Spring boot 3 & Spring security 6 - Roles and Permissions Based Authorization Explained!
Вставка
- Опубліковано 23 лип 2024
- Buy me a coffee: ko-fi.com/boualiali 🔐 Unlock the power of Spring Security and take your application's security to the next level! In this comprehensive tutorial, we dive deep into roles and permissions-based authorization using Spring Boot 3 and Spring Security 6. Whether you're a beginner or an experienced developer, this video has everything you need to level up your security game!
🎁 Spring Data JPA course: aliboucoding.com/p/the-full-g...
🎁 🚀 COUPON Code: EARLYBIRD20
Don't Forget to
===========================================
💯 Free courses here: aliboucoding.com/courses
💯 Subscribe to the youtube channel
💯 Join our Discord Community - / discord
💯 Join our Facebook Group - / 589612651142975
💯 Join our Instagram: / alibou_coding
00:00 Introduction to Spring Security
01:29 Understanding Roles and Permissions
03:50 Add Admin and Manager resources (Endpoints)
06:46 Create roles and permissions
16:38 Configuration-based Authorization using Request Matchers
22:08 Insert users at application startup
26:11 Test the configuration based Authorization
32:12 Annotation-based Authorization using @PreAuthorize
37:09 Test the annotation based Authorization
38:39 Choose the right authorization approach for your use case
42:29 Outro
By the end of this tutorial, you'll be able to:
✅ Implement role-based and permissions-based authorization in your Spring Boot applications.
✅ Choose the right authorization approach for your use case.
✅ Secure your application using annotations and configuration-based authorization.
✅ Create custom permission evaluators and leverage Spring Expression Language (SpEL) for complex security rules.
📚 Resources and Code Examples:
Spring Security Documentation: spring.io/projects/spring-sec...
Github Repository with Code Examples: github.com/ali-bouali/spring-...
Don't forget to 👍 like, 💬 comment, and 🔔 subscribe to stay updated with the latest content on Spring Boot and Java development!
🔎 Tags:
#SpringSecurity #SpringBoot #RolesAndPermissions #Authorization #Java #SpringFramework #WebDevelopment #Tutorial #microservices #microservicestutorial #springframework
#cicd #spring #learning #springboot #springtutorial #springsecurity #developpement #java #aliboucoding #alibou #springboot_3
Join the Micro Services course waiting list and get and get an exclusive *EARLY-BIRD discount*
aliboucoding.ck.page/d0f9317e13
I have been waiting for this video for a long time. Thank you ❤
Happy to help
Thank you so much, you are making the life easier.
You have the outstanding tutorials, çok teşekkür ederim kardeşim
After watching a lot of videos, I can say you are the best one who explains it very smoothly and clearly 🤩 Thank you Alibou for your hard efforts 🙏
thank you so much for the nice comment. really appreciate that
@@BoualiAli Hi bouali, I have a question. I am currently working on a project that requires to store the roles and permissions in a database. In this case, how can we apply and use the stored permissions in the database to authorize the actions? 🤔
I also have the similar requirement. Guide me on how this was implemented if already done.
congratulations, your videos are much more informative than many courses, a hug from brazil
Thank you 🙏
Really appreciate that
Thanks for this video Ali. A master class as always ❤🔥❤🔥❤🔥
Happy to know that
Jus occupied with some school work but once done I will follow. I love your content bro. God bless you
Really to have you with us. I will keep posting more and more content.
A lot is coming in different areas not only spring
One of the best tutorials out there!!
Happy you liked it!
Great video. U help me alot
Great tutorial, thanks very much. I was just searched role and permission based security
Glad it helped
Maasha Allah, Wollah I'm just so so happy that I don't even know what to say.
Thank you so much Alibou, this is exactly one of the things I wa thinking to add to my app and Boom 💥 here is it.
Waiting for the Swagger docs 😁
Thank you so so much, JazaakAllahu khairan ❤
Swagger docs is published now 😁
Perfect timing
thanks a lot Ali ! This was very helpful
Glad it helped!
thank you so much Alibou I learned a lot you are the best
Happy to hear that!
Really apreciate it! Super well explained.
