Spring Security — Access Control

Seyed Sahil
4 min read · Apr 28, 2020

Hello there and welcome back. This article continues Spring Security — Implementing Basic Authentication. In this final part we will look at authentication management and role-based access control with Spring Security.

About Authentication Manager

To reach a protected resource the client must first authenticate, and the AuthenticationManager is the component responsible for that. It receives an Authentication request (for basic authentication, the username and password taken from the Authorization header), checks the credentials against a user store and either returns a fully populated Authentication or throws an AuthenticationException. The user store can be supplied in several ways, such as in-memory authentication, JDBC-based authentication, LDAP or a custom UserDetailsService. Here we will use in-memory authentication.

About Roles

A role is an access privilege assigned to a user registered in a system and used for access control. Roles can be used to restrict which users may reach a given endpoint.

Consider a WhatsApp group in which only admins may post. A common group member can only read messages from the group, while a group admin can both post and read. Say there are two endpoints, ‘/read’ to read messages and ‘/send’ to send messages. A common group member can access only ‘/read’, even though they are authenticated, whereas a group admin can access both. This is how roles are used.

Note: Here in our demonstration, we will see how the roles can be used with the help of the endpoints discussed in the previous article.

About In-Memory Authentication

To configure in-memory authentication in Spring, we have to do the following

  1. In our SecurityConfiguration class (which extends WebSecurityConfigurerAdapter), override the configure(AuthenticationManagerBuilder) method.
  2. Add in-memory authentication to the AuthenticationManagerBuilder instance by calling its inMemoryAuthentication() method.
  3. inMemoryAuthentication() returns a configurer on which the users are declared: withUser() adds a user, password() sets the stored credential, roles() assigns the roles, and and() returns to the configurer so that further users can be chained.
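The three steps above put together, as an added example rather than the article's own listing. It assumes Spring Security 5.x with the WebSecurityConfigurerAdapter style used at the time of writing (Spring Security 5.7 and later prefer a SecurityFilterChain bean instead); the usernames and passwords are made up for the demonstration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Spring Security 5's default encoder: a DelegatingPasswordEncoder that picks
    // the hashing algorithm from the "{id}" prefix stored with each password.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Step 1: override configure(AuthenticationManagerBuilder).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            // Step 2: use the in-memory user store.
            .inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            // Step 3: declare the users on the returned configurer.
            // Usernames and passwords here are assumed sample values.
            .withUser("admin")
                .password("{noop}admin123")  // {noop}: stored as plain text, demo only
                .roles("ADMIN")              // stored as the authority ROLE_ADMIN
            .and()
            .withUser("user")
                .password("{noop}user123")
                .roles("USER");              // stored as the authority ROLE_USER
    }
}
```

Because no configure(HttpSecurity) is overridden here, Spring Security's default rules apply: every request requires an authenticated user, and both basic and form login are offered. The next section adds the per-URL role checks.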

About the Code

Here we create two users with distinct roles. The first user has the ‘ADMIN’ role and the second has the ‘USER’ role. Note that roles("ADMIN") stores the authority as ROLE_ADMIN: Spring adds the ROLE_ prefix when the user is defined and strips it again when hasRole('ADMIN') is evaluated, so the two must be used together. With that, we have configured the authentication manager to use in-memory authentication and added two users.

Note: We are going to configure the authentication manager in such a way that admin users can view all the activities present in the system and general users can access only activities specific to them.

Access Control Implementation

Before we begin, take a look at the configuration code.

About the Code

A URL matching a given pattern must be accessible only to users holding one or more given roles.

  1. Calling antMatchers() registers one or more Ant-style patterns (a matcher compares a predefined Ant-style pattern such as /activities/** against the request URL) and returns an object on which the access rule for those patterns is set. Rules are evaluated in the order they are declared and the first matching rule wins, so more specific patterns must be listed before broader ones.
  2. A call to access() enables URL-based authorization by evaluating the given Spring Expression Language (SpEL) expression. At line 13 of the configuration listing we state that the URLs matching the given Ant pattern are accessible only to users having the role ‘ADMIN’ or ‘USER’, which is written as access("hasAnyRole('ADMIN','USER')"). These calls can be chained, letting us customize the rules for different patterns and roles; the shortcuts hasRole() and hasAnyRole() express the same rules without a SpEL string.
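The URL rules from the two points above in working form, as an added example that is not the article's listing. It uses the ‘/read’ and ‘/send’ endpoints from the WhatsApp analogy as assumed paths, repeats the two in-memory users so the class runs on its own, and shows both the access() SpEL form and the equivalent hasRole() shortcut.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Same two in-memory users as before (assumed sample credentials).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}admin123").roles("ADMIN")
            .and()
            .withUser("user").password("{noop}user123").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are checked top to bottom; the first pattern that matches
                // decides, so the admin-only rule must come before the broader one.
                // SpEL form: only ROLE_ADMIN may post.
                .antMatchers("/send").access("hasRole('ADMIN')")
                // Both roles may read (hasAnyRole adds the ROLE_ prefix itself).
                .antMatchers("/read").access("hasAnyRole('ADMIN','USER')")
                // Shortcut form equivalent to access("hasRole('ADMIN')"):
                // an assumed admin-only listing of every activity in the system.
                .antMatchers("/activities/all").hasRole("ADMIN")
                // Any other URL still needs a logged-in user; never leave this out,
                // or unmatched endpoints become reachable without authentication.
                .anyRequest().authenticated()
            .and()
            // Credentials arrive in the HTTP Basic Authorization header.
            .httpBasic();
    }
}
```

With this configuration a request without credentials gets 401 Unauthorized with a WWW-Authenticate header, a request from ‘user’ to ‘/send’ gets 403 Forbidden, and a request from ‘admin’ to either endpoint is allowed through to the controller.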

About Authentication and Authorization

Authentication means confirming who you are. Your identity is verified with the given credentials, here a username and password, and only then are you let into the system.

Authorization means deciding which resources you may access in a system you have already authenticated to.

Taking our WhatsApp group example, a group admin is authorized to post messages to the group, change group policies, and so on. A non-admin group member is authenticated just the same, but is not authorized to do these tasks.

The tutorial on Basic Authentication is now complete 🙂

Download the Source Code

Okay. Since we have completed the introduction to Spring Security, it is time to take a look at the sample source code. I have created a sample project based on the above demonstration. Please download the source code from GitHub. The project file ‘pom.xml’ is in the ‘demo’ folder, and you have to import the project based on it.

Note: I have configured the project to work with SQL Server. Update your application.properties file with the right data-source parameters for the database you are using. Once that is done, execute ‘dbscript.sql’ to populate the data.

Questions and Answers

Q: Why are we prefixing a password with ‘{noop}’?

Since Spring Security 5, the default PasswordEncoder is a DelegatingPasswordEncoder: every stored password carries an ‘{id}’ prefix naming the algorithm it was hashed with, and the encoder picks the matching implementation from that prefix. By prefixing the plain-text value with ‘{noop}’ we tell Spring to use NoOpPasswordEncoder, which compares the submitted password directly against the stored text (passwords are never “decoded”; encoders only hash and compare). Leaving the prefix off makes authentication fail with an error that no encoder is mapped for the id "null". ‘{noop}’ is fine for an in-memory demo, but in a real application store a hash such as ‘{bcrypt}…’ produced by the encoder instead.
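The prefix mechanism in action, as an added stand-alone program rather than code from the article. It uses Spring Security's PasswordEncoderFactories and a made-up sample password to show that ‘{noop}’ matches plain text, that encode() produces a ‘{bcrypt}’ value which still matches, and that a stored value without any prefix cannot be matched at all.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    // The same DelegatingPasswordEncoder Spring Security 5 uses when none is configured.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    public static void main(String[] args) {
        String raw = "admin123"; // constructed sample password

        // {noop}: the stored value is the plain-text password; matches() compares directly.
        System.out.println("noop, correct password: " + ENCODER.matches(raw, "{noop}admin123"));
        System.out.println("noop, wrong password:   " + ENCODER.matches("wrong", "{noop}admin123"));

        // encode() hashes with bcrypt (the factory's default id) and tags the result,
        // producing a value of the form {bcrypt}$2a$10$... that can be stored instead.
        String stored = ENCODER.encode(raw);
        System.out.println("encoded value:          " + stored);
        System.out.println("bcrypt, correct password: " + ENCODER.matches(raw, stored));

        // A stored value with no {id} prefix has no encoder to delegate to, so the
        // delegating encoder rejects it with IllegalArgumentException rather than
        // silently comparing plain text.
        try {
            ENCODER.matches(raw, "admin123");
        } catch (IllegalArgumentException e) {
            System.out.println("missing prefix: " + e.getMessage());
        }
    }
}
```

Run it with spring-security-crypto on the classpath. The bcrypt output differs on every run because a fresh salt is generated, yet matches() still succeeds, which is exactly why a hashed value is safe to keep in configuration where a ‘{noop}’ one is not.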

Q: What will happen if user with role USER tries to access an endpoint which is only accessible for ADMIN users?

The server responds with 403 Forbidden: the user was authenticated successfully, but the access rule for that URL does not grant their role. This is different from 401 Unauthorized, which is returned (with a WWW-Authenticate header) when no valid credentials are supplied at all. The screenshot in the original post shows the 403 response code from the server in this scenario.

Now with the last question, we have completed series. Got some questions? Post it as a comment 🙂

Thank you for reading.

Seyed Sahil

Originally published at http://sydlabz.wordpress.com on April 28, 2020.


Seyed Sahil

Coding Since 2011, Software Engineer, Game Developer, Artist, Photographer. Passionate about Security and Web Technologies. Favourites — C, Java, Javascript.