Spring boot 3 & Spring security 6 - Roles and Permissions Based Authorization Explained!

Join the Micro Services course waiting list and get and get an exclusive *EARLY-BIRD discount*
aliboucoding.ck.page/d0f9317e13

I have been waiting for this video for a long time. Thank you ❤

Thank you so much, you are making the life easier.

You have the outstanding tutorials, çok teşekkür ederim kardeşim

After watching a lot of videos, I can say you are the best one who explains it very smoothly and clearly 🤩 Thank you Alibou for your hard efforts 🙏

congratulations, your videos are much more informative than many courses, a hug from brazil

Thanks for this video Ali. A master class as always ❤‍🔥❤‍🔥❤‍🔥

Jus occupied with some school work but once done I will follow. I love your content bro. God bless you

One of the best tutorials out there!!

Great video. U help me alot

Great tutorial, thanks very much. I was just searched role and permission based security

Maasha Allah, Wollah I'm just so so happy that I don't even know what to say.
Thank you so much Alibou, this is exactly one of the things I wa thinking to add to my app and Boom 💥 here is it.
Waiting for the Swagger docs 😁
Thank you so so much, JazaakAllahu khairan ❤

thanks a lot Ali ! This was very helpful

thank you so much Alibou I learned a lot you are the best

Really apreciate it! Super well explained.

I LOVE YOU! THX for the video

THANK YOU SO MUCH I VE SEEN YOU !! U R GREAT

Great tutorial as usual!

This content is amazing Sr. Thanks.

another awesome helpful video 💪

thank you mate

Learned lot of things. Thanks a lot

great video thank you so much

T'es vraiment trop trop fort, c'est incroyable

Great Job Brother, Tried watching different videos to get better understanding, but yours was too good. Also, Your debugging part was impressive, consider making a video on it too.

You're the best!

Thank you Alibou for amazing contents! Please make a video about "Auditing entities in Spring boot".

Great video and explanation. Personally i prefer the PreAuthorize annotation on methods - to have a grainer control for the endpoints. But as Ali mentioned - it depends on what you want to achieve and how it works for you.

You are the best man

very good.

The best, Thanks

Сподобалося відео! Дякую

better clearance and better understanding, thx

Great video, great content.Kindly next time we can make the roles and permissions configurable so that different actions can be assigned to different roles via an endpoint for scalability.

It would be great if you could make a video on how to debug. Your explanations and your code are the best. Thanks for making Spring understandable!!

Thank you very much sir Ali ♥️, could you make us a video on the front-end using angular🙏.

Awesome video I really appreciate you ,
can make video how to create dynamic role and permission which admin user can change it anytime for any endpoint dynamically

Thank you for the video
I think the main concept here is that a role is a container for permissions

Great video! Could you also make a small video on the intellij shortcuts to cut down our development time like the one you used to replace the word on multiple lines at a single time?

Thanks for your videos, you provide AWESOME content in great depth. IF you can also do project based videos like e-commerce,learning management system, content management system so that we get a full scope to how to do projects,Thanks again

Great video, thanks for that and for the rest of your Spring tutorial.
Would be great if you can combine this Roles and Permissions Based Authorization together with Oauth2 and show how the provider (i.e. google) goes together with user, roles and permissions entities.

I love your video

like, brb later. Who is the man? You are the man

what if the role needs to be dynamic meaning not only tied to ADMIN, MANAGER ? is there a good way to handle it?

Awesome

Nice Video. In the video u mentioned about earlier video about User. Can u pls provide the link for the same

Hello, and thank you for the excellent course and quality content on your channel.
I've been following the series for a while, making some adjustments to fit my directory structure and architecture, but nothing significant. However, I'm encountering a problem where, regardless of the role I use, I get a 403 error when accessing the DemoController. The roles and permissions code is identical (I made sure to copy and paste your code from the repository), yet the issue persists. The console output correctly identifies the user role and details, but the 403 forbidden error persists.
Did I overlook something? Perhaps I missed a detail or misunderstood a part of the instructions. What steps can I take to debug this issue? Many thanks in advance.
P.S.: I apologize if my English isn't perfect; it's not my native language.Hello,

Thanks for the video. I am interested in a video about debugging.

Finally!!

What design pattern would you suggest to use to overlay this program?

Thank you for uploading such important educational video.. sir please upload Oauth 2.0 complete course, how can manage resource URL to Authorised for different particular user(role-base Authorization using OAuth2). And your all videos are deserving to get five star feedback.

