Spring Security Simple Authorization

This post follows the Spring Security Simple Authentication post and adds simple authorization logic to the same solution. We continue with the same application, but now we create a page that only some users may access. We achieve that by assigning a role to each user and restricting what a user may do based on that role.

As before, the user is asked for his credentials. If they are correct, he is taken to the application's dashboard; if they are wrong, he gets an error message.

We have two user types: simple users, who can access only the dashboard, and admins, who can access both the dashboard and the admin page. If a simple user tries to access the admin page, he is redirected to the 403 page.

The full GitHub repository can be found here: SpringSecuritySimpleAuthorization

Technologies Used

  • Spring MVC
  • Spring Security
  • Hibernate
  • MySQL
  • Maven
  • JSP, JSTL

Database

To authorize requests we need roles (authorities/permissions), and we need to store them. We create a role table with a unique role name and reference it from the user table through a role_id foreign key. This is a many-to-one relationship, not one-to-one: each user has exactly one role, and the same role can be shared by many users. After creating the tables we insert the two roles, USER and ADMIN, and the two test users. Passwords are stored as BCrypt hashes (the $2a$10$ prefix), never in plain text.

queries.sql

-- Roles: one row per authority name. The name is the string that the
-- hasAuthority('...') expression in spring-security.xml is compared against.
CREATE TABLE role
(
  role_id BIGINT NOT NULL PRIMARY KEY AUTO_INCREMENT,
  name VARCHAR(200) NOT NULL,
  UNIQUE (name)
);


-- Users: each user references exactly one role (many-to-one).
-- username is unique so a login lookup can never return two rows.
CREATE TABLE user
(
  user_id BIGINT NOT NULL PRIMARY KEY AUTO_INCREMENT,
  username VARCHAR(400) NOT NULL,
  password VARCHAR(400) NOT NULL,
  role_id BIGINT,
  UNIQUE (username),
  FOREIGN KEY (role_id) REFERENCES role(role_id)
);


INSERT INTO role (name) VALUES ('USER');
INSERT INTO role (name) VALUES ('ADMIN');

-- Both test users share the BCrypt hash of the password 123456 (cost 10).
-- The role is looked up by name rather than assuming AUTO_INCREMENT ids 1 and 2.
INSERT INTO user (username, password, role_id)
VALUES ('testUser', '$2a$10$04TVADrR6/SPLBjsK0N30.Jf5fNjBugSACeGv1S69dZALR7lSov0y',
        (SELECT role_id FROM role WHERE name = 'USER'));
INSERT INTO user (username, password, role_id)
VALUES ('testAdmin', '$2a$10$04TVADrR6/SPLBjsK0N30.Jf5fNjBugSACeGv1S69dZALR7lSov0y',
        (SELECT role_id FROM role WHERE name = 'ADMIN'));


Implementation

The only file that needs to change in order to add authorization is the Spring Security configuration. We add the new, restricted admin page to the list of intercepted URLs and require the ADMIN authority to access it.

spring-security.xml

<http auto-config="true" use-expressions="true">

    <!-- Rules are matched top to bottom; the first matching pattern wins. -->
    <intercept-url pattern="/dashboard**" access="isAuthenticated()" />
    <!-- hasAuthority('ADMIN') requires a GrantedAuthority named exactly "ADMIN" -->
    <intercept-url pattern="/admin**" access="hasAuthority('ADMIN')" />

    <!-- Where an authenticated user lands when a rule refuses the request -->
    <access-denied-handler error-page="/403" />

    <form-login
        login-page="/login"
        default-target-url="/dashboard"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password" />

    <logout logout-success-url="/login?logout" />

</http>

With just this small configuration update we have access control in the application: Spring Security demands the ADMIN authority every time someone requests the admin page. Two things are worth checking. First, hasAuthority('ADMIN') compares the raw authority string, so the UserDetailsService from the previous post must put a GrantedAuthority named exactly ADMIN into the user's authorities (unlike hasRole(), hasAuthority() never adds a ROLE_ prefix). Second, the intercept-url rules are evaluated in order and the first match wins, and the Ant pattern /admin** matches /admin and /adminsomething but not /admin/anything, so the pattern must be chosen to cover every URL the admin controller actually serves.
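The following is an added, hardened variant of the same &lt;http&gt; block; it is not the configuration from the post's repository. It keeps the post's login, logout and 403 settings but replaces the URL rules: the admin and dashboard patterns cover both the page and everything beneath it, the login and 403 pages are explicitly public, and a final catch-all denies anything not listed instead of leaving it open. The /resources/** path for static assets is an assumption about the project layout.

```xml
<!-- spring-security.xml: hardened variant of the <http> block above (added example).
     Same namespace and features as the original; only the URL rules differ.
     "/resources/**" is an assumed location for static assets. -->
<http auto-config="true" use-expressions="true">

    <!-- Rules are evaluated top to bottom and the first matching pattern
         wins, so specific entries must come before the catch-all. -->

    <!-- Pages everyone must be able to reach: the login form (this also
         covers /login?error and /login?logout, because the query string is
         not part of the match), the 403 page and static assets. -->
    <intercept-url pattern="/login"        access="permitAll" />
    <intercept-url pattern="/403"          access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />

    <!-- The post's "/admin**" matches /admin and /adminanything but NOT
         /admin/users: ** only spans path segments when it follows a slash.
         Cover the page and everything under it explicitly.
         hasAuthority() compares the raw authority string, so the
         UserDetailsService must grant exactly "ADMIN". -->
    <intercept-url pattern="/admin"        access="hasAuthority('ADMIN')" />
    <intercept-url pattern="/admin/**"     access="hasAuthority('ADMIN')" />

    <intercept-url pattern="/dashboard"    access="isAuthenticated()" />
    <intercept-url pattern="/dashboard/**" access="isAuthenticated()" />

    <!-- Default deny: any URL not listed above is refused instead of being
         served to whoever guesses it. Anonymous callers are sent to the
         login page; authenticated callers reach the 403 handler. -->
    <intercept-url pattern="/**" access="denyAll" />

    <access-denied-handler error-page="/403" />

    <form-login
        login-page="/login"
        default-target-url="/dashboard"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password" />

    <logout logout-success-url="/login?logout" />

</http>
```

The login-processing and logout URLs need no intercept-url entries: they are handled by the authentication and logout filters, which run before the URL rules are applied. To confirm the default deny works, log in as testUser and request a URL that is not in the list; you should land on the 403 page rather than on whatever controller happens to be mapped there.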

Installation and Run

  • Run the queries in database/queries.sql against your database.
  • Add your database credentials to the resources/db.properties file.
  • Build the project with mvn clean install.
  • Deploy and run the application on Tomcat.

Test Credentials

Username    Password    Role
testUser    123456      USER
testAdmin   123456      ADMIN