Spring Boot Security Role Based Authorization
Hello. In this tutorial, we will understand the Spring Boot Role based Authorization flow. Role based authorization in a Spring Boot application refers to the practice of granting or denying access to certain resources or functionalities based on the roles assigned to users. With role based authorization, specific roles are defined within the application, such as “ADMIN”, “USER”, or “MANAGER”. Users are assigned one or more roles, and access control rules are configured to allow or restrict access based on these roles. By checking the roles of the authenticated user, the application can make authorization decisions and restrict access to certain endpoints, pages, or actions, ensuring that users can only perform operations that are appropriate for their assigned roles.
1. Introduction
Spring Security is a powerful and highly customizable security framework provided by the Spring ecosystem. It enables developers to add robust authentication, authorization, and other security features to their Java applications easily. It helps protect web applications, APIs, and other resources from unauthorized access, ensuring the confidentiality, integrity, and availability of sensitive data.
1.1 Key Features of Spring Security
- Authentication: Spring Security provides various authentication mechanisms out of the box, including username/password based authentication, LDAP, OAuth, OpenID Connect, and more. It supports multiple authentication providers, allowing you to integrate with different authentication sources.
- Authorization: With Spring Security, you can define fine grained access control rules using role based or permission based authorization. It enables you to protect your application’s resources and restrict access based on user roles or custom access rules.
- Web Security: Spring Security offers robust protection for web applications. It includes features such as CSRF (Cross Site Request Forgery) protection, session management, secure headers, and URL based security rules. It integrates seamlessly with Spring Web MVC and other popular frameworks.
- Method Security: Spring Security provides method level security to protect individual methods or service endpoints. By annotating methods with security annotations, you can enforce authorization rules based on user roles or other conditions.
- Security Events and Auditing: Spring Security generates security related events that can be used for auditing and monitoring purposes. You can configure event listeners to track authentication success/failure, access denied, session creation/destruction, and more.
- Integration with Spring Framework: Spring Security integrates seamlessly with the wider Spring ecosystem. It leverages Spring’s dependency injection, AOP (Aspect Oriented Programming), and other features, making it easy to configure and extend security functionalities.
- Customization and Extensibility: Spring Security provides a high level of customization and extensibility. You can override default behaviors, create custom authentication providers, access decision managers, and user detail services, and implement custom security filters to meet specific requirements.
Overall, Spring Security provides a comprehensive security framework for Java applications. It addresses common security concerns and provides developers with a wide range of tools and features to secure their applications effectively. Its flexibility and extensibility make it suitable for a variety of use cases, from simple username/password authentication to complex multi factor authentication and authorization scenarios.
1.2 What is Authorization flow?
In Spring Security, the authorization flow refers to the process of determining whether a user is allowed to access a particular resource or perform a specific action within an application. It involves evaluating the user’s credentials, roles, and permissions against defined security rules to grant or deny access.
1.2.1 Steps
The authorization flow in Spring Security typically follows these steps:
- Authentication: Before authorization can take place, the user needs to be authenticated. Authentication verifies the user’s identity by validating their credentials, such as username and password. Spring Security provides various authentication mechanisms, including form based authentication, LDAP, OAuth, OpenID Connect, and more.
- Access Control Rules: Once the user is authenticated, Spring Security evaluates access control rules to determine if the user is authorized to access the requested resource or perform a particular action. Access control rules can be defined based on roles, permissions, or other criteria.
- Role Based Authorization: Spring Security supports role based authorization, where access control rules are defined based on user roles. Roles represent a specific set of privileges or responsibilities within the application. Each user is assigned one or more roles, and access to resources is determined based on these roles. For example, an admin role may have access to all administrative features, while a user role may have limited access.
- Permission Based Authorization: In addition to role based authorization, Spring Security also supports permission based authorization. Permissions are more fine grained than roles and can be assigned to individual users or groups. Permissions allow for more granular control over access to specific resources or actions within an application.
