Write and Publish a Tutorial!
Do you have good notes or papers written by you and seeking for a
platform to publish? We provide the platform to publish your tutorials
in your name. If you wish to publish your tutorial in your name to
help the readers, Please contact us by sending an email to
publish@tools4testing.com or publish@java4coding.com The main way that
others learn about your work is through your published tutorials. If
you don’t publish, it will be as if you never did the work. Your notes
can help the readers only when you share it.
Authority-Based Access Control in Spring Security
Authorization, a crucial aspect of security, determines whether an authenticated user has permission to access a particular resource within an application. In the context of Spring Security, authorization occurs after successful authentication, where the system evaluates the user's credentials and validates their identity.
Upon authentication, the application delegates the request to an authorization filter. This filter, often referred to as the access control mechanism, examines the user's details stored in the security context, which is established during the authentication process. Based on configured authorization rules, the filter either grants or denies access to the requested resource.
Methods for Configuring Access:
hasAuthority(): This method restricts access to users possessing a specific authority. Authorities typically represent permissions or privileges within the application.
hasAnyAuthority(): Unlike hasAuthority(), this method allows access if the user holds at least one of the specified authorities. It provides flexibility in defining access control rules.
access(): This method offers extensive customization options using Spring Expression Language (SpEL). While powerful, it complicates code readability and should be reserved for cases where more complex authorization rules are required.
For straightforward authorization scenarios, such as granting access based on a single authority or any of a predefined set of authorities, hasAuthority() and hasAnyAuthority() methods offer simplicity and clarity. However, in situations demanding more nuanced access control logic, leveraging the expressive capabilities of access() becomes beneficial.
package com.java4coding;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@Configuration
public class ApplicationConfig {
@Bean
public UserDetailsService userDetailsService() {
var inMemoryUserDetailsManager = new InMemoryUserDetailsManager();
inMemoryUserDetailsManager.createUser(User.withUsername("manu")
.password("pass")
.authorities("WRITE")
.build());
inMemoryUserDetailsManager.createUser(User.withUsername("advith")
.password("xyz123")
.authorities("READ")
.build());
inMemoryUserDetailsManager.createUser(User.withUsername("aashvith")
.password("xyz123")
.authorities("READ")
.build());
return inMemoryUserDetailsManager;
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
} |
package com.java4coding;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
// Permit for only users having Write access - using hasAuthority
protected void configure(HttpSecurity http)
throws Exception {
http.httpBasic();
http.authorizeRequests()
.anyRequest()
.hasAuthority("WRITE");
}
/*
// Permit for only users having Write access - using access
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic();
http.authorizeRequests()
.anyRequest()
.access("hasAuthority('WRITE')");
}
*/
/*
// Permit for users having any authority from Write and Read - using hasAnyAuthority
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic();
http.authorizeRequests()
.anyRequest()
.hasAnyAuthority("WRITE", "READ");
}
*/
/*
// Permit for users having read authority and don't have authority to delete - using access
@Override
protected void configure(HttpSecurity http)
throws Exception {
http.httpBasic();
String expression = "hasAuthority('read') and !hasAuthority('delete')";
http.authorizeRequests()
.anyRequest()
.access(expression);
}
*/
/*
// Permit all requests
@Override
protected void configure(HttpSecurity http)
throws Exception {
http.httpBasic();
http.authorizeRequests().anyRequest().permitAll();
}
*/
/*
//Restricting access to all endpoints
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic();
http.authorizeRequests()
.anyRequest().denyAll();
}
*/
} |
