Spring Boot framework · ~30 mins

Securing endpoints by role in Spring Boot - Mini Project: Build & Apply

Securing endpoints by role
📖 Scenario: You are building a simple Spring Boot web application that has two types of users: ADMIN and USER. You want to protect your web endpoints so that only users with the right roles can access certain pages. For example, the /admin page should only be accessible by users with the ADMIN role, while the /user page should be accessible by users with the USER role.
🎯 Goal: Build a Spring Boot security configuration that restricts access to endpoints based on user roles. You will create a simple in-memory user store, define roles, and secure the endpoints accordingly.
📋 What You'll Learn
Create an in-memory user store with two users: one with role ADMIN and one with role USER
Define a security configuration class to secure endpoints
Restrict access to /admin endpoint to only ADMIN role
Restrict access to /user endpoint to only USER role
💡 Why This Matters
🌍 Real World
Securing web application endpoints by user roles is common in real-world apps to protect sensitive pages and data.
💼 Career
Understanding how to configure Spring Security for role-based access control is a key skill for backend Java developers working on secure web applications.
1. Create in-memory users with roles
Create a Spring Security configuration class called SecurityConfig. Inside it, create a userDetailsService bean that defines two users: admin with password adminpass and role ADMIN, and user with password userpass and role USER. Use InMemoryUserDetailsManager and User.withDefaultPasswordEncoder() to create users.
Hint: Use User.withDefaultPasswordEncoder() to create users with roles and passwords, then return an InMemoryUserDetailsManager containing these users.

2. Add HTTP security configuration
In the SecurityConfig class, add a SecurityFilterChain bean method called filterChain that takes HttpSecurity http as a parameter. For now, configure it to allow all requests without authentication by calling http.authorizeHttpRequests().anyRequest().permitAll() and then http.build().
Hint: Use http.authorizeHttpRequests().anyRequest().permitAll() to allow all requests for now, and return http.build() at the end.

3. Restrict access to /admin and /user endpoints by role
Modify the filterChain method to restrict access: allow only users with the ADMIN role to access the /admin endpoint, and only users with the USER role to access the /user endpoint. Use http.authorizeHttpRequests() with the requestMatchers and hasRole methods. Also require authentication for any other request.
Hint: Use requestMatchers("/admin").hasRole("ADMIN") and requestMatchers("/user").hasRole("USER") to restrict access, then require authentication for any other request.

4. Enable form login for authentication
In the filterChain method, add form login support by calling http.formLogin() before returning http.build(). This will enable a simple login page for users to authenticate.
Hint: Add http.formLogin() to enable a default login form for authentication.
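The four steps combined into one class, as an added example rather than code from this course; it assumes Spring Boot 3 with Spring Security 6 and uses the lambda form of authorizeHttpRequests(), which is the current spelling of the chained calls named in the steps.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Step 1: two in-memory users. withDefaultPasswordEncoder() is meant for
    // demos only (it is deprecated): credentials live in source code and the
    // in-memory store is lost on restart.
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails admin = User.withDefaultPasswordEncoder()
                .username("admin")
                .password("adminpass")
                .roles("ADMIN")   // stored as the authority ROLE_ADMIN
                .build();
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("userpass")
                .roles("USER")    // stored as the authority ROLE_USER
                .build();
        return new InMemoryUserDetailsManager(admin, user);
    }

    // Steps 2 to 4: the step-2 permitAll() placeholder is replaced by role
    // rules, a deny-by-default fallback, and the default login form.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") checks for ROLE_ADMIN; do not write the prefix
                .requestMatchers("/admin").hasRole("ADMIN")
                .requestMatchers("/user").hasRole("USER")
                // any other URL needs a logged-in user of either role
                .anyRequest().authenticated())
            // serves the generated login page at /login; CSRF stays enabled
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check of the rules: logging in as admin and requesting /user returns 403, because hasRole("USER") does not treat ADMIN as a superset of USER. If the admin should also see /user, change that line to hasAnyRole("USER", "ADMIN").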