-
Configure DB authentication instead of In memory authentication
-
Add Role entity, Dao and Service layer for it.
public interface RoleService { Role add(Role role); Role getByName(String roleName); }
-
Configure role access to specific resources for
ADMINand forUSER. You should configure access to all endpoints in your application. Example:
POST: /register - all
GET: /cinema-halls - user/admin
POST: /cinema-halls - admin
GET: /movies - user/admin
POST: /movies - admin
GET: /movie-sessions/available - user/admin
POST: /movie-sessions - admin
PUT: /movie-sessions/{id} - admin
DELETE: /movie-sessions/{id} - admin
GET: /orders - user
POST: /orders/complete - user
PUT: /shopping-carts/movie-sessions - user
GET: /shopping-carts/by-user - user
GET: /users/by-email - admin
...
HINT:
- Let's store role names as enums and add enum
RoleNameinsideRoleclass. - Roles and first Admin user can be injected inside DataInitializer class using annotation @PostConstruct.
@PostConstruct
public void inject() {
Role adminRole = new Role();
adminRole.setRoleName(Role.RoleName.ADMIN);
roleService.add(adminRole);
Role userRole = new Role();
userRole.setRoleName(Role.RoleName.USER);
roleService.add(userRole);
User user = new User();
user.setEmail("admin@i.ua");
user.setPassword("admin123");
user.setRoles(Set.of(adminRole));
userService.add(user);
}- You can specify the different HTTP method access for the same endpoint. For example:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST,"/movies/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,"/movies/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.httpBasic()
.and()
.csrf().disable();
}
You can check yourself using this checklist