Swiftorial Logo
Home
Swift Lessons
Tutorials
Learn More
Career
Resources

Authentication and Authorization

Authentication and authorization are critical components of application security. Authentication verifies the identity of users, while authorization determines their access rights. This guide covers setting up authentication and authorization in a Spring Boot application using Spring Security, including configuring in-memory and JDBC authentication, defining access control rules, and implementing role-based access control.

Key Concepts of Authentication and Authorization

  • Authentication: Verifying the identity of a user or service.
  • Authorization: Determining whether an authenticated user has permission to access a specific resource.
  • Role-Based Access Control (RBAC): Restricting access based on user roles.
  • Security Context: Holds the authentication and authorization information for the current user.

Adding Dependencies

Include the Spring Security dependency in your pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Configuring In-Memory Authentication

Set up in-memory authentication by configuring users, passwords, and roles:

Example: In-Memory Authentication

// SecurityConfiguration.java
package com.example.myapp.config;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user")
            .password(passwordEncoder().encode("password"))
            .roles("USER")
            .and()
            .withUser("admin")
            .password(passwordEncoder().encode("admin"))
            .roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Configuring JDBC Authentication

Set up JDBC authentication to authenticate users from a database:

Example: JDBC Authentication

// SecurityConfiguration.java
@Autowired
private DataSource dataSource;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication()
        .dataSource(dataSource)
        .usersByUsernameQuery("select username, password, enabled from users where username = ?")
        .authoritiesByUsernameQuery("select username, authority from authorities where username = ?");
}

Defining Access Control Rules

Define authorization rules to control access to different resources:

Example: URL-Based Authorization

// SecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
        .logout()
        .permitAll();
}

Example: Method-Based Authorization

// MyService.java
package com.example.myapp.service;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class MyService {

    @PreAuthorize("hasRole('ADMIN')")
    public void adminMethod() {
        // Admin only logic
    }

    @PreAuthorize("hasRole('USER')")
    public void userMethod() {
        // User only logic
    }
}

Implementing Role-Based Access Control (RBAC)

Use roles to control access to different parts of the application:

Example: Defining Roles

// SecurityConfiguration.java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .withUser("user")
        .password(passwordEncoder().encode("password"))
        .roles("USER")
        .and()
        .withUser("admin")
        .password(passwordEncoder().encode("admin"))
        .roles("ADMIN");
}

Example: Using Roles in Authorization

// SecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
        .logout()
        .permitAll();
}

Testing Authentication and Authorization

Verify that authentication and authorization work as expected by testing the application:

  • Access public pages to ensure they are accessible without authentication.
  • Access protected pages to verify that authentication is required.
  • Log in using different roles to test authorization rules.

Key Points

  • Authentication: Verifying the identity of a user or service.
  • Authorization: Determining whether an authenticated user has permission to access a specific resource.
  • Role-Based Access Control (RBAC): Restricting access based on user roles.
  • Security Context: Holds the authentication and authorization information for the current user.
  • Include the Spring Security dependency in your pom.xml file.
  • Set up in-memory or JDBC authentication to authenticate users.
  • Define access control rules to control access to different resources using URL-based or method-based authorization.
  • Use roles to control access to different parts of the application.
  • Verify that authentication and authorization work as expected by testing the application.

Conclusion

Authentication and authorization are essential for securing applications. By setting up authentication and defining access control rules, you can ensure that only authorized users have access to protected resources. Implementing role-based access control further enhances security by restricting access based on user roles. Happy coding!