{"id":122063,"date":"2024-05-03T13:11:41","date_gmt":"2024-05-03T10:11:41","guid":{"rendered":"https:\/\/www.javacodegeeks.com\/?p=122063"},"modified":"2024-05-03T13:13:55","modified_gmt":"2024-05-03T10:13:55","slug":"spring-security-authorizationmanager","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html","title":{"rendered":"Spring Security AuthorizationManager"},"content":{"rendered":"<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n<p>Spring Security AuthorizationManager is part of <a href=\"https:\/\/docs.spring.io\/spring-security\/reference\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Spring Security<\/a> that is an extension of the <a href=\"https:\/\/docs.spring.io\/spring-framework\/reference\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Spring Framework<\/a> that supports common application security. It includes mandatory&nbsp;authentication for URLs, default login and logout forms, and default users. There are four key concepts:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Principal<\/strong>: an application request. It could be a user or web service.<\/li>\n<li><strong>Authentication<\/strong>: the process of verifying principals. It can be knowledge&nbsp;based authentication (username\/password), possession based authentication (access token), or multi-factor authentication.<\/li>\n<li><strong>Authorization<\/strong>: the process of verifying a principal has access to the resource.<\/li>\n<li><strong>Authority<\/strong>: a logical name representing permissions. 
A principal may have zero or more authorities.<\/li>\n<\/ul>\n<p>In this example, I will configure the Spring Security <code>AuthorizationManager<\/code> to protect Rest APIs in a spring boot application with the following steps:<\/p>\n<ul class=\"wp-block-list\">\n<li>Add Spring Security dependencies.<\/li>\n<li>Configure and enable Spring Security.<\/li>\n<li>Secure Rest APIs with role-based authorization<\/li>\n<li>Secure Rest APIs with customized <code>AuthorizationManager<\/code>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">2. What Is Spring Security AuthorizationManager<\/h2>\n<p>The <a href=\"https:\/\/docs.spring.io\/spring-security\/site\/docs\/current\/api\/org\/springframework\/security\/authorization\/AuthorizationManager.html\">AuthorizationManager<\/a> is an interface that checks if an authenticated principal&nbsp;has access to a secured resource. <strong>AuthorizationManager<\/strong> instances are used by Spring Security to make final access control decisions and Spring Security provides several built-in implementations of <strong>AuthorizationManager<\/strong>, such as <a href=\"https:\/\/docs.spring.io\/spring-security\/site\/docs\/5.8.0\/api\/\/org\/springframework\/security\/access\/hierarchicalroles\/RoleHierarchyAuthoritiesMapper.html\" target=\"_blank\" rel=\"noreferrer noopener\">RoleHierarchyAuthoritiesMapper<\/a> and  <a href=\"https:\/\/docs.spring.io\/spring-security\/site\/docs\/current\/api\/org\/springframework\/security\/access\/hierarchicalroles\/RoleHierarchyImpl.html\" target=\"_blank\" rel=\"noreferrer noopener\">RoleHierarchyImpl<\/a>. It also provides custom access control mechanisms.<\/p>\n<p><strong>AuthorizationManager<\/strong> is often used in conjunction with other Spring Security components, such as method security annotations, web security configuration, etc. 
In this example, I will use role-based authorization&nbsp;and configure a web security configuration to protect the &#8220;<strong>custom<\/strong>&#8221; Rest API resource.<\/p>\n<h2 class=\"wp-block-heading\">3. Implementations of AuthorizationManager<\/h2>\n<p>In this step, I will create three Rest API resources and protect the API access with Spring Security AuthorizationManager. <\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>API Resource<\/strong><\/td>\n<td><strong>Authority<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\/adminonly\/**<\/td>\n<td>ADMIN<\/td>\n<\/tr>\n<tr>\n<td>\/rolebased\/**<\/td>\n<td>USER<\/td>\n<\/tr>\n<tr>\n<td>\/anonymous<\/td>\n<td>authenticated&nbsp;user<\/td>\n<\/tr>\n<\/tbody>\n<\/table><figcaption class=\"wp-element-caption\">Table 1. API Resources and Authority<\/figcaption><\/figure>\n<p>I will configure four application users so we can use them to demonstrate the API resources are secured.<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong><strong>Principal&nbsp;<\/strong><\/strong><\/td>\n<td><strong>Authority<\/strong><\/td>\n<td><strong>Allowed API Resource<\/strong><\/td>\n<\/tr>\n<tr>\n<td>admin<\/td>\n<td>ADMIN<\/td>\n<td>\/adminonly<\/td>\n<\/tr>\n<tr>\n<td>user1, user 2<\/td>\n<td>USER<\/td>\n<td>\/rolebased<\/td>\n<\/tr>\n<tr>\n<td>guest<\/td>\n<td>GUEST<\/td>\n<td>\/anonymous<\/td>\n<\/tr>\n<\/tbody>\n<\/table><figcaption class=\"wp-element-caption\">Table 2. 
