Role-Based Access Control in Spring Security
Roles define the functional responsibilities or permissions granted to users within an application. Unlike authorities, which are granular permissions, roles represent broader categories of functionality.
Setting Roles:
When setting roles, it's important to differentiate between roles and authorities:
authorities() Method: Takes authority names exactly as given, so a role must be supplied with the ROLE_ prefix already attached (for example ROLE_ADMIN). At the implementation level this prefix is the only thing that distinguishes a role from an authority: both are stored as GrantedAuthority objects.
roles() Method: Takes bare role names (for example ADMIN), creates the GrantedAuthority objects and adds the ROLE_ prefix for you.
package com.java4coding;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class ApplicationConfig {

    @Bean
    public UserDetailsService userDetailsService() {
        var inMemoryUserDetailsManager = new InMemoryUserDetailsManager();

        // authorities(): the ROLE_ prefix is written out explicitly.
        // Having the ROLE_ prefix, the GrantedAuthority now represents a role.
        inMemoryUserDetailsManager.createUser(User.withUsername("manu")
                .password("pass")
                .authorities("ROLE_ADMIN")
                .build());

        // roles(): the ROLE_ prefix is added automatically, giving ROLE_MANAGER.
        inMemoryUserDetailsManager.createUser(User.withUsername("advith")
                .password("xyz123")
                .roles("MANAGER")
                .build());
        inMemoryUserDetailsManager.createUser(User.withUsername("aashvith")
                .password("xyz123")
                .roles("MANAGER")
                .build());

        return inMemoryUserDetailsManager;
    }

    // Plain-text passwords: acceptable only for this in-memory demonstration.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}
Methods for Role-Based Access:
hasRole(): This method restricts access based on a specific role assigned to the user.
hasAnyRole(): Grants access if the user possesses any of the specified roles.
access(): Utilizes SpEL to define role-based access control rules, offering flexibility but increasing code complexity.
package com.java4coding;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    // Permit only users having the ADMIN role - using hasRole
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();
        http.authorizeRequests()
                .anyRequest()
                .hasRole("ADMIN"); // matched against the ROLE_ADMIN authority
    }
}
Role Constraint Configuration:
For straightforward role-based authorization, such as granting access based on a single role or any of a predefined set of roles, hasRole() and hasAnyRole() methods provide simplicity and clarity. When more intricate role-based authorization logic is required, such as dynamic role assignments or complex role hierarchies, leveraging the expressive capabilities of access() with SpEL expressions becomes advantageous.
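The three methods side by side in one configure() method, as an added example that is not part of the original tutorial. The URL patterns, the class name and the 10.0.0.0/8 internal network range are assumptions made for illustration; the users come from the ApplicationConfig shown above.

```java
package com.java4coding;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: hypothetical configuration; URL patterns and network range are assumed.
@Configuration
public class RoleMatrixSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();
        http.authorizeRequests()
                // Matchers are evaluated in order and the first match wins, so the most
                // specific paths come first and the catch-all rule comes last.
                .antMatchers("/admin/**").hasRole("ADMIN")                 // needs ROLE_ADMIN
                .antMatchers("/reports/**").hasAnyRole("ADMIN", "MANAGER") // ROLE_ADMIN or ROLE_MANAGER
                // access() with SpEL: admins from anywhere, managers only from the
                // (assumed) internal network. Inside the expression, hasRole() likewise
                // adds the ROLE_ prefix, so the literal is 'MANAGER', not 'ROLE_MANAGER'.
                // hasIpAddress() checks the remote address of the connection; behind a
                // reverse proxy that is the proxy's address unless forwarded headers are
                // configured, so verify what the application actually sees.
                .antMatchers("/approvals/**")
                .access("hasRole('ADMIN') or (hasRole('MANAGER') and hasIpAddress('10.0.0.0/8'))")
                // Everything else: any authenticated user, regardless of role.
                .anyRequest().authenticated();
        // Passing "ROLE_ADMIN" to hasRole()/hasAnyRole() fails at startup with an
        // IllegalArgumentException, because the prefix is inserted automatically.
    }
}
```

With the users from ApplicationConfig, manu reaches every path, advith and aashvith reach /reports/** from anywhere but /approvals/** only from the assumed internal range, and /admin/** returns 403 for both managers.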