Happy you liked it
I LOVE YOU! THX for the video
Happy you liked it
THANK YOU SO MUCH I VE SEEN YOU !! U R GREAT
You are so welcome!
Great tutorial as usual!
glad you liked it!
This content is amazing Sr. Thanks.
Glad you enjoy it!
another awesome helpful video 💪
My pleasure!
thank you mate
Learned lot of things. Thanks a lot
Glad to hear that!
great video thank you so much
Happy you liked it!
T'es vraiment trop trop fort, c'est incroyable
Really happy you liked it
Great Job Brother, Tried watching different videos to get better understanding, but yours was too good. Also, Your debugging part was impressive, consider making a video on it too.
Already published a video on debugging.
Go check it in my channel
You're the best!
Thank you
Thank you Alibou for amazing contents! Please make a video about "Auditing entities in Spring boot".
Sure, great Idea
Great video and explanation. Personally i prefer the PreAuthorize annotation on methods - to have a grainer control for the endpoints. But as Ali mentioned - it depends on what you want to achieve and how it works for you.
Great point!
You are the best man
Thank you my friend
very good.
The best, Thanks
Thank you too!
Сподобалося відео! Дякую
My pleasure. thank you so much for you feedback
(I use translations to understand it lol)
better clearance and better understanding, thx
Glad it helped
Great video, great content.Kindly next time we can make the roles and permissions configurable so that different actions can be assigned to different roles via an endpoint for scalability.
I will note that for the coming video
@@BoualiAli I appreciate.Good stuff man.
It would be great if you could make a video on how to debug. Your explanations and your code are the best. Thanks for making Spring understandable!!
I will create one ASAP
I really need that
@@Ikhideifidon the video is already published.
Enable the notifications so you won’t miss any new video
Thank you very much sir Ali ♥️, could you make us a video on the front-end using angular🙏.
Really happy you liked it
Already working on it
Awesome video I really appreciate you ,
can make video how to create dynamic role and permission which admin user can change it anytime for any endpoint dynamically
Yes, soon
Thank you for the video
I think the main concept here is that a role is a container for permissions
exact
Great video! Could you also make a small video on the intellij shortcuts to cut down our development time like the one you used to replace the word on multiple lines at a single time?
I will create a short for that (reel)
Thanks for your videos, you provide AWESOME content in great depth. IF you can also do project based videos like e-commerce,learning management system, content management system so that we get a full scope to how to do projects,Thanks again
I'm already working on a new course.
@@BoualiAli A simple User Management System will be perfect! :)
Great video, thanks for that and for the rest of your Spring tutorial.
Would be great if you can combine this Roles and Permissions Based Authorization together with Oauth2 and show how the provider (i.e. google) goes together with user, roles and permissions entities.
I’m already preparing a video about keycloack that will cover all that
@@BoualiAli thanks!
keycloack sounds great, you mean it will also allow Oauth2?
@@devozs yes
@@BoualiAli man, I was searching a video like this, and I just read this comment! With the quality of your content the wait will be worth it!
@@belerante4595 you will absolutely like the content
I love your video
Happy you liked it
like, brb later. Who is the man? You are the man
Thank youu
what if the role needs to be dynamic meaning not only tied to ADMIN, MANAGER ? is there a good way to handle it?
Awesome
Glad you think so!
Nice Video. In the video u mentioned about earlier video about User. Can u pls provide the link for the same
Hello, and thank you for the excellent course and quality content on your channel.
I've been following the series for a while, making some adjustments to fit my directory structure and architecture, but nothing significant. However, I'm encountering a problem where, regardless of the role I use, I get a 403 error when accessing the DemoController. The roles and permissions code is identical (I made sure to copy and paste your code from the repository), yet the issue persists. The console output correctly identifies the user role and details, but the 403 forbidden error persists.
Did I overlook something? Perhaps I missed a detail or misunderstood a part of the instructions. What steps can I take to debug this issue? Many thanks in advance.
P.S.: I apologize if my English isn't perfect; it's not my native language.Hello,
Thanks for the video. I am interested in a video about debugging.
WIP
Finally!!
