This is Part 3 of our implementation of SpringBoot roles and Privileges for our Inventory Management System (InventoryMS). In this part we would discuss and implement granted authorities in Spring Boot.<\/p>\n
Parts 1 and 2 can be gotten from the links:<\/p>\n
<\/p>\n
In Spring Security, we have the concept of Granted Authority. This represents a privilege or a permission granted to a user to perform a certain action.<\/p>\n
What is difference between Role and Authority?<\/strong><\/p>\n This two represent the same concept and are basically the same. The difference is how Spring Boot handle the prefixing. A role is expected to be prefixed with “ROLE_” but an authority is not.<\/p>\n For example, the authority “ADMIN” is the same as the role “ROLE_ADMIN”.<\/p>\n hasRole() vs hasAuthority()<\/strong><\/p>\n This is also the same in concept. When you use hasRole(“ADMIN”), Spring Boot would expect that your role is named “ROLE_ADMIN”. However, if you use hasAuthority(“ADMIN”), Spring Boot would check if you have to role “ADMIN”<\/p>\n In our InventoryMS project, we would be using hasAuthority().<\/p>\n <\/p>\n To be able to achieve and efficient way to protect your API, you will have to design the routing pattern. What does this mean? It means you need some hierarchy for the API route. For example:<\/p>\n With this we would be able provide authorization at a granular level<\/p>\n <\/p>\n To be able to protect our REST API based on user roles, we would have to do the following:<\/p>\n return the users authorities (privileges) from UserPrincipal<\/strong><\/p>\n Here, we would need to update the getAuthorities method of the UserPrincipal class so that it returns a lit of SimpleGrantedAuthorities.<\/p>\n <\/p>\n At this point we would have to configure the permission on the routes. So we would have to check if the user has the required authority before the request is permitted.<\/p>\n The following changes would need to be made:<\/p>\n Then we would have to repeat this for all other roles we identified.<\/p>\n You could also create an enum type to hold these roles instead of using just strings. But I see no added benefits for taking this extra step.<\/p>\n Note that in our application, we use Roles only as grouping for privileges.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" This is Part 3 of our implementation of SpringBoot roles and Privileges for our Inventory Management System (InventoryMS). In this part we would discuss and … <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[414],"tags":[],"_links":{"self":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1835"}],"collection":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/comments?post=1835"}],"version-history":[{"count":1,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1835\/revisions"}],"predecessor-version":[{"id":1836,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1835\/revisions\/1836"}],"wp:attachment":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/media?parent=1835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/categories?post=1835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/tags?post=1835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}2. Design the REST API Endpoint Pattern<\/strong><\/h4>\n
\n
3. Retrieving the User’s GrantedAuthorities<\/strong><\/h4>\n
@Override<\/span>\r\npublic<\/span> Collection<?<\/span> extends<\/span> GrantedAuthority><\/span> getAuthorities()<\/span> {<\/span>\r\n return<\/span> userPrivilegeAssignmentService.<\/span>getUserPrivileges<\/span>(<\/span>user.<\/span>getId<\/span>())<\/span>\r\n .<\/span>stream<\/span>()<\/span>\r\n .<\/span>map<\/span>(<\/span>privilege -><\/span> new<\/span> SimpleGrantedAuthority(<\/span>privilege.<\/span>getDescription<\/span>()))<\/span> \/\/ Use SimpleGrantedAuthority<\/span>\r\n .<\/span>collect<\/span>(<\/span>Collectors.<\/span>toList<\/span>());<\/span>\r\n}<\/span>\r\n<\/pre>\n4. Configure Authorization Rules<\/strong><\/h4>\n
...<\/span>\r\n...<\/span>\r\n.<\/span>authorizeHttpRequests<\/span>(<\/span>auth -><\/span> auth\r\n .<\/span>requestMatchers<\/span>(<\/span>\"\/register\"<\/span>).<\/span>permitAll<\/span>()<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>\"\/login\"<\/span>).<\/span>permitAll<\/span>()<\/span>\r\n \r\n \/\/Configuration for the product module<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>HttpMethod.<\/span>GET<\/span>,<\/span> \"\/api\/v1\/products\"<\/span>).<\/span>hasAuthority<\/span>(<\/span>\"VIEW_PRODUCT\"<\/span>)<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>HttpMethod.<\/span>POST<\/span>,<\/span> \"\/api\/v1\/products\"<\/span>).<\/span>hasAuthority<\/span>(<\/span>\"CREATE_PRODUCT\"<\/span>)<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>HttpMethod.<\/span>DELETE<\/span>,<\/span> \"api\/vi\/product\"<\/span>).<\/span>hasAuthority<\/span>(<\/span>\"DELETE_PRODUCT\"<\/span>)<\/span>\r\n \r\n \/\/Configuration for the order module<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>HttpMethod.<\/span>GET<\/span>,<\/span> \"\/api\/v1\/products\"<\/span>).<\/span>hasAuthority<\/span>(<\/span>\"VIEW_PRODUCT\"<\/span>)<\/span>\r\n .<\/span>requestMatchers<\/span>(<\/span>HttpMethod.<\/span>POST<\/span>,<\/span> \"\/api\/v1\/products\"<\/span>).<\/span>hasAuthority<\/span>(<\/span>\"CREATE_PRODUCT\"<\/span>)<\/span> \r\n .<\/span>anyRequest<\/span>().<\/span>authenticated<\/span>()<\/span>\r\n )<\/span>\r\n...<\/span>\r\n...<\/span>\r\n<\/pre>\n