Allowed Users, Authority, and API Resources<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\">3.1 Add Dependencies<\/h3>\n<p>Add &#8220;<strong>spring-boot-starter-security<\/strong>&#8221; and &#8220;<strong>spring-security-core<\/strong>&#8221; dependencies to the <strong>pom.xml<\/strong> to protect the Spring boot application with Spring Security feature.<\/p>\n<p><span style=\"text-decoration: underline\"><em>pom.xml<\/em><\/span><\/p>\n<pre class=\"brush:xml\"> &lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n&lt;project xmlns=\"http:\/\/maven.apache.org\/POM\/4.0.0\"\n\txmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n\txsi:schemaLocation=\"http:\/\/maven.apache.org\/POM\/4.0.0 http:\/\/maven.apache.org\/xsd\/maven-4.0.0.xsd\"&gt;\n\t&lt;modelVersion&gt;4.0.0&lt;\/modelVersion&gt;\n\t&lt;artifactId&gt;spring-security-authmanager-demo&lt;\/artifactId&gt;\n\t&lt;version&gt;0.1-SNAPSHOT&lt;\/version&gt;\n\t&lt;name&gt;spring-security-authorizationmanager-demo&lt;\/name&gt;\n\t&lt;packaging&gt;war&lt;\/packaging&gt;\n\n\t&lt;parent&gt;\n\t\t&lt;groupId&gt;org.springframework.boot&lt;\/groupId&gt;\n\t\t&lt;artifactId&gt;spring-boot-starter-parent&lt;\/artifactId&gt;\n\t\t&lt;version&gt;3.0.5&lt;\/version&gt;\n\t&lt;\/parent&gt;\n\n\t&lt;properties&gt;\n\t\t&lt;start-class&gt;com.zheng.SpringSecurityApplication&lt;\/start-class&gt;\n\t&lt;\/properties&gt;\n\n\t&lt;dependencies&gt;\n\t\t&lt;dependency&gt;\n\t\t\t&lt;groupId&gt;org.springframework.boot&lt;\/groupId&gt;\n\t\t\t&lt;artifactId&gt;spring-boot-starter-web&lt;\/artifactId&gt;\n\t\t&lt;\/dependency&gt;\n\t\t&lt;dependency&gt;\n\t\t\t&lt;groupId&gt;org.springframework.boot&lt;\/groupId&gt;\n\t\t\t&lt;artifactId&gt;spring-boot-starter-security&lt;\/artifactId&gt;\n\t\t&lt;\/dependency&gt;\n\t\t&lt;dependency&gt;\n\t\t\t&lt;groupId&gt;org.springframework.security&lt;\/groupId&gt;\n\t\t\t&lt;artifactId&gt;spring-security-core&lt;\/artifactId&gt;\n\t\t&lt;\/dependency&gt;\n\t\t&lt;dependency&g
t;\n\t\t\t&lt;groupId&gt;org.springdoc&lt;\/groupId&gt;\n\t\t\t&lt;artifactId&gt;springdoc-openapi-starter-webmvc-ui&lt;\/artifactId&gt;\n\t\t\t&lt;version&gt;2.0.0&lt;\/version&gt;\n\t\t&lt;\/dependency&gt;\n\t&lt;\/dependencies&gt;\n\n\t&lt;build&gt;\n\t\t&lt;finalName&gt;spring-security-authorizationmanager-demo&lt;\/finalName&gt;\n\t\t&lt;resources&gt;\n\t\t\t&lt;resource&gt;\n\t\t\t\t&lt;directory&gt;src\/main\/resources&lt;\/directory&gt;\n\t\t\t\t&lt;filtering&gt;true&lt;\/filtering&gt;\n\t\t\t&lt;\/resource&gt;\n\t\t&lt;\/resources&gt;\n\t\t&lt;plugins&gt;\n\t\t\t&lt;plugin&gt;\n\t\t\t\t&lt;groupId&gt;org.apache.maven.plugins&lt;\/groupId&gt;\n\t\t\t\t&lt;artifactId&gt;maven-war-plugin&lt;\/artifactId&gt;\n\t\t\t&lt;\/plugin&gt;\n\t\t&lt;\/plugins&gt;\n\t&lt;\/build&gt;\n\n\n&lt;\/project&gt;\n<\/pre>\n<h3 class=\"wp-block-heading\"><a name=\"step32\"><\/a>3.2 Create a Demo API Resource<\/h3>\n<p>Create a demo API Resource <code>RestDemoController<\/code> class which contains four API resources: &#8220;<code>\/custom<\/code>&#8220;, &#8220;<code>\/adminonly<\/code>&#8220;, &#8220;<code>\/rolebased<\/code>&#8220;, and &#8220;<code>\/anonymous<\/code>&#8220;.<\/p>\n<p><span style=\"text-decoration: underline\"><em>RestDemoController.java<\/em><\/span><\/p>\n<pre class=\"brush:java\">package com.zheng.controller;\n\nimport org.springframework.web.bind.annotation.GetMapping;\nimport org.springframework.web.bind.annotation.RestController;\n\n@RestController\npublic class RestDemoController {\n    @GetMapping(\"\/anonymous\")\n    public String anonymousResource() {\n        return \"anonymous, no security\";\n    }\n\n    @GetMapping(\"\/adminonly\")\n    public String adminResource() {\n        return \"admin only\";\n    }\n\n    @GetMapping(\"\/rolebased\")\n    public String authorOrEditorResource() {\n        return \"author or editor\";\n    }\n\n    @GetMapping(\"\/custom\")\n    public String customResource() {\n        return \"custom security\";\n    
