user4173497

What is the feature with which I can prevent users from accessing certain content in Spring Security?

I'm quite new to Spring Security and I don't know how to search for this kind of functionality. My problem is this: I authenticate the user with Spring Security, let's say with form-based auth, so the user is logged in. He can navigate through the app. Let's say we have a webapp that stores transactions in a DB and retrieves them by id. If we want to see the transaction detail, we send a request with the transaction id, for example /transaciontapp/gettransaction?id=134. On the previous page the app only loaded the transactions that belonged to that particular user. But now I can edit the link to any id and, with a GET method, being a logged-in user, I can see transactions that I'm not supposed to. So in Spring Security, how can I handle that, to restrict certain content to certain users?

Upvotes: 0

Views: 36

Answers (1)

jpietzsch

Reputation: 536

I suggest you read the official Spring Security Reference first to get an overall idea of what Spring Security is about.

A starting point is simply adding it to your project, e.g. using Gradle by adding the dependency compile('org.springframework.boot:spring-boot-starter-security'). The next step is creating a configuration class for it. This contains how authentication should work for your project.

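import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // your rules: override configure(HttpSecurity) to declare them
}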

Those rules define how to approach topics like

  • Technically: e.g. HTTP Basic Auth, Token based, Cookie based, Form based
  • Where are credentials stored: in-memory, custom UserDetailsService implementation
  • Adding filters for HTTP requests
  • Settings for session management
  • Rules for different routes; What to protect how? Anonymous login? Roles?
  • Security concerns like Cross Site Request Forgery or Cross Origin Request Strategy

Please read the documentation and see a lot of other Stack Overflow questions regarding Spring Security before asking such a basic one.

Upvotes: 1
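
An added example, not part of the question or the answer above: the per-object ownership check the question describes, done by scoping the lookup to the authenticated user so that editing the id in the URL returns 404 for another user's transaction. The Transaction record, TransactionService, the in-memory sample data and the /gettransaction mapping are assumptions for illustration; it also assumes the route already requires authentication, so the Principal is never null.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical domain type: each transaction records the username that owns it.
record Transaction(long id, String owner, String description) {}

@Service
class TransactionService {
    // Constructed sample data standing in for the database table.
    private final Map<Long, Transaction> store = new ConcurrentHashMap<>(Map.of(
            133L, new Transaction(133L, "alice", "Groceries"),
            134L, new Transaction(134L, "bob", "Rent")));

    // The lookup is scoped to the caller: a transaction owned by someone else
    // is indistinguishable from one that does not exist.
    Optional<Transaction> findForUser(long id, String username) {
        return Optional.ofNullable(store.get(id))
                .filter(tx -> tx.owner().equals(username));
    }
}

@RestController
class TransactionController {
    private final TransactionService service;

    TransactionController(TransactionService service) {
        this.service = service;
    }

    // Spring MVC injects the authenticated Principal. The owner comes from the
    // security context, never from a request parameter the client controls.
    @GetMapping("/gettransaction")
    Transaction getTransaction(@RequestParam("id") long id, Principal principal) {
        return service.findForUser(id, principal.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```

With a real database the same idea becomes a query that filters on both the id and the owner column, so the check cannot be skipped by a caller that forgets it.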
