You will be developing a basic CRUD (Create, Read, Update, Delete) API using Spring Boot with MongoDB, and it should adhere to RESTful principles. The application will contain user management and product management functionalities.
```mermaid
classDiagram
    User "1" -- "n" Product : Owns
    User: +String id
    User: +String name
    User: +String email
    User: +String password
    User: +String role
    Product: +String id
    Product: +String name
    Product: +String description
    Product: +Double price
    Product: +String userId
```
You should provide a set of RESTful APIs to perform CRUD operations on both Users and Products. The APIs should be designed according to the REST standard. The "GET Products" API should be accessible without authentication.
Implement a token-based authentication system. Only authenticated users can access the APIs. The users can have different roles (admin or user), and the API access should be controlled based on the user roles.
💡 Spring Security
The API should not return any 5XX errors. You should handle any possible exceptions and return appropriate HTTP response codes and messages.
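An added example (not the project's code) of the central place where exceptions are turned into 4XX responses with a fixed JSON body: a `@RestControllerAdvice`. It assumes a `ResourceNotFoundException` thrown by the services when a user or product id is unknown and, as above, jjwt's `JwtException` for token failures; `DuplicateKeyException` is what Spring Data raises when a unique index (for example on the e-mail field) rejects an insert.

```java
package com.example.letsplay.exception; // assumed package name

import java.util.stream.Collectors;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.DuplicateKeyException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

import io.jsonwebtoken.JwtException; // assumed JWT library

@RestControllerAdvice
public class GlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    /** Uniform error body: status, reason phrase and a short message; never a stack trace or class name. */
    public record ApiError(int status, String error, String message) {}

    @ExceptionHandler(ResourceNotFoundException.class) // assumed application exception
    public ResponseEntity<ApiError> notFound(ResourceNotFoundException ex) {
        return respond(HttpStatus.NOT_FOUND, ex.getMessage());
    }

    /** Bean Validation failures on a @Valid request body: report each field once. */
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<ApiError> invalidBody(MethodArgumentNotValidException ex) {
        String details = ex.getBindingResult().getFieldErrors().stream()
                .map(f -> f.getField() + ": " + f.getDefaultMessage())
                .collect(Collectors.joining("; "));
        return respond(HttpStatus.BAD_REQUEST, details);
    }

    /** Unparseable JSON (wrong types, truncated body): the client's fault, so 400 rather than 500. */
    @ExceptionHandler(HttpMessageNotReadableException.class)
    public ResponseEntity<ApiError> unreadable(HttpMessageNotReadableException ex) {
        return respond(HttpStatus.BAD_REQUEST, "Malformed request body");
    }

    @ExceptionHandler({AuthenticationException.class, JwtException.class})
    public ResponseEntity<ApiError> unauthenticated(Exception ex) {
        return respond(HttpStatus.UNAUTHORIZED, "Authentication required"); // no hint about which part failed
    }

    @ExceptionHandler(AccessDeniedException.class) // raised by @PreAuthorize checks that fail
    public ResponseEntity<ApiError> forbidden(AccessDeniedException ex) {
        return respond(HttpStatus.FORBIDDEN, "Insufficient permissions");
    }

    @ExceptionHandler(DuplicateKeyException.class) // unique index violated, e.g. an e-mail registered twice
    public ResponseEntity<ApiError> conflict(DuplicateKeyException ex) {
        return respond(HttpStatus.CONFLICT, "Resource already exists");
    }

    /** Safety net: logs the full exception server-side and returns a body with no internals. */
    @ExceptionHandler(Exception.class)
    public ResponseEntity<ApiError> unexpected(Exception ex) {
        log.error("Unhandled exception", ex);
        return respond(HttpStatus.INTERNAL_SERVER_ERROR, "Unexpected error");
    }

    private static ResponseEntity<ApiError> respond(HttpStatus status, String message) {
        return ResponseEntity.status(status)
                .body(new ApiError(status.value(), status.getReasonPhrase(), message));
    }
}
```

The catch-all exists so that a stack trace can never leak; meeting the no-5XX requirement means it should never actually fire, so every failure the services can anticipate (unknown id, invalid body, duplicate key, bad token) gets its own 4XX mapping above it.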
Implement the following security measures:
- Hash and salt passwords before storing them in the database.
- Validate inputs to prevent MongoDB injection attacks.
- Protect sensitive user information. Don't return passwords or other sensitive information in your API responses.
- Use HTTPS to protect data in transit.
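The first three measures in one registration path, as an added example that is not the project's code: bcrypt hashing with a per-password salt, Bean Validation on the request body before any database access, derived Spring Data queries that bind user input as plain BSON values, and a response record that has no password field at all. The `/api/auth/register` path, the collection name and the `USER`/`ADMIN` role strings are assumptions.

```java
package com.example.letsplay.user; // assumed package name

import java.util.Locale;
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.index.Indexed;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;

@Document("users")
class User {
    @Id String id;
    String name;
    @Indexed(unique = true) String email; // second line of defence against duplicate accounts
    String password;                      // always a bcrypt hash, never the clear-text password
    String role;
}

interface UserRepository extends MongoRepository<User, String> {
    // Derived queries: Spring Data binds the argument as a BSON string, so a value such as
    // {"$ne": null} is compared literally and cannot turn into a query operator.
    Optional<User> findByEmail(String email);
    boolean existsByEmail(String email);
}

/** Registration input; @Valid on the controller rejects it before any code touches the database. */
record RegisterRequest(
        @NotBlank @Size(max = 100) String name,
        @NotBlank @Email @Size(max = 254) String email,
        @NotBlank @Size(min = 8, max = 72) String password) {} // bcrypt hashes at most 72 bytes

/** What the API returns: there is no password field, so it cannot be serialised by accident. */
record UserResponse(String id, String name, String email, String role) {}

@Configuration
class PasswordConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12); // cost 12; bcrypt generates a random salt and stores it in the hash
    }
}

@Service
class UserService {
    private final UserRepository users;
    private final PasswordEncoder encoder;

    UserService(UserRepository users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    UserResponse register(RegisterRequest req) {
        String email = req.email().trim().toLowerCase(Locale.ROOT);
        if (users.existsByEmail(email)) {
            throw new ResponseStatusException(HttpStatus.CONFLICT, "E-mail already registered");
        }
        User u = new User();
        u.name = req.name().trim();
        u.email = email;
        u.password = encoder.encode(req.password());
        u.role = "USER"; // assigned server-side: a client can never register itself as ADMIN
        return toResponse(users.save(u));
    }

    static UserResponse toResponse(User u) {
        return new UserResponse(u.id, u.name, u.email, u.role);
    }
}

@RestController
@RequestMapping("/api/auth")
class RegistrationController {
    private final UserService service;

    RegistrationController(UserService service) { this.service = service; }

    @PostMapping("/register")
    ResponseEntity<UserResponse> register(@Valid @RequestBody RegisterRequest req) {
        return ResponseEntity.status(HttpStatus.CREATED).body(service.register(req));
    }
}
```

Login follows the same rule in reverse: `encoder.matches(submitted, stored.password)` compares against the hash, and the user document is mapped through `toResponse` before anything leaves the service, so neither the hash nor any other internal field appears in a response. The fourth measure, HTTPS, is a deployment setting (`server.ssl.*` in `application.properties`, or TLS terminated at a reverse proxy) rather than code.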
As an additional challenge, you could consider implementing the following features. Note that these are not required for the completion of the project but would provide additional learning opportunities:
- Set appropriate CORS policies: Implement Cross-Origin Resource Sharing (CORS) policies to manage the security of your application when it is accessed from different domains.
- Implement rate limiting to prevent brute force attacks: Use rate limiting to restrict the number of API requests a client can make in a given time. This can help prevent attacks and misuse of your application.
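Both optional features in one added example (not the project's code): a `CorsConfigurationSource` that names the permitted origin, methods and headers explicitly, and a fixed-window limiter for the login endpoint that answers with 429 once a client address exceeds the allowance. The front-end origin `https://app.example.com` and the login path `/api/auth/login` are assumptions.

```java
package com.example.letsplay.config; // assumed package name

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.OncePerRequestFilter;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@Configuration
class CorsConfig {
    /** Picked up by http.cors(Customizer.withDefaults()) in the SecurityFilterChain. */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com")); // assumed origin; an explicit list, not "*"
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(false); // the token travels in a header, so cookies are not needed cross-origin
        cfg.setMaxAge(3600L);           // cache the preflight answer for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}

/** Fixed-window limiter: at most MAX_ATTEMPTS login requests per client address per window. */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // runs before the security filters, so rejected requests cost nothing else
class LoginRateLimitFilter extends OncePerRequestFilter {

    static final int MAX_ATTEMPTS = 10;
    static final long WINDOW_MS = 60_000;

    private record Window(long startedAt, AtomicInteger count) {}

    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !"/api/auth/login".equals(request.getRequestURI()); // assumed login path
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String client = request.getRemoteAddr(); // behind a reverse proxy, use the address the proxy forwards instead
        long now = System.currentTimeMillis();
        Window w = windows.compute(client, (key, old) ->
                old == null || now - old.startedAt() >= WINDOW_MS ? new Window(now, new AtomicInteger()) : old);
        if (w.count().incrementAndGet() > MAX_ATTEMPTS) {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.setHeader("Retry-After", String.valueOf(WINDOW_MS / 1000));
            response.setContentType("application/json");
            response.getWriter().write("{\"status\":429,\"message\":\"Too many login attempts\"}");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The map is in-memory and per instance, which is adequate for a single-node project; it is never evicted, so a long-running deployment would want a scheduled sweep of expired windows or a library such as Bucket4j backed by a shared store, and the `getRemoteAddr()` key only identifies the real client when no proxy sits in front of the application.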
Your project will be extensively tested for the following aspects:
- Correctness of the APIs.
- Proper implementation of authentication and authorization.
- The absence of 5XX errors.
- Implementation of the above-mentioned security measures.
In order for auditors to test your program, you will have to run your project using a code editor or provide a script to run it.
```mermaid
classDiagram
direction LR
class OAuth2ImportSelector
class appConfig
class authenticationConfiguration
class authenticationManager
class authenticationManagerBuilder
class authenticationProvider
class conversionServicePostProcessor
class corsConfig
class corsFilter
class delegatingApplicationListener
class enableGlobalAuthenticationAutowiredConfigurer
class node2
class node15
class node4
class globalExceptionHandler
class handlerExceptionResolver
class httpSecurityConfiguration
class initializeAuthenticationProviderBeanManagerConfigurer
class initializeUserDetailsBeanManagerConfigurer
class jwtAuthenticationFilter
class jwtService
class letsplayApplication
class methodSecuritySelector
class mvcContentNegotiationManager
class mvcHandlerMappingIntrospector
class objectPostProcessor
class objectPostProcessorConfiguration
class node44
class passwordEncoder
class privilegeEvaluator
class productController
class productDTOMapper
class productRepository
class productService
class securityConfiguration
class securityFilterChain
class springSecurityFilterChain
class springWebMvcImportSelector
class userController
class userDTOMapper
class userDetailsService
class userRepository
class userService
class webApplicationContext
class webSecurityConfiguration
class webSecurityExpressionHandler
appConfig ..> authenticationManager: @Bean
appConfig ..> authenticationProvider: @Bean
appConfig ..> passwordEncoder: @Bean
appConfig ..> userDetailsService: @Bean
appConfig --> userRepository: depends on
authenticationConfiguration ..> authenticationManagerBuilder: @Bean
authenticationConfiguration ..> enableGlobalAuthenticationAutowiredConfigurer: @Bean
authenticationConfiguration ..> initializeAuthenticationProviderBeanManagerConfigurer: @Bean
authenticationConfiguration ..> initializeUserDetailsBeanManagerConfigurer: @Bean
authenticationConfiguration ..> objectPostProcessor: @Autowired
authenticationConfiguration --> objectPostProcessorConfiguration: @Import
authenticationConfiguration ..> webApplicationContext: @Autowired
corsConfig ..> corsFilter: @Bean
corsFilter --> mvcHandlerMappingIntrospector: depends on
httpSecurityConfiguration ..> authenticationConfiguration: @Autowired
httpSecurityConfiguration ..> mvcContentNegotiationManager: @Autowired
httpSecurityConfiguration ..> objectPostProcessor: @Autowired
httpSecurityConfiguration ..> node44: @Bean
httpSecurityConfiguration ..> webApplicationContext: @Autowired
jwtAuthenticationFilter --> handlerExceptionResolver: depends on
jwtAuthenticationFilter --> jwtService: depends on
jwtAuthenticationFilter --> userDetailsService: depends on
letsplayApplication ..> appConfig
letsplayApplication ..> corsConfig
letsplayApplication --> node2: @EnableSpringDataWebSupport
letsplayApplication --> node15: @EnableSpringDataWebSupport
letsplayApplication --> node4: @EnableSpringDataWebSupport
letsplayApplication ..> globalExceptionHandler
letsplayApplication ..> jwtAuthenticationFilter
letsplayApplication ..> jwtService
letsplayApplication ..> letsplayApplication
letsplayApplication ..> productController
letsplayApplication ..> productDTOMapper
letsplayApplication ..> productRepository
letsplayApplication ..> productService
letsplayApplication ..> securityConfiguration
letsplayApplication ..> userController
letsplayApplication ..> userDTOMapper
letsplayApplication ..> userRepository
letsplayApplication ..> userService
objectPostProcessorConfiguration ..> objectPostProcessor: @Bean
productController --> productService: depends on
productService --> productDTOMapper: depends on
productService --> productRepository: depends on
securityConfiguration --> OAuth2ImportSelector: @EnableWebSecurity
securityConfiguration --> authenticationConfiguration: @EnableWebSecurity
securityConfiguration --> authenticationProvider: depends on
securityConfiguration --> httpSecurityConfiguration: @EnableWebSecurity
securityConfiguration --> jwtAuthenticationFilter: depends on
securityConfiguration --> methodSecuritySelector: @EnableMethodSecurity
securityConfiguration ..> securityFilterChain: @Bean
securityConfiguration --> springWebMvcImportSelector: @EnableWebSecurity
securityConfiguration --> webSecurityConfiguration: @EnableWebSecurity
userController --> userService: depends on
userService --> authenticationManager: depends on
userService --> jwtService: depends on
userService --> passwordEncoder: depends on
userService --> userDTOMapper: depends on
userService --> userRepository: depends on
webSecurityConfiguration ..> conversionServicePostProcessor: @Bean
webSecurityConfiguration ..> delegatingApplicationListener: @Bean
webSecurityConfiguration ..> objectPostProcessor: @Autowired
webSecurityConfiguration ..> node44: @Autowired
webSecurityConfiguration ..> privilegeEvaluator: @Bean
webSecurityConfiguration ..> springSecurityFilterChain: @Bean
webSecurityConfiguration ..> webSecurityExpressionHandler: @Bean
```