}\n    \n}\n\n<\/pre>\n<h3 class=\"wp-block-heading\">3.3 Configure and Enable Spring Security<\/h3>\n<p>Create a <code>SecurityConfig<\/code> class which configures and enables Spring Security to protect the four Rest API resources created at <a href=\"#step32\">step 3.2<\/a>.<\/p>\n<ul class=\"wp-block-list\">\n<li>The &#8220;<code>adminonly<\/code>&#8221; API is authorized for users who have the &#8220;<code>ADMIN<\/code>&#8221; role.<\/li>\n<li>The &#8220;<code>rolebased<\/code>&#8221; API is authorized for users who have either the &#8220;<code>USER<\/code>&#8221; or the &#8220;<code>ADMIN<\/code>&#8221; role.<\/li>\n<li>The &#8220;<code>custom<\/code>&#8221; API is authorized with a customized <code>AuthorizationManager<\/code>.<\/li>\n<li>Any valid user is authorized&nbsp;to access any other API resource. In this example, a valid user with &#8220;ADMIN&#8221; not &#8220;USER&#8221; role can access the &#8220;<code>anonymous<\/code>&#8221; API.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline\"><em>SecurityConfig.java<\/em><\/span><\/p>\n<pre class=\"brush:java; highlight:[24,31,32,33,34,35,66,67,68,69,70,71]\">package com.zheng.config;\n\nimport static org.springframework.security.config.Customizer.withDefaults;\n\nimport java.util.Random;\n\nimport org.apache.logging.log4j.LogManager;\nimport org.apache.logging.log4j.Logger;\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.authorization.AuthorizationDecision;\nimport org.springframework.security.authorization.AuthorizationManager;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport 
org.springframework.security.core.userdetails.User;\nimport org.springframework.security.core.userdetails.UserDetails;\nimport org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.security.crypto.password.PasswordEncoder;\nimport org.springframework.security.provisioning.InMemoryUserDetailsManager;\nimport org.springframework.security.web.SecurityFilterChain;\nimport org.springframework.security.web.access.intercept.RequestAuthorizationContext;\n\n@Configuration\n@EnableWebSecurity\npublic class SecurityConfig {\n\tprivate static final Logger logger = LogManager.getLogger(SecurityConfig.class);\n\n\t@Bean\n\tSecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {\n\t\thttp.authorizeHttpRequests(authorize -&gt; authorize\n\t\t\t\t.requestMatchers(\"\/custom\/**\").access(customAuthManager())\n\t\t\t\t.requestMatchers(\"\/adminonly\/**\").hasRole(\"ADMIN\")\n\t\t\t\t.requestMatchers(\"\/rolebased\/**\")\n\t\t\t\t.hasAnyRole(\"ADMIN\", \"USER\")\n\t\t\t\t.anyRequest().authenticated())\n\t\t\t.formLogin(withDefaults())\n\t\t\t.apply(clientErrorLogging()); \/\/ registers the LoggingErrorFilter from section 3.4\n\n\t\treturn http.build();\n\t}\n\n\t@Bean\n\tpublic LoggingErrorConfigurer clientErrorLogging() {\n\t\treturn new LoggingErrorConfigurer();\n\t}\n\n\t@Bean\n\tpublic InMemoryUserDetailsManager userDetailsService() {\n\t\tUserDetails admin = User.withUsername(\"admin\").password(passwordEncoder().encode(\"admin\")).roles(\"ADMIN\")\n\t\t\t\t.build();\n\t\tUserDetails author = User.withUsername(\"user1\").password(passwordEncoder().encode(\"user1\")).roles(\"USER\")\n\t\t\t\t.build();\n\t\tUserDetails editor = User.withUsername(\"user2\").password(passwordEncoder().encode(\"user2\")).roles(\"USER\")\n\t\t\t\t.build();\n\t\tUserDetails guest = User.withUsername(\"guest\").password(passwordEncoder().encode(\"guest\")).roles(\"GUEST\")\n\t\t\t\t.build();\n\t\treturn new InMemoryUserDetailsManager(admin, author, editor, 
