Open in app

Sign in

Write

Sign in

Autorization : Simple ways

Manish Dixit
4 min readMay 16, 2024

--

To safeguard critical data and capabilities in a Spring Boot application, appropriate permission techniques are necessary. Here we will discuss several methods for authorising your Spring Boot APIs. These are basic and easy to adapt methods which one can implement for start but there are other ways too to do it. But lets start with basics first

Spring Security

With its robust framework, Spring Security offers complete security services for Java applications. It offers several choices for API authorization and connects with Spring Boot in a smooth manner. Lets see one example of role based authorization

Example: Role-Based Authorization
Let’s consider a scenario where we have an API endpoint/api/secure that should only be accessible to users with the role “ADMIN”. We can simply leverage “WebSecurityConfigurerAdapter”. Here’s how you can configure role-based authorization using Spring Security:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/secure").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
    
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("admin").password(passwordEncoder().encode("adminPass")).roles("ADMIN")
                .and()
                .withUser("user").password(passwordEncoder().encode("userPass")).roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Here, we’ve configured Spring Security to restrict access to /api/secure to users with the role “ADMIN”. We've also defined two users (admin and user) with their respective roles and passwords.

OAuth 2.0

OAuth 2.0 is a popular authorization mechanism that allows for secure access to resources without requiring users to share credentials. Strong OAuth 2.0 support is offered by Spring Security, enabling you to interface with a range of OAuth providers.

This is a general mechanism which can we implemented with any tech stack you prefer. So in short, not specific to Spring.

Example: OAuth 2.0 with Spring Security

Let’s consider integrating with an OAuth 2.0 provider like Google. Here’s a simplified example of how you can configure OAuth 2.0 authentication in a Spring Boot application:

@EnableWebSecurity
public class OAuth2Config extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .and()
            .oauth2Login();
    }
}

Here, We leveraged “WebSecurityConfigurerAdapter” and override configure method of that class in our own class OAuth2Config. We’ve configured Spring Security to require authentication for all API endpoints under /api. When a user accesses these endpoints, they'll be redirected to the OAuth 2.0 provider (e.g., Google) for authentication.

Note: for those get confused in OAuth is authorization or Authentication here is quick help Link

There are few extra things one might wanna do while exploring authorization which comes handy in time of need. So here is the bonus part

Method-Level Authorization with Annotations

Spring Security supports method-level authorization through annotations, allowing you to secure individual methods based on user roles or permissions.

Example: Securing API Methods with Annotations

Consider a scenario where certain API methods require specific roles for access. Here’s how you can annotate your methods to enforce authorization:

@RestController
public class ApiController {

    @GetMapping("/api/public")
    public String publicEndpoint() {
        return "This is a public endpoint accessible to all users.";
    }

    @Secured("ROLE_USER")
    @GetMapping("/api/user")
    public String userEndpoint() {
        return "This endpoint is accessible to users with the ROLE_USER role.";
    }

    @Secured("ROLE_ADMIN")
    @GetMapping("/api/admin")
    public String adminEndpoint() {
        return "This endpoint is accessible to users with the ROLE_ADMIN role.";
    }
}

In this example, we’ve annotated our API methods with @Secured annotations, specifying the required roles for access. Spring Security will automatically handle authorization based on these annotations.

Interceptor-Based Authorization

This is one of my favourite technique. Interceptors provide a flexible way to intercept and process requests before they reach the controller methods. You can implement custom interceptors to enforce authorization logic.

Example: Implementing an Authorization Interceptor

Let’s create an interceptor to verify the presence of a JWT token in the request headers and ensure that it contains the necessary claims for authorization:

@Component
public class AuthorizationInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Check JWT token in request headers
        String token = request.getHeader("Authorization");
        if (token == null || !token.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
            return false;
        }
        
        // Validate JWT token and extract claims
        // Implement your JWT validation logic here
        
        // Check for required claims (e.g., roles)
        // Implement your authorization logic here
        
        return true; // Proceed to controller method
    }
}

You can then register this interceptor to apply authorization logic to specific API endpoints or globally across the application.

Conclusion

Securing your Spring Boot APIs is crucial for protecting your application and its data. Whether you choose to implement role-based authorization with Spring Security or integrate with OAuth 2.0 providers, it’s essential to carefully design your authorization mechanisms according to your application’s requirements and security needs.

By leveraging annotations and interceptors, you can simplify the process of API authorization in your Spring Boot applications. Annotations provide a declarative way to specify authorization requirements at the method level, while interceptors offer a flexible mechanism for implementing custom authorization logic.

Choose the approach that best suits your application’s requirements and development preferences. Whether it’s annotating individual methods or implementing interceptors for global authorization enforcement, these techniques empower you to build secure and efficient APIs with ease.

Remember, security is an ongoing process, so regularly review and update your authorization mechanisms to stay ahead of potential threats.

Authorization
Spring
Java
Oauth2
How To

--

--

Manish Dixit
Manish Dixit

Written by Manish Dixit

47 Followers
6 Following

Lets explore things together

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams