Method-Level Security

Learn how to implement security on the method level by using some keywords.

We'll cover the following

Enabling method-level security
Simplified security policy
Adding a new item, if authorized
Deleting an existing item with method-level security
Testing unauthorized users
Testing properly authorized users

Having put in a basic amount of security, it’s time to point out some of its issues. HTTP verb and URL rules like pathMatchers(POST, "/").hasRole(...) grant us fine-grained control, but it has its limitations:

Changes in the controller class could require changes in our security policy.
As we add more controllers and, as a result, more lines to our SecurityWebFilterChain bean, this could get unwieldy.
What about chunks of code that need role-based security but aren’t directly linked to web endpoints?

This is where method-level security steps in.

By applying a Spring Security annotation directly on the method, we can secure things directly where our business logic is located. We can avoid having to manage security rules for the URLs of a dozen controllers and instead keep the domain of security right alongside the logic of business.

To explore method-level security, we need something a little more substantial than a couple of web methods. So for this section, we’ll add a REST API using Spring HATEOAS.

Get hands-on with 1200+ tech skills courses.

Getting Started

Building a Web App with Spring Boot

Data Access with Spring Boot

Developer Tools for Spring Boot

Testing with Spring Boot

Operations with Spring Boot

Building APIs with Spring Boot

Messaging with Spring Boot

RSocket with Spring Boot

Securing Our Application with Spring Boot

Epilogue

Appendix

Method-Level Security