guest);\n\t}\n\n\t@Bean\n\tPasswordEncoder passwordEncoder() {\n\t\treturn new BCryptPasswordEncoder();\n\t}\n\n\t@Bean\n\tAuthorizationManager&lt;RequestAuthorizationContext&gt; customAuthManager() {\n\t\treturn (authentication, object) -&gt; {\n\t\t\tboolean nextBoolean = new Random().nextBoolean(); \/\/ demo only: the decision ignores the authentication\n\t\t\tlogger.info(\"nextBoolean=\" + nextBoolean);\n\t\t\treturn new AuthorizationDecision(nextBoolean);\n\t\t};\n\t}\n\n}\n<\/pre>\n<ul class=\"wp-block-list\">\n<li>line 24: annotation <code>@EnableWebSecurity<\/code> enables Spring Security.<\/li>\n<li>line 31: secure the &#8220;<code>\/custom\/<\/code>&#8221; URL with a customized authorization&nbsp;manager.<\/li>\n<li>line 32: secure the &#8220;<code>\/adminonly\/<\/code>&#8221; URL with the &#8220;<code>ADMIN<\/code>&#8221; role.<\/li>\n<li>line 33, 34: secure the &#8220;<code>\/rolebased\/<\/code>&#8221; URL with either the &#8220;<code>USER<\/code>&#8221; or the &#8220;<code>ADMIN<\/code>&#8221; role.<\/li>\n<li>line 35: secure all other URLs with valid users.<\/li>\n<li>line 66-71: configure a customized <code>AuthorizationManager<\/code> which secures the &#8220;custom&#8221; API. It uses a random boolean generator to return an <strong>AuthorizationDecision<\/strong> which allows or rejects the request at random.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\">3.4 Configure an Error Handling for Invalid Logging User<\/h3>\n<h4 class=\"wp-block-heading\">3.4.1 Configure a Filter<\/h4>\n<p>Create <code>LoggingErrorFilter<\/code>, which extends <code>GenericFilterBean<\/code>, to handle logging errors. 
The override <code>doFilter<\/code> method gets the <code>Authentication<\/code> object from <a href=\"https:\/\/docs.spring.io\/spring-security\/site\/docs\/current\/api\/org\/springframework\/security\/core\/context\/SecurityContext.html\" target=\"_blank\" rel=\"noreferrer noopener\">Spring Security Context<\/a> and logs the error message for invalid user&#8217;s request.<\/p>\n<p><span style=\"text-decoration: underline\"><em>LoggingErrorFilter.java<\/em><\/span><\/p>\n<pre class=\"brush:java; highlight:[32,44,45,46,47,48,49,50]\">package com.zheng.config;\n\nimport jakarta.servlet.FilterChain;\nimport jakarta.servlet.ServletException;\nimport jakarta.servlet.ServletRequest;\nimport jakarta.servlet.ServletResponse;\nimport jakarta.servlet.http.HttpServletResponse;\nimport org.apache.logging.log4j.LogManager;\nimport org.apache.logging.log4j.Logger;\nimport org.springframework.http.HttpStatus;\nimport org.springframework.security.core.Authentication;\nimport org.springframework.security.core.context.SecurityContextHolder;\nimport org.springframework.web.filter.GenericFilterBean;\n\nimport java.io.IOException;\nimport java.util.List;\n\npublic class LoggingErrorFilter extends GenericFilterBean {\n\n\tprivate static final Logger logger = LogManager.getLogger(LoggingErrorFilter.class);\n\n\tprivate List&lt;HttpStatus&gt; errorCodes;\n\n\tpublic LoggingErrorFilter(List&lt;HttpStatus&gt; errorCodes) {\n\t\tthis.errorCodes = errorCodes;\n\t}\n\n\t@Override\n\tpublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)\n\t\t\tthrows IOException, ServletException {\n\n\t\tAuthentication auth = SecurityContextHolder.getContext().getAuthentication();\n\n\t\tif (auth == null) {\n\t\t\tchain.doFilter(request, response);\n\t\t\treturn;\n\t\t}\n\t\tint status = ((HttpServletResponse) response).getStatus();\n\t\tif (status &lt; 400 || status &gt;= 500) {\n\t\t\tchain.doFilter(request, response);\n\t\t\treturn;\n\t\t}\n\n\t\tif (errorCodes == null) 
