1
1
.
.
4
4
.
.
3
3
S
S
e
e
c
c
u
u
r
r
i
i
t
t
y
y
E
E
x
x
p
p
r
r
e
e
s
s
s
s
i
i
o
o
n
n
s
s
-
-
@
@
P
P
r
r
e
e
A
A
u
u
t
t
h
h
o
o
r
r
i
i
z
z
e
e
-
-
R
R
o
o
l
l
e
e
s
s
&
&
A
A
u
u
t
t
h
h
o
o
r
r
i
i
t
t
i
i
e
e
s
s
I
I
n
n
f
f
o
o
When you add Spring Boot Starter Security every URL becomes unavailable unless you Sign In.
This tutorial shows how to loosen up this restriction by allowing access to certain URLs without having to Sign In.
We will do this by creating a Class SecurityConfig which extends and Overrides Method configure().
SecurityConfig.java
@EnableGlobalMethodSecurity(prePostEnabled = true)
MyController.java
@PreAuthorize("hasRole('ADMIN')")
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
Application Schema [Results]
Spring Boot Starters
GROUP
DEPENDENCY
DESCRIPTION
Web
Spring Web
Enables @Controller, @RequestMapping and Tomcat Server
Security
Spring Security
Enables Spring Security
P
P
r
r
o
o
c
c
e
e
d
d
u
u
r
r
e
e
Create Project: springboot_security_expression_secured (add Spring Boot Starters from the table)
Edit File: application.properties (specify Username, Password, Role)
Create Package: controllers (inside main package)
– Create Class: MyController.java (inside controllers package)
Create Package: config (inside main package)
– Create Class: SecurityConfig.java (inside config package)
application.properties
# SECURITY
spring.security.user.name = myuser
spring.security.user.password = mypassword
spring.security.user.roles = USER, LOADER
MyController
http://localhost:8080/endPoint1
Tomcat
ep1()
Browser
SecurityConfig
SecurityConfig.java
package com.ivoronline.springboot_security_expression_preauthorized.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
//SPECIFY ACCESS TO ENDPOINTS
httpSecurity.authorizeRequests()
.antMatchers("/endPoint1").denyAll() //No access (even after log in)
.antMatchers("/endPoint2").permitAll(); //No log in (anonymous access)
//REDIRECT TO LOGIN FORM
httpSecurity.formLogin();
}
}
MyController.java
package com.ivoronline.springboot_security_expression_preauthorized.controllers;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class MyController {
@ResponseBody
@RequestMapping("/endPoint1")
public String ep1() { return "endPoint1"; }
@ResponseBody
@RequestMapping("/endPoint2")
public String ep2() { return "endPoint2"; }
@PreAuthorize("hasRole('ADMIN')")
@ResponseBody
@RequestMapping("/endPoint3")
public String ep3() { return "endPoint3"; }
@PreAuthorize("hasAnyRole('ADMIN', 'USER')")
@ResponseBody
@RequestMapping("/endPoint4")
public String ep4() { return "endPoint4"; }
}
R
R
e
e
s
s
u
u
l
l
t
t
s
s
http://localhost:8080/endPoint1 denyAll() => deny ALL after Login
http://localhost:8080/endPoint2 permitAll() => allow ALL without Login
http://localhost:8080/endPoint3 hasRole("ADMIN") => deny USER after Login
http://localhost:8080/endPoint4 hasAnyRole("ADMIN", "USER") => allow USER after Login