
Spring Boot Security – Spring REST Security Example

In the last two articles, I have demonstrated Spring Boot REST APIs through an example.

Furthermore, we have also seen how to validate bean properties using hibernate validators.

In this tutorial, we will see how to secure our REST endpoints with Spring Security.

What is Spring Security

Spring Security is a part of the Spring project that allows securing applications.

Basically, it solves two problems:

Authentication: The process by which a user validates credentials against the system and acquires some roles.

Authorization: Process by which a user is given permission to access a resource. This will depend on the assigned roles.

For better understanding, let’s create a demo.

We will define two users in memory with their respective roles that will be loaded by the SpringSecurity module.

By using those credentials we will perform the authentication and authorization process.

In the last tutorial, we have created a simple User Management System (UMS).

We have also exposed a few REST APIs to perform CRUD operations.

Let’s add Spring security on that project.

How to add Spring Security?

Steps to add Spring Security in Spring Boot Project

  1. Add spring-boot-starter-security and spring-security-test as Maven dependencies.

  2. Create a Security configuration file (SpringSecurityConfiguration.java) and configure spring security.

Maven Dependency for Spring Security

To work with spring security, you have to add two dependencies.

The first one is spring-boot-starter-security and the second is spring-security-test.

Complete pom.xml as below

Maven Dependency Tree

Now let’s take a look at UserController.

As of now, none of the APIs is secured. That means anyone can read user data, modify it, or even delete user details.

Now let’s configure security inside a configuration file.

Configuring Spring Security

The first thing we are going to do is configure our application using WebSecurityConfigurerAdapter and then we will apply a basic security layer with user/password authentication.

WebSecurityConfigurerAdapter is a class that allows customizing HttpSecurity.

First, let's create a file SpringSecurityConfiguration.java and configure Spring Security.

Override two methods: configure(AuthenticationManagerBuilder auth) for authentication and configure(HttpSecurity http) for authorization.

There are several mechanisms to authenticate the user, including JDBC authentication and LDAP authentication.

But for this tutorial, we are using in-memory authentication.

For the authentication, we have added two users: root and test.

Here root is both a user and an admin, whereas test is just a user.

After adding authentication, it is time to add some simple authorization on each URL using roles:

In the configure(HttpSecurity http) method above, we have specified that a user (test or root) can only call HTTP GET.

Whereas HTTP POST, PUT, and DELETE can only be called by an admin (root).
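The page's own configuration class is not reproduced here, so the following is an added example of what the two configure methods described above look like on Spring Boot 2.x with WebSecurityConfigurerAdapter. It is not the original author's code. The package name, the passwords, the URL pattern /api/user/** (derived from the /api/user/getAll endpoint used in the scenarios) and the hypothetical placeholder passwords are assumptions; adjust them to your project.

```java
package com.example.ums.security; // hypothetical package; use the project's own

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Even in-memory demo passwords are stored hashed. Spring Security 5 rejects a
    // bare plain-text password unless it carries the "{noop}" prefix, so use an encoder.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Authentication: two in-memory users. "root" holds both USER and ADMIN,
    // "test" holds only USER. The passwords below are placeholders for the demo.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("root")
                .password(passwordEncoder().encode("root-password-placeholder"))
                .roles("USER", "ADMIN")
            .and()
            .withUser("test")
                .password(passwordEncoder().encode("test-password-placeholder"))
                .roles("USER");
    }

    // Authorization: GET needs ROLE_USER (both users have it); POST, PUT and DELETE
    // need ROLE_ADMIN (only root). hasRole("X") matches the authority "ROLE_X".
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The API is consumed by non-browser clients with HTTP Basic and keeps no
            // session, so the cookie-based CSRF check is switched off together with
            // sessions. Keep CSRF enabled if a browser session ever authenticates here.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/user/**").hasRole("USER")
                .antMatchers(HttpMethod.POST, "/api/user/**").hasRole("ADMIN")
                .antMatchers(HttpMethod.PUT, "/api/user/**").hasRole("ADMIN")
                .antMatchers(HttpMethod.DELETE, "/api/user/**").hasRole("ADMIN")
                // Anything not listed still requires a login, so a new endpoint is
                // never accidentally public.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

Because the rules are evaluated in order and end with anyRequest().authenticated(), the configuration fails closed: a request that matches none of the method-specific matchers is still refused to anonymous callers rather than being allowed through by default.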

Let’s test our modifications using Postman.

Scenario 1 – When no authorization is provided

HTTP GET http://localhost:8080/api/user/getAll

Scenario 2 – When ‘test’ credentials are provided

HTTP DELETE http://localhost:8080/api/user/getAll

Scenario 3 – When ‘root’ credentials are provided

HTTP DELETE http://localhost:8080/api/user/getAll
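The three Postman scenarios above can be pinned down as an automated test with the spring-security-test dependency the tutorial adds. The following JUnit 5 test is an added example, not code from the original post; it assumes a Boot 2.x project with spring-boot-starter-test, the same in-memory users and placeholder passwords as the configuration, and a hypothetical DELETE /api/user/{id} mapping in UserController (DELETE on /api/user/getAll, as in the Postman scenarios, would reach no handler even when authorized).

```java
package com.example.ums; // hypothetical package; use the project's own

import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class UserApiSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    // Scenario 1: no credentials at all. The filter chain must stop the request with
    // 401 Unauthorized before it reaches the controller.
    @Test
    void anonymousRequestIsRejected() throws Exception {
        mockMvc.perform(get("/api/user/getAll"))
               .andExpect(status().isUnauthorized());
    }

    // Scenario 2: "test" holds ROLE_USER only. Reading is allowed, deleting is
    // authenticated but not authorized, so the answer is 403 Forbidden (not 401).
    @Test
    void userRoleCanReadButNotDelete() throws Exception {
        mockMvc.perform(get("/api/user/getAll")
                    .with(httpBasic("test", "test-password-placeholder")))
               .andExpect(status().isOk());

        mockMvc.perform(delete("/api/user/1")   // hypothetical id-based delete endpoint
                    .with(httpBasic("test", "test-password-placeholder")))
               .andExpect(status().isForbidden());
    }

    // Scenario 3: "root" holds ROLE_ADMIN and passes the authorization check. Whether the
    // controller then answers 200 or 404 depends on the data, so assert only that the
    // security layer did not refuse the call.
    @Test
    void adminRolePassesAuthorizationForDelete() throws Exception {
        mockMvc.perform(delete("/api/user/1")
                    .with(httpBasic("root", "root-password-placeholder")))
               .andExpect(status().is(not(anyOf(equalTo(401), equalTo(403)))));
    }
}
```

The distinction the second scenario checks is worth keeping in a test: 401 means the caller was not identified, 403 means the caller was identified but lacks the role. A configuration that returned 401 for the test user's DELETE would indicate the credentials were not accepted at all, which is a different bug from a wrong role mapping.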


In this tutorial, we have learned about Spring Security and how to add it to a Spring Boot project.