{"id":1990,"date":"2022-11-10T12:00:00","date_gmt":"2022-11-10T11:00:00","guid":{"rendered":"https:\/\/kindsonthegenius.com\/blog\/role-based-authorization-in-spring-boot-spring-security\/"},"modified":"2026-07-05T03:26:10","modified_gmt":"2026-07-05T01:26:10","slug":"role-based-authorization-in-spring-boot-spring-security","status":"publish","type":"post","link":"https:\/\/kindsonthegenius.com\/blog\/role-based-authorization-in-spring-boot-spring-security\/","title":{"rendered":"Role-Based Authorization in Spring Boot \u2013 Spring Security"},"content":{"rendered":"<p>In this tutorial, you will learn how to add role-based authorization to a Spring Boot application.<\/p>\n<p>This tutorial would simply take you through all the steps you need to follow. However, you will have two links to the actual location of the steps as well as the source code.<\/p>\n<p>There are basically 13 steps to follow:<\/p>\n<p style=\"text-align: center;\"><strong><a href=\"https:\/\/www.youtube.com\/watch?v=lD7HRqCc3Hw\" target=\"_blank\" rel=\"noopener\">Step-by-step video series of Role-Based Authorization with Spring Security here.<\/a><\/strong><\/p>\n<p><strong>Step 1 &#8211; Setup the Security Package<\/strong><\/p>\n<p>Here, you need to create a package that will contain the model, service, repository and controller for roles.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 2 &#8211; Create the Role Class<\/strong><\/p>\n<p>The role class would define the structure of a Role. Basically, an Id and a description.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 3 &#8211; Refactor the User Class to Include Roles<\/strong><\/p>\n<p>You need to add a roles field to the user class. 
In this way, a User object can also hold the set of roles assigned to that user.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 4 &#8211; Setup the Role Repository and Service<\/strong><\/p>\n<p>You will need this to communicate with the data store and also extend the functionality of the repository.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 5 &#8211; Write the Methods to Assign and Unassign Roles in the Service<\/strong><\/p>\n<p>The <strong>assign()<\/strong> method takes two parameters (User and Role) and adds the role to the roles collection of the user. The <strong>unassign()<\/strong> method takes two parameters as well and performs the opposite.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 6 &#8211; Write the Method to get User roles<\/strong><\/p>\n<p>You need to write the method to retrieve the roles of the user. This method would be written in the service. It simply takes a user object and returns the roles property.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 7 &#8211; Write the Method to get roles User does not have<\/strong><\/p>\n<p>This method to get roles not yet assigned to a user is a bit tricky. You will have to extend the UserRepository with a native SQL query that returns exactly this result. Next, you will write the method in the service that uses this method in the repository.<\/p>\n<p><a href=\"https:\/\/www.kindsonthegenius.com\/spring-boot\/complete-application-with-spring-boot-role-based-authorization\/\" target=\"_blank\" rel=\"noopener\">These seven steps are detailed here in Part 1 of Role-Based Authorization<\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 8 &#8211; Create the UserController and Roles Management Page<\/strong><\/p>\n<p>Then you need to create the RoleController. This would contain methods to GET, ADD, EDIT and DELETE a role. 
Next, create the HTML page for roles management.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 9 &#8211; Create the UserEdit Page<\/strong><\/p>\n<p>The UserEdit page is the page that allows you to manage the roles assigned to a particular user. Via this page, you would be able to view, assign and unassign roles to a user. This would require some JavaScript (<a href=\"https:\/\/github.com\/KindsonTheGenius\/fleetmsv2\" target=\"_blank\" rel=\"noopener\">See Complete Application in GitHub<\/a>).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 10 &#8211; Write the controller method to serve the UserEdit page<\/strong><\/p>\n<p>The HTML page for Users would have an Edit button to edit the User. This button would launch the UserEdit page. So you need to write the method in the UserController to serve up the UserEdit page.<\/p>\n<p>Then you need to create the UserEdit page. It would have 3 sections:<\/p>\n<ul>\n<li>user data section<\/li>\n<li>roles currently assigned to the user<\/li>\n<li>roles available to assign<\/li>\n<\/ul>\n<p>The sketch for this page can be found\u00a0<a href=\"https:\/\/www.kindsonthegenius.com\/spring-boot\/wp-content\/uploads\/2021\/10\/UserEdit-Layout-Page.jpg?189db0&amp;189db0\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><strong>Step 11 &#8211; Write the Controller Methods to Assign and Unassign Roles<\/strong><\/p>\n<p>There would be controller methods to assign and unassign a user role. These methods receive the user id and role id as URL query parameters.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 12 &#8211; Restrict Access to Page by Role<\/strong><\/p>\n<p>Now we must restrict access to certain pages based on the user&#8217;s role. This is configured in the security config using antMatchers. 
You would have to specify two things:<\/p>\n<ul>\n<li>the route you want to protect<\/li>\n<li>the role a user needs to have to be able to access that route<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Step 13 &#8211; Update the Authorities Collection<\/strong><\/p>\n<p>In the UserPrincipal class, you need to update the getAuthorities() method to fetch authorities from the roles repository. Authorities are mapped to roles.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Step 14 &#8211; Configure the Access Denied Page<\/strong><\/p>\n<p>You will have to display an access denied page when a user tries to access a URL route without having the required role.<\/p>\n<p>This is configured in the web security config.<\/p>\n<p><a href=\"https:\/\/www.kindsonthegenius.com\/spring-boot\/complete-application-with-spring-boot-part-8-role-based-authorization-2\/\" target=\"_blank\" rel=\"noopener\">Details of steps 8 to 14 can be found here<\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to add role-based authorization to a Spring Boot application. 
This tutorial would simply take you through all the &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pagelayer_contact_templates":[],"_pagelayer_content":"","footnotes":""},"categories":[414],"tags":[],"class_list":["post-1990","post","type-post","status-publish","format-standard","hentry","category-programming"],"_links":{"self":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/comments?post=1990"}],"version-history":[{"count":1,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1990\/revisions"}],"predecessor-version":[{"id":2158,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/posts\/1990\/revisions\/2158"}],"wp:attachment":[{"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/media?parent=1990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/categories?post=1990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kindsonthegenius.com\/blog\/wp-json\/wp\/v2\/tags?post=1990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}