Introduction
In this tutorial I will show you an example on @PreAuthorize annotation – hasRole example in Spring Security. @PreAuthorize is the most useful annotation that decides whether a method can actually be invoked or not based on user’s role. hasRole() method returns true if the current principal has the specified role. By default if the supplied role does not start with ROLE_ will be added. This can be customized by modifying the defaultRolePrefix on DefaultWebSecurityExpressionHandler.
You can check my tutorial on hasPermission @PreAuthorize annotation – hasPermission example in Spring Security
Where is @PreAuthorize applicable?
This @PreAuthorize annotation is generally applicable on the method as a Method Security Expression. For example,
Home » org.springframework » spring-web » 3.0.2.RELEASE. Spring Web » 3.0.2.RELEASE. Spring Web Categories: Web Frameworks: Date (Apr 02, 2010) Files: pom (4 KB) jar (374 KB) View All: Repositories: Central Alfresco OpenMind Sonatype Spring Releases: Used By: 5,199 artifacts: Note: There is a new version for this artifact.
which means that access will only be allowed for users with the role ROLE_USER. Obviously the same thing could easily be achieved using a traditional configuration and a simple configuration attribute for the required role.
Prerequisites
Eclipse, Java 1.8, Gradle 4.10.2, Spring Boot 2.1.5
Example with Source Code
Let’s see the working example below…
Creating Project
Create a gradle project in Eclipse, the project structure looks similar to the below image:
Updating Build Script
We will add the required dependencies for our Spring Security PreAuthorize hasRole example.
We have added dependencies for spring security.
Creating Configuration Class
The below class configures Spring Security.
We need below security configuration using Java annotation in order to use authorization.
Enable Web Security using below class. Configure global-method-security pre-post-annotation using Java configuration.
Here, the in-memory authentication has been provided. Ideally in the application, the authentication should happen through database or LDAP or any other third party API etc.
We have used PasswordEncoder because plain text password is not acceptable in current version of Spring Security and you will get below exception if you do not use PasswordEncoder.
As the passwords are in encrypted format in the below class, so you won’t find it easier until I tell you. The password for user is user and for admin is admin.
Source code of the configuration class is given below:
Here in the above class, admin has USER as well as ADMIN roles but user has only one role USER. Therefore admin can access its own URL as well as user’s URL but user can access only its own URL but not admin’s URL.
Creating REST Controller
Now create below REST Controller class to test the user’s access to a particular URL based on role using @PreAuthorize annotation.
Creating Main Class
Spring Boot application created as standalone application and can be easily deployed into embedded Tomcat server using main class.
Testing the Application
Run the main class to deploy your application into Tomcat server.
Now access the URL http://localhost:8080/admin using credentials user/user then you will get HTTP Status 403 – Access is denied because user does not have role ADMIN.
But if you had logged in using credentials admin/admin, you could have got the access.
Source Code
Thanks for reading.
Tags:![Spring Spring](http://www.jcombat.com/wp-content/uploads/2017/01/MessageConverter1.png)