@Boulaali Ali ---- Can we handle roles or add new roles to system/app from db or file etc.. dynamically may be from UI etc. with our restarting application in Spring Boot. And also needs to apply these ne roles and permissions on ui pages as well with easy. Please consider PhpRad application where we Can define roles to existing pages from UI

Awesome as always.... Debugging Video please

great

COUPON Code: *EARLYBIRD20* => Spring Data J PA course: aliboucoding.com/p/the-full-guide-to-master-spring-boot-data-jpa

yeahh thank youu 🤓🤓🤓

Hey, first and foremost, I want to express my gratitude for your time and the incredible effort you put into creating quality content for us. Your tutorials have been immensely helpful in my learning journey. I am currently working on a project where I would like to incorporate JWT (JSON Web Tokens) into my Spring Boot/Angular application. After conducting extensive research on the subject, I couldn't find anything that clarifies the concept and its implementation better than your videos.
If possible, I kindly request if you could expedite the creation of a tutorial that demonstrates the integration of JWT in both the backend (Spring Boot) and the frontend (Angular). I truly value your expertise, and having your guidance in this particular area would be invaluable to me. I understand if this request might be challenging or time-consuming, so please let me know if it is feasible within a reasonable timeframe.
Lastly, I would like to mention how much I appreciate your channel and the valuable insights you consistently provide. Your tutorials have been instrumental in deepening my understanding of various concepts, and I truly admire your teaching style. Thank you once again for your dedication and contribution to the learning community.

Great video. Have developed a video on Debugging on Intelij IDEA?

Thanks for this awesome tutorial, please when are you doing the tutorial on debugging as you said in the video using Intellij, thanks.

Hi Ali, Great tutorial. I was wondering, if I wanted to implement a situation where the manager can grant or revoke permissions to admins i.e have a table of permissions mapped to a user(admin) and the manager can add and remove permission to different resources from the admins permission list. How do I go about this instead of hardcoding the resources that all admins should be able to access. Thanks again for this lesson.

can we implement authorisation at the Gateway level? this will reduce changing a lot of code in the application in the downstream of Gateway.

Thank you so much for this great content! I have a question I would like to ask: I am developing a project in microservice architecture and I have 3 independent services in different repos. My system also has discovery server and API gateway in separate repos. I want to apply role-based auth to services with jwt. I implemented jwt to API Gateway, but I want to control these requests on a role-based basis, just like in the video. If I do the same implementation as you did in your video to the api gateway, can I achieve role-based auth using only @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("hasAuthority('admin:create')") annotations in the other 3 services? ?

Thanks so much, boss, I'm a bit skeptical about what and while we need to seperate authority i.e (admin:create, admin:delete etc.) , are you saying if i use (admin:create) on all the endpoint(methods), i will not be able to access the resources? Like. Thnaks

hello alibu and congratulations for the perfect job. I build a rest api and i have an entity called event. I use command objects for response and i am wondering how i can implement the authorities because for example in a Get ~/event/ request if user is admin I need to return adminEventCommandObject if use is HR i need to return hREventCommandObject etc.

Thank Sir, Plz include with the jwt Exception too

Great tutorial, We need intellij debugging video with your secret tips ❤😍🔥

Would love to see user management and authentication with Keycloak

hey I have a small doubt , say I have admin with create and read only permission so how can i implement this coustomization of premission

I am having a hard time to follow your video. Which order I should watch the video of Spring security series ?

Hello~ thank you for sharing your tutorial! I appreciate it!. I just followed your code in spring security. I just have a problem which are not allowed different kind of users for login. I have no idea why.

Very nice and clear video. I also wanted to ask is it common in java that the permissions are hard coded and not stored in db for an example. I see many people doing this approach, but didn't come across any that used db to store user permissions.

Hello sir! is it possible to store files/folders (server) in a multiuser app
so that only users with certain roles or only the owner can access it
read/modify after. How to do this in springboot. A similar project would help me but I
can't find any on github. Can you help me?

Great content.
Please make a video on debug in intelliJ.
Thanks

Thank you, one of the best tutorial on Permissions and Roles I have ever seen. Please create a new tutorial about how to implement granularity and hierarchy of each role. Let's say I have list of 1000 companies from 100 countries, I would like an user responsible for updating ONLY companies from Germany, while other ONLY from USA, and UK . How would you do it? Would you create 100 Permissions? for each country?

