Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a common authorization model that assigns roles to users. These roles define the permissions a user has to access resources or perform actions.
Key Components:
- Users: Individuals or entities accessing the system.
- Roles: Collections of permissions.
- Permissions: Specific actions allowed on resources.
Example:
- Users: John, Mary, Admin
- Roles: User, Manager, Admin
- Permissions: View reports, edit data, delete users
Implementation in Spring Security:
Spring Security supports RBAC through the @PreAuthorize and @PostAuthorize annotations (method security). @PreAuthorize is evaluated before the method runs, @PostAuthorize after it, with the returned value available to the expression as returnObject. The annotations are only honoured when method security is switched on: @EnableMethodSecurity on a configuration class (Spring Security 5.6 and later, the default in Spring Security 6) or @EnableGlobalMethodSecurity(prePostEnabled = true) on older versions. Without that switch the annotations are silently ignored and every caller gets through, so check for it first when an authorization rule appears not to apply.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/products")
public class ProductController {

    // hasRole('ADMIN') matches the granted authority "ROLE_ADMIN": Spring Security
    // adds the ROLE_ prefix itself, so the expression should not repeat it.
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping
    public Product createProduct(@RequestBody Product product) {
        // ...
    }

    // hasAnyRole: either role is sufficient.
    @PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")
    @PutMapping("/{id}")
    public Product updateProduct(@PathVariable Long id, @RequestBody Product product) {
        // ...
    }
}
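The controller above enforces nothing unless method security is enabled. The following configuration, added here as an example and not taken from the original page, shows the switch together with a URL-level rule set that mirrors the annotations. It assumes Spring Security 6.x (Spring Boot 3) and the ProductController above; the USER role on GET and the HTTP Basic login are assumptions for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the page's own code). Assumes Spring Security 6.x.
@Configuration
@EnableMethodSecurity   // without this, @PreAuthorize/@PostAuthorize are never evaluated
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // URL-level RBAC is a first layer; the method annotations are a second,
            // independent layer. A new endpoint added without an annotation is still
            // caught by these rules, and a rule typo is still caught by the annotation.
            .authorizeHttpRequests(auth -> auth
                // hasRole/hasAnyRole take the bare name; Spring Security 6 rejects "ROLE_ADMIN" here
                .requestMatchers(HttpMethod.POST, "/api/products/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.PUT, "/api/products/**").hasAnyRole("ADMIN", "MANAGER")
                .requestMatchers(HttpMethod.GET, "/api/products/**").hasAnyRole("ADMIN", "MANAGER", "USER")
                // default deny: anything not listed requires at least an authenticated caller
                .anyRequest().authenticated())
            // assumed login mechanism for the example; replace with your own
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Keep both layers: the request rules stop unannotated endpoints from shipping open, and the method annotations still apply when the same service method is reached through a path other than HTTP (a scheduled job, a message listener, another controller).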
Granting Roles to Users:
You can assign roles to users in your UserDetailsService implementation. Each role is exposed to Spring Security as a GrantedAuthority named "ROLE_" + the role name, which is what hasRole('ADMIN') and hasAnyRole(...) match against.
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;

// The application's own User entity and Spring's UserDetails implementation
// share the simple name User, so the Spring one is referenced fully qualified.
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    User user = userRepository.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
    // "ROLE_" prefix is the convention hasRole() relies on
    List<GrantedAuthority> authorities = new ArrayList<>();
    user.getRoles().forEach(role -> authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName())));
    return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), authorities);
}
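A role matrix is only as good as the tests that pin it down. The test class below is an added example, not code from the original page: it drives the proxied ProductController bean with mock users of each role and asserts on the negative cases as well as the positive ones, so a refactor that drops or loosens an annotation fails the build. It assumes the ProductController above with implemented method bodies, a Product class with a no-argument constructor, @EnableMethodSecurity in the application configuration, and spring-security-test plus JUnit 5 on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

// Added example (not the page's own code). Assumes ProductController, Product,
// @EnableMethodSecurity and spring-security-test as described in the lead-in.
@SpringBootTest
class ProductControllerRbacTest {

    // Injected bean is the method-security proxy, so @PreAuthorize is evaluated
    // even though we call the methods directly rather than over HTTP.
    @Autowired
    private ProductController controller;

    @Test
    @WithMockUser(roles = "ADMIN")   // @WithMockUser prepends ROLE_ itself
    void adminCanCreateAndUpdate() {
        assertDoesNotThrow(() -> controller.createProduct(new Product()));
        assertDoesNotThrow(() -> controller.updateProduct(1L, new Product()));
    }

    @Test
    @WithMockUser(roles = "MANAGER")
    void managerCanUpdateButNotCreate() {
        assertDoesNotThrow(() -> controller.updateProduct(1L, new Product()));
        // the negative case is the one that catches a loosened annotation
        assertThrows(AccessDeniedException.class, () -> controller.createProduct(new Product()));
    }

    @Test
    @WithMockUser(roles = "USER")
    void plainUserCanDoNeither() {
        assertThrows(AccessDeniedException.class, () -> controller.createProduct(new Product()));
        assertThrows(AccessDeniedException.class, () -> controller.updateProduct(1L, new Product()));
    }

    @Test
    void unauthenticatedCallerIsRejected() {
        // No @WithMockUser: the SecurityContext holds no Authentication, and method
        // security reports that as a missing-credentials failure, not a role failure.
        assertThrows(AuthenticationCredentialsNotFoundException.class,
                () -> controller.createProduct(new Product()));
    }
}
```

If the last test fails with a different exception type on your version, keep the assertion but check for the supertype org.springframework.security.core.AuthenticationException; the point is that an unauthenticated call must not reach the method body.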
Additional Considerations:
- Fine-grained control: Use Spring Expression Language (SpEL) for rules that go beyond role membership, for example combining a role check with method arguments (#id) or with the returned object (returnObject in @PostAuthorize), or delegating to a named bean (@beanName.method(...)).
- Custom access decision managers: For advanced scenarios you can plug in your own decision logic. In Spring Security 6 the AuthorizationManager interface is the extension point; the older AccessDecisionManager is deprecated.
- Separation of Concerns: Keep authorization logic separate from business logic for better maintainability and auditability. A controller that branches on roles inside its own code is hard to review; a rule expressed in an annotation or a dedicated policy component can be read and tested on its own.
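The three considerations above, shown together as an added example that is not part of the original page: a dedicated policy component referenced from SpEL, an argument-based rule on update, and a @PostAuthorize rule on read. It assumes a Product with getOwnerUsername(), a ProductRepository with findById(Long) and save(Product), and that the code is compiled with -parameters (Spring Boot's build plugins do this) so that #id resolves to the method parameter; all three are assumptions for the example.

```java
import java.util.Optional;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Added example (not the page's own code). ProductRepository and
// Product.getOwnerUsername() are assumed to exist.
// All ownership policy lives here; the controller never inspects roles itself.
@Component("productAuthz")
public class ProductAuthorization {

    private final ProductRepository productRepository;

    public ProductAuthorization(ProductRepository productRepository) {
        this.productRepository = productRepository;
    }

    // ADMIN may edit any product; MANAGER only products they own.
    // An unknown id is denied rather than treated as an error, so the
    // authorization layer does not leak which ids exist.
    public boolean canEdit(Authentication auth, Long productId) {
        if (hasAuthority(auth, "ROLE_ADMIN")) {
            return true;
        }
        if (!hasAuthority(auth, "ROLE_MANAGER")) {
            return false;
        }
        return productRepository.findById(productId)
                .map(p -> auth.getName().equals(p.getOwnerUsername()))
                .orElse(false);
    }

    private static boolean hasAuthority(Authentication auth, String authority) {
        return auth.getAuthorities().stream()
                .anyMatch(a -> authority.equals(a.getAuthority()));
    }
}

// Would live in its own file as a public class; shown here for the example.
@RestController
@RequestMapping("/api/products")
class ProductController {

    private final ProductRepository productRepository;

    ProductController(ProductRepository productRepository) {
        this.productRepository = productRepository;
    }

    // "authentication" and "#id" are SpEL variables supplied by method security;
    // "@productAuthz" is the bean above, looked up by name.
    @PreAuthorize("@productAuthz.canEdit(authentication, #id)")
    @PutMapping("/{id}")
    public Product updateProduct(@PathVariable Long id, @RequestBody Product product) {
        return productRepository.save(product);
    }

    // @PostAuthorize runs after the method: the product is loaded, then the
    // expression decides whether this caller may see it. A denial is a 403.
    @PostAuthorize("hasRole('ADMIN') or returnObject.ownerUsername == authentication.name")
    @GetMapping("/{id}")
    public Product getProduct(@PathVariable Long id) {
        Optional<Product> found = productRepository.findById(id);
        return found.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```

Two caveats with @PostAuthorize: the method body has already executed by the time the check runs, so it is only suitable for reads with no side effects, and a 404 thrown before the check tells any authenticated caller which ids exist. If that matters, load the object inside the policy bean and make the decision there, as canEdit does, so that missing and forbidden look the same from outside.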
In the next chapter, we’ll explore other authorization models and delve deeper into access control mechanisms.