- Authorization Decision: Once the access control rules are evaluated, Spring Security makes an authorization decision based on the user’s roles, permissions, or other criteria. If the user satisfies the defined access control rules, access is granted. Otherwise, access is denied.
- Handling Access Denied: In case access is denied, Spring Security provides mechanisms to handle access denied scenarios. This can include redirecting the user to an access denied page, showing an error message, or returning an appropriate HTTP status code.
1.3 Understanding Roles and Authorities
In Spring Security, roles and authorities are used to define and manage user permissions and access control. They play a crucial role in determining what a user can and cannot do within an application. Let’s explore roles and authorities in more detail:
1.3.1 Roles
- A role represents a specific set of privileges or responsibilities assigned to a user. It is a higher level concept that groups related permissions.
- Roles are typically associated with multiple users and define common access control rules for those users.
- Roles can be hierarchical, allowing for more granular control over permissions. For example, an “ADMIN” role might have broader access than a “USER” role.
- Roles can be assigned to users either individually or in groups, depending on the specific requirements of the application.
- Roles are often used to control access to different sections or functionalities within an application.
1.3.2 Authorities
- An authority represents a permission or privilege that a user possesses within an application. It is a fine grained concept that specifies access to a specific resource or functionality.
- Authorities are typically assigned to individual users and define detailed access control rules for those users.
- Authorities can be used to control access to specific endpoints, methods, or functionalities within an application.
- Authorities are often defined independently of roles and can be assigned to users regardless of their role membership.
- Authorities allow for more precise control over what a user can do within an application.
1.3.3 Relationship between Roles and Authorities
- Roles and authorities can work together to provide a comprehensive access control mechanism.
- Roles group together related authorities, allowing for easier management of permissions for a group of users.
- Authorities can be assigned to users directly, regardless of their role membership, for more specific or individualized access control.
In Spring Security, roles and authorities are commonly used in combination to enforce access control. Role based access control (RBAC) is a widely used approach where users are assigned roles, and roles are associated with a set of authorities. By defining roles and authorities in Spring Security, you can easily configure and enforce fine grained access control rules to protect your application’s resources.
It’s important to note that the terms “roles” and “authorities” are used interchangeably in Spring Security documentation and examples, as they represent similar concepts. The choice of terminology may depend on the specific use case or application design.
1.4 Benefits of Spring Security
Spring Security provides several benefits for securing your applications:
- Robust Authentication: Spring Security offers various authentication mechanisms, including form based authentication, LDAP, OAuth, OpenID Connect, and more. It supports multiple authentication providers, allowing you to integrate with different authentication sources and ensure secure user authentication.
- Fine Grained Authorization: With Spring Security, you can define access control rules based on roles, permissions, or other criteria. This allows for granular control over which users can access specific resources or perform certain actions within your application.
- Integration with Spring Ecosystem: Spring Security seamlessly integrates with the wider Spring ecosystem, leveraging features like dependency injection, AOP (Aspect Oriented Programming), and others. This makes it easy to configure and extend security functionalities within your Spring based applications.
- Web Application Security: Spring Security protects against common web application security threats, such as CSRF (Cross Site Request Forgery) attacks, session management vulnerabilities, and secure header configurations. It also allows for URL based security rules and supports secure communication over HTTPS.
- Method Level Security: Spring Security enables securing individual methods or service endpoints within your application. By using annotations, you can enforce authorization rules based on user roles or other conditions, ensuring that sensitive methods are only accessible to authorized users.
- Security Events and Auditing: Spring Security generates security related events that can be used for auditing and monitoring purposes. You can configure event listeners to track authentication success/failure, access denied, session creation/destruction, and more, enabling you to monitor and analyze security related activities.
Overall, Spring Security provides a comprehensive and flexible security framework that helps protect your applications, enforce access control, and mitigate security risks effectively.
2. Spring Boot Role based Authorization
Let us dive into some practice stuff. To get started with Spring Boot Security Role based Authorization, you can follow these steps.