Yess hahah
What design pattern would you suggest to use to overlay this program?
Thank you for uploading such important educational video.. sir please upload Oauth 2.0 complete course, how can manage resource URL to Authorised for different particular user(role-base Authorization using OAuth2). And your all videos are deserving to get five star feedback.
coming soon
@Boulaali Ali ---- Can we handle roles or add new roles to system/app from db or file etc.. dynamically may be from UI etc. with our restarting application in Spring Boot. And also needs to apply these ne roles and permissions on ui pages as well with easy. Please consider PhpRad application where we Can define roles to existing pages from UI
Awesome as always.... Debugging Video please
Already published.
Enable the notifications for next times
great
COUPON Code: *EARLYBIRD20* => Spring Data J PA course: aliboucoding.com/p/the-full-guide-to-master-spring-boot-data-jpa
yeahh thank youu 🤓🤓🤓
My pleasure
Hey, first and foremost, I want to express my gratitude for your time and the incredible effort you put into creating quality content for us. Your tutorials have been immensely helpful in my learning journey. I am currently working on a project where I would like to incorporate JWT (JSON Web Tokens) into my Spring Boot/Angular application. After conducting extensive research on the subject, I couldn't find anything that clarifies the concept and its implementation better than your videos.
If possible, I kindly request if you could expedite the creation of a tutorial that demonstrates the integration of JWT in both the backend (Spring Boot) and the frontend (Angular). I truly value your expertise, and having your guidance in this particular area would be invaluable to me. I understand if this request might be challenging or time-consuming, so please let me know if it is feasible within a reasonable timeframe.
Lastly, I would like to mention how much I appreciate your channel and the valuable insights you consistently provide. Your tutorials have been instrumental in deepening my understanding of various concepts, and I truly admire your teaching style. Thank you once again for your dedication and contribution to the learning community.
I really appreciate your comment and how motivating it is.
I'm already working on an angular course that should be released soon. I will cover almost everything in it
@@BoualiAli thank u sir , we are impatiently waiting.
Thanks for ur time once again
Great video. Have developed a video on Debugging on Intelij IDEA?
yes
Thanks for this awesome tutorial, please when are you doing the tutorial on debugging as you said in the video using Intellij, thanks.
Already published sometime ago.
Enable the notifications, I'm always saying that so you don't miss any videos
@@BoualiAli Thanks much
Hi Ali, Great tutorial. I was wondering, if I wanted to implement a situation where the manager can grant or revoke permissions to admins i.e have a table of permissions mapped to a user(admin) and the manager can add and remove permission to different resources from the admins permission list. How do I go about this instead of hardcoding the resources that all admins should be able to access. Thanks again for this lesson.
You can store them in a database or use OAuth2 instead and it will handle everything for you
can we implement authorisation at the Gateway level? this will reduce changing a lot of code in the application in the downstream of Gateway.
Thank you so much for this great content! I have a question I would like to ask: I am developing a project in microservice architecture and I have 3 independent services in different repos. My system also has discovery server and API gateway in separate repos. I want to apply role-based auth to services with jwt. I implemented jwt to API Gateway, but I want to control these requests on a role-based basis, just like in the video. If I do the same implementation as you did in your video to the api gateway, can I achieve role-based auth using only @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("hasAuthority('admin:create')") annotations in the other 3 services? ?
Happy you liked it
yes you can achieve this in the same way you described
Thanks so much, boss, I'm a bit skeptical about what and while we need to seperate authority i.e (admin:create, admin:delete etc.) , are you saying if i use (admin:create) on all the endpoint(methods), i will not be able to access the resources? Like. Thnaks
it always depends on you needs and business rules
hello alibu and congratulations for the perfect job. I build a rest api and i have an entity called event. I use command objects for response and i am wondering how i can implement the authorities because for example in a Get ~/event/ request if user is admin I need to return adminEventCommandObject if use is HR i need to return hREventCommandObject etc.
Can you please post in the discord server?
Thank Sir, Plz include with the jwt Exception too
Check the exception handling video. it wil help you
Great tutorial, We need intellij debugging video with your secret tips ❤😍🔥
Already done.
