# Authorization: SecurityFilterChain

Published 2023-07-01

This tutorial explains how authorization works in Spring Boot using Spring Security 6.

This tutorial assumes you have already created the application from "My first Spring Boot Service using Spring Security", disabled CSRF, and followed "Authentication: InMemoryUserDetailsManager".

On top of what those articles set up, we need to add the authorization mechanism. An authorization mechanism is already in place, but we will extend it.

The following bean is responsible for implementing the authorization mechanism:

```java
@Bean
public SecurityFilterChain myFilterChain1(HttpSecurity http) throws Exception {
    // We have a Basic authentication (username & password)
    http.httpBasic(Customizer.withDefaults())
        // CSRF is disabled
        .csrf(csrf -> csrf.disable())
        // Each URL below requires one of the listed roles; any other request is denied
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/employee/info2").hasAnyRole("admin")
            .requestMatchers("/employee/all", "/employee/info").hasAnyRole("admin", "read")
            .requestMatchers("/employee/add", "/employee/delete").hasAnyRole("admin", "write")
            .anyRequest().denyAll()
        );

    return http.build();
}
```

Here we have the whole configuration class:

ProjectSpringSecurityConfig.java
```java
package com.demo.springsecurity.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

import java.util.ArrayList;
import java.util.List;

@Configuration
@EnableWebSecurity
public class ProjectSpringSecurityConfig {

    @Bean
    public SecurityFilterChain myFilterChain1(HttpSecurity http) throws Exception {
        // We have a Basic authentication (username & password)
        http.httpBasic(Customizer.withDefaults())
            // CSRF is disabled
            .csrf(csrf -> csrf.disable())
            // Each URL below requires one of the listed roles; any other request is denied
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/employee/info2").hasAnyRole("admin")
                .requestMatchers("/employee/all", "/employee/info").hasAnyRole("admin", "read")
                .requestMatchers("/employee/add", "/employee/delete").hasAnyRole("admin", "write")
                .anyRequest().denyAll()
            );

        return http.build();
    }

    // In-memory demo users; each one holds exactly one of the roles checked above
    @Bean
    public UserDetailsService users() {
        List<UserDetails> userDetailsList = new ArrayList<>();

        User.UserBuilder builder = User.builder();

        UserDetails userDan = builder
                .username("dan")
                .password(passwordEncoder().encode("d"))
                .roles("read")
                .build();

        UserDetails userAnna = builder
                .username("anna")
                .password(passwordEncoder().encode("a"))
                .roles("write")
                .build();

        UserDetails admin = builder
                .username("admin")
                .password(passwordEncoder().encode("a"))
                .roles("admin")
                .build();

        userDetailsList.add(userDan);
        userDetailsList.add(userAnna);
        userDetailsList.add(admin);

        return new InMemoryUserDetailsManager(userDetailsList);
    }

    // Passwords are stored as BCrypt hashes, never in plain text
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

The Security Filter Chain lets only authenticated users pass through it, and only to the URLs their role allows.

As you can see, the SecurityFilterChain bean implements the Spring Security authorization. We can define more SecurityFilterChain beans, but in that case we need to add the @Order annotation on each one to specify the order in which the chains are evaluated.
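One way to check that the rules above behave as intended is a MockMvc test that calls the endpoints as each configured user. This is an added example, not code from the original tutorial; it assumes `spring-boot-starter-test` and `spring-security-test` are on the test classpath, and the class name `EmployeeAuthorizationTest` and the path `/employee/unlisted` are made up for illustration.

```java
package com.demo.springsecurity.config;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example: users, passwords and URLs are the ones configured in ProjectSpringSecurityConfig.
@SpringBootTest
@AutoConfigureMockMvc
class EmployeeAuthorizationTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void anonymousRequestIsChallenged() throws Exception {
        // No credentials: the Basic authentication entry point answers 401.
        mvc.perform(get("/employee/all")).andExpect(status().isUnauthorized());
    }

    @Test
    void rolesAreNotInterchangeable() throws Exception {
        // "read" must not reach admin-only or write endpoints; "write" must not read.
        mvc.perform(get("/employee/info2").with(httpBasic("dan", "d"))).andExpect(status().isForbidden());
        mvc.perform(get("/employee/add").with(httpBasic("dan", "d"))).andExpect(status().isForbidden());
        mvc.perform(get("/employee/all").with(httpBasic("anna", "a"))).andExpect(status().isForbidden());
    }

    @Test
    void unlistedUrlIsDeniedEvenForAdmin() throws Exception {
        // Hypothetical path: it matches no rule, so anyRequest().denyAll() applies.
        mvc.perform(get("/employee/unlisted").with(httpBasic("admin", "a"))).andExpect(status().isForbidden());
    }

    @Test
    void readRolePassesTheFilterChainOnReadEndpoint() throws Exception {
        // The controller's own response is not assumed; only that security did not reject the call.
        int code = mvc.perform(get("/employee/all").with(httpBasic("dan", "d"))).andReturn().getResponse().getStatus();
        assertTrue(code != 401 && code != 403, "unexpected status " + code);
    }
}
```

The negative checks use GET regardless of how the controller maps each endpoint, because the `requestMatchers` rules above match on path only and are evaluated before the request reaches the controller.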

Enjoy Spring Security Authorization!