Role-Based Authorization in Spring Boot – Spring Security

In this tutorial, you will learn how to add role-based authorization to a Spring Boot application.

This tutorial simply takes you through all the steps you need to follow. You will also find two links to the detailed write-up of the steps and to the source code.

There are basically 13 steps to follow:

A step-by-step video series on Role-Based Authorization with Spring Security is available here.

Step 1 – Setup the Security Package

Here, you need to create a package that will contain the model, service, repository and controller for roles.


Step 2 – Create the Role Class

The Role class defines the structure of a role: basically an id and a description.


Step 3 – Refactor the User Class to Include Roles

You need to add a roles field to the User class. In this way a User object can also hold the set of roles assigned to that user.


Step 4 – Setup the Role Repository and Service

You will need these to communicate with the data store and also to extend the functionality of the repository.


Step 5 – Write the Methods to Assign and Unassign Roles in the Service

The assign() method takes two parameters (User and Role) and adds the role to the roles collection of the user. The unassign() method takes the same two parameters and performs the opposite.


Step 6 – Write the Method to get User roles

You need to write the method that retrieves the roles of a user. This method is written in the service. It simply takes a User object and returns its roles property.


Step 7 – Write the Method to get roles User does not have

The method to get the roles not yet assigned to a user is a bit tricky. You will have to extend the UserRepository with a native SQL query that returns exactly this result. Next, you write the method in the service that uses this repository method.

These seven steps are detailed here in Part 1 of Role-Based Authorization.


Step 8 – Create the UserController and Roles Management Page

Then you need to create the RoleController. This contains methods to GET, ADD, EDIT and DELETE a role. Next, create the HTML page for roles management.


Step 9 – Create the UserEdit Page

The UserEdit page is the page that lets you manage the roles assigned to a particular user. Via this page, you can view, assign and unassign roles for a user. This requires some JavaScript (see the complete application on GitHub).


Step 10 – Write the controller method to serve the UserEdit page

The HTML page for users has an Edit button for editing a user. This button launches the UserEdit page, so you need to write the method in the UserController that serves up the UserEdit page.

Then you need to create the UserEdit page. It would have 3 sections:

  • user data section
  • roles currently assigned to user
  • roles available to assign

The sketch for this page can be found here.

Step 11 – Write the Controller Methods to Assign and Unassign Roles

There are controller methods for assigning and unassigning a user role. These methods receive the user id and role id as URL query parameters.


Step 12 – Restrict Access to Page by Role

Now we must restrict access to certain pages based on the user’s role. This is configured in the security config using antMatchers(). You have to specify two things:

  • the route you want to protect
  • the role a user needs to have to be able to access that route


Step 13 – Updating the Authorities Collection

In the UserPrincipal class, you need to update the getAuthorities() method to fetch authorities from the roles repository. Authorities are mapped to roles.


Step 14 – Configure the Access Denied Page

You will have to display an access denied page when a user tries to access a URL route without having the required role.

This is configured in the web security config.
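The following is an added example, not the tutorial's own code, that pulls steps 12, 13 and 14 together in one security config: the role-to-authority mapping used by getAuthorities(), the antMatchers() rules, and the access denied page. It assumes the tutorial's User class exposes getRoles() and that Role has a getName() returning the bare role name (e.g. "ADMIN"); the route paths and the "/access-denied" view name are likewise assumptions.

```java
import java.util.Collection;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Step 13: map the Role entities held by the user (step 3) to authorities.
    // Assumed: User.getRoles() and Role.getName() exist (hypothetical accessors).
    // hasRole("ADMIN") below only matches the authority "ROLE_ADMIN", so the
    // prefix is added exactly once here; UserPrincipal.getAuthorities() can
    // simply return authoritiesFor(user).
    public static Collection<? extends GrantedAuthority> authoritiesFor(User user) {
        return user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName().toUpperCase()))
                .collect(Collectors.toSet());
    }

    // Steps 12 and 14: route-level role checks and the access denied page.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matchers are evaluated in order: put the most specific ones first,
                // otherwise a broad "/users/**" rule would shadow the admin-only routes.
                .antMatchers("/roles/**", "/users/*/edit",
                             "/users/assignRole", "/users/unassignRole").hasRole("ADMIN")
                .antMatchers("/users/**").hasAnyRole("ADMIN", "MANAGER")
                .antMatchers("/", "/login", "/css/**", "/js/**").permitAll()
                // Deny by default: any route not listed above still requires a login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .exceptionHandling()
                // Step 14: a logged-in user without the required role is sent here (HTTP 403).
                .accessDeniedPage("/access-denied")
                .and()
            .logout().permitAll();
    }
}
```

A quick check after wiring this up: log in as a user without ADMIN, request /roles, and confirm you get the access denied page rather than the role list.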

Details of steps 8 to 14 can be found here.




Kindson Munonye is currently completing his doctoral program in Software Engineering at Budapest University of Technology and Economics.
