- Configure DB authentication instead of in-memory authentication.
- Add a Role entity with a DAO and a service layer for it:
    public interface RoleService {
        void add(Role role);
        Role getRoleByName(String roleName);
    }
- Configure role-based access to specific resources for ADMIN and for USER. You should configure access to all endpoints in your application, so that nothing is left reachable by accident. Example:
POST: /register - all
GET: /cinema-halls - user/admin
POST: /cinema-halls - admin
GET: /movies - user/admin
POST: /movies - admin
GET: /movie-sessions/available - user/admin
GET: /movie-sessions/{id} - user/admin
POST: /movie-sessions - admin
PUT: /movie-sessions/{id} - admin
DELETE: /movie-sessions/{id} - admin
GET: /orders - user
POST: /orders/complete - user
POST: /shopping-carts/movie-sessions - user
GET: /shopping-carts/by-user - user
GET: /users/by-email - admin
...
HINT:
- It's up to you which type to choose for the RoleName field (String or enum), but an enum is preferable in most cases: it rules out typos like "ADMN" that a String would silently accept.
- Roles and the first Admin user can be created inside the DataInitializer class in a method annotated with @PostConstruct:
    @PostConstruct
    public void inject() {
        Role adminRole = new Role();
        adminRole.setName("ADMIN");
        roleService.add(adminRole);
        Role userRole = new Role();
        userRole.setName("USER");
        roleService.add(userRole);
        User user = new User();
        user.setEmail("[email protected]");
        // raw password: userService.add() must hash it with the PasswordEncoder
        // before saving, so the plain value never reaches the database
        user.setPassword("admin123");
        user.setRoles(Set.of(adminRole));
        userService.add(user);
    }
- You can specify different access rules for the same endpoint per HTTP method. For example:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // order matters: the first matching rule wins
            .antMatchers(HttpMethod.POST, "/movies/**").hasRole("ADMIN")
            // permitAll here only illustrates the per-method split;
            // the table above requires USER/ADMIN for GET /movies
            .antMatchers(HttpMethod.GET, "/movies/**").permitAll()
            // deny-by-default catch-all for every endpoint not listed above
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .permitAll()
            .and()
            .httpBasic()
            .and()
            .csrf().disable();
    }
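The following is an added example, not the task's or the project's own code: a DB-backed UserDetailsService together with a SecurityConfig that carries the whole endpoint/role table above into one configuration. The project types it relies on are assumptions: a cinema.model.User with getEmail(), getPassword() and getRoles(), a cinema.model.Role with getName() (String or enum, either works here), and a cinema.service.UserService with findByEmail(String) returning Optional<User>. It uses HTTP Basic only (the hint's formLogin is left out) and targets the Spring Security 5.x WebSecurityConfigurerAdapter API used in the hint.

```java
// Added example (not the task's own code). Assumed names: cinema.model.User,
// cinema.model.Role#getName(), cinema.service.UserService#findByEmail(String).
package cinema.config;

import cinema.model.User;
import cinema.service.UserService;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Separate @Configuration so UserService (which hashes passwords in add()) can
// depend on the encoder without a circular reference back to SecurityConfig.
@Configuration
class PasswordEncoderConfig {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserService userService;
    private final PasswordEncoder passwordEncoder;

    public SecurityConfig(UserService userService, PasswordEncoder passwordEncoder) {
        this.userService = userService;
        this.passwordEncoder = passwordEncoder;
    }

    // DB authentication: look the user up by e-mail and map each Role to a
    // "ROLE_"-prefixed authority, which is what hasRole("ADMIN") actually checks.
    // Defining this bean also switches off Spring Boot's in-memory default user.
    @Bean
    public UserDetailsService userDetailsService() {
        return email -> {
            User user = userService.findByEmail(email)
                    .orElseThrow(() -> new UsernameNotFoundException("User not found: " + email));
            Set<GrantedAuthority> authorities = user.getRoles().stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
                    .collect(Collectors.toSet());
            // the stored password is the BCrypt hash; DaoAuthenticationProvider compares it
            return new org.springframework.security.core.userdetails.User(
                    user.getEmail(), user.getPassword(), authorities);
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // Rules are evaluated top-down, first match wins: public and most
            // specific rules first, deny-by-default catch-all last.
            .antMatchers(HttpMethod.POST, "/register").permitAll()
            .antMatchers(HttpMethod.GET, "/cinema-halls", "/movies",
                    "/movie-sessions/available", "/movie-sessions/*").hasAnyRole("ADMIN", "USER")
            .antMatchers(HttpMethod.POST, "/cinema-halls", "/movies", "/movie-sessions").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/movie-sessions/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.DELETE, "/movie-sessions/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.GET, "/orders", "/shopping-carts/by-user").hasRole("USER")
            .antMatchers(HttpMethod.POST, "/orders/complete", "/shopping-carts/movie-sessions").hasRole("USER")
            .antMatchers(HttpMethod.GET, "/users/by-email").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            // Every request carries Basic credentials and no session is kept, so there
            // is no cookie-bound session for CSRF to ride on; disabling it is safe here.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable();
    }
}
```

A quick way to check the table is enforced: an unauthenticated GET /movies must return 401, a USER's POST /movies must return 403, and the same POST with ADMIN credentials must reach the controller. If the USER request succeeds, the usual cause is authorities stored without the "ROLE_" prefix, which hasRole() silently never matches.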
You can check yourself using this checklist