{"id":135668,"date":"2025-07-22T11:23:46","date_gmt":"2025-07-22T08:23:46","guid":{"rendered":"https:\/\/www.javacodegeeks.com\/?p=135668"},"modified":"2025-07-22T14:22:59","modified_gmt":"2025-07-22T11:22:59","slug":"spring-security-url-and-method-authorization","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/spring-security-url-and-method-authorization.html","title":{"rendered":"Spring Security URL and Method Authorization"},"content":{"rendered":"<p>Controlling access to APIs based on the requested URL and HTTP method is a common requirement in modern web applications. Let us delve into understanding how Spring Security enables URL and HTTP method-based authorization to secure web applications effectively.<\/p>\n<h2><a name=\"section-1\"><\/a>1. What is Spring Security?<\/h2>\n<p>Spring Security is a powerful and highly customizable <a href=\"https:\/\/docs.spring.io\/spring-security\/reference\/index.html\" target=\"_blank\">authentication and access-control framework<\/a> for Java applications, especially those built with the <a href=\"https:\/\/spring.io\/projects\/spring-framework\" target=\"_blank\">Spring Framework<\/a>. It provides comprehensive <a href=\"https:\/\/spring.io\/guides\/topicals\/spring-security-architecture\/\" target=\"_blank\">security services<\/a> for both web and non-web applications. The framework enforces security policies by intercepting incoming HTTP requests and applying configured rules before passing the request to the application. Its modular design allows for easy integration and extension to meet specific security requirements. 
<a href=\"https:\/\/spring.io\/projects\/spring-security\" target=\"_blank\">Spring Security<\/a> is widely used in enterprise applications to implement login\/logout functionality, access control, and protection against various types of attacks.<\/p>\n<h3>1.1 Key Features Include<\/h3>\n<ul>\n<li>Support for multiple authentication mechanisms including username\/password, LDAP, OAuth2, OpenID Connect, and custom implementations<\/li>\n<li>Fine-grained authorization capabilities based on user roles, authorities, request URL patterns, HTTP methods, and more<\/li>\n<li>Built-in protections against common vulnerabilities such as CSRF (Cross-Site Request Forgery), XSS (Cross-Site Scripting), clickjacking, and session fixation<\/li>\n<li>Integration with popular frontend clients and REST APIs, allowing token-based authentication using JWT (JSON Web Token)<\/li>\n<li>Support for method-level security using annotations like <code>@PreAuthorize<\/code>, <code>@Secured<\/code>, and <code>@RolesAllowed<\/code><\/li>\n<li>Security context management to maintain user identity and roles throughout a session or request lifecycle<\/li>\n<\/ul>\n<h3>1.2 Best Practices and Common Pitfalls<\/h3>\n<ul>\n<li>Don\u2019t disable CSRF unless building a stateless API: Disabling CSRF on traditional apps can expose vulnerabilities.<\/li>\n<li>Use strong password encoders: Always hash passwords with <code>BCrypt<\/code>, <code>Argon2<\/code>, or <code>PBKDF2<\/code>.<\/li>\n<li>Separate security configuration per module: Keep security rules modular and aligned with application boundaries.<\/li>\n<li>Use HTTPS in production: To protect credentials and tokens in transit.<\/li>\n<\/ul>\n<h2><a name=\"section-2\"><\/a>2. Code Example<\/h2>\n<p>Before we dive into the implementation, make sure your Spring Boot project includes the necessary dependencies for Spring Security and Spring Web. 
