Lesson 3: URL Authorization

1. Main Goal

The goal of this lesson is to explain the basics of URL Authorization.


2. Lesson Notes

The relevant module you need to import when you're starting with this lesson is: m1-lesson3

If you want to skip and see the complete implementation, feel free to jump ahead and import: m1-lesson4


The credentials used in the code of this lesson are: user/pass (in memory).

Important: there is a known problem in the video: the general anyRequest() rule and the more specific .antMatchers("/delete/**") rule appear in the wrong order. Authorization rules are evaluated top-down and the first pattern that matches the request decides, so the more specific matchers must come first and anyRequest() must be the last rule. With the order shown in the video, anyRequest().authenticated() already matches /delete/**, and the ADMIN restriction is never reached.


Starting from our previous security config, we are going to override the following:

@Override
protected void configure(HttpSecurity http) throws Exception { 
    http
      .authorizeRequests().anyRequest().authenticated()
      .and().formLogin()
      .and().httpBasic();
}

Notice that this is effectively the default configuration Spring Security applies when configure(HttpSecurity) is not overridden: every request requires an authenticated user, and both form login and HTTP Basic are enabled. We copy it as a good starting point.

We can change this by adding a more specific rule for the delete operation, placed before anyRequest():

.antMatchers("/delete/**").hasRole("ADMIN")

hasRole("ADMIN") checks for the authority ROLE_ADMIN; the ROLE_ prefix is added by Spring Security and must not be passed in.

Finally, we're going to look at a few examples using:

  • hasAuthority
  • hasAnyRole
  • hasAnyAuthority

And briefly mention:

  • hasIpAddress
  • access
  • anonymous
  • denyAll, permitAll
  • fullyAuthenticated, rememberMe


3. Differences in Boot 2

As we've mentioned in the lesson A Basic Security Java Config, Spring Boot 2 brings in Spring Security 5, which no longer accepts plaintext passwords: every stored password must be encoded with a PasswordEncoder (a one-way, salted hash such as bcrypt, not reversible encryption). If the password is left in plaintext, login fails and the log shows "There is no PasswordEncoder mapped for the id "null"". This means that we need to define a bean of type PasswordEncoder and run the password through it when creating the in-memory user credentials.
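The complete configuration below ties together the URL rules from section 2 and the Boot 2 password-encoding requirement from this section. It is an added example, not the code of the m1-lesson3 or m1-lesson4 modules: it assumes Spring Boot 2.x with Spring Security 5.x (WebSecurityConfigurerAdapter and antMatchers, both removed in Spring Security 6), and the package name, the extra users admin and auditor, the paths, the IP ranges and the remember-me key are all hypothetical.

```java
package com.example.lss; // hypothetical package, not from the lesson modules

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Security 5 will not compare against a plaintext password: every stored
    // credential must be produced by a PasswordEncoder. bcrypt is a salted, slow,
    // one-way hash, so the stored value cannot be turned back into "pass".
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            // user/pass comes from the lesson; admin and auditor are hypothetical test users
            .withUser("user").password(passwordEncoder().encode("pass")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("pass")).roles("USER", "ADMIN")
            .and()
            // roles() prepends ROLE_; authorities() stores the strings as given, so this
            // user has the role AUDITOR plus a plain, non-role authority AUDIT_READ
            .withUser("auditor").password(passwordEncoder().encode("pass"))
                .authorities("ROLE_AUDITOR", "AUDIT_READ");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
            // Rules are checked top-down and the first matching pattern decides, so the
            // specific matchers go first and anyRequest() is always the last rule.
            .antMatchers("/delete/**").hasRole("ADMIN")                 // needs ROLE_ADMIN; no ROLE_ prefix here
            .antMatchers("/audit/**").hasAuthority("AUDIT_READ")        // exact authority string, no prefix logic
            .antMatchers("/reports/**").hasAnyRole("ADMIN", "AUDITOR")  // ROLE_ADMIN or ROLE_AUDITOR
            .antMatchers("/export/**").hasAnyAuthority("ROLE_ADMIN", "AUDIT_READ")
            .antMatchers("/metrics/**").hasIpAddress("127.0.0.1")       // decided by caller address, not identity
            .antMatchers("/internal/**").denyAll()                      // blocked for everyone, admins included
            .antMatchers("/login", "/css/**").permitAll()               // no authentication required
            .antMatchers("/public/**").anonymous()                      // only callers who are NOT logged in
            .antMatchers("/account/**").fullyAuthenticated()            // interactive login, not a remember-me cookie
            .antMatchers("/prefs/**").rememberMe()                      // remember-me authentication is enough
            // access() takes a SpEL expression when the built-in checks are not enough
            .antMatchers(HttpMethod.POST, "/users/**")
                .access("hasRole('ADMIN') and hasIpAddress('10.0.0.0/8')")
            .anyRequest().authenticated()
          .and().formLogin()
          .and().httpBasic()
          .and().rememberMe().key("hypothetical-remember-me-key");    // makes rememberMe()/fullyAuthenticated() differ
    }
}
```

Two caveats worth testing against this config: hasRole("ROLE_ADMIN") is rejected with an IllegalArgumentException because the prefix is added for you, while hasAuthority and hasAnyAuthority compare the string exactly as written; and anonymous() is not the same as permitAll(), so a logged-in user requesting /public/** gets a 403.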


4. Resources

- Spring Security Reference - Authorization


LSS - URL Authorization - transcript.pdf