Nasruddin
diff --git a/‎.idea/workspace.xml‎
Lines changed: 38 additions & 17 deletions b/‎.idea/workspace.xml‎
Lines changed: 38 additions & 17 deletions
diff --git a/‎docker/docker-compose-infra.yml‎
Lines changed: 13 additions & 0 deletions b/‎docker/docker-compose-infra.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎microservices/course-composite-service/pom.xml‎
Lines changed: 9 additions & 0 deletions b/‎microservices/course-composite-service/pom.xml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/ResourceController.java‎
Lines changed: 29 additions & 0 deletions b/‎microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/ResourceController.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/SecurityConfig.java‎
Lines changed: 112 additions & 0 deletions b/‎microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/config/SecurityConfig.java‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎microservices/course-composite-service/src/main/resources/application.yml‎
Lines changed: 9 additions & 0 deletions b/‎microservices/course-composite-service/src/main/resources/application.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎microservices/course-service/pom.xml‎
Lines changed: 9 additions & 0 deletions b/‎microservices/course-service/pom.xml‎
Lines changed: 9 additions & 0 deletions
@@ -30,6 +30,19 @@ services:
       - ./postgresql/init.sql:/docker-entrypoint-initdb.d/init.sql
     networks:
       - shared-network
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    container_name: keycloak
+    ports:
+      - "8081:8080"
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    command: [ "start-dev" ]
+    networks:
+      - shared-network
+
 networks:
   shared-network:
     name: shared-network
@@ -38,7 +38,16 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-webflux</artifactId>
 		</dependency>
+		<!--Security related dependency-->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>io.javatab.util</groupId>
 			<artifactId>util</artifactId>
 
@@ -0,0 +1,29 @@
+package io.javatab.microservices.composite.course.config;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/protectedapi")
+public class ResourceController {
+
+    @GetMapping("/public")
+    public String publicResource() {
+        return "This is a public resource. No authentication required.";
+    }
+
+    @GetMapping("/user")
+    //@PreAuthorize("hasRole('USER')")
+    public String userResource(Authentication authentication) {
+        return "Hello, " + authentication.getName() + "! You have USER access.";
+    }
+
+    @GetMapping("/admin")
+    //@PreAuthorize("hasRole('ADMIN')")
+    public String adminResource(Authentication authentication) {
+        return "Hello, " + authentication.getName() + "! You have ADMIN access.";
+    }
+}
@@ -0,0 +1,112 @@
+package io.javatab.microservices.composite.course.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+
+@Configuration
+@EnableWebFluxSecurity
+public class SecurityConfig {
+
+    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
+
+    @Bean
+    public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
+        http
+                .authorizeExchange(exchanges -> exchanges
+                        .pathMatchers("/api/course-aggregate").hasRole("COURSE-AGGREGATE-READ")
+                        .anyExchange().authenticated()
+                )
+                .oauth2ResourceServer(oauth2 -> oauth2
+                        .jwt(jwt -> jwt.jwtAuthenticationConverter(grantedAuthoritiesExtractor()))
+                );
+
+        // Add filter to log roles
+        http.addFilterAt((exchange, chain) -> logRoles(exchange).then(chain.filter(exchange)),
+                SecurityWebFiltersOrder.AUTHORIZATION);
+
+        return http.build();
+    }
+
+    @Bean
+    public ReactiveJwtDecoder jwtDecoder() {
+        return NimbusReactiveJwtDecoder.withJwkSetUri("http://localhost:8081/realms/course-management-realm/protocol/openid-connect/certs").build();
+    }
+
+    @Bean
+    public Converter<Jwt, Mono<JwtAuthenticationToken>> grantedAuthoritiesExtractor() {
+        return new Converter<Jwt, Mono<JwtAuthenticationToken>>() {
+            @Override
+            public Mono<JwtAuthenticationToken> convert(Jwt jwt) {
+                Collection<GrantedAuthority> authorities = new ArrayList<>();
+
+                // Extract realm roles
+                Map<String, Object> realmAccess = jwt.getClaim("realm_access");
+                if (realmAccess != null && realmAccess.containsKey("roles")) {
+                    List<String> roles = (List<String>) realmAccess.get("roles");
+                    authorities.addAll(roles.stream()
+                            .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+                            .toList());
+                }
+
+                // Extract client roles (replace "my-resource-server" with your client ID)
+                /*Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+                if (resourceAccess != null) {
+                    Map<String, Object> clientRoles = (Map<String, Object>) resourceAccess.get("my-resource-server");
+                    if (clientRoles != null && clientRoles.containsKey("roles")) {
+                        List<String> roles = (List<String>) clientRoles.get("roles");
+                        authorities.addAll(roles.stream()
+                                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+                                .toList());
+                    }
+                }*/
+                Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+                if (resourceAccess != null) {
+                    resourceAccess.forEach((resource, access) -> {
+                        if (access instanceof Map) {
+                            Map<String, Object> clientRoles = (Map<String, Object>) access;
+                            if (clientRoles.containsKey("roles")) {
+                                List<String> roles = (List<String>) clientRoles.get("roles");
+                                authorities.addAll(roles.stream()
+                                        .map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
+                                        .toList());
+                            }
+                        }
+                    });
+                }
+
+                return Mono.just(new JwtAuthenticationToken(jwt, authorities));
+            }
+        };
+    }
+
+    private Mono<Void> logRoles(ServerWebExchange exchange) {
+        return exchange.getPrincipal()
+                .cast(JwtAuthenticationToken.class)
+                .doOnNext(jwtAuth -> {
+                    Collection<? extends GrantedAuthority> authorities = jwtAuth.getAuthorities();
+                    logger.info("Roles in Resource Server: {}", authorities);
+                })
+                .then();
+    }
+}
@@ -14,6 +14,15 @@ logging:
   level:
     root: INFO
     io.javatab.microservices.composite.course: DEBUG
+
+# Security related properties
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: http://localhost:8081/realms/course-management-realm
+          jwk-set-uri: http://localhost:8081/realms/course-management-realm/protocol/openid-connect/certs
+
 ---
 spring:
   config:
 
@@ -61,6 +61,15 @@
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
 
 		<dependency>
 			<groupId>io.javatab.util</groupId>