Let&#8217;s add the dependency to <code>pom.xml<\/code> to include Spring Security in our project.<\/p>\n<pre class=\"brush:xml; wrap-lines:false;\">\n&lt;dependencies&gt;\n  &lt;dependency&gt;\n    &lt;groupId&gt;org.springframework.boot&lt;\/groupId&gt;\n    &lt;artifactId&gt;spring-boot-starter-web&lt;\/artifactId&gt;\n  &lt;\/dependency&gt;\n  &lt;dependency&gt;\n    &lt;groupId&gt;org.springframework.boot&lt;\/groupId&gt;\n    &lt;artifactId&gt;spring-boot-starter-security&lt;\/artifactId&gt;\n  &lt;\/dependency&gt;\n&lt;\/dependencies&gt;\n<\/pre>\n<p>These dependencies provide the necessary libraries to expose REST endpoints and apply security constraints. Now, let\u2019s build a Spring Boot application that exposes three REST API endpoints with role-based access control.<\/p>\n<ul>\n<li>The <code>GET \/api\/users<\/code> endpoint can be accessed by users with either USER or ADMIN roles.<\/li>\n<li>The <code>POST \/api\/users<\/code> endpoint is restricted to users with the ADMIN role only, allowing them to create new users.<\/li>\n<li>The <code>DELETE \/api\/users\/{id}<\/code> endpoint is also limited to ADMIN users, enabling them to delete a user by their ID.<\/li>\n<\/ul>\n<p>These endpoints demonstrate how to secure HTTP methods using Spring Security&#8217;s role-based authorization.<\/p>\n<h3>2.1 Create a Controller<\/h3>\n<p>The controller exposes the APIs we want to secure.<\/p>\n<pre class=\"brush:java; wrap-lines:false;\">\npackage com.example.demo.controller;\n\nimport org.springframework.web.bind.annotation.*;\n\n@RestController\n@RequestMapping(\"\/api\/users\")\npublic class UserController {\n\n    @GetMapping\n    public String getUsers() {\n        return \"Fetching all users\";\n    }\n\n    @PostMapping\n    public String createUser() {\n        return \"User created\";\n    }\n\n    
@DeleteMapping(\"\/{id}\")\n    public String deleteUser(@PathVariable String id) {\n        return \"Deleted user with id: \" + id;\n    }\n}\n<\/pre>\n<p>The <code>UserController<\/code> class is annotated with <code>@RestController<\/code>, indicating that it is a RESTful web controller where each method returns a response body directly. The base URL for all endpoints in this class is set to <code>\/api\/users<\/code> using <code>@RequestMapping<\/code>. The <code>getUsers()<\/code> method is mapped to HTTP GET requests and returns a string indicating that all users are being fetched. The <code>createUser()<\/code> method handles HTTP POST requests and returns a message confirming user creation. The <code>deleteUser(String id)<\/code> method maps to HTTP DELETE requests with a dynamic path variable <code>id<\/code> and returns a message stating that the user with the specified ID has been deleted.<\/p>\n<h3>2.2 Configure Spring Security<\/h3>\n<p>Now, let\u2019s define role-based access rules.<\/p>\n<pre class=\"brush:java; wrap-lines:false;\">\npackage com.example.demo.config;\n\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.http.HttpMethod;\nimport org.springframework.security.config.Customizer;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.core.userdetails.User;\nimport org.springframework.security.core.userdetails.UserDetails;\nimport org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.security.crypto.password.PasswordEncoder;\nimport org.springframework.security.web.SecurityFilterChain;\n\n@Configuration\npublic class SecurityConfig {\n\n    @Bean\n    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {\n        http\n            \/\/ CSRF protection is disabled to keep the demo simple\n            .csrf(csrf -&gt; csrf.disable())\n            .authorizeHttpRequests(auth -&gt; auth\n                \/\/ Rules are checked in declaration order and the first match wins,\n                \/\/ so the method-specific GET rule must precede the ADMIN-only rules\n                .requestMatchers(HttpMethod.GET, \"\/api\/users\").hasAnyRole(\"ADMIN\", \"USER\")\n                .requestMatchers(\"\/api\/users\").hasRole(\"ADMIN\")\n                .requestMatchers(\"\/api\/users\/**\").hasRole(\"ADMIN\")\n                .anyRequest().authenticated()\n            )\n            .httpBasic(Customizer.withDefaults());\n\n        return http.build();\n    }\n\n    @Bean\n    public PasswordEncoder passwordEncoder() {\n        return new BCryptPasswordEncoder();\n    }\n\n    @Bean\n    public org.springframework.security.core.userdetails.UserDetailsService users() {\n        UserDetails user = User.builder()\n            .username(\"user\")\n            .password(passwordEncoder().encode(\"user123\"))\n            .roles(\"USER\")\n            .build();\n\n        UserDetails admin = User.builder()\n            .username(\"admin\")\n            .password(passwordEncoder().encode(\"admin123\"))\n            .roles(\"ADMIN\")\n            .build();\n\n        return new org.springframework.security.provisioning.InMemoryUserDetailsManager(user, admin);\n    }\n}\n<\/pre>\n<p>The <code>SecurityConfig<\/code> class is annotated with <code>@Configuration<\/code>, indicating that it defines Spring Security-related configuration. The <code>filterChain(HttpSecurity http)<\/code> method configures the security filter chain. It disables CSRF protection for simplicity, then sets up authorization rules, which are evaluated in declaration order with the first matching rule applied: both ADMIN and USER roles are allowed to perform GET requests on <code>\/api\/users<\/code>, while only users with the ADMIN role can access <code>\/api\/users<\/code> and <code>\/api\/users\/**<\/code> for operations like POST or DELETE. Any other request must be authenticated. The configuration also enables HTTP Basic authentication for login prompts via browser or tools like curl\/Postman. The <code>passwordEncoder()<\/code> method defines a <code>BCryptPasswordEncoder<\/code> bean to securely hash passwords. 
