Role based Authorization (Admin and Other User) and Permissions in Spring Security with Spring Boot
In this article, we will see how we can achieve Authentication using inMemoryAuthentication and role based Authorization in Spring Security.
We perform Authentication and Authorization with Spring Boot application that we already seen in older articles.
First Refer below articles related Spring Boot CRUD operation with Rest API and Thymeleaf.
For enable security in spring, first we have to add below dependency in pom.xml file.
Step 1 : Add spring-security dependency in pom.xml file
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Step 2 : Create new Java class and extends with WebSecurityConfigurerAdapter
After adding dependency, we can use spring security's class and its method.
Create one class and extends with WebSecurityConfigurerAdapter class. Also add @EnableWebSecurity annotation on top of class.
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { }
Step 3 : Override configure() method for Authentication
Now Override configure() method and pass AuthenticationManagerBuilder class as parameter.
protected void configure(AuthenticationManagerBuilder auth) { }
In this method we use inMemoryAuthentication() for Aunthenticate admin and user.
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password("admin")
.roles("ADMIN")
.and()
.withUser("user")
.password("user")
.roles("USER");
}
We also have to create Bean for PasswordEncoder
Step 4 : Adding Bean for Password Encoder
For learning purpose, we are setting up no password encoder. For real web application we mist have to use hash algorithm for password encoding.
@Bean
public PasswordEncoder getPasswordEncode() {
return NoOpPasswordEncoder.getInstance();
}
Step 5 : Override configure() method for Role based Authorization
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/books/new").hasRole("ADMIN")
.antMatchers("/books/edit/*").hasRole("ADMIN")
.antMatchers("/books/delete/*").hasRole("ADMIN")
.antMatchers("/").hasAnyRole("ADMIN", "USER")
.and()
.formLogin().defaultSuccessUrl("/books", true);
}
The order of the rules matters and the more specific rules should go first. Means we have to use antMatchers path higher to least priority.
Here we are giving all permission to ADMIN role and Reading permission to USER role. After successful login, user redirects to /books URL where all books are displaying that are stored in MySql Database. (Refer old article for Spring BOOT CRUD operation).
Lets see final code for SpringSecurityConfig.java class
package com.example.config;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password("admin")
.roles("ADMIN")
.and()
.withUser("user")
.password("user")
.roles("USER");
}
@Bean
public PasswordEncoder getPasswordEncode() {
return NoOpPasswordEncoder.getInstance();
}
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/books/new").hasRole("ADMIN")
.antMatchers("/books/edit/*").hasRole("ADMIN")
.antMatchers("/books/delete/*").hasRole("ADMIN")
.antMatchers("/").hasAnyRole("ADMIN", "USER")
.and().formLogin().defaultSuccessUrl("/books", true);
}
}
Lets see output :
When we hit "http://localhost:8080/" It redirects to "http://localhost:8080/login" page.
Login with ADMIN role and Add new Book
For logout hit "http://localhost:8080/logout" URL and it will ask for confirmation logout.
Login with USER role and trying to Add, Edit or Delete book
When we try to Add, Edit or Delete Book with USER role Spring Security gives Forbidden error (Error code 403 - unauthorized user) because it is accessible only for ADMIN role as we set Authorization in SpringSecurityConfig.java class.
Happy coding... Happy learning...
Other articles :
Comments
Post a Comment