2.1 Creating a Spring Boot Project
Set up a new Spring Boot project or use an existing one. Include the necessary dependencies in your project’s pom.xml
file.
pom.xml
<!-- Spring Boot Starter --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- Spring Security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
2.2 Configure Application Properties
In this example, we have added the property server.port
with the value 8080
to specify the port number for the server to listen on. You can change the port number to any desired value according to your application’s needs.
application.properties
# Server Configuration server.port=8080
2.3 Configuring Spring Security
Create a configuration class to configure Spring Security. This class will extend WebSecurityConfigurerAdapter
and is responsible for configuring the security of your application. The SecurityConfig
class demonstrates a basic configuration where roles are used to restrict access to specific URL patterns and offers role based authorization.
SecurityConfig.java
package org.jcg.configuration; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/admin/**").hasRole("ADMIN") // URL pattern restricted to ADMIN role .antMatchers("/user/**").hasRole("USER") // URL pattern restricted to USER role .anyRequest().authenticated() .and() .formLogin() .and() .logout(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("admin").password("{noop}admin123").roles("ADMIN") .and() .withUser("user").password("{noop}user123").roles("USER"); } }
Let’s break down the important parts of the class.
2.3.1 Class annotations
@Configuration
: Indicates that this class is a Spring configuration class.@EnableWebSecurity
: Enables Spring Security for the application.
2.3.2 configure(HttpSecurity http) method
- This method is used to configure the security rules for different URLs and HTTP methods.
- The
http
object allows you to define the security configuration. authorizeRequests()
: Specifies that the following rules will be applied to the requests.antMatchers("/admin/**").hasRole("ADMIN")
: Restricts the URL pattern/admin/**
to users with the “ADMIN” role.antMatchers("/user/**").hasRole("USER")
: Restricts the URL pattern/user/**
to users with the “USER” role.anyRequest().authenticated()
: Requires authentication for any other request that doesn’t match the previous patterns.formLogin()
: Enables form based authentication for login.logout()
: Enables logout functionality.
2.3.3 configureGlobal(AuthenticationManagerBuilder auth) method
- This method is used to configure the authentication mechanism.
auth.inMemoryAuthentication()
: Configures an in-memory user store for authentication.withUser("admin").password("{noop}admin123").roles("ADMIN")
: Defines a user with username “admin”, password “admin123”, and the “ADMIN” role.withUser("user").password("{noop}user123").roles("USER")
: Defines a user with username “user”, password “user123”, and the “USER” role.
2.3.4 Understanding {noop}
The {noop}
prefix in the password is used to indicate that the password is stored as plain text. This is not recommended for production use, as passwords should be hashed and stored securely.
2.4 Create REST APIs
Create a controller package, within the controller package add the following content to it:
2.4.1 Admin Controller
@RestController
: This annotation is used to indicate that the class is a controller and the methods inside it will handle the incoming requests and produce the response directly to the client, without the need for additional view resolvers.@RequestMapping("/admin")
: This annotation is used to specify the base URL path for all the methods inside the controller. In this case, all the endpoints in this controller will be prefixed with"/admin"
.public class AdminController
: This is the controller class definition.@GetMapping("/dashboard")
: This annotation maps the HTTP GET requests with the URL path"/admin/dashboard"
to thedashboard()
method. When a GET request is made to this URL, thedashboard()
method will be invoked.public String dashboard()
: This is thedashboard()
method, which is mapped to the"/admin/dashboard"
URL. It returns a string"Admin dashboard"
.@GetMapping("/reports")
: This annotation maps the HTTP GET requests with the URL path"/admin/reports"
to thereports()
method. When a GET request is made to this URL, thereports()
method will be invoked.public String reports()
: This is thereports()
method, which is mapped to the"/admin/reports"
URL. It returns a string"Admin reports"
.
AdminController.java
package org.jcg.controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @RequestMapping("/admin") public class AdminController { @GetMapping("/dashboard") public String dashboard() { return "Admin dashboard"; } @GetMapping("/reports") public String reports() { return "Admin reports"; } }
2.4.1.1 Admin Controller Tests
In the example, we are using the @WebMvcTest
annotation to create a lightweight Spring MVC test context. The @WithMockUser
annotation is used to simulate an authenticated user with specific roles during the test. We specify the username and roles for the mock user.