{\n\t\t\tlogger.info(\"User \" + auth.getName() +  \" encountered error \" + status);\n\t\t} else {\n\t\t\tif (errorCodes.stream().anyMatch(s -&gt; s.value() == status)) {\n\t\t\t\tlogger.info(\"User \" + auth.getName() + \" encountered error \" + status);\n\t\t\t}\n\t\t}\n\n\t\tchain.doFilter(request, response);\n\t}\n\n}\n<\/pre>\n<ul class=\"wp-block-list\">\n<li>line 32: access the <code>authentication<\/code> object associated with the current session&#8217;s Spring Security Context.<\/li>\n<li>line 44-50: log the authentication error message for invalid users.<\/li>\n<\/ul>\n<h4 class=\"wp-block-heading\">3.4.2 Create a Logging Error Handler<\/h4>\n<p>Configure the <code>LoggingErrorConfigurer<\/code> class, which extends the <code>AbstractHttpConfigurer<\/code> base class provided by Spring Security for configuring HTTP security, so we can use the log message to explain why the user is denied access.<\/p>\n<p><span style=\"text-decoration: underline\"><em>LoggingErrorConfigurer.java<\/em><\/span><\/p>\n<pre class=\"brush:java; highlight:[10,29]\">package com.zheng.config;\n\nimport org.springframework.http.HttpStatus;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;\nimport org.springframework.security.web.access.intercept.AuthorizationFilter;\n\nimport java.util.List;\n\npublic class LoggingErrorConfigurer extends AbstractHttpConfigurer&lt;LoggingErrorConfigurer, HttpSecurity&gt; {\n\n    private List&lt;HttpStatus&gt; errorCodes;\n\n    public LoggingErrorConfigurer(List&lt;HttpStatus&gt; errorCodes) {\n        this.errorCodes = errorCodes;\n    }\n\n    public LoggingErrorConfigurer() {\n\n    }\n\n    @Override\n    public void init(HttpSecurity http) throws Exception {\n        \/\/ initialization code\n    }\n\n    @Override\n    public void configure(HttpSecurity http) throws Exception {\n        
http.addFilterAfter(new LoggingErrorFilter(errorCodes),  AuthorizationFilter.class);\n    }\n\n}\n<\/pre>\n<ul class=\"wp-block-list\">\n<li>line 10: extends from <code>AbstractHttpConfigurer<\/code> to configure HTTP security.<\/li>\n<li>line 29: add <code>LoggingErrorFilter<\/code> to the filter chain in a Spring Security application.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">4. Launch SpringSecurityApplication<\/h2>\n<p>Launch the <code>SpringSecurityApplication<\/code> and confirm the application is started with the server log.<\/p>\n<p><span style=\"text-decoration: underline\"><em>SpringSecurityApplication.java<\/em><\/span><\/p>\n<pre class=\"brush:java\">package com.zheng;\n\nimport org.springframework.boot.SpringApplication;\nimport org.springframework.boot.autoconfigure.SpringBootApplication;\n\n@SpringBootApplication\npublic class SpringSecurityApplication {\n\n    public static void main(String[] args) {\n        SpringApplication.run(SpringSecurityApplication.class, args);\n    }\n}\n<\/pre>\n<p>Confirm the application is started with server log.<\/p>\n<p><span style=\"text-decoration: underline\"><em>server.log<\/em><\/span><\/p>\n<pre class=\"brush:plain\">2024-04-30T08:24:12.406-05:00  INFO 22252 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''\n2024-04-30T08:24:12.416-05:00  INFO 22252 --- [           main] com.zheng.SpringSecurityApplication      : Started SpringSecurityApplication in 2.912 seconds (process running for 3.305)\n<\/pre>\n<h2 class=\"wp-block-heading\">5. 
