Spring CRM with multi-role (drop-down list) and security using JDBC authentication with the BCrypt algorithm
In this project I used Spring Security for JDBC authentication and authorization with a custom login page. I applied authorization for the appropriate user roles (EMPLOYEE, MANAGER or ADMIN).
I also made a registration form, so we can register a new user, choose the appropriate role(s) for that user and save it to the database. A user can have multiple roles (drop-down list). There are three roles: EMPLOYEE, MANAGER and ADMIN. Only a user with the appropriate role can access certain additional information and pages in the web app.
In this example I made two separate databases. The first database holds all the customers that are shown once we are logged in to the app.
The second database holds all users and authorities.
As you can see, in this project I used the bcrypt algorithm for stored passwords. It is a one-way hash, so the password in the database can never be decrypted. To protect against CSRF attacks I added an extra authentication token to all HTML forms. This prevents a malicious website from tricking you into executing an action on a web application you are currently logged in to. For each request we have a randomly generated token, and Spring Security verifies the token before processing the request.
Once we are logged in with a valid username and password, authorization applies: a user with the EMPLOYEE role can only get the list of customers from the database.
A user with the MANAGER role can see all customers, add a new customer and UPDATE existing customers.
Adding a new customer and saving it to the database with the MANAGER role.
Updating an existing customer and saving it to the database with the MANAGER role. The form is pre-populated.
A user with the ADMIN role can see all customers (READ) and can CREATE, UPDATE and DELETE customers in the database. The ADMIN role can perform all CRUD operations.
I also added a logout button to log the user out of the system; this also invalidates the HTTP session, removes the cookies, etc.
If another user who is not authorized tries to access additional information or pages, they get an access denied page with a message.
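As an added example (not the project's own code), here is a Spring Security configuration that wires the pieces described above together: JDBC authentication against the users/authorities database, BCrypt password hashing, per-role URL rules, the custom login page, logout and the access denied page. It assumes Spring Security 5 (the WebSecurityConfigurerAdapter style); the bean name securityDataSource and the /customer/... URL paths are assumptions.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed bean name: the DataSource for the second (users/authorities) database
    @Autowired
    @Qualifier("securityDataSource")
    private DataSource securityDataSource;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // salted, one-way hash; stored value cannot be reversed
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Default schema: users(username, password, enabled) and authorities(username, authority)
        auth.jdbcAuthentication().dataSource(securityDataSource).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Most specific rule first: the ADMIN-only delete is matched before the broad /customer/** rule.
        // hasRole("ADMIN") expects the authority "ROLE_ADMIN" in the authorities table.
        // CSRF protection stays enabled (the default), so every POST form must carry the token.
        http.authorizeRequests()
                .antMatchers("/customer/delete").hasRole("ADMIN")
                .antMatchers("/customer/showForm*", "/customer/saveCustomer").hasAnyRole("MANAGER", "ADMIN")
                .antMatchers("/customer/**").hasAnyRole("EMPLOYEE", "MANAGER", "ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/showMyLoginPage")
                .loginProcessingUrl("/authenticateTheUser").permitAll()
            .and()
            .logout().permitAll() // invalidates the HTTP session and clears the session cookie
            .and()
            .exceptionHandling().accessDeniedPage("/access-denied");
    }
}
```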