Category : Spring Boot | Sub Category : Spring Boot | By Prasad Bonam Last updated: 2023-07-09 11:38:47 Viewed : 744
Role-Based Authorization in Spring Boot – Spring Security code :
Here's an example of implementing role-based authorization in Spring Boot with Spring Security:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// Required for the @Secured annotations used in the controller (and for @PreAuthorize);
// without this, method-level security annotations are silently ignored.
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user")
                .password("{noop}password") // {noop} selects the plain-text encoder; demo only
                .roles("USER")              // stored as authority ROLE_USER
            .and()
                .withUser("admin")
                .password("{noop}password")
                .roles("ADMIN");            // stored as authority ROLE_ADMIN
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The controller below maps its endpoints under /api
                .antMatchers("/api/public").permitAll()
                .antMatchers("/api/admin").hasRole("ADMIN") // hasRole() adds the ROLE_ prefix itself
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout();
    }
}
```
In this example, two in-memory users (`user` and `admin`) with their respective roles (`USER` and `ADMIN`) are configured. The `configure()` method assigns roles to URL patterns (the controller below maps its endpoints under `/api`): the `/api/public` endpoint is accessible to all users, the `/api/admin` endpoint requires the user to have the `ADMIN` role, and every other request requires an authenticated user. `hasRole("ADMIN")` adds the `ROLE_` prefix itself, so it matches the `ROLE_ADMIN` authority that `.roles("ADMIN")` assigns.
```java
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class ApiController {

    @GetMapping("/public")
    public String publicEndpoint() {
        return "Public Endpoint";
    }

    @GetMapping("/admin")
    @Secured("ROLE_ADMIN") // Method-level security annotation; @Secured needs the full ROLE_ prefix
    public String adminEndpoint() {
        return "Admin Endpoint";
    }

    @GetMapping("/user")
    @Secured("ROLE_USER") // Method-level security annotation
    public String userEndpoint() {
        return "User Endpoint";
    }
}
```
In this example, the `/api/public` endpoint is accessible to all users. The `/api/admin` endpoint is accessible only to users with the `ROLE_ADMIN` role, and the `/api/user` endpoint is accessible only to users with the `ROLE_USER` role. Unlike `hasRole()`, `@Secured` takes the full authority name including the `ROLE_` prefix, and it is only enforced when method security is enabled on the configuration class.

Note that you can also use the `@PreAuthorize` annotation from Spring Security for more fine-grained method-level security expressions.
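As an added example of the fine-grained expressions `@PreAuthorize` allows (not part of the original post), a hypothetical `AccountController` that combines a role check with an ownership check on the request itself. `#username` refers to the method parameter and `authentication.name` to the logged-in principal; resolving `#username` by name requires the compiler's `-parameters` flag, which the Spring Boot Maven and Gradle plugins set by default. It assumes `prePostEnabled = true` on `@EnableGlobalMethodSecurity` (Spring Security 5) or `@EnableMethodSecurity` (Spring Security 6).

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, added for illustration; the /api/accounts path is not from the original post.
@RestController
@RequestMapping("/api/accounts")
public class AccountController {

    // Either an ADMIN, or the caller whose own account this is, may read it.
    // A plain role check would let any USER read every other user's account.
    @GetMapping("/{username}")
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    public String getAccount(@PathVariable String username) {
        return "Account of " + username;
    }

    // Deleting is reserved for ADMIN, and an admin may not delete their own account.
    @DeleteMapping("/{username}")
    @PreAuthorize("hasRole('ADMIN') and #username != authentication.name")
    public String deleteAccount(@PathVariable String username) {
        return "Deleted " + username;
    }

    // Any authenticated caller may see which authorities they actually hold,
    // which is the first thing to check when an authorization rule behaves unexpectedly.
    @GetMapping("/me")
    @PreAuthorize("isAuthenticated()")
    public String whoAmI(Authentication authentication) {
        return authentication.getName() + " " + authentication.getAuthorities();
    }
}
```

When an expression evaluates to false for an authenticated caller, Spring Security throws `AccessDeniedException` and the request ends with HTTP 403; an unauthenticated caller is sent to the login page by the `formLogin()` configuration instead.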
`/api/public` does not require authentication. To access `/api/admin`, you need to authenticate as the `admin` user with the `ADMIN` role. Similarly, to access `/api/user`, you need to authenticate as the `user` user with the `USER` role.

That's it! This example demonstrates the implementation of role-based authorization using Spring Security in a Spring Boot application. You can customize the configuration and endpoints based on your specific requirements and roles.