectors.toList());
+
+                if (username != null && !username.isEmpty()){
+                    return new UsernamePasswordAuthenticationToken(username, null, authorities);
+                }
+
+            } catch (ExpiredJwtException exception) {
+                log.warn("Request to parse expired JWT : {} failed : {}", token, exception.getMessage());
+            } catch (UnsupportedJwtException exception) {
+                log.warn("Request to parse unsupported JWT : {} failed : {}", token, exception.getMessage());
+            } catch (MalformedJwtException exception) {
+                log.warn("Request to parse invalid JWT : {} failed : {}", token, exception.getMessage());
+            } catch (SignatureException exception) {
+                log.warn("Request to parse JWT with invalid signature : {} failed : {}", token, exception.getMessage());
+            } catch (IllegalArgumentException exception) {
+                log.warn("Request to parse empty or null JWT : {} failed : {}", token, exception.getMessage());
+            }
+        }
+
+        return null;
+    }
+
+}

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/config/jwt/JwtUtil.java

@@ -0,0 +1,45 @@
+package br.com.ifpb.pweb2.securitydemo.config.jwt;
+
+import br.com.ifpb.pweb2.securitydemo.config.SecurityConfig;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Date;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Configuration
+public class JwtUtil {
+
+    private final SecurityConfig securityConfig;
+    private final String signingKey;
+
+    public JwtUtil(SecurityConfig securityConfig) {
+        this.securityConfig = securityConfig;
+        signingKey = securityConfig.getSecret();
+    }
+
+    public String generateToken(Authentication authentication) {
+        UserDetails user = ((UserDetails) authentication.getPrincipal());
+
+        List<String> roles = user.getAuthorities()
+                .stream()
+                .map(GrantedAuthority::getAuthority)
+                .collect(Collectors.toList());
+
+        return Jwts.builder()
+                .signWith(Keys.hmacShaKeyFor(signingKey.getBytes()), SignatureAlgorithm.HS512)
+                .setHeaderParam("type", securityConfig.getTokenType())
+                .setIssuer(securityConfig.getIssuer()) //emissor
+                .setAudience(securityConfig.getAudience()) //destinatario
+                .setSubject(user.getUsername())
+                .setExpiration(new Date(System.currentTimeMillis() + securityConfig.getExpiration()))
+                .claim("roles", roles)
+                .compact();
+    }
+}

exemplos/02-seguranca/src/main/java/br/com/ifpb/pweb2/securitydemo/controller/LoginController.java

@@ -0,0 +1,44 @@
+package br.com.ifpb.pweb2.securitydemo.controller;
+
+import br.com.ifpb.pweb2.securitydemo.config.jwt.JwtUtil;
+import br.com.ifpb.pweb2.securitydemo.controller.dto.LoginDTO;
+import br.com.ifpb.pweb2.securitydemo.controller.dto.TokenDTO;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class LoginController {
+
+    private final JwtUtil jwtUtil;
+
+    private final AuthenticationManager authenticationManager;
+
+    private final PasswordEncoder passwordEncoder;
+
+    public LoginController(AuthenticationManager authenticationManager, JwtUtil jwtUtil, PasswordEncoder passwordEncoder) {
+        this.jwtUtil = jwtUtil;
+        this.authenticationManager = authenticationManager;
+        this.passwordEncoder = passwordEncoder;
+    }
+
+    @PostMapping("login")
+    public ResponseEntity login(@RequestBody LoginDTO loginDTO) {
+
+        System.out.println(passwordEncoder.encode(loginDTO.getPassword()));
+
+        UsernamePasswordAuthenticationToken authenticationToken =
+                new UsernamePasswordAuthenticationToken(loginDTO.getLogin(), loginDTO.getPassword());
+
+        String token = this.jwtUtil.generateToken(authenticationManager.authenticate(authenticationToken));
+
+        return ResponseEntity.ok(new TokenDTO(token));
+    }
+
+}