Reputation: 414
I am new to Spring Security and was checking how to authorize requests to URLs in my application.
According to the documentation here, we add authorization as follows:
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
                .anyRequest().authenticated()
                .and()
            // ...
            .formLogin();
    }
As this method worked fine for me, I was wondering if there's another, dynamic way to specify this configuration, for example by using some sort of annotations for our REST controllers?
I have a solution in mind that would be really practical, but I wanted to make sure that there's no other way to do this before starting to develop my own code.
Thank you for your help.
Upvotes: 0
Views: 116
Reputation: 2609
Yes, there are annotations such as @Secured/@PreAuthorize/@PostAuthorize. These annotations are the preferred way of applying method-level security; they support Spring Expression Language out of the box and provide expression-based access control.
For example:
    @PreAuthorize("hasRole('ADMIN')")
    public String yourControllerMethod() {
        return response;
    }
For details, check here.
Upvotes: 2
Reputation: 3805
The only other way is to use the @Secured/@PreAuthorize/@PostAuthorize annotations. But you must put them on all webservices you want to secure.
Usually, when I build a webservices application, I like to authorize all requests on the WebSecurityConfigurerAdapter, and then secure requests one by one with these annotations.
Upvotes: 1
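The combination described in the answers above, as an added example that is not part of the original posts: the adapter keeps an authenticated-by-default rule, and the role rules from the question move onto controller methods. The class names, paths and return values are assumptions; it targets the Spring Security 5.x API used in the question.

```java
// Added example; SecurityConfig, AdminController and the endpoint paths are illustrative.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
// Without this annotation, @PreAuthorize/@PostAuthorize/@Secured are silently ignored.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about").permitAll()
                // Fallback rule: a handler that is missing an annotation
                // still requires a logged-in user.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}

@RestController
class AdminController {
    // Method-level equivalent of .antMatchers("/admin/**").hasRole("ADMIN")
    @GetMapping("/admin/status")
    @PreAuthorize("hasRole('ADMIN')")
    public String status() {
        return "admin status";
    }

    // Method-level equivalent of
    // .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
    @GetMapping("/db/stats")
    @PreAuthorize("hasRole('ADMIN') and hasRole('DBA')")
    public String dbStats() {
        return "db stats";
    }
}
```

When an expression evaluates to false, the call fails with an AccessDeniedException, which Spring Security turns into an HTTP 403 response for an authenticated user.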