Spring Method Security with PreAuthorize

Friends don’t let friends write user auth. Tired of managing your own users? Try Okta’s API and Java SDKs today. Authenticate, manage, and secure users in any application within minutes.

This tutorial will explore two ways to configure authentication and authorization in Spring Boot using Spring Security. One method is to create a WebSecurityConfigurerAdapter and use the fluent API to override the default settings on the HttpSecurity object. Another is to use the @PreAuthorize annotation on controller methods, known as method-level security or expression-based security. The latter will be the main focus of this tutorial. However, I will present some HttpSecurity code and ideas by way of contrast.

The first authentication method is HttpSecurity, which is global and is by default applied to all requests. Finer-grained control is possible, however, using pattern matching for endpoints, and the fluent API exposed by the HttpSecurity is quite powerful. This is where configuration options such as OAuth 2.0, Form Login, and HTTP Basic are exposed. It is a great place to set global authentication policies.

Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated. If access is not granted, the method is not executed and an HTTP Unauthorized is returned. In practice, using the @PreAuthorize annotation on a controller method is very similar to using HttpSecurity pattern matchers on a specific endpoint. There are some differences, however.

Differentiate Between Spring Security’s @PreAuthorize and HttpSecurity

The first difference is subtle, but worth mentioning. HttpSecurity method rejects the request earlier, in a web request filter, before controller mapping has occurred. In contrast, the @PreAuthorize assessment happens later, directly before the execution of the controller method. This means that configuration in HttpSecurity is appied before @PreAuthorize.

Second, HttpSecurity is tied to URL endpoints while @PreAuthorize is tied to controller methods and is actually located within the code adjacent to the controller definitions. Having all of your security in one place and defined by web endpoints has a certain neatness to it, especially in smaller projects, or for more global settings; however, as projects get larger, it may make more sense to keep the authorization policies near the code being protected, which is what the annotation-based method allows.

Another advantage that @PreAuthorize presents over HttpSecurity is the use of SpEL. Spring Expression Language allows you to make authorization decisions based on complex expressions that can access built-in authentication objects (such as authentication and principal), dependency-injected method parameters, and query parameters. In this tutorial you will mostly look at two expressions: hasAuthority() and hasRole(). The Spring docs are again a great place to dig deeper.

Before we dive into the project, I want to also mention that Spring also provides a @PostAuthorize annotation. Not surprisingly, this is a method-level authorization annotation that is assessed after the method executes. Why would we want to do that? It allows the method to perform its own authorization checks based on whatever controller logic it likes before the annotation is assessed. The downside is that because the controller method is executed before the annotation is assessed, this could result is inefficiency, depending on the implementation.

Dependencies

The dependencies for this tutorial are pretty simple. You need: 1) Java 8+ installed, and 2) an Okta developer account.

If you do not have Java installed, go to AdoptOpenJDK. On *nix systems, you can also use SDKMAN.

If you do not already have a free Okta developer account, go to our website and sign up.

Start a Sample Project Using Spring Initializr

To get the project started, you can use the Spring Initializr. However, while it’s worth taking a gander at the page, you don’t even have to bother going there to create the project. You can use the REST API and curl.

Open a terminal and cd to wherever you want the project file .zip to end up. Run the command below, which will download the zipped Spring Boot project.

There isn’t much to the project to begin with except the build.gradle file and the DemoApplication.java class file. However, the whole project structure is there already set up for you.

The build.gradle file also has the two Spring dependencies you need for this example:

Add a WebController

The sample app in its current state doesn’t do much. You need to add a controller to define some endpoints and responses.

Add a new file src/main/java/com/okta/preauthorize/application/WebController.java:

This controller defines two endpoints: / and /restricted. You will be adding method-level security to the /restricted endpoint in a bit. Right now, however, no security has been configured.

Go ahead and run the application. From the root project directory, run:

Once Spring Boot has finished launching, navigate to http://localhost:8080.

You’ll notice a login form appears. Whoa! Where did that come from?!

The form is automatically generated by Spring Boot. Take a look at the Spring class WebSecurityConfigurerAdapter and the method configure(HttpSecurity http). This is where the default authentication settings are configured.