
How to use Authentication and Authorization in Spring Security | Role based Authorization

Role based Authorization (Admin and Other User) and Permissions in Spring Security with Spring Boot


In this article we will see how to achieve authentication with inMemoryAuthentication() and role based authorization in Spring Security.

We add authentication and authorization to the Spring Boot application that was built in the earlier articles.

First refer to the earlier articles on Spring Boot CRUD operations with a REST API and Thymeleaf.

To enable security in Spring, first add the dependency below to the pom.xml file.

Step 1 : Add the spring-security dependency to the pom.xml file

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Step 2 : Create a new Java class that extends WebSecurityConfigurerAdapter

After adding the dependency, we can use Spring Security's classes and methods.

Create a class that extends WebSecurityConfigurerAdapter and add the @EnableWebSecurity annotation on top of it.

@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { }

Step 3 : Override the configure() method for Authentication

Now override the configure() method that takes AuthenticationManagerBuilder as its parameter.

protected void configure(AuthenticationManagerBuilder auth) { }

In this method we use inMemoryAuthentication() to authenticate the admin and user accounts.

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    auth.inMemoryAuthentication()
        .withUser("admin")
        .password("admin")
        .roles("ADMIN")
        .and()
        .withUser("user")
        .password("user")
        .roles("USER");
}

We also have to create a Bean for PasswordEncoder.

Step 4 : Adding Bean for Password Encoder

For learning purposes we configure no password encoder here. In a real web application we must use a password hashing algorithm for password encoding.

@Bean
public PasswordEncoder getPasswordEncode() {
    return NoOpPasswordEncoder.getInstance();
}

Step 5 : Override the configure() method for Role based Authorization

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/books/new").hasRole("ADMIN")
        .antMatchers("/books/edit/*").hasRole("ADMIN")
        .antMatchers("/books/delete/*").hasRole("ADMIN")
        .antMatchers("/").hasAnyRole("ADMIN", "USER")
        .and()
        .formLogin().defaultSuccessUrl("/books", true);
}

The order of the rules matters: the more specific rules must come first, so the antMatchers paths are listed from highest to lowest priority.

Here we give all permissions to the ADMIN role and read permission only to the USER role. After a successful login the user is redirected to the /books URL, which lists all books stored in the MySQL database (refer to the earlier Spring Boot CRUD article).

Let's see the final code for the SpringSecurityConfig.java class

package com.example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("admin")
            .roles("ADMIN")
            .and()
            .withUser("user")
            .password("user")
            .roles("USER");
    }

    @Bean
    public PasswordEncoder getPasswordEncode() {
        return NoOpPasswordEncoder.getInstance();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/books/new").hasRole("ADMIN")
            .antMatchers("/books/edit/*").hasRole("ADMIN")
            .antMatchers("/books/delete/*").hasRole("ADMIN")
            .antMatchers("/").hasAnyRole("ADMIN", "USER")
            .and().formLogin().defaultSuccessUrl("/books", true);
    }
    
}
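Two things a production version of this class should change: NoOpPasswordEncoder keeps the passwords in clear text, and with authorizeRequests() a request that matches none of the antMatchers rules (for example the /books listing itself, which is not in the list above) is let through without any authorization check. The hardened variant below is an added example, not the code from this article: it hashes the in-memory passwords with BCrypt and ends the rule chain with anyRequest().authenticated(), keeping the more specific ADMIN rules first.

```java
package com.example.config;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt replaces NoOpPasswordEncoder: stored values are salted hashes,
    // so a leaked configuration or user store does not reveal the passwords.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        // Demo credentials are hashed at start-up; a real application would
        // load already-hashed values from its user store instead.
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("admin").password(encoder.encode("admin")).roles("ADMIN")
            .and()
            .withUser("user").password(encoder.encode("user")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Most specific rules first: write operations are ADMIN only.
            .antMatchers("/books/new", "/books/edit/*", "/books/delete/*").hasRole("ADMIN")
            // Read access for both roles, including the /books listing.
            .antMatchers("/", "/books/**").hasAnyRole("ADMIN", "USER")
            // Deny by default: anything not listed above still needs a login.
            .anyRequest().authenticated()
            .and()
            .formLogin().defaultSuccessUrl("/books", true);
    }
}
```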

Let's see the output :

When we hit "http://localhost:8080/", it redirects to the "http://localhost:8080/login" page.

Spring security default login page

Login with the ADMIN role and add a new book

Spring security admin role

Spring security admin role authorization


To log out, hit the "http://localhost:8080/logout" URL; it will ask you to confirm the logout.

Login with the USER role and try to add, edit or delete a book

When we try to add, edit or delete a book with the USER role, Spring Security returns a Forbidden error (HTTP 403: the user is logged in but lacks the required role), because those paths are accessible only to the ADMIN role as set up in the SpringSecurityConfig.java class.


User role authorization in Spring Boot



Happy coding... Happy learning...
