
  Lesson 3: URL Authorization

1. Main Goal

The goal of this lesson is to explain the basics of URL Authorization.


2. Lesson Notes

The relevant module you need to import when you're starting with this lesson is: m1-lesson3

If you want to skip and see the complete implementation, feel free to jump ahead and import: m1-lesson4

The credentials used in the code of this lesson are: user/pass (in memory).

Important: there is a known problem in the video. The general anyRequest() and the more specific .antMatchers("/delete/**") should be in the reverse order (the more specific first, the more general last), because Spring Security checks the matchers in the order they are declared and applies the first one that matches.


Starting from our previous security config, we are going to override the following:

@Override
protected void configure(HttpSecurity http) throws Exception { 
    http
      .authorizeRequests().anyRequest().authenticated()
      .and().formLogin()
      .and().httpBasic();
}

Notice that this is actually the default implementation of this method - which we are going to copy and use as a good starting point.

We can change this by adding some extra configuration for the delete operation, placed before anyRequest():

.antMatchers("/delete/**").hasRole("ADMIN")

Finally, we're going to look at a few examples using:

  • hasAuthority
  • hasAnyRole
  • hasAnyAuthority

And briefly mention:

  • hasIpAddress
  • access
  • anonymous
  • denyAll, permitAll
  • fullyAuthenticated, rememberMe
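
The corrected ordering from the note above, together with hasRole, hasAuthority and hasAnyRole side by side, as an added example that is not the course's own code. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter; the class name, the "admin" account and the /audit/** and /reports/** paths are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example. Hypothetical names: this class, the "admin" user,
// and the /audit/** and /reports/** paths. Assumes Spring Security 5.x.
@Configuration
@EnableWebSecurity
public class UrlAuthorizationExampleConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            // user/pass as in the lesson; {noop} marks a plain-text password (demo only)
            .withUser("user").password("{noop}pass").roles("USER")
            .and()
            // hypothetical second account so the ADMIN rules can be exercised
            .withUser("admin").password("{noop}pass").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
            // Rules are checked in declaration order and the first match decides,
            // so the specific patterns come before anyRequest().
            .antMatchers("/delete/**").hasRole("ADMIN")
            // hasAuthority takes the full authority name;
            // hasRole("ADMIN") adds the ROLE_ prefix itself.
            .antMatchers("/audit/**").hasAuthority("ROLE_ADMIN")
            // Either role is enough here.
            .antMatchers("/reports/**").hasAnyRole("ADMIN", "USER")
            // Catch-all last: everything else only needs a logged-in user.
            // Declared first, it would also match /delete/**, so the
            // ADMIN rule would never be consulted.
            .anyRequest().authenticated()
          .and().formLogin()
          .and().httpBasic();
    }
}
```

With this configuration, user/pass can log in and reach /reports/** but gets 403 Forbidden on /delete/** and /audit/**, while the admin account passes all three rules.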


3. Resources

- Spring Security Reference - Authorization


Module 1 - Lesson 3 - transcript.pdf