Role-Based Authorization in Spring Boot – Spring Security code

Category : Spring Boot | Sub Category : Spring Boot | By Prasad Bonam Last updated: 2023-07-09 11:38:47 Viewed : 330
Here's an example of implementing role-based authorization in Spring Boot with Spring Security:

1. Update the Security Configuration:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// securedEnabled = true is required for the @Secured annotations in the controller to be
// enforced; without it they are silently ignored and only the URL rules below apply.
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user")
                .password("{noop}password") // Specify password encoder, {noop} for plain text
                .roles("USER")              // stored as the granted authority ROLE_USER
                .and()
                .withUser("admin")
                .password("{noop}password")
                .roles("ADMIN");            // stored as the granted authority ROLE_ADMIN
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The controller is mapped under /api, so the URL rules must use the /api prefix
        http
            .authorizeRequests()
                .antMatchers("/api/public").permitAll()
                .antMatchers("/api/admin").hasRole("ADMIN") // hasRole() adds the ROLE_ prefix itself
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout();
    }
}
```

In this example, two in-memory users (user and admin) with their respective roles (USER and ADMIN) are configured. The configure() method assigns access rules to URL patterns: the /api/public endpoint is accessible to everyone, the /api/admin endpoint requires the user to have the ADMIN role, and any other request requires an authenticated user.

2. Secure Endpoints with Role-Based Authorization:

```java
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class ApiController {

    @GetMapping("/public")
    public String publicEndpoint() {
        return "Public Endpoint";
    }

    @GetMapping("/admin")
    @Secured("ROLE_ADMIN") // Method-level security annotation; @Secured needs the full ROLE_ prefix
    public String adminEndpoint() {
        return "Admin Endpoint";
    }

    @GetMapping("/user")
    @Secured("ROLE_USER") // Method-level security annotation
    public String userEndpoint() {
        return "User Endpoint";
    }
}
```

In this example, the /api/public endpoint is accessible to all users. The /api/admin endpoint is accessible only to users with the ROLE_ADMIN role, and the /api/user endpoint is accessible only to users with the ROLE_USER role.

Note that you can also use the @PreAuthorize annotation from Spring Security for more fine-grained method-level security expressions.
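As an added example of the @PreAuthorize approach mentioned above (this class is not part of the original article), the hypothetical ProfileService below combines a role check with a check on the method arguments, so a USER may only read or update their own profile while an ADMIN may read any. It assumes the same USER and ADMIN roles as the configuration above and that `@EnableGlobalMethodSecurity(prePostEnabled = true)` has been added to SecurityConfig; `securedEnabled` alone does not activate @PreAuthorize.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Hypothetical service (example code, not from the article) illustrating @PreAuthorize.
// Requires @EnableGlobalMethodSecurity(prePostEnabled = true) on the security configuration.
@Service
public class ProfileService {

    // Role check only: the expression form of @Secured("ROLE_ADMIN").
    @PreAuthorize("hasRole('ADMIN')")
    public String listAllProfiles() {
        return "all profiles";
    }

    // Combines the caller's identity with a method argument. #username refers to the
    // parameter by name, which needs parameter names at runtime (spring-boot-starter-parent
    // compiles with -parameters; otherwise annotate the parameter with @P("username")).
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    public String getProfile(String username) {
        return "profile of " + username;
    }

    // SpEL property access on an argument: #profile.owner calls profile.getOwner().
    // The expression is evaluated before the body runs, so an unauthorized caller gets an
    // AccessDeniedException (a 403 in a web request) and this code is never reached.
    @PreAuthorize("hasRole('USER') and #profile.owner == authentication.name")
    public void updateProfile(Profile profile) {
        // ... persist the change ...
    }

    // Minimal data holder for the example.
    public static class Profile {
        private final String owner;

        public Profile(String owner) {
            this.owner = owner;
        }

        public String getOwner() {
            return owner;
        }
    }
}
```

Because the checks run inside the Spring proxy, they only apply to calls that come through the injected bean; a method calling another annotated method on `this` bypasses the annotation, so keep the annotated methods as the entry points.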

3. Test the Role-Based Authorization: You can test the role-based authorization by accessing the endpoints using appropriate credentials and roles. For example, accessing /api/public does not require authentication. To access /api/admin, you need to authenticate as the admin user with the ADMIN role. Similarly, to access /api/user, you need to authenticate as the user user with the USER role.

That's it! This example demonstrates the implementation of role-based authorization using Spring Security in a Spring Boot application. You can customize the configuration and endpoints based on your specific requirements and roles.
