
Role-based access control in Spring Boot

Introduction

Role-based access control (RBAC) decides who can do what in an application by attaching permissions to roles rather than to individual users: a user is granted one or more roles, and each role carries a set of permissions. Typical situations where it fits:

When only administrators may change application settings.
When users should see only their own data. A role check alone cannot express this; combine it with an ownership check on the object being accessed (for example comparing the record's owner with the authenticated principal).
When different teams need different levels of access to the same system.
When sensitive parts of a website or API must be restricted to a subset of authenticated users.
When permissions should be added or removed by changing a user's roles instead of editing individual access rules.
Syntax
Spring Boot
@PreAuthorize("hasRole('NAME')")
public ReturnType methodName() {
    // method code
}
Use @PreAuthorize on methods of Spring-managed beans to restrict access based on roles; the expression is evaluated before the method body runs.
Spring Security stores roles as granted authorities prefixed with 'ROLE_'. hasRole('NAME') prepends that prefix itself and matches the authority 'ROLE_NAME', so write hasRole('ADMIN'), not hasRole('ROLE_ADMIN'). To compare against an authority string verbatim, use hasAuthority('ROLE_ADMIN') instead.
Examples
This method can only be accessed by users with the ADMIN role.
Spring Boot
@PreAuthorize("hasRole('ADMIN')")
public String adminOnly() {
    return "Admin content";
}
This method allows access to users with either USER or ADMIN roles.
Spring Boot
@PreAuthorize("hasAnyRole('USER', 'ADMIN')")
public String userOrAdmin() {
    return "User or Admin content";
}
This method denies access to users who hold the GUEST role. Note that this is a denylist: anyone without the GUEST role passes, including an anonymous caller (who carries only ROLE_ANONYMOUS) if the URL itself is not protected. Prefer an allowlist such as hasAnyRole('USER', 'ADMIN') whenever possible.
Spring Boot
@PreAuthorize("!hasRole('GUEST')")
public String noGuest() {
    return "Not for guests";
}
Sample Program

This Spring Boot app has three endpoints. The '/admin' endpoint is only for users with the ADMIN role. The '/user' endpoint is for users with the USER or ADMIN role. The '/public' endpoint has no role check, but it is only open to everyone if the security filter chain permits it: with Spring Boot's default security auto-configuration every URL, '/public' included, still requires a login, and the roles have to come from a configured user store. The application needs spring-boot-starter-security on the classpath.

Spring Boot
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// @EnableMethodSecurity turns on @PreAuthorize evaluation; without it the
// annotations below are silently ignored and every caller gets through.
@SpringBootApplication
@EnableMethodSecurity
public class RbacDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(RbacDemoApplication.class, args);
    }
}

// The controller is a Spring bean, so its methods are called through the
// security proxy and the @PreAuthorize checks run before each handler.
@RestController
class DemoController {

    // Requires the granted authority ROLE_ADMIN.
    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    public String adminAccess() {
        return "Welcome Admin!";
    }

    // Requires ROLE_USER or ROLE_ADMIN.
    @GetMapping("/user")
    @PreAuthorize("hasAnyRole('USER', 'ADMIN')")
    public String userAccess() {
        return "Welcome User or Admin!";
    }

    // No method-level check; whether this is reachable without a login
    // depends on the SecurityFilterChain (Boot's default requires authentication).
    @GetMapping("/public")
    public String publicAccess() {
        return "Welcome Everyone!";
    }
}
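The sample program compiles, but it does not say where the ADMIN and USER roles come from, and under Spring Boot's default security auto-configuration '/public' still requires a login. The configuration class below is an added example (not code from the page) that fills that gap: it registers two constructed in-memory users and a SecurityFilterChain that permits '/public' and requires HTTP Basic authentication everywhere else, leaving the role decisions to the @PreAuthorize annotations. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-security on the classpath and that the class lives in the same package as RbacDemoApplication so component scanning picks it up; the class name SecurityConfig and the usernames and passwords are made up for illustration. It also shows the 'ROLE_' prefix from the Syntax section in practice: .roles("ADMIN") stores the authority ROLE_ADMIN, which is exactly what hasRole('ADMIN') looks for.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example configuration; class name and users are assumptions for illustration.
@Configuration
public class SecurityConfig {

    // Delegating encoder: stored hashes are prefixed with the algorithm id (e.g. {bcrypt}),
    // so the hashing scheme can be rotated later without a flag day.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed demo users held in memory. In a real application load users and
    // their roles from your identity store (database, LDAP, OIDC claims, ...).
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-password"))   // demo password, assumption
                .roles("ADMIN")          // granted authority becomes "ROLE_ADMIN"
                .build();
        UserDetails bob = User.withUsername("bob")
                .password(encoder.encode("bob-password"))     // demo password, assumption
                .roles("USER")           // granted authority becomes "ROLE_USER"
                .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    // URL-level rules: /public is open, everything else needs an authenticated caller.
    // Which roles may call /admin and /user is decided by @PreAuthorize on the handlers,
    // so the two layers back each other up (defense in depth).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this in place, `curl -u bob:bob-password http://localhost:8080/admin` is answered with 403 (authenticated, wrong role), `curl -u alice:alice-password http://localhost:8080/admin` with 200, and `curl http://localhost:8080/admin` without credentials with 401. CSRF protection is left at its default; it does not interfere here because the sample only exposes GET handlers, and it should stay enabled once state-changing endpoints are added.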
Important Notes

Make sure method security is enabled with @EnableMethodSecurity on a @Configuration class (the @SpringBootApplication class counts); without it @PreAuthorize annotations are ignored and every caller gets through.

Role names are compared as exact, case-sensitive authority strings. hasRole('ADMIN') matches only the granted authority 'ROLE_ADMIN'; 'ROLE_admin' or a bare 'ADMIN' authority does not match.

@PreAuthorize is enforced by a Spring proxy, so it only applies to calls that enter the bean from outside. A method calling another @PreAuthorize method on the same object (self-invocation) bypasses the check, and a check on a controller method does not protect the URL from a differently mapped handler. Keep URL-level rules in the SecurityFilterChain as a second layer.

An authenticated user who lacks the required role gets an AccessDeniedException, which is returned as HTTP 403 by default. An unauthenticated request is handled by the authentication entry point instead: HTTP 401 with HTTP Basic, or a redirect to the login page when form login is enabled.
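The notes above are easy to get subtly wrong (prefix, case, 401 versus 403), so they are worth pinning down in a test. The MockMvc test below is an added example, not code from the page. It assumes spring-boot-starter-test and spring-security-test on the classpath, the sample DemoController from this page, and a filter chain that permits '/public' and protects every other URL with HTTP Basic only; under Boot's default chain, which also enables form login, the unauthenticated request to '/admin' is redirected (302) to /login instead of answered with 401. The class name RbacAccessTest is made up.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example test; assumes the sample controller and an HTTP Basic only filter chain.
@SpringBootTest
@AutoConfigureMockMvc   // spring-security-test wires the security filters into MockMvc
class RbacAccessTest {

    @Autowired
    MockMvc mvc;

    @Test
    @WithMockUser(roles = "USER")   // granted authority ROLE_USER
    void userIsForbiddenFromAdminButAllowedOnUser() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isForbidden()); // authenticated, wrong role -> 403
        mvc.perform(get("/user")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "ADMIN")  // granted authority ROLE_ADMIN
    void adminReachesBothProtectedEndpoints() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isOk());
        mvc.perform(get("/user")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "admin")  // granted authority ROLE_admin: case matters
    void roleComparisonIsCaseSensitive() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(authorities = "ADMIN")  // bare authority without the ROLE_ prefix
    void hasRoleRequiresThePrefix() throws Exception {
        // hasRole('ADMIN') looks for ROLE_ADMIN, so the unprefixed authority does not satisfy it.
        mvc.perform(get("/admin")).andExpect(status().isForbidden());
    }

    @Test
    void anonymousCallerIsChallengedNotForbidden() throws Exception {
        // No @WithMockUser: the request is unauthenticated. With HTTP Basic the entry
        // point answers 401; only authenticated-but-unauthorized callers get 403.
        mvc.perform(get("/admin")).andExpect(status().isUnauthorized());
        mvc.perform(get("/public")).andExpect(status().isOk());
    }
}
```

Running these as part of the build turns the access matrix into a regression check: a later change that drops @EnableMethodSecurity, renames a role, or loosens the filter chain fails the test instead of silently opening '/admin'.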

Summary

Role-based access control restricts access based on user roles.

Use @PreAuthorize annotations on methods to enforce role checks.

Configure roles carefully: grant the minimum role each user needs, prefer allowlist checks (hasRole, hasAnyRole) over negated ones, and back method-level checks with URL-level rules in the security filter chain.