In this tutorial, you will learn how to add role-based authorization to a Spring Boot application using Spring Security.
This tutorial simply takes you through the steps you need to follow. It also links to the detailed write-up of each step as well as to the source code.
There are 14 steps to follow:
Step by step video series of Role-Based Authorization with Spring Security here.
Step 1 – Setup the Security Package
Here, you create a package that will contain the model, service, repository and controller for roles.
Step 2 – Create the Role Class
The Role class defines the structure of a role: basically an id, a name and a description.
Step 3 – Refactor the User Class to Include Roles
You need to add a roles field to the User class. In this way a User object can also hold the set of roles assigned to that user.
Step 4 – Setup the Role Repository and Service
You will need these to communicate with the data store and to extend the functionality of the repository.
Step 5 – Write the Methods to Assign and Unassign Roles in the Service
The assign() method takes two parameters (a User and a Role) and adds the role to the roles collection of the user. The unassign() method takes the same two parameters and performs the opposite.
Step 6 – Write the Method to get User roles
You need to write the method that retrieves the roles of a user. This method lives in the service. It simply takes a User object and returns its roles property.
Step 7 – Write the Method to get roles User does not have
The method to get the roles not yet assigned to a user is a bit tricky. You will have to extend the UserRepository with a native SQL query that returns exactly this result. Next, you write the method in the service that calls this repository method. Bind the user id as a named query parameter; never concatenate it into the SQL string.
These seven steps are detailed here in Part 1 of Role-Based Authorization.
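The following is an added example of steps 2 to 7 in one place (it is not the tutorial's own source code): the Role and User entities, the two repositories, and the service methods that assign, unassign, list and find not-yet-assigned roles. It assumes Spring Boot 2.x with Spring Data JPA (javax.persistence; under Spring Boot 3 the imports become jakarta.persistence), and the table names roles, users and user_roles are assumptions. One deliberate departure from the text: the native query is placed in RoleRepository, whose entity type matches the rows it returns, rather than in UserRepository.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.persistence.*;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Step 2: a Role is an id plus a name and a description. equals/hashCode are based on
// the id so that Set.remove() finds the role even when the entity instance differs.
@Entity
@Table(name = "roles")                       // assumed table name
class Role {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    @Column(nullable = false, unique = true)
    private String name;                     // stored without the ROLE_ prefix, e.g. "ADMIN"
    private String description;

    public Long getId() { return id; }
    public String getName() { return name; }

    @Override public boolean equals(Object o) {
        return o instanceof Role && id != null && id.equals(((Role) o).id);
    }
    @Override public int hashCode() { return Objects.hashCode(id); }
}

// Step 3: the User carries the set of roles assigned to it, via a join table.
@Entity
@Table(name = "users")                       // assumed table name
class User {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    @Column(nullable = false, unique = true)
    private String username;
    private String password;                 // holds the BCrypt hash, never the plaintext

    @ManyToMany(fetch = FetchType.EAGER)     // roles are needed on every login, so load them
    @JoinTable(name = "user_roles",
               joinColumns = @JoinColumn(name = "user_id"),
               inverseJoinColumns = @JoinColumn(name = "role_id"))
    private Set<Role> roles = new HashSet<>();

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getPassword() { return password; }
    public Set<Role> getRoles() { return roles; }
}

// Step 4: repositories. The step-7 native query sits here (not in UserRepository as in
// the tutorial) so its rows map onto the Role entity this repository manages. The user
// id is a bound parameter (:userId), never concatenated into the SQL.
interface UserRepository extends JpaRepository<User, Long> {}

interface RoleRepository extends JpaRepository<Role, Long> {
    @Query(value = "SELECT r.* FROM roles r WHERE r.id NOT IN "
                 + "(SELECT ur.role_id FROM user_roles ur WHERE ur.user_id = :userId)",
           nativeQuery = true)
    List<Role> findRolesNotAssignedTo(@Param("userId") Long userId);
}

// Steps 5 to 7: the service methods.
@Service
class UserService {
    private final UserRepository userRepository;
    private final RoleRepository roleRepository;

    UserService(UserRepository userRepository, RoleRepository roleRepository) {
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
    }

    // Step 5: assign adds the role to the user's collection; unassign removes it.
    @Transactional
    public void assignRole(User user, Role role) {
        user.getRoles().add(role);
        userRepository.save(user);
    }

    @Transactional
    public void unassignRole(User user, Role role) {
        user.getRoles().remove(role);
        userRepository.save(user);
    }

    // Step 6: the roles the user currently has.
    public Set<Role> getUserRoles(User user) {
        return user.getRoles();
    }

    // Step 7: the roles the user does not have yet, from the native query above.
    public List<Role> getRolesNotAssigned(User user) {
        return roleRepository.findRolesNotAssignedTo(user.getId());
    }
}
```

In a real project each class goes in its own file under the security package from Step 1; they are shown together here only so the example reads top to bottom.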
Step 8 – Create the RoleController and Roles Management Page
Then you need to create the RoleController. This contains methods to GET, ADD, EDIT and DELETE a role. Next, create the HTML page for roles management.
Step 9 – Create the UserEdit Page
The UserEdit page is the page that allows you to manage the roles assigned to a particular user. Via this page, you can view the user's roles and assign or unassign roles. This requires some JavaScript (see the complete application on GitHub).
Step 10 – Write the controller method to serve the UserEdit page
The HTML page for Users has an Edit button for each user. This button launches the UserEdit page, so you need to write the method in the UserController that serves up the UserEdit page.
The UserEdit page has 3 sections:
- user data section
- roles currently assigned to user
- roles available to assign
The sketch for this page can be found here.
Step 11 – Write the Controller Methods to Assign and Unassign Roles
There are controller methods to assign and unassign a user role. These methods receive the user id and role id as URL query parameters. Because they change state, they should be mapped to POST (with Spring Security's CSRF protection left enabled) and restricted to an administrative role, and both ids should be validated against the data store, since they are supplied by the client.
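As an added example of steps 10 and 11 (not the tutorial's own code), here is a UserController that serves the UserEdit page and handles assign/unassign. It assumes the User and Role entities, the repositories and the UserService (with assignRole, unassignRole, getUserRoles and getRolesNotAssigned) from the earlier steps, a Thymeleaf template named userEdit, and that method security is switched on with @EnableGlobalMethodSecurity(prePostEnabled = true) in the security configuration. The routes /users/{id}/edit, /users/assignRole and /users/unassignRole are assumptions.

```java
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
@PreAuthorize("hasRole('ADMIN')")   // every handler here is administrative (needs prePostEnabled)
public class UserController {
    private final UserRepository userRepository;   // assumed, from step 4
    private final RoleRepository roleRepository;   // assumed, from step 4
    private final UserService userService;         // assumed, from steps 5 to 7

    public UserController(UserRepository userRepository, RoleRepository roleRepository,
                          UserService userService) {
        this.userRepository = userRepository;
        this.roleRepository = roleRepository;
        this.userService = userService;
    }

    // Step 10: serve the UserEdit page with its three sections as model attributes.
    @GetMapping("/users/{id}/edit")
    public String editUser(@PathVariable Long id, Model model) {
        User user = loadUser(id);
        model.addAttribute("user", user);
        model.addAttribute("assignedRoles", userService.getUserRoles(user));
        model.addAttribute("availableRoles", userService.getRolesNotAssigned(user));
        return "userEdit";                         // renders templates/userEdit.html (assumed)
    }

    // Step 11: assign/unassign take the ids as query parameters (?userId=..&roleId=..).
    // They are POST handlers because they change state, so Spring Security's CSRF
    // protection (on by default) covers them; the page's JavaScript must send the token.
    @PostMapping("/users/assignRole")
    public String assignRole(@RequestParam Long userId, @RequestParam Long roleId) {
        userService.assignRole(loadUser(userId), loadRole(roleId));
        return "redirect:/users/" + userId + "/edit";
    }

    @PostMapping("/users/unassignRole")
    public String unassignRole(@RequestParam Long userId, @RequestParam Long roleId) {
        userService.unassignRole(loadUser(userId), loadRole(roleId));
        return "redirect:/users/" + userId + "/edit";
    }

    // Both ids come from the client: resolve them against the store and answer 404 for
    // unknown values. Who may call these handlers is decided by @PreAuthorize, not by the ids.
    private User loadUser(Long id) {
        return userRepository.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "No such user"));
    }

    private Role loadRole(Long id) {
        return roleRepository.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "No such role"));
    }
}
```

The class-level @PreAuthorize is a second line of defence behind the URL rules of Step 12: if a later refactor moves these handlers to a path the antMatchers do not cover, they still refuse non-administrators.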
Step 12 – Restrict Access to Page by Role
Now you must restrict access to certain pages based on the user's role. This is configured in the security config using antMatchers(). Matchers are evaluated in order and the first match wins, so list the most specific routes first. For each rule you have to specify two things:
- the route you want to protect
- the role a user needs to have to be able to access that route
Step 13 – Updating the Authorities Collection
In the UserPrincipal class, you need to update the getAuthorities() method to build the authorities from the user's roles, fetched from the roles repository. Each role is mapped to one authority. Note that hasRole("ADMIN") in the security config matches the authority "ROLE_ADMIN", so either add the ROLE_ prefix when mapping a role to an authority or use hasAuthority() with the bare role name; a mismatch silently denies everyone.
Step 14 – Configure the Access Denied Page
You have to display an access denied page when a user tries to access a URL route without having the required role.
This is configured in the web security config.
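As an added example of steps 12 to 14 together (not the tutorial's own code), here is the UserPrincipal with its getAuthorities() mapping, a Spring Security 5 configuration that ties routes to roles and names the access denied page, and the controller that serves that page. It assumes the User entity from step 3 (with getUsername(), getPassword() and getRoles()), a UserDetailsService that wraps the loaded User in UserPrincipal (not shown), and templates named login and access-denied; the routes are assumptions. WebSecurityConfigurerAdapter and antMatchers() are removed in Spring Security 6, where the same rules go in a SecurityFilterChain bean using requestMatchers().

```java
import java.util.Collection;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

// Step 13: authorities are derived from the user's roles. hasRole("ADMIN") below checks
// for the authority "ROLE_ADMIN", so the prefix is added here; without it every
// request to a protected route would be denied.
public class UserPrincipal implements UserDetails {
    private final User user;   // assumed entity from step 3, roles already loaded

    public UserPrincipal(User user) { this.user = user; }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
                .collect(Collectors.toSet());
    }
    @Override public String getPassword() { return user.getPassword(); }
    @Override public String getUsername() { return user.getUsername(); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize on controllers
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Step 12: route -> required role. First match wins, so specific rules come first.
                .antMatchers("/roles/**", "/users/**").hasRole("ADMIN")
                .antMatchers("/css/**", "/js/**", "/login", "/access-denied").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .exceptionHandling()
                // Step 14: an authenticated user without the role is forwarded here with 403.
                .accessDeniedPage("/access-denied");
        // CSRF protection stays at its default (enabled): the assign/unassign POSTs rely on it.
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // passwords are stored hashed, never in clear
    }
}

@Controller
class AccessDeniedController {
    @GetMapping("/access-denied")
    public String accessDenied() { return "access-denied"; }   // renders templates/access-denied.html
}
```

A quick check that the wiring is right: log in as a user who holds only the USER role, request /roles, and confirm you land on the access denied page rather than on the login page. Landing on the login page instead usually means getAuthorities() returned no authorities for that user.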
Details of steps 8 to 14 can be found here.