The testAdminEndpoints
method performs GET requests to the admin endpoints /admin/dashboard
and /admin/reports
and verifies that the response status is 200 OK and the content matches the expected output.
AdminControllerTest.java
package org.jcg.controller; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.result.MockMvcResultMatchers; @WebMvcTest(AdminController.class) public class AdminControllerTest { @Autowired private MockMvc mockMvc; @Test @WithMockUser(username = "admin", roles = "ADMIN") public void testDashboardEndpoint() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/admin/dashboard")) .andExpect(MockMvcResultMatchers.status().isOk()) .andExpect(MockMvcResultMatchers.content().string("Admin dashboard")); } @Test @WithMockUser(username = "admin", roles = "ADMIN") public void testReportsEndpoint() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/admin/reports")) .andExpect(MockMvcResultMatchers.status().isOk()) .andExpect(MockMvcResultMatchers.content().string("Admin reports")); } }
2.4.2 User Controller
@RestController
: This annotation is used to indicate that the class is a controller and the methods inside it will handle the incoming requests and produce the response directly to the client, without the need for additional view resolvers.@RequestMapping("/user")
: This annotation is used to specify the base URL path for all the methods inside the controller. In this case, all the endpoints in this controller will be prefixed with"/user"
.public class UserController
: This is the controller class definition.@GetMapping("/profile")
: This annotation maps the HTTP GET requests with the URL path"/user/profile"
to theprofile()
method. When a GET request is made to this URL, theprofile()
method will be invoked.public String profile()
: This is theprofile()
method, which is mapped to the"/user/profile"
URL. It returns a string"User profile"
.@GetMapping("/settings")
: This annotation maps the HTTP GET requests with the URL path"/user/settings"
to thesettings()
method. When a GET request is made to this URL, thesettings()
method will be invoked.public String settings()
: This is thesettings()
method, which is mapped to the"/user/settings"
URL. It returns a string"User settings"
.
UserController.java
package org.jcg.controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController @RequestMapping("/user") public class UserController { @GetMapping("/profile") public String profile() { return "User profile"; } @GetMapping("/settings") public String settings() { return "User settings"; } }
2.4.2.1 User Controller Tests
In the example, we are using the @WebMvcTest
annotation to create a lightweight Spring MVC test context. The @WithMockUser
annotation is used to simulate an authenticated user with specific roles during the test. We specify the username and roles for the mock user.
The testUserEndpoints
method performs GET requests to the user endpoints /user/profile
and /user/settings
and verifies the response status and content.
UserControllerTest.java
package org.jcg.controller; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.result.MockMvcResultMatchers; @WebMvcTest(UserController.class) public class UserControllerTest { @Autowired private MockMvc mockMvc; @Test @WithMockUser(username = "user", roles = "USER") public void testProfileEndpoint() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/user/profile")) .andExpect(MockMvcResultMatchers.status().isOk()) .andExpect(MockMvcResultMatchers.content().string("User profile")); } @Test @WithMockUser(username = "user", roles = "USER") public void testSettingsEndpoint() throws Exception { mockMvc.perform(MockMvcRequestBuilders.get("/user/settings")) .andExpect(MockMvcResultMatchers.status().isOk()) .andExpect(MockMvcResultMatchers.content().string("User settings")); } }
2.5 Create Spring Boot Main class
The main class is responsible for starting the Spring Boot application and initializing the necessary configurations and beans. It serves as the entry point for the application and triggers the execution of the application’s components, such as controllers, services, and repositories.
MainApplication.java
package org.jcg; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class MainApplication { public static void main(String[] args) { SpringApplication.run(MainApplication.class, args); } }
3. Output
You can now run the Spring Boot application. The endpoints will be secured according to the roles defined in the SecurityConfig class.
