Spring Security @Secured: Method-Level Protection

In this Spring Security tutorial, you will learn how to enable and use Method Level Security with the @Secured annotation.

@Secured is a Spring Security annotation used to specify that a method should be executed only if the authenticated user has the required roles or authorities.

When you use this annotation, you can specify the required roles or authorities using the “value” attribute of the annotation. For example, you can use the @Secured annotation to specify that a method should only be executed if the authenticated user has the “ROLE_ADMIN” role, as follows:

@Secured("ROLE_ADMIN")
public void performAdminOperation() {
    // code that can be executed by a user in ADMIN role
}

There are other useful method-level security annotations like the ones below. It is useful to know how they work as well.

If you are interested in video lessons, then I also show how to create user Roles and Authorities and how to use Spring Method Level Security annotations in my video course: RESTful Web Services, Spring Boot, Spring MVC, and JPA.

Add Spring Security Dependency

To use Spring Method Level Security and the @Secured annotation in your Spring Boot application, you will need to add the Spring Security dependency to your pom.xml file. Below is a code snippet that you can use to add Spring Security to your Spring Boot project.

<dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Configure Roles and Authorities

The Spring Method Level security is used in Spring Boot applications that have user Roles and Authorities configured. If your Spring Boot application does not have Roles or Authorities configured yet, below are a few tutorials that can help you learn how to enable Basic Authentication and configure Roles and Authorities.

Enable @Secured Annotation

To enable the @Secured annotation in your Spring Boot application, you first need to enable Global Method Security by adding the @EnableGlobalMethodSecurity annotation to any class in your application that is annotated with @Configuration (or is otherwise a configuration class). For example, if your application has Spring Security enabled and at least Basic Authentication configured, you most likely already have a Java class annotated with @EnableWebSecurity like the one below. You can add the @EnableGlobalMethodSecurity annotation to that class and enable method level security there as well.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // securedEnabled = true turns on @Secured
public class WebSecurity {

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        // Your existing HTTP security rules (for example, Basic Authentication) go here
        return http.build();
    }
}

Notice the use of securedEnabled = true in the @EnableGlobalMethodSecurity annotation. It is securedEnabled = true that enables the @Secured annotation; without it, @Secured annotations on your methods are silently ignored.

Once Spring Security is enabled, Roles and Authorities are configured, and Global Method Security is turned on, you can use the @Secured annotation on individual methods to restrict web service endpoints or business methods to specific user Roles and Authorities.

Using @Secured Annotation

The @Secured annotation is used at the method level. For example, you can add @Secured above the request mapping method that handles the HTTP DELETE request so that only users who have the ADMIN Role can invoke it.

Note: @Secured takes an Authority name and compares it against the user's granted authorities. If you use it with a Role name, do not forget the “ROLE_” prefix. Below is an example of the @Secured annotation that uses a role name.

// OperationStatusModel, RequestOperationName, RequestOperationStatus and userService
// are this application's own classes and fields
@Secured("ROLE_ADMIN")
@DeleteMapping(path = "/{id}", produces = { MediaType.APPLICATION_XML_VALUE, MediaType.APPLICATION_JSON_VALUE })
@Transactional
public OperationStatusModel deleteUser(@PathVariable String id) {
    OperationStatusModel returnValue = new OperationStatusModel();
    returnValue.setOperationName(RequestOperationName.DELETE.name());

    // Only reached when the caller holds ROLE_ADMIN; otherwise Spring Security
    // throws AccessDeniedException before the method body runs
    userService.deleteUser(id);

    returnValue.setOperationResult(RequestOperationStatus.SUCCESS.name());
    return returnValue;
}

Supporting Multiple Authorities

The @Secured annotation can be used with multiple Roles and Authorities. For example, if you want a method to be invoked by users who have either the ADMIN or the SUPERADMIN role, list both authorities (with the ROLE_ prefix) in curly brackets; a user who holds any one of them is allowed through.

@Secured({"ROLE_ADMIN", "ROLE_SUPERADMIN"})
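As an added example (not code from the original tutorial), here is a JUnit 5 test that exercises @Secured on a hypothetical AdminService bean and checks the behaviours described above: a matching role is allowed, a non-matching role gets AccessDeniedException, any one of several listed authorities is enough, and a missing ROLE_ prefix denies even an admin. It assumes spring-boot-starter-test and spring-security-test are on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(SecuredMethodTest.Config.class)
class SecuredMethodTest {

    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true) // Spring Security 6: @EnableMethodSecurity(securedEnabled = true)
    static class Config {
        @Bean
        AdminService adminService() { return new AdminService(); }
    }

    // Hypothetical bean for this test; the check only runs when the method is called through the Spring proxy
    public static class AdminService {
        @Secured("ROLE_ADMIN")
        public String performAdminOperation() { return "admin-ok"; }

        @Secured({"ROLE_ADMIN", "ROLE_SUPERADMIN"}) // any one listed authority is enough
        public String performSuperAdminOperation() { return "super-ok"; }

        @Secured("ADMIN") // missing ROLE_ prefix: never matches the ROLE_ADMIN authority
        public String misconfiguredOperation() { return "unreachable"; }
    }

    @Autowired AdminService adminService;

    @Test @WithMockUser(roles = "ADMIN") // granted authority becomes ROLE_ADMIN
    void adminIsAllowed() { assertEquals("admin-ok", adminService.performAdminOperation()); }

    @Test @WithMockUser(roles = "USER")
    void userIsDenied() { assertThrows(AccessDeniedException.class, adminService::performAdminOperation); }

    @Test @WithMockUser(roles = "SUPERADMIN")
    void anyListedAuthorityPasses() { assertEquals("super-ok", adminService.performSuperAdminOperation()); }

    @Test @WithMockUser(roles = "ADMIN")
    void missingPrefixDeniesEvenAdmin() { assertThrows(AccessDeniedException.class, adminService::misconfiguredOperation); }
}
```

Because @Secured is enforced by a Spring AOP proxy, a method that calls another @Secured method on the same object (self-invocation) bypasses the check; keep protected operations on a separate bean, as the test does.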

I hope this tutorial was helpful to you.

If you are interested to learn how other security annotations work, then have a look at the following tutorials:

To learn more about Spring Boot and Spring Security, have a look at Spring MVC tutorials on this site many of which have video tutorials provided. And if you are interested in learning how to build RESTful Web Microservices with Spring Boot and Spring Cloud, then have a look at Spring Cloud tutorials.
