The following tutorials show different ways of specifying which Roles may access which Endpoints.
Since Roles are assigned to Users, this also determines which Users may access which Endpoints (through their Roles).
In other words: which Roles (and therefore which Users) are authorized to reach which Endpoints.
Security Expressions - API: the HttpSecurity Java configuration API lets you attach an access rule (denyAll, permitAll, hasRole, hasAnyRole, hasAuthority, ...) to each URL pattern. Rules are evaluated in the order they are declared and the first pattern that matches the request decides, so specific paths must come before broad ones. hasRole("ADMIN") checks for the granted authority ROLE_ADMIN; the prefix is added for you and must not be written here. (This is the Spring Security 5 API; Spring Security 6 replaced authorizeRequests()/antMatchers() with authorizeHttpRequests()/requestMatchers(), with the same rule semantics.)
SecurityConfig.java
httpSecurity.authorizeRequests()
    .antMatchers("/endPoint1").denyAll()                    // no access for anyone, even after login
    .antMatchers("/endPoint2").permitAll()                  // everyone, including anonymous callers (no login)
    .antMatchers("/endPoint3").hasRole("ADMIN")             // only callers holding authority ROLE_ADMIN, after login
    .antMatchers("/endPoint4").hasAnyRole("ADMIN", "USER")  // ROLE_ADMIN or ROLE_USER, after login
    .anyRequest().authenticated();                          // every URL not listed above: any logged-in user
Security Expressions - @Secured: method-level access control through an annotation that accepts plain authority strings only, no expressions. The strings are compared exactly against the caller's granted authorities, so the ROLE_ prefix must be written out (a typo such as "ADMIN" silently denies everyone). Listing several values means any one of them grants access. It must be switched on with securedEnabled = true on a @Configuration class.
SecurityConfig.java
@EnableGlobalMethodSecurity(securedEnabled = true)
MyController.java
@Secured("ROLE_ADMIN")                 // exact authority string, so the ROLE_ prefix is required
public String adminOnly() { return "admin"; }
@Secured({"ROLE_ADMIN", "ROLE_USER"})  // any one of the listed authorities is enough
public String adminOrUser() { return "admin or user"; }
Security Expressions - @PreAuthorize: method-level access control through an annotation whose value is a SpEL expression evaluated before the method runs. Besides hasRole()/hasAnyRole() (which add the ROLE_ prefix themselves) it can use hasAuthority(), the authentication/principal objects, and the method's own parameters (#paramName), which @Secured cannot. It must be switched on with prePostEnabled = true on a @Configuration class.
SecurityConfig.java
@EnableGlobalMethodSecurity(prePostEnabled = true)
MyController.java
@PreAuthorize("hasRole('ADMIN')")             // hasRole() adds the ROLE_ prefix itself
public String adminOnly() { return "admin"; }
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")  // either role passes
public String adminOrUser() { return "admin or user"; }
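The following controller is an added example, not code from the page, that puts the @Secured and @PreAuthorize rules above side by side on one REST controller. It assumes Spring Boot 2.x with Spring Security 5.x, a user store that grants the authorities ROLE_ADMIN and ROLE_USER, and the URL paths and method names shown, all of which are chosen for illustration. The last method shows what only @PreAuthorize can express: a rule that references the method parameter and the caller's own name.

```java
// Added example (not from the original page). Assumes Spring Security 5.x and a
// user store that issues the authorities ROLE_ADMIN and ROLE_USER; paths are illustrative.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Both flags may be enabled together, so @Secured and @PreAuthorize can be mixed in one application.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

@RestController
public class MyController {

    // @Secured compares the raw authority string: the ROLE_ prefix must be written out.
    // @Secured("ADMIN") would compile fine but match nobody.
    @Secured("ROLE_ADMIN")
    @GetMapping("/admin/audit")
    public String audit() {
        return "audit log";
    }

    // Several values are OR-ed: either authority is enough.
    @Secured({"ROLE_ADMIN", "ROLE_USER"})
    @GetMapping("/dashboard")
    public String dashboard() {
        return "dashboard";
    }

    // hasRole() adds the ROLE_ prefix itself, so 'ADMIN' here is the same check as "ROLE_ADMIN" above.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/users")
    public String listUsers() {
        return "users";
    }

    // SpEL can reference the method parameter (#username) and the caller (authentication.name):
    // a user may read only their own profile, while an admin may read any profile.
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    @GetMapping("/profile/{username}")
    public String profile(@PathVariable String username) {
        return "profile of " + username;
    }
}
```

Two practical caveats: the #username reference needs the parameter name to be present at runtime (compile with -parameters, which the Spring Boot Maven and Gradle plugins do by default, or use @P("username")); and method security is applied by an AOP proxy, so a call from one method of MyController directly to another method of the same bean bypasses the annotation on the callee. URL rules in HttpSecurity are not affected by that and remain the outer line of defence.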
Ant Matchers specify the URL patterns an access rule applies to. In a pattern, "?" matches one character, "*" matches any characters within a single path segment, and "**" matches any number of segments. Rules are evaluated in declaration order and the first match wins, so the most specific patterns go first and catch-alls such as "/**" go last: a rule that matches everything makes every rule declared after it unreachable. Matching is case-sensitive by default, so "/admin/**" does not cover "/Admin/users".
SecurityConfig.java
httpSecurity.authorizeRequests()
    .antMatchers("/endPoint1").denyAll()                     // one exact path
    .antMatchers("/endPoint2", "/endPoint3").permitAll()     // several exact paths sharing one rule
    .antMatchers("/*", "/**", "/end*").permitAll();          // "/*": one segment, "/**": any depth, "/end*": prefix within one segment
    // "/**" matches every request, so this rule must stay last; anything declared after it would never be reached.
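To show the API rules and the Ant-matcher ordering from the two sections above in one runnable configuration, here is an added example that is not code from the page: a complete Spring Security 5.x SecurityConfig with two constructed in-memory users. The usernames, passwords, and URL paths are assumptions chosen for illustration; the rules are declared from most specific to least specific so that no rule shadows a later one.

```java
// Added example (not from the original page). Assumes Spring Boot 2.x / Spring Security 5.x.
// Users "alice" (ROLE_ADMIN) and "bob" (ROLE_USER) are constructed sample data.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                // Rules are checked top to bottom and the first matching pattern decides,
                // so exact paths come first and the catch-all comes last.
                .antMatchers("/endPoint1").denyAll()                    // nobody, not even after login
                .antMatchers("/endPoint2", "/endPoint3").permitAll()    // anonymous access allowed
                .antMatchers("/admin/**").hasRole("ADMIN")              // any depth under /admin: authority ROLE_ADMIN
                .antMatchers("/api/*").hasAnyRole("ADMIN", "USER")      // exactly one segment under /api: either role
                .antMatchers("/end*").permitAll()                       // /endPoint5, /endless, ... but not /end/x
                .anyRequest().authenticated()                           // everything else: any logged-in user
            .and()
            .httpBasic();
        // Had "/end*" been declared before "/endPoint1", the denyAll rule would be dead code:
        // "/endPoint1" matches "/end*" and the first match wins.
    }

    // Constructed sample users. withDefaultPasswordEncoder() is for demos only;
    // production code uses a persistent store and an explicit PasswordEncoder bean.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder().username("alice").password("alice-pw").roles("ADMIN").build(),
            User.withDefaultPasswordEncoder().username("bob").password("bob-pw").roles("USER").build());
    }
}
```

With this configuration, bob can reach /api/orders and /endPoint2 but gets 403 on /admin/users, alice can reach all of those, and /endPoint1 is 403 for both. roles("ADMIN") stores the authority as ROLE_ADMIN, which is why hasRole("ADMIN") in the rules matches it.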