Subscribe and enable the notification so you won't miss any new video
already done 🤩 thank you again ❤️
Would love to see user management and authentication with Keycloak
Already preparing the content
hey I have a small doubt , say I have admin with create and read only permission so how can i implement this coustomization of premission
Just create the role and assign the required permissions to it as explained
I am having a hard time to follow your video. Which order I should watch the video of Spring security series ?
Hello~ thank you for sharing your tutorial! I appreciate it!. I just followed your code in spring security. I just have a problem which are not allowed different kind of users for login. I have no idea why.
Can you explain a bit more please?
Very nice and clear video. I also wanted to ask is it common in java that the permissions are hard coded and not stored in db for an example. I see many people doing this approach, but didn't come across any that used db to store user permissions.
Yes if you have already all the scopes predefined. Otherwise it can be stored into a database to make more dynamic and scalable.
I will try to make a video explaining that
@@BoualiAli that would be amazing to see, hopefully we can see that video coming to light.
Hello sir! is it possible to store files/folders (server) in a multiuser app
so that only users with certain roles or only the owner can access it
read/modify after. How to do this in springboot. A similar project would help me but I
can't find any on github. Can you help me?
Yes it is possible.
You need to perform the check and secure the endpoint for the authorized users
Great content.
Please make a video on debug in intelliJ.
Thanks
Sure I will
@@BoualiAli looking forward to it..😊😊
Thank you, one of the best tutorial on Permissions and Roles I have ever seen. Please create a new tutorial about how to implement granularity and hierarchy of each role. Let's say I have list of 1000 companies from 100 countries, I would like an user responsible for updating ONLY companies from Germany, while other ONLY from USA, and UK . How would you do it? Would you create 100 Permissions? for each country?
Glad you liked it!
What is the answer for the question ?
I just found GOLD..........Thank you for this @BoualiAli
It was a very helpful video. One thing I wanna ask is that if we have two different entities lets say buyer and seller which have there own controllers and repositories then how will we be managing their repositories in ApplicationConfig. Thanks and waiting for a reply
Can you please explain a bit more, I didn't get the topic
In this particular use case when I am already using role do I need add permissions anymore? Is it not redundant?
check my github account
Many thanks for this!
Just one thing puzzles me, why do you include ADMIN_* permissions in hasAnyAuthority of requestMatchers(*, "/management"), wouldn't it work already if you just included MANAGER_*?
I think you defined the admin role as containing all the manager permissions, wouldn't that be sufficient already?
thank you.
I need to double check the code. I forgot honestly
Great video as it explains Authorisation in more details. I am having an issue when I am trying to add a new role after the data has been loaded to MySQL DB. So if I create a new role "READ_ONLY" , and add that role during service call, I get 403 Error with message that "Data truncated for column 'role' at row 1". Now if I use "ddl-auto=create-drop", then it will work because this will always pre-populate the Role values from scratch but if I am using "ddl-auto=update", and add new Role like mentioned above, I will get the above error. Not sure if this is happening with MySQL only.
One walkthrough is to add a new value like "READ_ONLY" to the columns directly in the database. But that won't be good practice for Production DB.
Check the data compatibility: type, length,...
hello Bouali, i want to ask how can i implement an option for deleting an account and that the user that created an account can delete his own account.
you need to implement the logic to do that
Hey, could you do a video about this jwt and add angular please.
Working on it
@BoualiAli
How can I save and get the role, permission and resource from database?
Just create entities for them and add the relations
@@BoualiAli checking, will update soon.
What the differences between role and permission? and can I use role only to meet the authorization requirement ?
they are almost the same.
Permission and more granular comparing to roles.
Roles are global, meanwhile permissions are specific to user actions (who can do what)
You can use only roles to meet the auth requirements
I hope this message finds you in good health. I would like to express my deep appreciation for discovering your channel, and I am truly grateful for the valuable content you provide. Your work has been immensely helpful to me. I do have a question that I would like to pose.
As a novice in the field of Spring Security, I am wondering if it would be beneficial for me to watch your previous video titled "Spring Boot 3.0 - Secure your API with JWT Token [2023]" as a starting point. Is this video considered a foundational resource that would aid in better comprehension before proceeding further?
