Mastering Springboot Security

Authorization & Role-Based Access Control (RBAC)

Learning Outcome

  1. JWT handles user authentication and identity
  2. RBAC controls access using assigned roles
  3. Roles contain permissions for allowed actions
  4. Spring supports roles and authorities together
  5. Authorization secures endpoints and business logic

In the previous lecture, we understood how stateless authentication using JWT works.

JWT helps the application identify:

“Who is the user?”

But after identifying the user, another important question arises:

“What is this user allowed to access?”

After authentication:

  • Should every user access everything?
  • Should a normal user delete data?
  • Should admin features be public?

No, right?

Now, this is where Authorization comes into play.

It is commonly handled using RBAC (Role-Based Access Control).

It controls:

“What is the user allowed to access or perform?”

  • Which APIs can be accessed
  • Which operations are permitted
  • Which resources should remain restricted

What is RBAC?

Role-Based Access Control is a mechanism that restricts system access based on roles.

  • Users are assigned roles
  • Roles define allowed actions
  • Access is managed through roles, not per user

Why Roles Alone Are Not Enough

Roles Only
  • Limited flexibility
  • Hard to customize access
  • All-or-nothing approach

Roles + Permissions
  • Granular control
  • Better scalability
  • Precise access management

Real systems often use Roles + Permissions together.

ROLE_ Prefix in Spring Security

Convention: roles must start with ROLE_

Example
  •  ROLE_USER
  •  ROLE_ADMIN

Internally, hasRole("ADMIN") checks for ROLE_ADMIN:

http.authorizeHttpRequests(auth ->
    auth.requestMatchers("/admin/**")
        .hasRole("ADMIN") // Checks ROLE_ADMIN; the prefix is added for you
);

// The stored authority must carry the prefix explicitly,
// otherwise hasRole("ADMIN") will never match it
GrantedAuthority authority =
    new SimpleGrantedAuthority("ROLE_ADMIN");

Roles vs Authorities in Spring

Roles
  • Prefix: automatically prefixed with ROLE_
  • Usage: high-level grouping
  • Method: hasRole()
  • Example: ROLE_ADMIN

Authorities
  • Prefix: no prefix required
  • Usage: fine-grained control
  • Method: hasAuthority()
  • Example: DELETE_USER
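To see the two matching rules side by side, here is an added example (not from the lecture) that evaluates hasRole() and hasAuthority() against constructed principals using only spring-security-core (6.x); the principals stand in for what the JWT filter would build from token claims.

```java
import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example: how hasRole() and hasAuthority() match against the
// GrantedAuthority strings a principal carries.
public class RoleVsAuthorityDemo {

    // Constructed sample principals. The role is stored WITH its ROLE_ prefix,
    // the permission is stored as a bare string.
    static Authentication admin() {
        return new UsernamePasswordAuthenticationToken("admin", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_ADMIN", "DELETE_USER"));
    }

    static Authentication user() {
        return new UsernamePasswordAuthenticationToken("user", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    // Evaluates one rule for one principal. The secured object is not used by
    // these rules, so a placeholder is passed.
    static boolean granted(AuthorityAuthorizationManager<Object> rule, Authentication auth) {
        Supplier<Authentication> supplier = () -> auth;
        return rule.check(supplier, new Object()).isGranted();
    }

    public static void main(String[] args) {
        // hasRole("ADMIN") prepends ROLE_ and looks for ROLE_ADMIN,
        // which admin() carries and user() does not.
        System.out.println("admin hasRole(ADMIN): "
                + granted(AuthorityAuthorizationManager.hasRole("ADMIN"), admin()));
        System.out.println("user  hasRole(ADMIN): "
                + granted(AuthorityAuthorizationManager.hasRole("ADMIN"), user()));

        // hasAuthority() compares the raw string, so a permission needs no prefix.
        System.out.println("admin hasAuthority(DELETE_USER): "
                + granted(AuthorityAuthorizationManager.hasAuthority("DELETE_USER"), admin()));

        // Common mistake: hasAuthority("ADMIN") does not match ROLE_ADMIN,
        // because no prefix is added on this path. Rules written this way
        // silently deny everyone.
        System.out.println("admin hasAuthority(ADMIN): "
                + granted(AuthorityAuthorizationManager.hasAuthority("ADMIN"), admin()));

        // The reverse mistake, hasRole("ROLE_ADMIN"), is rejected with an
        // IllegalArgumentException because the prefix would be doubled.
    }
}
```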

Authorization Levels

Endpoint-Level (URL patterns)
Security configuration applied to URLs and request paths. It checks access before the request reaches the controller.

Method-Level (@PreAuthorize)
Security applied directly to service methods using annotations. Offers fine-grained control over business logic.

Both layers control access, but at different points of execution.

Endpoint-Level Security

  • Configuration: defined in the SecurityFilterChain bean
  • Target: applied to URLs/endpoints
  • Execution: works before controller logic
  • Request Filtering: checks permissions during request flow

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // build() throws Exception
  return http
    .authorizeHttpRequests(auth -> auth
      // ROLE_ADMIN only
      .requestMatchers("/admin/**").hasRole("ADMIN")
      // ROLE_USER or ROLE_ADMIN
      .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN")
      // Spring Security 6 denies requests that match no rule
    )
    .build();
}

Method-Level Security

  • Applied Directly: secures specific business logic methods
  • Fine-Grained Control: more precise than URL patterns
  • Annotations: uses @PreAuthorize or @PostAuthorize
  • Service Layer Security: protects core application functionality
  • Execution: enforced when the annotated method is invoked, so the business logic is guarded whichever path reaches it

// @PreAuthorize is only evaluated when method security is enabled
// (@EnableMethodSecurity on a configuration class in Spring Security 6)
@Service
public class ProductService {

  // Using Role: matches the authority ROLE_ADMIN
  @PreAuthorize("hasRole('ADMIN')")
  public void deleteProduct() { /* ... */ }

  // Using Authority: matches DELETE_USER exactly, no prefix added
  @PreAuthorize("hasAuthority('DELETE_USER')")
  public void removeUser() { /* ... */ }
}

401 vs 403 (Critical Difference)

401 Unauthorized
  • User is NOT authenticated
  • No valid token or credentials
  • "Who are you?"

403 Forbidden
  • User is authenticated
  • But does NOT have permission
  • "You are not allowed"

Complete Authorization Flow

  1. User sends request with JWT
  2. Server authenticates user
  3. Roles/Authorities extracted from token
  4. Access rules are checked
  5. Allowed - request proceeds; Denied - 403 Forbidden returned
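The flow above, wired into one configuration, as an added example that is not part of the lecture: stateless session, the endpoint rules from the slides, method security enabled, and explicit 401/403 handling. Without an explicit entry point, a chain that relies only on a custom JWT filter answers unauthenticated requests with 403, which blurs the distinction this lecture draws; JwtAuthFilter is a hypothetical filter standing in for the one from the previous lecture.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableMethodSecurity // activates @PreAuthorize / @PostAuthorize on service methods
public class SecurityConfig {

    // Hypothetical OncePerRequestFilter that validates the JWT and puts an
    // Authentication with ROLE_* and permission authorities into the context.
    private final JwtAuthFilter jwtAuthFilter;

    public SecurityConfig(JwtAuthFilter jwtAuthFilter) {
        this.jwtAuthFilter = jwtAuthFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            // Token travels in a header, not a cookie, so CSRF does not apply
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/**").permitAll()                 // login / token issue
                .requestMatchers("/admin/**").hasRole("ADMIN")           // ROLE_ADMIN
                .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN") // ROLE_USER or ROLE_ADMIN
                .requestMatchers(HttpMethod.DELETE, "/api/products/**").hasRole("ADMIN")
                .anyRequest().authenticated())                           // explicit default deny
            .exceptionHandling(ex -> ex
                // no or invalid token: "who are you?"
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                // authenticated but lacking the role/authority: "you are not allowed"
                .accessDeniedHandler((req, res, e) -> res.sendError(HttpStatus.FORBIDDEN.value())))
            // Run the JWT check before the default username/password filter position
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }
}
```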

Real-World Example

ROLE_USER
  • View products
  • Browse catalog

ROLE_ADMIN
  • View products
  • Delete products

Test Scenario
  • user:  DELETE /api/products/1  ->  403 Forbidden
  • admin: DELETE /api/products/1  ->  200 Allowed
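The test scenario above written as an automated check, as an added example not taken from the lecture. It assumes a Spring Boot application exposing DELETE /api/products/{id}, restricted to ROLE_ADMIN, with CSRF disabled as in a stateless JWT API and a 401 entry point configured; with CSRF still enabled, the DELETE would be rejected with 403 before any role check, which is a common source of misleading test results.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added example: pins the 401 / 403 / 200 outcomes of the lecture's scenario
// so a later change to the access rules cannot silently widen them.
@SpringBootTest
@AutoConfigureMockMvc
class ProductAuthorizationTest {

    @Autowired
    MockMvc mvc;

    // roles = "USER" is stored as ROLE_USER, exactly what hasRole("USER") expects
    @Test
    @WithMockUser(username = "user", roles = "USER")
    void authenticatedUserWithoutRoleGets403() throws Exception {
        mvc.perform(delete("/api/products/1"))
           .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(username = "admin", roles = "ADMIN")
    void adminCanDelete() throws Exception {
        mvc.perform(delete("/api/products/1"))
           .andExpect(status().isOk());
    }

    // No @WithMockUser: the request arrives without any credentials
    @Test
    void anonymousGets401NotForbidden() throws Exception {
        mvc.perform(delete("/api/products/1"))
           .andExpect(status().isUnauthorized());
    }

    // A role that is not ROLE_ADMIN must not be enough, even if the name is similar
    @Test
    @WithMockUser(username = "auditor", authorities = "ADMIN")
    void bareAdminAuthorityIsNotTheAdminRole() throws Exception {
        mvc.perform(delete("/api/products/1"))
           .andExpect(status().isForbidden());
    }
}
```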

Summary

  1. Understand authentication and authorization differences
  2. Explain RBAC working in Spring Security
  3. Differentiate roles and authorities clearly
  4. Apply endpoint and method-level security
  5. Identify 401 and 403 authorization errors

Quiz

Which statement correctly describes RBAC in Spring Security?

  A. JWT directly controls user permissions
  B. RBAC is used for authentication only
  C. Roles define what actions users can perform
  D. Authorities always require ROLE_ prefix

Quiz-Answer

SpringBoot - Authorization & Role-Based Access Control (RBAC)

By Content ITV