Demo Rest APIs are Protected<\/h2>\n<p>In this step, I will demonstrate how the API resources created at <a href=\"#step32\">step 3.2<\/a> are secured via <a href=\"https:\/\/swagger.io\/tools\/swagger-ui\/\">Swagger UI<\/a>.<\/p>\n<h3 class=\"wp-block-heading\">5.1 Configure an OpenAPI Swagger UI<\/h3>\n<p>In this step, I will configure an OpenAPI Swagger UI for the Spring Boot project so the three API resources created at <a href=\"#step32\">step 3.2<\/a> can be tested in a browser with the following steps:<\/p>\n<ul class=\"wp-block-list\">\n<li>Add the <strong>springdoc-openapi-starter-webmvc-ui<\/strong> dependency.<\/li>\n<li>Configure an <code>OpenAPI<\/code> bean.<\/li>\n<\/ul>\n<h4 class=\"wp-block-heading\">5.1.1 Add OpenAPI Dependencies<\/h4>\n<p>Add the <code>springdoc-openapi-starter-webmvc-ui<\/code> dependency to the pom.xml.<\/p>\n<p><span style=\"text-decoration: underline\"><em>pom.xml dependency<\/em><\/span><\/p>\n<pre class=\"brush:xml\">\t\t&lt;dependency&gt;\n\t\t\t&lt;groupId&gt;org.springdoc&lt;\/groupId&gt;\n\t\t\t&lt;artifactId&gt;springdoc-openapi-starter-webmvc-ui&lt;\/artifactId&gt;\n\t\t\t&lt;version&gt;2.0.0&lt;\/version&gt;\n\t\t&lt;\/dependency&gt;<\/pre>\n<h4 class=\"wp-block-heading\">5.1.2 Configure OpenAPI<\/h4>\n<p>Configure an <code>OpenAPI<\/code> Spring bean to enable the OpenAPI documentation for the API resources created at <a href=\"#step32\">step 3.2<\/a>.<\/p>\n<p><span style=\"text-decoration: underline\"><em>SwaggerConfig.java<\/em><\/span><\/p>\n<pre class=\"brush:java\">package com.zheng.config;\n\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.context.annotation.Configuration;\n\nimport io.swagger.v3.oas.models.OpenAPI;\nimport io.swagger.v3.oas.models.info.Info;\n\n@Configuration\npublic class SwaggerConfig {\n\n\t@Bean\n\tpublic OpenAPI api() {\n\t\treturn new OpenAPI().info(new Info().title(\"DEMO Rest API\").description(\"Demo Rest 
API\").version(\"v1.0.0\"));\n\t}\n\n}\n<\/pre>\n<h4 class=\"wp-block-heading\">5.1.3 Launch Open API Swagger UI<\/h4>\n<p>Open a browser and go to <a href=\"http:\/\/localhost:8080\/swagger-ui\/index.html\">http:\/\/localhost:8080\/swagger-ui\/index.html<\/a>. The first time, it will pop up the default login form provided by Spring Security. Once a valid username and password are entered, it displays the Swagger UI <code>index.html<\/code> page, as in the following screenshot.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/swaggeruiAPI.jpg\"><img decoding=\"async\" width=\"658\" height=\"877\" src=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/swaggeruiAPI.jpg\" alt=\"\" class=\"wp-image-122087\" srcset=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/swaggeruiAPI.jpg 658w, https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/swaggeruiAPI-225x300.jpg 225w\" sizes=\"(max-width: 658px) 100vw, 658px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 1 Swagger UI Documentation<\/figcaption><\/figure>\n<\/div>\n<p>After the <code>SpringSecurityApplication<\/code> is started, log in to <a href=\"http:\/\/localhost:8080\/swagger-ui\/index.html?continue\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/localhost:8080\/swagger-ui\/index.html?continue<\/a> as the &#8220;<strong>user1<\/strong>&#8221;, &#8220;<strong>admin<\/strong>&#8221;, and &#8220;<strong>guest<\/strong>&#8221; users, and click the &#8220;<strong>Try it out<\/strong>&#8221; button for the 4 APIs to confirm the resources are secured.<\/p>\n<h3 class=\"wp-block-heading\">5.2 Demo Admin User<\/h3>\n<p>As outlined in the SecurityConfig at <a href=\"#step33\">step 3.3<\/a>, the &#8220;<strong>admin<\/strong>&#8221; user can access all resources. 