I just found GOLD..........Thank you for this @BoualiAli

It was a very helpful video. One thing I wanna ask is that if we have two different entities lets say buyer and seller which have there own controllers and repositories then how will we be managing their repositories in ApplicationConfig. Thanks and waiting for a reply

In this particular use case when I am already using role do I need add permissions anymore? Is it not redundant?

Many thanks for this!
Just one thing puzzles me, why do you include ADMIN_* permissions in hasAnyAuthority of requestMatchers(*, "/management"), wouldn't it work already if you just included MANAGER_*?
I think you defined the admin role as containing all the manager permissions, wouldn't that be sufficient already?

Great video as it explains Authorisation in more details. I am having an issue when I am trying to add a new role after the data has been loaded to MySQL DB. So if I create a new role "READ_ONLY" , and add that role during service call, I get 403 Error with message that "Data truncated for column 'role' at row 1". Now if I use "ddl-auto=create-drop", then it will work because this will always pre-populate the Role values from scratch but if I am using "ddl-auto=update", and add new Role like mentioned above, I will get the above error. Not sure if this is happening with MySQL only.

hello Bouali, i want to ask how can i implement an option for deleting an account and that the user that created an account can delete his own account.

Hey, could you do a video about this jwt and add angular please.

@BoualiAli
How can I save and get the role, permission and resource from database?

What the differences between role and permission? and can I use role only to meet the authorization requirement ?

I hope this message finds you in good health. I would like to express my deep appreciation for discovering your channel, and I am truly grateful for the valuable content you provide. Your work has been immensely helpful to me. I do have a question that I would like to pose.
As a novice in the field of Spring Security, I am wondering if it would be beneficial for me to watch your previous video titled "Spring Boot 3.0 - Secure your API with JWT Token [2023]" as a starting point. Is this video considered a foundational resource that would aid in better comprehension before proceeding further?
Thank you for your continuous efforts, and I eagerly anticipate your response.

How can we utilize this microservice with Spring Cloud Gateway and share user details and user authorization among other microservices?

please make a video handle the security exceptions. cause the right resource pretty much missing on the internet

very nice tutorial, but I have a doubt that how to give permissions dynamically like if a new user added to the system then how to give roles and permissions to that user?
if any one know please let me know ):

Salam alibou merci bc dieu te protege inchaallah
S il te plait j ai un petite question
J ai implémenté la sécurité sur un projet j ai récupéré ton code mais j ai un souci
Le problème moi j utilise une entité role (relation many to many ) et pour les privilèges j utilise une entité (many to many avec rôles)
Quand je cree un user dans le token generer je ne vois pas les rôles et les authoritie
Je voudrai savoir à quel moment je dois m intervenir pour résoudre se problème
Lah yarham waldik

Hello! I attempted to follow your instructions and had some success. However, when I tried to use the @PreAuthorize annotation in either the admin or management controller, I consistently received a 403 error (the previous requestMatchers worked fine)

Can you explain to us how to make a many to many relationship (many users has many roles)?

in 9:28 what is the shortcut that did u use ?

Is there a way to handle permissions in keycloak?

why the user or admin , when he registre give him token ?

Nice video, but How to use this service for multiple microservices. to provide authentication as per role.

If you face this error -> Access denied and loop error issue,
after creating get user request/update user.
Watch Bouali's video titled 'How To Fix Infinite Recursion Loop in Spring Boot'.
Thanks, Bouali.

Authorize using azure ad ... Manage permissions in local database

Is the generated token for each roles changes every time?

DEBUG FOR INTELLIJ 🙏

Please add video on debugging

Question
In your video 42:10min above of AdminController class you used @PreAuthorize("hasRole('ADMIN')")
Now you deploy your code it works fine but In database I added another role called "SUPER_ADMIN"
And want to apply in the AdminController then is it possible to achieve without deploying the app with the value like
This @PreAuthorize("hasRoles('ADMIN, SUPER_ADMIN')") hardcoded with controller
1. I don't want to deploy I will assign any ROLE to ANY USER using UI click it will save database
2. I don't what to use @PreAuthorize as hard coded without using @PreAuthorize I will check api URL and check user
has permission to access that in each request.
How I may achieve that any IDEA
Moreover I found ROLE in spring security is simple STRING it don't allow any custom object as my own defined
It's a huge obstacle to build custom security