1
1
.
.
4
4
.
.
7
7
R
R
o
o
l
l
e
e
s
s
I
I
n
n
f
f
o
o
[
[
G
G
]
]
This tutorial shows how to use Roles to Authorize access to Endpoints.
This is simple out of the box approach that requires no custom code.
Authorization is configures inside the Controller by using simple Annotations @Secured({"ROLE_ADMIN", "ROLE_USER"}).
SecurityConfig.java
@EnableGlobalMethodSecurity(securedEnabled = true)
MyController.java (@Secured can only be used with Roles)
@Secured("ROLE_ADMIN")
@Secured({"ROLE_ADMIN", "ROLE_USER"})
Application Schema [Results]
Spring Boot Starters
GROUP
DEPENDENCY
DESCRIPTION
Web
Spring Web
Enables @Controller, @RequestMapping and Tomcat Server
Security
Spring Security
Enables Spring Security
P
P
r
r
o
o
c
c
e
e
d
d
u
u
r
r
e
e
Create Project: springboot_security_authorization_roles (add Spring Boot Starters from the table)
Edit File: application.properties (specify Username, Password, Role)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: SecurityConfig.java (inside config package)
application.properties
# SECURITY
spring.security.user.name = myuser
spring.security.user.password = mypassword
spring.security.user.roles = USER, LOADER
MyController
http://localhost:8080/OnlyAdmin
Tomcat
Browser
SecurityConfig
SecurityConfig.java
package com.ivoronline.springboot_security_authorization_roles.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity.formLogin();
}
}
MyController.java
package com.ivoronline.springboot_security_authorization_roles.controllers;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class MyController {
@ResponseBody
@Secured("ROLE_ADMIN")
@RequestMapping("/OnlyAdmin")
public String onlyAdmin() {
return "Only ROLE_ADMIN";
}
@ResponseBody
@Secured({"ROLE_ADMIN","ROLE_USER"})
@RequestMapping("/AdminAndUser")
public String adminAndUser() {
return "ROLE_ADMIN and ROLE_USER";
}
}
R
R
e
e
s
s
u
u
l
l
t
t
s
s
http://localhost:8080/OnlyAdmin @Secured("ROLE_ADMIN") => deny USER after Login
http://localhost:8080/endPoint2 @Secured({"ROLE_ADMIN","ROLE_USER"}) => allow USER after Login