How to Use @Secured Annotation in Spring Boot for Role-Based Security
In Spring Boot, use the @Secured annotation on methods to restrict access based on user roles. Enable method security with @EnableMethodSecurity(securedEnabled = true) in your configuration (securedEnabled defaults to false, so a bare @EnableMethodSecurity leaves @Secured inactive), then list the allowed roles inside @Secured as strings, for example @Secured({"ROLE_ADMIN"}).
Syntax
The @Secured annotation is placed on methods or classes of a Spring-managed bean to specify which roles can access them. It takes an array of authority names as strings and grants access if the caller holds any one of them. The strings are compared literally against the caller's granted authorities, so a role must be written with the ROLE_ prefix that Spring's role helpers attach: User.withUsername(...).roles("ADMIN") grants the authority "ROLE_ADMIN", and that exact string is what @Secured must name.
- @Secured: the annotation that secures a method, or every public method of a class when placed on the class.
- roles: array of allowed authorities as strings, e.g. {"ROLE_USER", "ROLE_ADMIN"}; holding any one of them is sufficient.
- @EnableMethodSecurity(securedEnabled = true): enables method-level security and turns on @Secured processing; securedEnabled defaults to false.
```java
// SecurityConfig.java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity(securedEnabled = true) // securedEnabled is false by default
public class SecurityConfig {
    // Security configuration here
}

// SomeService.java
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Service;

@Service // must be a Spring bean; the check lives in the proxy Spring wraps around it
public class SomeService {
    @Secured({"ROLE_ADMIN"}) // caller must hold the authority "ROLE_ADMIN"
    public void adminOnlyMethod() {
        // code only accessible by admins
    }
}
```
Example
This example shows a Spring Boot service with a method restricted to users holding ROLE_ADMIN. The security configuration enables method security with securedEnabled = true; authentication itself (where the users and their roles come from) is left to the rest of the Spring Security configuration.
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

@Configuration
@EnableMethodSecurity(securedEnabled = true) // without securedEnabled = true, @Secured is ignored
class SecurityConfig {
    // Additional security config (users, filter chain) if needed
}

@Service
class AdminService {
    @Secured({"ROLE_ADMIN"}) // compared literally against the caller's granted authorities
    public String adminTask() {
        return "Admin task executed";
    }
}
```
Output
If a caller holding ROLE_ADMIN invokes adminTask(), it returns "Admin task executed". A caller with any other set of authorities gets an AccessDeniedException before the method body runs; when the call arrives through a web request, Spring Security's ExceptionTranslationFilter turns that into an HTTP 403 for an authenticated user. If there is no Authentication in the SecurityContext at all (for example a direct call from a test without a mocked user), the method security interceptor throws AuthenticationCredentialsNotFoundException instead.
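The example above leaves out where the roles come from. The following is an added, complete wiring (not code from the original page): the same AdminService, a SecurityFilterChain with HTTP Basic, two constructed demo accounts in an InMemoryUserDetailsManager, and a REST endpoint that reaches the secured method through the proxy. The package name, user names, passwords and the /admin/task path are assumptions made for the demo.

```java
package com.example.demo; // assumed package

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

@Configuration
@EnableMethodSecurity(securedEnabled = true) // securedEnabled defaults to false
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Every request must be authenticated; the role check itself happens
        // in the method interceptor, not here.
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService users() {
        // Constructed demo accounts (hypothetical). roles("ADMIN") stores the
        // authority "ROLE_ADMIN", the exact string @Secured compares against.
        // {noop} marks a plaintext password: acceptable for a demo only.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("ADMIN").build(),
            User.withUsername("bob").password("{noop}bob-pw").roles("USER").build());
    }
}

@Service
class AdminService {
    @Secured("ROLE_ADMIN")
    public String adminTask() {
        return "Admin task executed";
    }
}

@RestController
class AdminController {
    private final AdminService adminService; // injected proxy, so the check applies

    AdminController(AdminService adminService) {
        this.adminService = adminService;
    }

    @GetMapping("/admin/task")
    String task() {
        return adminService.adminTask();
    }
}
```

With the application running on the default port, `curl -u alice:alice-pw http://localhost:8080/admin/task` returns "Admin task executed", `curl -u bob:bob-pw http://localhost:8080/admin/task` gets a 403 because the AccessDeniedException raised by the interceptor is translated by the filter chain, and a request with no credentials gets a 401 from the filter chain before the method is ever reached.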
Common Pitfalls
- Not enabling @Secured processing: a missing @EnableMethodSecurity, or one without securedEnabled = true, causes @Secured to be silently ignored, so the annotated method runs for every caller.
- Forgetting the ROLE_ prefix: @Secured("ADMIN") is compared literally against authorities such as "ROLE_ADMIN" (what roles("ADMIN") produces), so it never matches and every caller is denied.
- Using @Secured on private methods does not work, and neither does a call from one method of a bean to another @Secured method of the same bean: Spring performs the check in a proxy wrapped around the bean, which sees only public methods invoked from outside. A self-invocation goes through this rather than the proxy and bypasses the check entirely.
- Mixing @Secured with @PreAuthorize without understanding the difference causes confusion: @Secured accepts literal authority strings only, while @PreAuthorize evaluates a SpEL expression such as hasRole('ADMIN'), where hasRole adds the ROLE_ prefix itself.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

/* Wrong: in an application with no @EnableMethodSecurity(securedEnabled = true),
   task() runs for any caller; the annotation is never processed. */
@Service
class WrongService {
    @Secured({"ROLE_ADMIN"})
    public void task() {}
}

/* Right: enable method security with securedEnabled = true */
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class CorrectConfig {}

@Service
class CorrectService {
    @Secured({"ROLE_ADMIN"})
    public void task() {}
}
```
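The pitfalls above are easy to verify in a Spring Boot test. This added test (not part of the original page) uses spring-security-test's @WithMockUser to show the allowed case, denial for another role, denial for an authority missing the ROLE_ prefix, the exception raised when no Authentication is present, and the self-invocation bypass. It assumes the application's configuration already carries @EnableMethodSecurity(securedEnabled = true), that the spring-boot-starter-test and spring-security-test dependencies are on the test classpath, and the package name; SelfCallingService is a hypothetical bean defined here for the demo.

```java
package com.example.demo; // assumed package, same as the application class

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Import;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

/** Hypothetical bean under test, registered via @Import below. */
class SelfCallingService {

    @Secured("ROLE_ADMIN")
    public String adminTask() {
        return "Admin task executed";
    }

    // No @Secured here. Calls adminTask() through 'this', not through the proxy.
    public String adminTaskViaSelfCall() {
        return adminTask();
    }
}

@SpringBootTest
@Import(SelfCallingService.class)
class SecuredEnforcementTest {

    @Autowired
    SelfCallingService service; // the injected bean is the security proxy

    @Test
    @WithMockUser(roles = "ADMIN") // grants the authority "ROLE_ADMIN"
    void adminRoleIsAllowed() {
        assertEquals("Admin task executed", service.adminTask());
    }

    @Test
    @WithMockUser(roles = "USER") // grants "ROLE_USER" only
    void otherRoleIsDenied() {
        assertThrows(AccessDeniedException.class, () -> service.adminTask());
    }

    @Test
    @WithMockUser(authorities = "ADMIN") // literal authority without the ROLE_ prefix
    void missingPrefixIsDenied() {
        assertThrows(AccessDeniedException.class, () -> service.adminTask());
    }

    @Test
    void noAuthenticationIsRejected() {
        // Empty SecurityContext: the interceptor refuses before evaluating roles.
        assertThrows(AuthenticationCredentialsNotFoundException.class, () -> service.adminTask());
    }

    @Test
    @WithMockUser(roles = "USER")
    void selfInvocationBypassesTheCheck() {
        // The proxy intercepts only the external call to adminTaskViaSelfCall(),
        // which carries no @Secured; the inner adminTask() call is never checked.
        assertEquals("Admin task executed", service.adminTaskViaSelfCall());
    }
}
```

The last test is the one worth keeping in a real code base: it fails the moment someone moves the @Secured check to a public entry point that is also reached internally, which is the usual way this control is silently lost.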
Quick Reference
| Concept | Description | Example |
|---|---|---|
| @Secured | Restricts method access by roles | @Secured({"ROLE_USER", "ROLE_ADMIN"}) |
| @EnableMethodSecurity(securedEnabled = true) | Enables method-level security; securedEnabled = true is required for @Secured | @EnableMethodSecurity(securedEnabled = true) on a @Configuration class |
| Role Prefix | Strings are matched literally against granted authorities; roles("X") yields "ROLE_X" | "ROLE_ADMIN" |
| Method Visibility | Methods must be public and called from outside the bean for the proxy to intercept them | public void method() |
| Access Denied | Thrown if user lacks required role | AccessDeniedException |
Key Takeaways
Always enable method security with @EnableMethodSecurity(securedEnabled = true); without securedEnabled = true, @Secured annotations are ignored.
Use @Secured on public methods and specify roles with the 'ROLE_' prefix.
Access is denied if the user does not have any of the specified roles in @Secured.
Configure authentication (a UserDetailsService or another AuthenticationProvider) so that users actually carry the ROLE_-prefixed authorities; @Secured only checks what is already in the SecurityContext.
Understand that @Secured is simple role-based access control and differs from more flexible annotations like @PreAuthorize.