PART 3: Configuring security of the API endpoints
Spring Security Basics: Implementing Authentication and Authorization
In this section we create a custom security configuration for the API endpoints. To achieve this, let's go through the following steps.
Create the security configuration class
Make all APIs to be accessed only by logged in users
Allow /api/hello to be accessed by anyone
Restrict access to /api/admin to user with ADMIN role only
Access to the endpoints will be configured as follows.
API | Who can access
/api/hello | anyone
/api/protected | authenticated users
/api/admin | admin user
Create the security configuration class
To implement a custom security configuration that overrides the default one, we need to create a configuration class. This is done with the help of the @Configuration annotation.
package com.gintophilip.springauth.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                // Every request, whatever its path, must carry an authenticated principal
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // Unauthenticated browser requests are sent to Spring Security's default login page
                .formLogin(Customizer.withDefaults())
                .build();
    }
}
This will serve as our initial configuration. Here, we have mandated that every request must be authenticated. In the coming steps, we will configure the security settings as required.
Make all APIs to be accessed only by logged in users
There is nothing to do here, because the initial configuration already satisfies this requirement. Hence we don't need any special configuration for the /api/protected endpoint.
Allow /api/hello to be accessed by anyone
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth -> auth
                        // Rules are evaluated in order: the specific matcher comes first
                        .requestMatchers("/api/hello").permitAll()
                        // anyRequest() must stay last; it is the catch-all for everything else
                        .anyRequest().authenticated()
                )
                .formLogin(Customizer.withDefaults())
                .build();
    }
Now run the application and attempt to access the APIs. The endpoint /api/hello is now accessible to everyone, while all other endpoints still require users to log in.
Restrict access to /api/admin to user with the ADMIN role only.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/hello").permitAll()
                        // hasRole("ADMIN") checks for the authority ROLE_ADMIN;
                        // Spring Security adds the ROLE_ prefix for you
                        .requestMatchers("/api/admin").hasRole("ADMIN")
                        .anyRequest().authenticated()
                )
                .formLogin(Customizer.withDefaults())
                .build();
    }
At this point, the only API endpoint accessible without logging in is /api/hello. All other endpoints are guarded by the login screen, and /api/admin additionally requires the ADMIN role.