3.1 Scenario: Accessing admin endpoints with an admin role
In Scenario 1, we are considering the situation where a user with an admin role is accessing the admin endpoints of the application. The user, with the appropriate permissions and privileges, is authorized to access these endpoints and perform related actions.
In the given scenario, two requests are made to the server. The first request is a GET request to the “/admin/dashboard” endpoint, and the second request is a GET request to the “/admin/reports” endpoint. Both of these endpoints are specific to the admin role and are meant to provide functionality related to the administration of the application.
When the first request is made to “/admin/dashboard”, the server processes the request and returns the response “Admin dashboard”. This response could be in the form of HTML content, JSON data, or any other appropriate format based on the application’s implementation.
Output 1
Request: GET /admin/dashboard Output: "Admin dashboard"
Similarly, when the second request is made to “/admin/reports”, the server processes the request and returns the response “Admin reports”. This response could contain the desired reports or any relevant information specific to the admin role.
Output 2
Request: GET /admin/reports Output: "Admin reports"
These responses indicate that the user with the admin role has successfully accessed the admin endpoints and received the expected output. It confirms that the user’s authentication and authorization have been validated, granting them access to the designated resources.
3.2 Scenario: Accessing user endpoints with a user role
In the given scenario, we are considering the situation where a user is accessing the user endpoints of the application. These endpoints are specifically designed to cater to the functionalities and features related to user profiles and settings.
In the first request, a GET request is made to the “/user/profile” endpoint. This endpoint is responsible for retrieving and displaying the user’s profile information. The server processes the request and generates a response containing the user’s profile details. The output “User profile” indicates that the server successfully retrieved the user’s profile information and returned it as a response.
Output 1
Request: GET /user/profile Output: "User profile"
Similarly, in the second request, a GET request is made to the “/user/settings” endpoint. This endpoint handles operations related to user settings, such as updating preferences, managing notifications, or modifying account details. The server processes the request and generates a response containing the user’s settings information. The output “User settings” signifies that the server successfully retrieved the user’s settings and returned them as the response.
Output 2
Request: GET /user/settings Output: "User settings"
In both cases, the user is authorized to access these endpoints and retrieve their profile and settings information. The output provided in the response confirms that the requests were processed successfully, and the user received the expected information.
3.3 Scenario: Accessing admin endpoints with a user role
In the given scenario, we are considering the situation where a user attempts to access the admin endpoints of the application without having the necessary authorization or role as an admin.
In the first request, a GET request is made to the “/admin/dashboard” endpoint, which is specifically designed for accessing the admin dashboard. However, the server processes the request and determines that the user does not have the required role or authorization to access this endpoint. As a result, the server generates a response with the output “Access Denied” and returns an HTTP 403 Forbidden status code. This indicates that the user’s request to access the admin dashboard has been denied due to insufficient privileges.
Output 1
Request: GET /admin/dashboard Output: Access Denied (HTTP 403 Forbidden)
Similarly, in the second request, a GET request is made to the “/admin/reports” endpoint, which is intended for accessing admin reports. Again, the server evaluates the request and finds that the user lacks the necessary authorization to access this endpoint. Consequently, the server generates a response with the output “Access Denied” and returns the same HTTP 403 Forbidden status code, indicating that the user’s request to access the admin reports has been denied.
Output 2
Request: GET /admin/reports Output: Access Denied (HTTP 403 Forbidden)
These outputs are designed to inform the user that they do not have the required permissions to access the admin endpoints. The HTTP 403 Forbidden status code is a standard response indicating that the server understood the request, but refuses to authorize it due to insufficient privileges.
Overall, in this scenario, the user is unable to access the admin dashboard and admin reports as they lack the appropriate role or authorization. This security measure ensures that only authorized administrators can access these sensitive areas of the application.
3.4 Scenario: Accessing user endpoints with an admin role
In the given scenario, we are considering a situation where a user attempts to access the user specific endpoints of the application without having the necessary authorization or role as a regular user.
