added global method security

Author: Juraj Veverka

spring/spring-security/README.md

@@ -15,11 +15,18 @@ After login, each request must use same cookie JSESSIONID, because server is tra
 ### Logout
 * __GET__ http://localhost:8888/services/security/logout
 
+### Users, Passwords and Roles
+* joe / secret, ROLE_USER
+* jane / secret, ROLE_USER, ROLE_ADMIN
+* alice / secret, ROLE_PUBLIC
+
 ### Get protected data
-* __GET__ http://localhost:8888/services/data/all
+GET protected data for different user roles:
+* __GET__ http://localhost:8888/services/data/users/all (ROLE_USER, ROLE_ADMIN)
+* __GET__ http://localhost:8888/services/data/admins/all (ROLE_ADMIN)
 
 ### Get public data
-* __GET__ http://localhost:8888/services/public/all
+* __GET__ http://localhost:8888/services/public/data/all
 
 ### Build and run
 ```

spring/spring-security/src/main/java/itx/examples/springboot/security/springsecurity/SpringSecurityApplication.java

@@ -2,8 +2,10 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 
 @SpringBootApplication
+@EnableGlobalMethodSecurity(securedEnabled = true)
 public class SpringSecurityApplication {
 
 	public static void main(String[] args) {

spring/spring-security/src/main/java/itx/examples/springboot/security/springsecurity/rest/DataRestController.java

@@ -6,28 +6,40 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 
 @RestController
-@RequestMapping("/services/data/")
+@RequestMapping("/services/data")
 public class DataRestController {
 
     private static final Logger LOG = LoggerFactory.getLogger(DataRestController.class);
 
     @Autowired
     private DataService dataService;
 
-    @GetMapping("/all")
-    public ResponseEntity<ServerData> getData(Authentication authentication) {
+    @Secured({"ROLE_USER", "ROLE_ADMIN"})
+    @GetMapping("/users/all")
+    public ResponseEntity<ServerData> getForUsersData(Authentication authentication) {
         LOG.info("getData: authentication={}", authentication.getName());
         authentication.getAuthorities().forEach(a->{
             LOG.info("  authority={}", a.getAuthority());
         });
-        return ResponseEntity.ok().body(dataService.getSecuredData("Secured for " + authentication.getName()));
+        return ResponseEntity.ok().body(dataService.getSecuredData("Secured for USER/ADMIN " + authentication.getName()));
+    }
+
+    @Secured("ROLE_ADMIN")
+    @GetMapping("/admins/all")
+    public ResponseEntity<ServerData> getDataForAdmins(Authentication authentication) {
+        LOG.info("getData: authentication={}", authentication.getName());
+        authentication.getAuthorities().forEach(a->{
+            LOG.info("  authority={}", a.getAuthority());
+        });
+        return ResponseEntity.ok().body(dataService.getSecuredData("Secured for ADMIN " + authentication.getName()));
     }
 
 }

spring/spring-security/src/main/java/itx/examples/springboot/security/springsecurity/rest/PublicRestController.java

@@ -11,15 +11,15 @@
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@RequestMapping("/services/public/")
+@RequestMapping("/services/public")
 public class PublicRestController {
 
     private static final Logger LOG = LoggerFactory.getLogger(PublicRestController.class);
 
     @Autowired
     private DataService dataService;
 
-    @GetMapping("/all")
+    @GetMapping("/data/all")
     public ResponseEntity<ServerData> getData() {
         LOG.info("getData: ");
         return ResponseEntity.ok().body(dataService.getSecuredData("Public"));

spring/spring-security/src/main/java/itx/examples/springboot/security/springsecurity/services/UserAccessServiceImpl.java

@@ -24,6 +24,7 @@ public UserAccessServiceImpl() {
         this.users = new HashMap<>();
         this.users.put("joe", new UserData("joe", "secret", "ROLE_USER"));
         this.users.put("jane", new UserData("jane", "secret", "ROLE_ADMIN", "ROLE_USER"));
+        this.users.put("alice", new UserData("joe", "secret", "ROLE_PUBLIC"));
     }
 
     @Override