This chapter covers
- Method security in Spring applications
- Preauthorization of methods based on authorities, roles, and permissions
- Postauthorization of methods based on authorities, roles, and permissions
Up to now, we’ve discussed various ways of configuring authentication. We started with the most straightforward approach, HTTP Basic, in chapter 2, and then I showed you how to set form login in chapter 6. However, in terms of authorization, we only discussed configuration at the endpoint level. Suppose your app is not a web application—can’t you use Spring Security for authentication and authorization as well? Spring Security is a good fit for scenarios where your app isn’t used via HTTP endpoints. In this chapter, you’ll learn how to configure authorization at the method level. We’ll use this approach to configure authorization in both web and non-web applications, and we’ll call it method security (figure 11.1).
Figure 11.1 Method security allows you to be more granular and apply authorization rules at any specifically chosen level of your application.
For non-web applications, method security allows us to implement authorization rules even if we don’t have endpoints. In web applications, this approach gives us the flexibility to apply authorization rules to different app layers, not just at the endpoint level. Let’s dive into the chapter and learn how to apply authorization at the method level with method security.