We will build on the code from the previous post in this blog series.
Roles :
- / – permitted for all
- /profile – permitted for any logged-in user; no role required
- /user – permitted for logged in user with role USER
- /admin – permitted for logged in user with role ADMIN
- /useroradmin – permitted for a logged-in user with role ADMIN or role USER
Permissions :
- /listTeam – Should have USER role and TEAM_LEAD permission
- /listEmp – Should have ADMIN role and MANAGER permission
App.java
package com.springSecurity; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.ApplicationContext; @SpringBootApplication (exclude = {org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration.class}) public class App { public static void main(String[] args) { ApplicationContext applicationContext = SpringApplication.run(App.class, args); } }
SecurityConfig.java
package com.springSecurity;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
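@Configuration
@EnableWebSecurity
// Security is on by default. Setting myproject.security.enabled=false skips this class
// entirely, and since App.java also excludes Spring Boot's SecurityAutoConfiguration,
// that leaves the application with no security filter chain at all - only flip the
// flag for local experiments.
@ConditionalOnProperty (name = "myproject.security.enabled", havingValue = "true", matchIfMissing = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the demo users in memory (fixed passwords; suitable for this demo only).
     * <p>
     * {@code roles()} and {@code authorities()} both replace the user's whole authority
     * list, so whichever is called last wins. The original
     * {@code .roles("USER").authorities("TEAM_LEAD")} therefore dropped {@code ROLE_USER},
     * leaving user2 unable to reach {@code /user/**} (and admin2 without {@code ROLE_ADMIN}).
     * Users that need a role and a permission are given both as explicit authorities,
     * using the {@code ROLE_} prefix that {@code hasRole(...)} checks for.
     *
     * @param auth the builder the in-memory users are registered on
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth
            .inMemoryAuthentication()
            .withUser("admin1").password(encoder.encode("admin")).roles("ADMIN").and()
            .withUser("admin2").password(encoder.encode("admin")).authorities("ROLE_ADMIN", "MANAGER").and()
            .withUser("user1").password(encoder.encode("user")).roles("USER").and()
            .withUser("user2").password(encoder.encode("user")).authorities("ROLE_USER", "TEAM_LEAD");
    }

    /**
     * URL authorization rules. Matchers are evaluated top to bottom and the first match
     * wins, so the catch-all {@code denyAll()} must stay last.
     * <p>
     * {@code /listTeam} and {@code /listEmp} are not under {@code /user/**} or
     * {@code /admin/**}, so a bare {@code hasAuthority(...)} check never looked at the
     * role. The {@code access} expressions require both the role and the permission,
     * which is the behaviour described in the "Permissions" list for this example.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/").permitAll()                       // no authentication, no authorization
            .antMatchers("/profile").authenticated()            // any authenticated user, no role check
            .antMatchers("/user/**").hasRole("USER")            // authentication + role USER
            .antMatchers("/admin/**").hasRole("ADMIN")          // authentication + role ADMIN
            .antMatchers("/useroradmin").hasAnyRole("ADMIN", "USER") // either role
            // permissions: the role AND the authority must both be present
            .antMatchers("/listTeam").access("hasRole('USER') and hasAuthority('TEAM_LEAD')")
            .antMatchers("/listEmp").access("hasRole('ADMIN') and hasAuthority('MANAGER')")
            .antMatchers("/**").denyAll()                       // default-deny anything not listed above
            .and()
            .httpBasic();
        http
            .sessionManagement()
            // No HTTP session is created; credentials must accompany every request.
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    /**
     * Password hashing used both when registering the in-memory users and when
     * verifying HTTP Basic credentials.
     *
     * @return a BCrypt encoder (never a plaintext/no-op encoder)
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}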
Controller.java
package com.springSecurity;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.security.RolesAllowed;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
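@RestController
public class Controller {
    // Access control for every endpoint below lives in SecurityConfig's URL rules;
    // there is no method-level security here (the javax.annotation.security.RolesAllowed
    // import is unused).

    /**
     * Public landing page, reachable without authentication or authorization.
     *
     * @return a welcome message
     */
    @GetMapping("/")
    public String getWelcomePage() {
        return "Hello....welcome to our website";
    }

    /**
     * Any authenticated user; no role required.
     *
     * @return the profile page message
     */
    @GetMapping("/profile")
    public String getProfile() {
        return "Welcome to profile page";
    }

    /**
     * Authenticated users holding role USER.
     *
     * @return a greeting for the USER role
     */
    @GetMapping("/user")
    public String getUser() {
        return "Hello User Role";
    }

    /**
     * Authenticated users holding role ADMIN.
     *
     * @return a greeting for the ADMIN role
     */
    @GetMapping("/admin")
    public String getAdmin() {
        return "Hello Admin Role";
    }

    /**
     * Authenticated users holding either role USER or role ADMIN.
     *
     * @return a greeting for either role
     */
    @GetMapping("/useroradmin")
    public String getUserOrAdmin() {
        return "Hello User or Admin Role";
    }

    /**
     * Team listing; intended for the USER role with the TEAM_LEAD permission
     * (see the {@code /listTeam} rule in SecurityConfig).
     *
     * @return the team members
     */
    @GetMapping("/listTeam")
    public List<String> listTeam() {
        // Typed list instead of the raw ArrayList the original used; the response
        // strings are unchanged.
        List<String> members = new ArrayList<>();
        members.add("Team Memeber 1");
        members.add("Team Memeber 2");
        members.add("Team Memeber 3");
        return members;
    }

    /**
     * Employee listing; intended for the ADMIN role with the MANAGER permission
     * (see the {@code /listEmp} rule in SecurityConfig).
     *
     * @return the team members followed by the team leads
     */
    @GetMapping("/listEmp")
    public List<String> listEmp() {
        List<String> employees = new ArrayList<>();
        employees.add("Team Memeber 1");
        employees.add("Team Memeber 2");
        employees.add("Team Memeber 3");
        employees.add("Team Lead 1");
        employees.add("Team Lead 2");
        return employees;
    }
}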
The Base64-encoded username:password pair, i.e. admin1:admin, is YWRtaW4xOmFkbWlu.
Making the API call :