Thank you for your continuous efforts, and I eagerly anticipate your response.
I really appreciate your comment and feedback and I'm always happy to help.
the answer is yes, start with that video, the the logout video, after that the refresh token video and finally this one.
I will post a video combining all the security tutorials I created so you can have a full one
@@BoualiAli thank you for your answer , this is what I'm currently doing.
thank you for your help again and for your time
.
How can we utilize this microservice with Spring Cloud Gateway and share user details and user authorization among other microservices?
Nothing special, just implement it on the API Gateway level
please make a video handle the security exceptions. cause the right resource pretty much missing on the internet
Sure
Allah bless you ❤@@BoualiAli
very nice tutorial, but I have a doubt that how to give permissions dynamically like if a new user added to the system then how to give roles and permissions to that user?
if any one know please let me know ):
I will make a video for that too, soon
Salam alibou merci bc dieu te protege inchaallah
S il te plait j ai un petite question
J ai implémenté la sécurité sur un projet j ai récupéré ton code mais j ai un souci
Le problème moi j utilise une entité role (relation many to many ) et pour les privilèges j utilise une entité (many to many avec rôles)
Quand je cree un user dans le token generer je ne vois pas les rôles et les authoritie
Je voudrai savoir à quel moment je dois m intervenir pour résoudre se problème
Lah yarham waldik
dans le UserDetailsService tu dois rendre la methode @Transactional et puis to fais un mapping dans la classe User -> getAuthorities
Hello! I attempted to follow your instructions and had some success. However, when I tried to use the @PreAuthorize annotation in either the admin or management controller, I consistently received a 403 error (the previous requestMatchers worked fine)
Did you add the annotation to enable the @PreAuthorize?
@BoualiAli, my bad. I forgot to enable the method. Thank you very much!
Can you explain to us how to make a many to many relationship (many users has many roles)?
Check the spring data jpa playlist
in 9:28 what is the shortcut that did u use ?
All the shortcuts that I use are displayed in the green popup
Is there a way to handle permissions in keycloak?
Yes, check the keycloack video
why the user or admin , when he registre give him token ?
I just wanted to speed up things.
check the latest video, it up to date and better implemented
Nice video, but How to use this service for multiple microservices. to provide authentication as per role.
Implement it on the gateway
@@BoualiAli if possible pls make video on that..
If you face this error -> Access denied and loop error issue,
after creating get user request/update user.
Watch Bouali's video titled 'How To Fix Infinite Recursion Loop in Spring Boot'.
Thanks, Bouali.
thanks for sharing
Authorize using azure ad ... Manage permissions in local database
I will try
Is the generated token for each roles changes every time?
yes
DEBUG FOR INTELLIJ 🙏
Already published
Please add video on debugging
Coming next week
Love you 😘
Question
In your video 42:10min above of AdminController class you used @PreAuthorize("hasRole('ADMIN')")
Now you deploy your code it works fine but In database I added another role called "SUPER_ADMIN"
And want to apply in the AdminController then is it possible to achieve without deploying the app with the value like
This @PreAuthorize("hasRoles('ADMIN, SUPER_ADMIN')") hardcoded with controller
1. I don't want to deploy I will assign any ROLE to ANY USER using UI click it will save database
2. I don't what to use @PreAuthorize as hard coded without using @PreAuthorize I will check api URL and check user
has permission to access that in each request.
How I may achieve that any IDEA
Moreover I found ROLE in spring security is simple STRING it don't allow any custom object as my own defined
It's a huge obstacle to build custom security
If you add a new role to your application ==> this means that you have new requirements / logic. So it makes sens change the code, write tests, ....
@@BoualiAli Thanks for the reply brother ... it's not always true that (If you add a new role to your application ==> this means that you have new requirements / logic) but for now I agree to with you but I don't to hard code like this { @PreAuthorize("hasRole('ADMIN')") } it will apply on fly I mean run time when request enters in the method. on the other hand spring security role only takes string and all it's implementation it's another barrier to customise it smoothly. By the way Thanks you and Take Care bro