When the API resources are executed in the Swagger UI page as shown here, the &#8220;<code>admin<\/code>&#8221; user should get a 200 <strong>ok<\/strong> response for the &#8220;<code>adminonly<\/code>&#8221;, &#8220;<code>rolebased<\/code>&#8221;, and &#8220;<code>anonymous<\/code>&#8221; APIs, as in the screenshot.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/admin.jpg\"><img decoding=\"async\" width=\"821\" height=\"812\" src=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/admin.jpg\" alt=\"\" class=\"wp-image-122095\" srcset=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/admin.jpg 821w, https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/admin-300x297.jpg 300w, https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/admin-768x760.jpg 768w\" sizes=\"(max-width: 821px) 100vw, 821px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 2. Admin User<\/figcaption><\/figure>\n<\/div>\n<h3 class=\"wp-block-heading\">5.3 Demo User1 User<\/h3>\n<p><code>User1<\/code> has the &#8220;USER&#8221; role and can access the &#8220;\/<code>rolebased<\/code>&#8221; API with a <code>200 ok<\/code> response. 
It will get a <code>403<\/code> forbidden error when accessing the &#8220;\/<code>adminonly<\/code>&#8221; resource.<\/p>\n<p><span style=\"text-decoration: underline\"><em>Forbidden Response<\/em><\/span><\/p>\n<pre class=\"brush:xml\">{\n  \"timestamp\": \"2024-04-30T14:23:46.007+00:00\",\n  \"status\": 403,\n  \"error\": \"Forbidden\",\n  \"path\": \"\/adminonly\"\n}<\/pre>\n<p>Confirm the API protection by viewing the server log and looking for the &#8220;User user1 encountered error 403&#8221; log message.<\/p>\n<p><span style=\"text-decoration: underline\"><em>user 1 server.log<\/em><\/span><\/p>\n<pre class=\"brush:plain\">com.zheng.config.LoggingErrorFilter      : User user1 encountered error 403<\/pre>\n<h3 class=\"wp-block-heading\">5.4 Demo Guest User<\/h3>\n<p>The &#8220;<code>guest<\/code>&#8221; user has neither the &#8220;USER&#8221; nor the &#8220;ADMIN&#8221; role and can access only the &#8220;\/<code>anonymous<\/code>&#8221; API. It may get a <code>200<\/code> <code>ok<\/code> response when accessing the &#8220;<code>\/custom<\/code>&#8221; resource if <code>nextBoolean=true<\/code>.<\/p>\n<p><span style=\"text-decoration: underline\"><em>guest server log<\/em><\/span><\/p>\n<pre class=\"brush:plain\">2024-04-30T11:14:27.753-05:00  INFO 30264 --- [nio-8080-exec-6] com.zheng.config.SecurityConfig          : nextBoolean=false\n2024-04-30T11:14:27.753-05:00  INFO 30264 --- [nio-8080-exec-6] com.zheng.config.LoggingErrorFilter      : User guest encountered error 403\n2024-04-30T11:16:08.964-05:00  INFO 30264 --- [nio-8080-exec-1] com.zheng.config.SecurityConfig          : nextBoolean=true\n<\/pre>\n<h3 class=\"wp-block-heading\">5.5 Demo Invalid User<\/h3>\n<p>It will display a &#8220;<strong>Bad credentials<\/strong>&#8221; error message to protect the resources when an invalid username and password are entered.<\/p>\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/invaliduser.jpg\"><img 
decoding=\"async\" width=\"985\" height=\"467\" src=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/invaliduser.jpg\" alt=\"\" class=\"wp-image-122098\" srcset=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/invaliduser.jpg 985w, https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/invaliduser-300x142.jpg 300w, https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/invaliduser-768x364.jpg 768w\" sizes=\"(max-width: 985px) 100vw, 985px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 3. Invalid User<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">6. Conclusion<\/h2>\n<p>In this example, I demonstrated&nbsp;how to configure and enable Spring Security AuthorizationManager to protect&nbsp;Rest APIs in a spring boot application. It protects the Rest APIs with role-based authorization and customized <code>AuthorizationManager<\/code>. <\/p>\n<h2 class=\"wp-block-heading\">7. Download<\/h2>\n<p>You can download the source code for this spring boot security demo project.<\/p>\n<div class=\"download\"><strong>Download<\/strong><br \/>\nYou can download the full source code of this example here: <a href=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/spring-security-authmgr-demo-2.zip\"><strong>Spring Security AuthorizationManager<\/strong><\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>1. Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common application security. It includes mandatory&nbsp;authentication for URLs, default login and logout forms, and default users. There are four key concepts: Principal: an application request. It could be a user or web service. 
Authentication: the &hellip;<\/p>\n","protected":false},"author":128892,"featured_media":242,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[125],"class_list":["post-122063","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-spring-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Spring Security AuthorizationManager - Java Code Geeks<\/title>\n<meta name=\"description\" content=\"1. Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spring Security AuthorizationManager - Java Code Geeks\" \/>\n<meta property=\"og:description\" content=\"1. 
Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html\" \/>\n<meta property=\"og:site_name\" content=\"Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-03T10:11:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-03T10:13:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Mary Zheng\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mary Zheng\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html\"},\"author\":{\"name\":\"Mary Zheng\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/33e795ab61de7fab61ed89b4de1668f5\"},\"headline\":\"Spring Security AuthorizationManager\",\"datePublished\":\"2024-05-03T10:11:41+00:00\",\"dateModified\":\"2024-05-03T10:13:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html\"},\"wordCount\":1053,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-security-logo.jpg\",\"keywords\":[\"Spring Security\"],\"articleSection\":[\"Enterprise Java\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html\",\"name\":\"Spring Security AuthorizationManager - Java Code 
Geeks\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-security-logo.jpg\",\"datePublished\":\"2024-05-03T10:11:41+00:00\",\"dateModified\":\"2024-05-03T10:13:55+00:00\",\"description\":\"1. Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#primaryimage\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-security-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/spring-security-logo.jpg\",\"width\":150,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/spring-security-authorizationmanager.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise 
Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\\\/enterprise-java\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Spring Security AuthorizationManager\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Developers Resource Center\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.javacodegeeks.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/javacodegeeks\",\"https:\\\/\\\/x.com\\\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/33e795ab61de7fab61ed89b4de1668f5\",\"name\":\"Mary 
Zheng\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/cropped-Mary-Zheng-96x96.jpg\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/cropped-Mary-Zheng-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/cropped-Mary-Zheng-96x96.jpg\",\"caption\":\"Mary Zheng\"},\"description\":\"Mary graduated from the Mechanical Engineering department at ShangHai JiaoTong University. She also holds a Master degree in Computer Science from Webster University. During her studies she has been involved with a large number of projects ranging from programming and software engineering. She worked as a lead Software Engineer where she led and worked with others to design, implement, and monitor the software solution.\",\"sameAs\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/\"],\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/author\\\/mary-zheng\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spring Security AuthorizationManager - Java Code Geeks","description":"1. Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html","og_locale":"en_US","og_type":"article","og_title":"Spring Security AuthorizationManager - Java Code Geeks","og_description":"1. 
Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports common","og_url":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2024-05-03T10:11:41+00:00","article_modified_time":"2024-05-03T10:13:55+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","type":"image\/jpeg"}],"author":"Mary Zheng","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Mary Zheng","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#article","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html"},"author":{"name":"Mary Zheng","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/33e795ab61de7fab61ed89b4de1668f5"},"headline":"Spring Security AuthorizationManager","datePublished":"2024-05-03T10:11:41+00:00","dateModified":"2024-05-03T10:13:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html"},"wordCount":1053,"commentCount":0,"publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","keywords":["Spring Security"],"articleSection":["Enterprise 
Java"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html","url":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html","name":"Spring Security AuthorizationManager - Java Code Geeks","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#primaryimage"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","datePublished":"2024-05-03T10:11:41+00:00","dateModified":"2024-05-03T10:13:55+00:00","description":"1. Introduction Spring Security AuthorizationManager is part of Spring Security that is an extension of the Spring Framework that supports 
common","breadcrumb":{"@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#primaryimage","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","width":150,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/www.javacodegeeks.com\/spring-security-authorizationmanager.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"Java","item":"https:\/\/www.javacodegeeks.com\/category\/java"},{"@type":"ListItem","position":3,"name":"Enterprise Java","item":"https:\/\/www.javacodegeeks.com\/category\/java\/enterprise-java"},{"@type":"ListItem","position":4,"name":"Spring Security AuthorizationManager"}]},{"@type":"WebSite","@id":"https:\/\/www.javacodegeeks.com\/#website","url":"https:\/\/www.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Developers Resource Center","publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.javacodegeeks.com\/#organization","name":"Exelixis Media 
P.C.","url":"https:\/\/www.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/33e795ab61de7fab61ed89b4de1668f5","name":"Mary Zheng","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/cropped-Mary-Zheng-96x96.jpg","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/cropped-Mary-Zheng-96x96.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/04\/cropped-Mary-Zheng-96x96.jpg","caption":"Mary Zheng"},"description":"Mary graduated from the Mechanical Engineering department at ShangHai JiaoTong University. She also holds a Master degree in Computer Science from Webster University. During her studies she has been involved with a large number of projects ranging from programming and software engineering. 
She worked as a lead Software Engineer where she led and worked with others to design, implement, and monitor the software solution.","sameAs":["https:\/\/www.javacodegeeks.com\/"],"url":"https:\/\/www.javacodegeeks.com\/author\/mary-zheng"}]}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/122063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/128892"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=122063"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/122063\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/242"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=122063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=122063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=122063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}