Role-Based Authorization in Spring Boot – Spring Security code

Category : Spring Boot | Sub Category : Spring Boot | By Prasad Bonam Last updated: 2023-07-09 11:38:47 Viewed : 251


Role-Based Authorization in Spring Boot – Spring Security code :

Heres an example of implementing role-based authorization in Spring Boot with Spring Security:

  1. Update the Security Configuration:
java
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("user") .password("{noop}password") // Specify password encoder, {noop} for plain text .roles("USER") .and() .withUser("admin") .password("{noop}password") .roles("ADMIN"); } @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/public").permitAll() .antMatchers("/admin").hasRole("ADMIN") .anyRequest().authenticated() .and() .formLogin() .and() .logout(); } }

In this example, two in-memory users (user and admin) with their respective roles (USER and ADMIN) are configured. The configure() method is updated to assign specific roles to certain URL patterns. The /public endpoint is accessible to all users, while the /admin endpoint requires the user to have the ADMIN role.

  1. Secure Endpoints with Role-Based Authorization:
java
import org.springframework.security.access.annotation.Secured; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @RequestMapping("/api") public class ApiController { @GetMapping("/public") public String publicEndpoint() { return "Public Endpoint"; } @GetMapping("/admin") @Secured("ROLE_ADMIN") // Method-level security annotation public String adminEndpoint() { return "Admin Endpoint"; } @GetMapping("/user") @Secured("ROLE_USER") // Method-level security annotation public String userEndpoint() { return "User Endpoint"; } }

In this example, the /api/public endpoint is accessible to all users. The /api/admin endpoint is accessible only to users with the ROLE_ADMIN role, and the /api/user endpoint is accessible only to users with the ROLE_USER role.

Note that you can also use @PreAuthorize annotation from Spring Security for more fine-grained method-level security expressions.

  1. Test the Role-Based Authorization: You can test the role-based authorization by accessing the endpoints using appropriate credentials and roles. For example, accessing /api/public does not require authentication. To access /api/admin, you need to authenticate as the admin user with the ADMIN role. Similarly, to access /api/user, you need to authenticate as the user user with the USER role.

Thats it! This example demonstrates the implementation of role-based authorization using Spring Security in a Spring Boot application. You can customize the configuration and endpoints based on your specific requirements and roles.


Search
Sub-Categories
Related Articles

Leave a Comment: