How to configure Spring Security Authorization - Java Brains

Captions
In this video you will learn how to configure Spring Security and implement authorization. Authorization is to check if a request has the authority to perform what it needs to do. So we'll take a Spring web application with a couple of APIs and we'll learn how to enable or disable access to APIs depending on who the logged-in user is. You can configure Spring Security authorization to do a gazillion different things, but the way to configure authorization, that is, how you configure authorization, is basically what I'm going to teach you here, so you can take this knowledge and apply it to any Spring Security app. So let's check it out.

All right, so here is the starting point for the code. Imagine you have a basic Spring Boot app with the Spring Security dependency added, and we have a couple of users set up in the system. It really doesn't matter if these users are in memory or coming from a database or some other kind of users or whatever else. All we need is a couple of users with two different roles, so that we can configure certain APIs to be accessible by one role and some other APIs to be accessible to another role. The simplest way to set up users for learning purposes is using in-memory authentication, and you can learn how to do this by checking out this card that's showing up over here.

Okay, once you've done this, how do you configure authorization? Think of the default behavior of Spring Security: when you add the Spring Security dependency to your classpath, you immediately see Spring Security automatically authorizing all requests. All of your APIs are accessible only if you log in by entering the user ID and password of the users in the system, no matter where the users are configured. Now what we want to do is enable a bunch of APIs to have different levels of access control. Primarily I'm looking at three APIs. I want the first API to be accessible by everybody, whether they're logged in or not. The second API I want to be accessible by only authenticated users, so it doesn't matter if they have the role of user or they have the role of admin, but they need to be authenticated. And I want the third API to be accessible by users who are not only authenticated but also have the role of admin. So if somebody is logged in and they have the role of user, they should not be able to access that third API.

So let's implement this. But in order to do this we first need those APIs in the application, so that's what I'm going to do first. I'm going to go to my controller, the home resource, and I'm going to create a couple of APIs. I'm going to create this admin API, and the return is going to be "welcome admin", and I call this method admin. And I'm going to create one more API, which is the user API. I'm going to call it /user, and the return says "welcome user", and the method name is user. So what I'm going to do is enable Spring access control to say: okay, the root URL, which is /, which just says "welcome", should be accessible by everybody, even if they haven't logged in; /user should be accessible only by logged-in users, that is both user and admin; and then /admin needs to be accessible only by those who have the role of admin.

Now let's see how you configure this kind of authorization. This is fairly typical of most applications, so you're going to be addressing a pretty good number of typical use cases here. The way to do this is by using an object of type HttpSecurity. HttpSecurity lets you configure what the paths are and what the access restrictions for those paths are, and we will learn how to do that. But before we learn how to configure HttpSecurity, the question is: how do you get hold of this object? How do you get access to this object on which you put your authorization configuration? Well, the answer to that is very similar to how you get hold of the authentication object to configure authentication, that is, by using the WebSecurityConfigurerAdapter method. So there is this class which you can put that extends WebSecurityConfigurerAdapter, and when you extend that class you get to override some of the methods. These methods are hooks that Spring Security provides for you, so when you implement those overridden methods you get access to certain key objects. You used this technique to get the AuthenticationManagerBuilder in the last video to configure authentication. Similarly, you can use the same technique to get the HttpSecurity object in order to configure authorization. I know these names don't exactly match, but this is how you do it; this is how the API is built.

All right, so what I'm going to do is look at the overridable methods of WebSecurityConfigurerAdapter. These are all the methods that I can override, and here you can see there is a configure method which takes an HttpSecurity as an argument. This is what we need. As long as we can override this method, we can write code to configure this instance which is passed into this method, which is HttpSecurity. I'm going to choose this, and here is our method. I'm going to get rid of the super call. And again, very similar to authentication, the way you specify this configuration is by using method chaining. So there is this authorizeRequests method on http which kind of opens up the chain, and you can specify this mapping of path to permission. So I'm going to use http.authorizeRequests() to kind of open up that method chaining, and this is where you specify the mapping of path to role. I specify the path by using a method called antMatchers. This method lets me configure what the path should be by using Ant wildcards. You don't want to be specifying each individual path and mentioning the permissions for each and every path in your app, okay, because that can get tedious depending on how many APIs you have in your application. That's why you specify path patterns using wildcards. The path pattern is specified using the Ant format. For example, the /** path basically matches all paths, where ** indicates all paths in the current level and any nested levels below this.

Okay, now that I have my path specified, and my antMatchers matches all the paths, now what's the role I need to specify for this? I can do this by using the hasRole method. Here I can specify a role, say USER, and now in this line I'm asking Spring Security to ensure that all URLs, /**, all URLs need to be accessible only by someone who has the user role. If someone has any other role they are not able to access pretty much the entire application. I can also specify multiple roles here using another method called hasAnyRole. This takes in a variable number of arguments, so this allows users who have either the user role or the admin role to be able to access all URLs, but any other user with any other role, or a non-authenticated user, well, you cannot access any URL.

Now after you've done this and you've set the access rights, you can also specify the type of login that you want Spring Security to do. Here I end the chaining by using the and method, and then I use the formLogin method to specify that I need a form-based login. There are other login options of course, but form login is a popular choice, and as you've seen, that's the default configuration Spring Security automatically configured for login when you added it.

Okay, so let's test this out by having this whole application accessible only by an admin user. So I'm going to say hasRole("ADMIN"), which maps to the antMatchers /**. So when I load the application, a user role will not be able to access it. As you can see, the error says forbidden and the status is 403. So what I've done here is basically set the whole application up to be accessible only by somebody who has the admin role. So I need to try out the second user in my list, which is user foo. But now here's the problem: how do I log this user out to try the other user? We don't have a logout page by any chance... Well, surprise, we actually do have a logout page. Just like we had a login page created by default by Spring Security, the framework has also created a logout endpoint, and you can access that by typing /logout. Now you see this nice form which asks for confirmation. When I click on the button it logs me out, so it brings me back to the login with the session removed. Well okay, now let's try with the other user, the admin user, and I believe the user that we have for admin is foo. So I'm going to try logging in with foo, and now I'm able to open up the page.

Now let's actually change this code to something that makes more sense. We want the / root URL to be accessible by everybody, and then /user to be accessible by the user role, and /admin to be accessible by the admin role. Now let's start with seeing how you can allow access to a particular URL for everyone. The way to do this is, let's say for the root URL, right, so I'm going to do an antMatchers for the root URL, which is just /. And this is something that you typically allow for static assets, right, in any typical web application. So let's say you have /static/css, /static/js files. These are files that you want to allow irrespective of whether the user is logged in or not. So for these kinds of URLs, the way to tell Spring Security to allow any kind of access is by using this method called permitAll. Right, so this basically lets the user off the hook for any kind of authentication; Spring Security basically says, hey, this is free for all, anybody can use this. I'm just going to remove these static CSS and static JS elements over here, but basically that's how you configure all those public URLs and say .permitAll().

But this is kind of not what we want. What we want to do is to allow the user role access to the user URL and the admin role to have access to the admin URL, and the way this is typically done is to go from the most restrictive to the least restrictive in terms of order. All right, so the most restrictive URL here is admin, because only certain users can access it, so we have the admin URL at the very top. And this is how it looks: the admin URL is at the very top and it's mapped to the role admin; the user URL is below it because it's slightly less restrictive than admin, but it's still restrictive compared to the other URLs, and /user is mapped to the user role; then it goes to /, which is permitted for everybody; and then you end the chain, and then you do a form login, right. So this is typically how you establish these chains. The reason you do this is because if you put something that's least restrictive at the top, so let's say you had a /** and a permitAll, if you put it at the very top it's going to match all the requests and it's never going to go to the least restrictive stuff.

All right, so now that we've done this, this is what the code looks like to allow these three URLs for different roles. Let's actually verify this. I'm going to go to localhost:8080, and of course I'm going to have to log out, and then let's try with the user role. With the user role I'm able to enter /user, but if I enter /admin it doesn't let me. All right, so I'm going to log out again, and then I'm going to log in as foo, who's the admin user, and then I'm going to access /admin. It works this time. Now here's the problem: /user does not work, because Spring Security doesn't really know that admin is a higher role than user. It's just two strings as far as Spring Security is concerned. So what you need to do is set up the higher privilege of admin based on what kind of configuration, what kind of roles you give it. So admin needs to be added to the list here for a user. So you basically use the other method here, hasAnyRole, that we've seen, and then I add the admin role to this particular API as well. So with this I'm basically telling, hey Spring Security, if it's /user, I allow both the user role and the admin role.

So this is a very brief introduction to how you can use HttpSecurity to configure different API URLs to be accessible by the different roles. At any point of time there is a single user with a single set of roles that's trying to access the application, and Spring Security is going to look at this map of URL to role to make that decision: okay, should we allow, yes, or should we not allow, no. And if it's yes then it lets you in; if it's no you get that forbidden error with the 403 status code. Now that we have done the basics of authentication and authorization, it's time to move on to slightly more advanced stuff. A lot of magic is happening here: we're just telling Spring Security what to do and then it somehow does it. The question is, how does it do it? If you want to do some advanced development with Spring Security, it's very important that you understand how Spring Security works under the hood. Check out this video where I explain exactly what's going on when Spring Security starts with your Spring Boot application. I'll see you there.
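The configuration the video builds up, written out as one added example (not the video's own code, and not from the Java Brains repository). It targets the Spring Security 5.x / Spring Boot 2.x API the video uses; `WebSecurityConfigurerAdapter` was deprecated in Spring Security 5.7 and removed in 6, where the same rules go on a `SecurityFilterChain` bean using `requestMatchers`. The admin user `foo` comes from the video; the username `user`, both passwords, the controller's package name, and the `BCryptPasswordEncoder` bean are assumptions. Two things go beyond what the video shows, and are marked in comments: passwords are stored BCrypt-hashed instead of plain text, and a final `anyRequest().authenticated()` rule is added so that any endpoint not listed is denied to anonymous callers rather than silently left open.

```java
package com.example.demo; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// The three endpoints the video adds to its "home resource" controller.
@RestController
class HomeResource {

    @GetMapping("/")
    public String home() { return "<h1>Welcome</h1>"; }

    @GetMapping("/user")
    public String user() { return "<h1>Welcome User</h1>"; }

    @GetMapping("/admin")
    public String admin() { return "<h1>Welcome Admin</h1>"; }
}

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Two in-memory users with different roles. "foo" is the admin user from the
    // video; the username "user" and both passwords are assumptions for this example.
    // roles("USER") stores the authority "ROLE_USER", which is exactly what
    // hasRole("USER") below checks, so the prefix must not be written by hand.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("user").password(encoder.encode("user-pass")).roles("USER")
            .and()
            .withUser("foo").password(encoder.encode("foo-pass")).roles("ADMIN");
    }

    // URL-to-role mapping, most restrictive first: the first antMatchers entry that
    // matches a request decides, so "/**" with permitAll() at the top would shadow
    // every rule below it.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // only ROLE_ADMIN may reach /admin
            .antMatchers("/admin").hasRole("ADMIN")
            // ROLE_ADMIN does not imply ROLE_USER, so list both explicitly
            .antMatchers("/user").hasAnyRole("USER", "ADMIN")
            // public landing page
            .antMatchers("/").permitAll()
            // deny-by-default catch-all for anything not listed above (not in the video);
            // it must be the last rule in the chain
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }

    // BCrypt hashing instead of plain-text passwords (the video does not cover this).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

To check the rules from the command line without a browser, an unauthenticated `curl -i http://localhost:8080/admin` is redirected (302) to the login page by the form-login filter, a session logged in as `user` gets 403 on `/admin` but 200 on `/user`, and `foo` gets 200 on both. The built-in `/login` and `/logout` endpoints the video uses keep working with the catch-all rule in place, because they are handled by Spring Security's own filters before the authorization check runs.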
Info
Channel: Java Brains
Views: 160,187
Rating: 4.9461961 out of 5
Keywords: java, java brains, tutorial, brains, koushik, kaushik, brainbytes, explained, java tutorial, learn java, java tutorial for beginners, java programming tutorial, java programming, java programming for beginners, spring, spring security, spring security tutorial for beginners, programming, spring boot, koushik kothagal, kothagal, beginner, java training, authorization, authentication
Id: payxWrmF_0k
Length: 14min 53sec (893 seconds)
Published: Wed Aug 21 2019