I need to provide role-based access to REST APIs. I have seen people use @PreAuthorize and @Secured for this. I'm not sure what changes I should make, since in place of this I use a custom token-based authentication mechanism: I generate a token per session and handle it myself.
```java
@RequestMapping(value = "login", method = RequestMethod.POST)
public @ResponseBody Result login(@RequestBody Credentials credentials) {
    return loginService.login(credentials.getUsername(), credentials.getPassword());
}
```
The Result class contains the generated token, which the user passes on each request.

Now I have no idea what changes I should make to restrict access to an API if the user is in a particular role. For example, if I want to restrict the API findById so that it can be accessed by a user only if they are part of ADMIN_ROLE, I have added @PreAuthorize, but I'm not sure how to determine the user's role and block the user automatically.
```java
@PreAuthorize("ADMIN_ROLE")
@RequestMapping(value = "{id}", method = RequestMethod.GET)
public @ResponseBody Group findById(@PathVariable int id) {
    return groupParser.getGroupById(id, groupService.getGroupTree());
}
```
What you need is to tweak the Spring Security configuration. Below is an example XML config (I'm more used to it); however, it's doable in JavaConfig as well.

Basically, Spring Security is fired by the `<http ....> ... </http>` element. You'll need to write something like this (or similar to that):
```xml
<beans:bean id="authenticatedVoter"
            class="org.springframework.security.web.access.expression.WebExpressionVoter">
    <beans:property name="expressionHandler" ref="..." />
</beans:bean>

<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="" /> <!-- if you want to customize the role prefix -->
</beans:bean>

<beans:bean id="accessDecisionManager"
            class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="roleVoter" />
            <beans:ref bean="authenticatedVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- use-expressions enables @PreAuthorize -->
<http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    ....
</http>
```
Note the beans added: three Spring components. The first holds an unspecified reference: it expects an implementation of SecurityExpressionHandler; in your case you'll have to provide a DefaultMethodSecurityExpressionHandler.

Then, to add your custom token configuration, you'll need to write a filter of your own and wire it into the `<http>` element. You can do it quite easily by extending the Spring classes and customizing their behaviour:
```java
public class MyClientAuthenticationFilter extends OncePerRequestFilter {
    ....

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // custom logic here
        // throw an exception if not authenticated
    }
}
```
and wire it up:
```xml
<bean class="x.y.z.MyClientAuthenticationFilter" id="myClientAuthenticationFilter" />

<http ....>
    <custom-filter ref="myClientAuthenticationFilter" before="BASIC_AUTH_FILTER" />
</http>
```
You should be done.

Just remember to include spring-security-aspects in your build: Spring Security's @PreAuthorize and the other annotations are intercepted via AOP, hence you'll need to provide these aspects in the classpath.

Also, keep in mind this is not the full configuration: it would take a very long post to wire everything up; it's just an example of how to start. For deeper info, rely on the Spring Security documentation itself.

Last note: if you're using JavaConfig instead of XML, there should be annotations that can get rid of part of this config, except the custom filter.

Hope this helps.
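The piece the answer leaves as "custom logic here" is the part that makes @PreAuthorize usable at all: the filter has to turn the session token into a Spring Security `Authentication` that carries the user's roles, because the expression voter and method-security interceptor only see what is in `SecurityContextHolder`. The following is an added example, not code from the question or the answer. It assumes a hypothetical in-memory `tokenStore` (filled by the login endpoint when it issues a token), a `Bearer` token in the `Authorization` header, the javax servlet API, and a `GroupController` that stands in for the asker's controller; a missing token leaves the context empty, an unknown token is answered with 401 before the controller runs.

```java
package example.security; // hypothetical package

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: maps a bearer token to an authenticated principal with roles. */
public class MyClientAuthenticationFilter extends OncePerRequestFilter {

    /** What the login endpoint stores for each issued token (assumed shape). */
    public static final class TokenRecord {
        final String username;
        final List<String> roles; // authority strings, e.g. "ADMIN_ROLE"
        public TokenRecord(String username, List<String> roles) {
            this.username = username;
            this.roles = roles;
        }
    }

    // token -> record; in a real app this is the registry the login endpoint writes to
    private final Map<String, TokenRecord> tokenStore;

    public MyClientAuthenticationFilter(Map<String, TokenRecord> tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // No token at all: leave the SecurityContext empty. The access decision
            // manager (or @PreAuthorize) then rejects protected resources.
            chain.doFilter(request, response);
            return;
        }
        String token = header.substring("Bearer ".length()).trim();
        TokenRecord record = tokenStore.get(token);
        if (record == null) {
            // Unknown or expired token: stop here, never reach the controller.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        List<GrantedAuthority> authorities = record.roles.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The 3-arg constructor marks the token as authenticated; credentials are not kept.
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(record.username, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}

/** JavaConfig counterpart of use-expressions="true" for method-level annotations. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

/** Stand-in for the asker's controller: the role check is a SpEL expression, not a bare role name. */
@RestController
@RequestMapping("/groups") // hypothetical base path
class GroupController {

    // hasAuthority() compares against the exact authority string the filter granted,
    // so no ROLE_ prefix handling is involved.
    @PreAuthorize("hasAuthority('ADMIN_ROLE')")
    @RequestMapping(value = "{id}", method = RequestMethod.GET)
    public Map<String, Object> findById(@PathVariable int id) {
        return Map.of("id", id, "name", "group-" + id); // constructed sample payload
    }
}
```

Two points worth noting about the design: the filter grants exactly the authorities recorded at login, so a request cannot escalate by sending a role in a header, and `hasAuthority('ADMIN_ROLE')` is used rather than `@PreAuthorize("ADMIN_ROLE")`, which is not a valid expression. In JavaConfig the `<custom-filter before="BASIC_AUTH_FILTER">` wiring corresponds to `http.addFilterBefore(filter, BasicAuthenticationFilter.class)`.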