The <code>users()<\/code> method sets up an in-memory user store with two users: one with the USER role and one with the ADMIN role, both having their passwords encoded using BCrypt. This setup is ideal for simple demos or testing environments.<\/p>\n<h3>2.3 Main Application Class<\/h3>\n<p>Now let\u2019s add the main class to bootstrap the Spring Boot application.<\/p>\n<pre class=\"brush:java; wrap-lines:false;\">\npackage com.example.demo;\n\nimport org.springframework.boot.SpringApplication;\nimport org.springframework.boot.autoconfigure.SpringBootApplication;\n\n@SpringBootApplication\npublic class DemoApplication {\n    public static void main(String[] args) {\n        SpringApplication.run(DemoApplication.class, args);\n    }\n}\n<\/pre>\n<p>The <code>DemoApplication<\/code> class is annotated with <code>@SpringBootApplication<\/code>, which combines <code>@Configuration<\/code>, <code>@EnableAutoConfiguration<\/code>, and <code>@ComponentScan<\/code>. This serves as the entry point of the Spring Boot application. 
The <code>main<\/code> method uses <code>SpringApplication.run()<\/code> to launch the application.<\/p>\n<h3>2.4 How to Run the Application<\/h3>\n<p>To run the Spring Boot application, follow these steps:<\/p>\n<ul>\n<li>Ensure you have Java 17+ and Maven installed on your system.<\/li>\n<li>Open a terminal and navigate to the project directory.<\/li>\n<li>Run <code>mvn clean install<\/code> to build the project.<\/li>\n<li>Then run <code>mvn spring-boot:run<\/code> to start the application.<\/li>\n<li>By default, the server will start at <code>http:\/\/localhost:8080<\/code>.<\/li>\n<\/ul>\n<h4>2.4.1 Demo<\/h4>\n<p>You can now use Postman or curl to make authenticated HTTP requests to <code>\/api\/users<\/code> and verify access control as per the configured roles.<\/p>\n<ul>\n<li>GET \/api\/users using credentials <code>user:user123<\/code> : Allowed: Returns 200 OK (access granted to USER role)<\/li>\n<li>POST \/api\/users using credentials <code>user:user123<\/code> : Denied: Returns 403 Forbidden (USER role not permitted)<\/li>\n<li>POST \/api\/users using credentials <code>admin:admin123<\/code> : Allowed: Returns 200 OK (ADMIN role has access)<\/li>\n<li>DELETE \/api\/users\/1 using credentials <code>admin:admin123<\/code> : Allowed: Returns 200 OK (ADMIN role permitted to delete)<\/li>\n<li>DELETE \/api\/users\/1 using credentials <code>user:user123<\/code> : Denied: Returns 403 Forbidden (USER role not authorized)<\/li>\n<\/ul>\n<p>These test cases confirm that Spring Security is enforcing both role and HTTP method-based access control.<\/p>\n<h2><a name=\"section-3\"><\/a>3. Conclusion<\/h2>\n<p>Securing endpoints based on both URL and HTTP method is a practical and essential aspect of real-world application development. 
With Spring Security, developers can easily define precise rules such as allowing users to read data but restricting write\/delete actions to admins.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Controlling access to APIs based on the requested URL and HTTP method is a common requirement in modern web applications. Let us delve into understanding how Spring Security enables URL and HTTP method-based authorization to secure web applications effectively. 1. What is Spring Security? Spring Security is a powerful and highly customizable authentication and access-control &hellip;<\/p>\n","protected":false},"author":26931,"featured_media":242,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[297,30,854,125],"class_list":["post-135668","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-security","tag-spring","tag-spring-boot","tag-spring-security"],"yoast_head_json":{"title":"Spring Security URL and Method Authorization - Java Code Geeks","description":"Spring security url http authorization: Learn how to secure URLs and HTTP methods using Spring Security with role-based access control.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/spring-security-url-and-method-authorization.html","og_locale":"en_US","og_type":"article","og_title":"Spring Security URL and Method Authorization - Java Code Geeks","og_description":"Spring security url http authorization: Learn how to secure URLs and HTTP methods using Spring Security with role-based access control.","og_url":"https:\/\/www.javacodegeeks.com\/spring-security-url-and-method-authorization.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2025-07-22T08:23:46+00:00","article_modified_time":"2025-07-22T11:22:59+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/spring-security-logo.jpg","type":"image\/jpeg"}],"author":"Yatin Batra","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Yatin Batra","Est. reading time":"5 minutes"}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/135668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/26931"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=135668"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/135668\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/242"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=135668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=135668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=135668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}