Merge pull request #1 from shyakadev/method-security

update authorization to method

src/main/java/com/example/keycloakresourceserver/ArticleController.java

@@ -4,7 +4,10 @@
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.lang.NonNull;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -34,4 +37,11 @@ public ResponseEntity<Article> createArticle(@RequestBody ArticleDto article) {
         Article created = articleService.createArticle(article);
         return new ResponseEntity<Article>(created, HttpStatus.CREATED);
     }
+
+    @GetMapping("/{id}")
+     @PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
+    public ResponseEntity<Article> getById(@PathVariable @NonNull Long id) {
+        Article article = articleService.findById(id);
+        return ResponseEntity.ok(article);
+    }
 }

src/main/java/com/example/keycloakresourceserver/ArticleService.java

@@ -1,8 +1,10 @@
 package com.example.keycloakresourceserver;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
+import org.springframework.lang.NonNull;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -21,11 +23,17 @@ public List<Article> getAll() {
 
     public List<ArticleDto> getAllMinified() {
         return getAll().stream()
-              .map(ArticleDto::minify)
-              .collect(Collectors.toList());
+                .map(ArticleDto::minify)
+                .collect(Collectors.toList());
     }
 
     public Article createArticle(ArticleDto article) {
         return articleRepository.save(new Article(article.getTitle(), article.getContent()));
     }
+
+    public Article findById(@NonNull Long id) {
+        Optional<Article> article = articleRepository.findById(id);
+
+        return article.orElseThrow(() -> new RuntimeException("Article not found with ID: " + id));
+    }
 }

src/main/java/com/example/keycloakresourceserver/SecurityConfiguration.java

@@ -2,6 +2,7 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -12,6 +13,7 @@
 @RequiredArgsConstructor
 @Configuration
 @EnableWebSecurity
+@EnableMethodSecurity
 public class SecurityConfiguration {
 
     private final JwtAuthConverter jwtAuthConverter;
@@ -24,6 +26,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                     authorize.requestMatchers("/v1/articles/minified").permitAll();
                     authorize.requestMatchers("/v1/articles/create").hasRole("ADMIN");
                     authorize.requestMatchers("/v1/articles/all").hasAnyRole("USER", "ADMIN");
+                    authorize.requestMatchers("/v1/articles/**").permitAll();
                     authorize.anyRequest().authenticated();
                 })
                 .oauth2ResourceServer(oauth2 -> oauth2