Spring Security: Authorization

Author:
In the domain of application security, once a user's identity is verified through authentication, the next critical step is authorization. Authorization determines what an authenticated user is allowed to do within an application, such as accessing specific resources or performing actions.

Spring Security offers a robust and flexible authorization model that can be tailored to meet complex application security requirements. This blog post explores the concept of authorization in Spring Security through practical use cases and examples, illustrating how to effectively apply authorization controls to secure your application.

The Basics of Authorization in Spring Security

Authorization determines whether an authenticated entity has the right to access specific resources or perform operations. It's about granting or denying permissions based on roles or policies.

Authorization in Spring Security is managed through a combination of domain object security, method security, and URL-based security. It uses the concept of "granted authorities" (roles or privileges) assigned to authenticated users to make authorization decisions. The framework provides various ways to configure authorization, allowing developers to implement fine-grained security policies.

Key Components in Authorization

GrantedAuthority: Represents an authority granted to the principal (user).

SecurityContextHolder: Stores details of the current security context, including the authenticated user's details and granted authorities.

Expression-Based Access Control: Allows for complex security rules using expressions.

Method Security Annotations: @PreAuthorize, @PostAuthorize, @Secured, etc., for securing methods.

Spring Security provides different ways to authorize HTTP requests. Let's look into URL-based or request-level security and method-level security.

URL-Based Security for REST Endpoints

One common requirement is restricting access to certain URLs based on the user's roles. Spring Security simplifies this with its configuration-based approach.

This code snippet showcases how to set up URL-based authorization in Spring Security, defining specific access controls based on HTTP methods and user roles. This allows for a secure and granular approach to protecting resources and ensuring that only authorized users can perform certain actions within your application.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        http.csrf(csrf -> csrf.disable())
                .authorizeHttpRequests((authorize) -> {
                    authorize.requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN");
                    authorize.requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN");
                    authorize.requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN");
                    authorize.requestMatchers(HttpMethod.GET, "/api/**").hasAnyRole("ADMIN", "USER");
                    authorize.requestMatchers(HttpMethod.PATCH, "/api/**").hasAnyRole("ADMIN", "USER");
                    authorize.anyRequest().authenticated();
                }).httpBasic(Customizer.withDefaults());

        http.exceptionHandling( exception -> exception
                .authenticationEntryPoint(authenticationEntryPoint));

        http.addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);

        return http.build();
    }
The SecurityFilterChain is responsible for specifying how security should be applied to HTTP requests in a Spring application.

The authorizeHttpRequests() method specifies authorization rules for HTTP requests based on URLs and HTTP methods.

authorize.requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN"): Specifies that only users with the "ADMIN" role are allowed to make POST requests to any URL that matches the /api/** pattern.

Similar rules are set for PUT, DELETE, GET, and PATCH requests. For PUT, DELETE, and PATCH methods, only "ADMIN" users are allowed. For GET requests, both "ADMIN" and "USER" roles are permitted, providing broader access.

authorize.anyRequest().authenticated(): This rule ensures that any request not matching the previous patterns must be authenticated, regardless of the user's role. It is a catch-all rule that secures all other endpoints.

Method-Level Security

You can enable method-level security in your Spring application by annotating any @Configuration class with @EnableMethodSecurity. Then, you can immediately annotate any Spring-managed class or method with @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter to authorize method invocations, including the input parameters and return values.

The code below demonstrates the role-based authorization for RESTful endpoints using Spring Security. 
@RestController
@RequestMapping("/api/")
public class AdminController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public ResponseEntity<String> helloAdmin(){
        return ResponseEntity.ok("Hello Admin");
    }

    @PreAuthorize("hasRole('USER')")
    @GetMapping("/user")
    public ResponseEntity<String> helloUser(){
        return ResponseEntity.ok("Hello User");
    }
}
@PreAuthorize("hasRole('ADMIN')"): This is applied to the helloAdmin() method. It specifies that this endpoint can only be accessed by users with the 'ADMIN' role.

@GetMapping("/admin"): This maps HTTP GET requests to /api/admin to the helloAdmin() method. When accessed, it returns a response with "Hello Admin".

@PreAuthorize("hasRole('USER')"): This annotation on the helloUser() method restricts access to users with the 'USER' role. Spring Security enforces this role check before allowing access to the method.

@GetMapping("/user"): Maps HTTP GET requests to /api/user to the helloUser() method. Authorized users with the 'USER' role will receive a "Hello User" response.

Conclusion

By understanding and leveraging the various authorization mechanisms available in Spring Security, developers can ensure that their applications are secure and maintain a fine balance between accessibility and control. Whether securing web URLs or applying fine-grained access control on service methods, Spring Security protects sensitive resources and functionalities in your applications.

Related Spring Security Tutorials/Guides:

Core Components of Spring Security Spring Security: Authentication Spring Security: Authorization Spring Security: Principal Spring Security: Granted Authority Spring Security: SecurityContextHolder Spring Security: UserDetailsService Spring Security: Authentication Manager Spring Security: Authentication Provider Spring Security: Password Encoder AuthenticationEntryPoint in Spring Security @PreAuthorize Annotation in Spring Security Spring Security Basic Authentication Spring Security In-Memory Authentication Spring Security Form-Based Authentication Difference Between Basic Authentication and Form Based Authentication Spring Security Custom Login Page Spring Security Login Form Example with Database Authentication Spring Boot Login REST API Login and Registration REST API using Spring Boot, Spring Security, Hibernate, and MySQL Database Spring Boot + Spring Security + Angular Example Tutorial Spring Boot + Angular Login Authentication, Logout, and HttpInterceptor Example Spring Security In-Memory Authentication Example Spring Security Hibernate Database Authentication - UserDetailsService Securing a Spring MVC Application with Spring Security Spring Boot Security Login REST API Example Spring Boot Security Login and Registration REST API Role-based Authorization using Spring Boot and Spring Security Spring Boot Security JWT Token-Based Authentication and Role-Based Authorization Tutorial Spring Boot + Spring Security + JWT + MySQL Database Tutorial Spring Boot JWT Authentication and Authorization Example Spring Boot Security JWT Example - Login REST API with JWT Authentication Spring Boot Security JWT Token-Based Authentication and Role-Based Authorization Tutorial Spring Security - Get Current Logged-In User Details Spring Security - How to Get Current Logged-In Username in JSP Spring Security - How to Access User Roles in JSP Spring Security - How to Get Current Logged-In Username in Themeleaf Spring Security Tutorial - Registration, Login, and Logout Spring Boot 2 + Spring MVC + Role-Based Spring Security + JPA + Thymeleaf + MySQL Tutorial User Registration Module using Spring Boot 2 + Spring MVC + Spring Security + Hibernate 5 + Thymeleaf + MySQL Registration and Login using Spring Boot, Spring Security, Spring Data JPA, Hibernate, H2, JSP, and Bootstrap Spring Boot User Registration and Login Example Tutorial

Comments

Post a Comment

Leave Comment