In the first request, a GET request is made to the “/user/profile” endpoint, which is specifically designed for accessing the user’s profile information. However, the server processes the request and determines that the user does not have the required role or authorization to access this endpoint. As a result, the server generates a response with the output “Access Denied” and returns an HTTP 403 Forbidden status code. This indicates that the user’s request to access their profile has been denied due to insufficient privileges.
Output 1
Request: GET /user/profile Output: Access Denied (HTTP 403 Forbidden)
Similarly, in the second request, a GET request is made to the “/user/settings” endpoint, which is intended for accessing the user’s settings. Again, the server evaluates the request and finds that the user lacks the necessary authorization to access this endpoint. Consequently, the server generates a response with the output “Access Denied” and returns the same HTTP 403 Forbidden status code, indicating that the user’s request to access their settings has been denied.
Output 2
Request: GET /user/settings Output: Access Denied (HTTP 403 Forbidden)
These outputs are designed to inform the user that they do not have the required permissions to access their profile and settings. The HTTP 403 Forbidden status code is a standard response indicating that the server understood the request, but refuses to authorize it due to insufficient privileges.
Overall, in this scenario, the user is unable to access their profile and settings as they lack the appropriate role or authorization. This security measure ensures that only authorized users can access their personal information and modify their settings within the application.
3.5 Scenario: Accessing unauthorized endpoints
In this scenario, we are considering requests made to two specific endpoints: “/other” and “/public”. These endpoints are not associated with any specific role or authorization requirements and are meant to be publicly accessible. However, the server processes the requests and determines that the user does not have the necessary privileges to access these endpoints.
In the first request, a GET request is made to the “/other” endpoint. Since this endpoint is not associated with any specific role based authorization, it is expected to be accessible by any user. However, the server evaluates the request and finds that the user does not have the required authorization. As a result, the server generates a response with the output “Access Denied” and returns an HTTP 403 Forbidden status code. This indicates that the user’s request to access the “/other” endpoint has been denied due to insufficient privileges.
Output 1
Request: GET /other Output: Access Denied (HTTP 403 Forbidden)
Similarly, in the second request, a GET request is made to the “/public” endpoint, which is also expected to be publicly accessible. However, the server evaluates the request and determines that the user lacks the necessary privileges. Consequently, the server generates a response with the output “Access Denied” and returns the HTTP 403 Forbidden status code, indicating that the user’s request to access the “/public” endpoint has been denied.
Output 2
Request: GET /public Output: Access Denied (HTTP 403 Forbidden)
These outputs inform the user that they do not have the required permissions to access the “/other” and “/public” endpoints. The HTTP 403 Forbidden status code is a standard response indicating that the server understood the request but refuses to authorize it due to insufficient privileges.
4. Conclusion
In conclusion, Spring Security is a powerful framework that provides robust authentication and authorization mechanisms for Java applications. It offers a wide range of features and functionalities to secure your application and protect sensitive resources.
Throughout Spring Boot Role Based Authorization article, we have explored the key concepts and features of Spring Security. We learned about authentication, which verifies the identity of users, and saw various authentication mechanisms supported by Spring Security. These mechanisms allow you to integrate with different authentication sources, such as username/password based authentication, LDAP, OAuth, and more.
We also discussed authorization, which controls access to resources based on defined rules. Spring Security enables you to define access control rules using roles or permissions. Role based authorization allows you to group related authorities and assign them to users, while permission based authorization provides more fine grained control over access.
Additionally, we explored web security features provided by Spring Security, such as CSRF protection, session management, and URL based security rules. We also discussed method level security, which allows you to protect individual methods or service endpoints.
Spring Security offers seamless integration with the wider Spring ecosystem, leveraging features like dependency injection, AOP, and more. It provides customization and extensibility options, allowing you to override default behaviors and implement custom security filters or authentication providers to meet specific requirements.
Furthermore, we touched on the importance of security events and auditing for monitoring and tracking purposes. Spring Security generates security related events that can be used for auditing authentication success/failure, access denied events, session creation/destruction, and more.