
Spring Security using @Secured Annotation

By Arvind Rai, December 26, 2013
In this page we learn how to secure a service layer method with an annotation in a Spring Security application. Spring Security provides the @Secured annotation; to enable annotation based security we configure the global-method-security namespace element. @Secured can allow method access to more than one role. It is our choice which methods in the application are secured and which are not.

<global-method-security> in Spring Security

global-method-security is the namespace element to configure first. Its attribute secured-annotations, when set to enabled, turns on annotation based security. We configure it as
<global-method-security secured-annotations="enabled" />
 

How to configure @Secured in Spring Security

Suppose we have roles such as ROLE_USER and ROLE_ADMIN. We can restrict a method to one role by annotating it
@Secured("ROLE_ADMIN")
public void deleteUser(String name);
 
For more than one role we can define it like
@Secured ({"ROLE_USER", "ROLE_ADMIN"})
public void addUser(String name, String pwd);
 
Now we will discuss the demo. In our example we have two users and two roles. One user is ram with password con1234 and role ROLE_ADMIN; the other is rahim with password con1234 and role ROLE_USER. In the service layer we have an interface IUserService with two methods, addUser and deleteUser. We have secured the deleteUser() method for ROLE_ADMIN, while addUser() can be accessed by both roles. Find all the configurations below.
IUserService.java
package com.concretepage.service;
import org.springframework.security.access.annotation.Secured;
public interface IUserService {
	@Secured ({"ROLE_USER", "ROLE_ADMIN"})
	public void addUser(String name, String pwd);
	@Secured("ROLE_ADMIN")
	public void deleteUser(String name);
}
 

UserService.java
package com.concretepage.service;
public class UserService implements IUserService {
	@Override
	public void addUser(String name, String pwd) {
		System.out.println("user added");
	}
	@Override
	public void deleteUser(String name) {
		System.out.println("user deleted");
	}
}
 
In the controller we call both methods of the service layer.
LoginController.java
package com.concretepage.security.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.concretepage.service.IUserService;
@Controller
@RequestMapping("/login")
public class LoginController {
	@Autowired
	public IUserService userService;
	@RequestMapping(method = RequestMethod.GET)
	public String success(ModelMap map) {		
		userService.addUser("ABC", "abc");
		userService.deleteUser("ABC");
		map.addAttribute("msg", "Done Successfully");
		return "success";
	}  
}
 

security-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <http auto-config="true">
    <intercept-url pattern="/login" access="ROLE_USER,ROLE_ADMIN" />
    <logout logout-success-url="/login" />
  </http>
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="ram" password="con1234" authorities="ROLE_ADMIN" />
        <user name="rahim" password="con1234" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
  <global-method-security secured-annotations="enabled" />
  <beans:bean name="userService" class="com.concretepage.service.UserService"/>
</beans:beans>
 

Output UI

[Screenshot: login page]

Login with user ram and you will get the success message.

[Screenshot: success page after logging in as ram]

Login with user rahim and you will get the access denied message.

[Screenshot: access denied page after logging in as rahim]

Now look at the output. First log in as user ram: there is no error, because ROLE_ADMIN is authorized for both methods. But when we log in as rahim, access to the deleteUser() method is denied.
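The same behaviour can be verified without deploying to a servlet container. The class below is an added check, not part of the original tutorial: it loads the page's IUserService and UserService into a plain Spring context configured in Java instead of security-config.xml, sets an authenticated user with the given roles, and calls both service methods, collecting the ones the security interceptor rejects. It assumes Spring Security 5.x (for @EnableGlobalMethodSecurity, User.withUsername and the {noop} password prefix) and that the page's two service classes are compiled on the classpath; the package com.concretepage.security.check, the class name SecuredMethodCheck and the helper deniedMethods() are my own names.

```java
package com.concretepage.security.check;

import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import com.concretepage.service.IUserService;
import com.concretepage.service.UserService;

// Java-config counterpart of security-config.xml (added check, not the tutorial's code),
// used only to exercise the @Secured rules on IUserService outside a servlet container.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true) // same as <global-method-security secured-annotations="enabled"/>
public class SecuredMethodCheck {

    // Declared as the interface type on purpose: @Secured sits on the interface
    // methods and the default JDK proxy exposes only the interface.
    @Bean
    public IUserService userService() {
        return new UserService();
    }

    // The same two users as the page's <user-service>. {noop} stores the demo
    // passwords unencoded, exactly as the XML does; a real deployment would store
    // encoded passwords instead. This bean also gives the method security
    // interceptor the AuthenticationManager it requires.
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("ram").password("{noop}con1234").roles("ADMIN").build(),
                User.withUsername("rahim").password("{noop}con1234").roles("USER").build());
    }

    /**
     * Calls addUser() and deleteUser() as the given principal and returns the
     * names of the methods that were rejected with AccessDeniedException.
     */
    static List<String> deniedMethods(IUserService service, String user, String... roles) {
        List<String> denied = new ArrayList<>();
        // An already-authenticated token carrying the given ROLE_* authorities stands in
        // for the form login the page performs through <http auto-config="true">.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken(user, "con1234", roles));
        try {
            try {
                service.addUser("ABC", "abc"); // same arguments the page's controller uses
            } catch (AccessDeniedException e) {
                denied.add("addUser");
            }
            try {
                service.deleteUser("ABC");
            } catch (AccessDeniedException e) {
                denied.add("deleteUser");
            }
        } finally {
            // Never let one user's security context leak into the next call.
            SecurityContextHolder.clearContext();
        }
        return denied;
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx =
                     new AnnotationConfigApplicationContext(SecuredMethodCheck.class)) {
            // This is the secured proxy, not the raw UserService instance.
            IUserService service = ctx.getBean(IUserService.class);
            System.out.println("ram   denied: " + deniedMethods(service, "ram", "ROLE_ADMIN"));
            System.out.println("rahim denied: " + deniedMethods(service, "rahim", "ROLE_USER"));
        }
    }
}
```

Running the main method prints an empty list for ram and a list containing only deleteUser for rahim, which is exactly what the success and access denied pages show. The deniedMethods() helper can be called from a unit test so that the rule is checked on every build rather than by hand in a browser. Note that calling a secured method on the raw UserService object, rather than on the proxy obtained from the context, bypasses the check entirely, which is why the bean is injected by its interface type everywhere. On Spring Security 5.6 and later, @EnableGlobalMethodSecurity is deprecated in favour of @EnableMethodSecurity(securedEnabled = true), which takes the same attribute.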
