Table of Contents

1. What is RBAC?
2. Benefits of Using RBAC
3. Defining Roles in Spring Security
4. Role-Based Access with Annotations
5. Role Hierarchy in Spring Security
6. Fine-Grained Access Control Using Expressions
7. Best Practices for Implementing RBAC
8. Summary

1. What is RBAC?

Role-Based Access Control (RBAC) is a security mechanism that restricts access to resources based on the roles assigned to users. In Spring Security, roles determine what actions a user can perform or what endpoints they can access.

Example:

• Role ADMIN may access /admin/**
• Role USER may only access /user/**

2. Benefits of Using RBAC

• Centralized control: Easier management of access rules.
• Scalability: Adding new roles or users doesn’t require changing application logic.
• Improved security: Reduces chances of unauthorized access.
• Auditable: Easier to audit and enforce organizational security policies.

3. Defining Roles in Spring Security

Step 1: User Definition with Roles

@Bean
public InMemoryUserDetailsManager userDetailsService() {
    UserDetails user = User.withUsername("user")
        .password(passwordEncoder().encode("user123"))
        .roles("USER")
        .build();

    UserDetails admin = User.withUsername("admin")
        .password(passwordEncoder().encode("admin123"))
        .roles("ADMIN")
        .build();

    return new InMemoryUserDetailsManager(user, admin);
}

Spring automatically prefixes ROLE_ to each role. So roles("ADMIN") becomes ROLE_ADMIN.

4. Role-Based Access with Annotations

@PreAuthorize and @Secured

Using @Secured:

@Secured("ROLE_ADMIN")
@GetMapping("/admin/dashboard")
public String adminDashboard() {
    return "Welcome Admin!";
}

Using @PreAuthorize:

@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/dashboard")
public String adminDashboard() {
    return "Welcome Admin!";
}

To enable annotations:

@EnableMethodSecurity(securedEnabled = true, prePostEnabled = true)
@Configuration
public class SecurityConfig {
    // your security beans
}

5. Role Hierarchy in Spring Security

You can define role inheritance so that a higher role includes the authorities of lower roles.

@Bean
public RoleHierarchy roleHierarchy() {
    RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
    hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
    return hierarchy;
}

This means an ADMIN implicitly has all permissions of a USER.

6. Fine-Grained Access Control Using Expressions

Spring Security provides rich expression support with @PreAuthorize and @PostAuthorize.

Examples:

@PreAuthorize("hasRole('ADMIN') or hasRole('MODERATOR')")
public String accessControl() {
    return "Admin or Moderator Access";
}

@PreAuthorize("#user.username == authentication.name")
public String getUserData(User user) {
    return "Accessing own data";
}

You can access:

• authentication: the current authentication object
• principal: the current logged-in user
• #param: method parameters

7. Best Practices for Implementing RBAC

• Use meaningful role names (ROLE_VIEWER, ROLE_MANAGER) over generic ones.
• Externalize role definitions if possible (e.g., in DB or LDAP).
• Use role hierarchy to simplify rules.
• Apply the principle of least privilege—grant only necessary permissions.
• Regularly audit roles and access mappings.

8. Summary

RBAC is a powerful and scalable way to manage access control in Spring applications. It lets you separate who can access what, based on roles rather than hard-coded user IDs.

Key Concepts Covered:

• Defining users with roles
• Using @Secured, @PreAuthorize for enforcement
• Configuring role hierarchies
• Using security expressions for dynamic control

Next, we’ll explore more advanced topics like JWT-based authentication, OAuth2, and custom authorization filters for building highly secure RESTful applications.

Table of Contents

1. What is Basic Authentication?
2. How Basic Authentication Works in Spring Security
3. Setting Up Basic Authentication in a Spring Boot Application
4. Creating Custom User Details
5. Configuring a Custom Security Filter Chain
6. Testing Basic Authentication with Postman or curl
7. Summary

1. What is Basic Authentication?

Basic Authentication is a simple authentication scheme built into the HTTP protocol. It transmits credentials (username and password) encoded in Base64 in the Authorization header. Though easy to implement, it should always be used over HTTPS to protect credentials from interception.

Example Authorization Header:

Authorization: Basic dXNlcjpwYXNzd29yZA==

The encoded string is just username:password in Base64.

2. How Basic Authentication Works in Spring Security

Spring Security supports HTTP Basic Authentication out of the box. Once enabled, Spring Security:

• Intercepts all HTTP requests
• Checks for an Authorization: Basic header
• Decodes the credentials
• Validates the user using a UserDetailsService
• Grants or denies access based on authentication and roles

3. Setting Up Basic Authentication in a Spring Boot Application

Step 1: Add Spring Security Dependency

For Maven:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Step 2: Default Behavior

If you don’t configure anything, Spring Security auto-generates a default user (user) with a random password. You can test this immediately via browser or API tools.

To override this behavior and set custom credentials, configure the following in application.properties:

spring.security.user.name=admin
spring.security.user.password=admin123

4. Creating Custom User Details

You can define your own users and roles using the UserDetailsService interface and InMemoryUserDetailsManager.

@Configuration
public class SecurityConfig {

    @Bean
    public InMemoryUserDetailsManager userDetailsService() {
        UserDetails user = User.withUsername("john")
            .password(passwordEncoder().encode("john123"))
            .roles("USER")
            .build();
        
        UserDetails admin = User.withUsername("admin")
            .password(passwordEncoder().encode("admin123"))
            .roles("ADMIN")
            .build();

        return new InMemoryUserDetailsManager(user, admin);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

5. Configuring a Custom Security Filter Chain

Next, create a filter chain to specify security rules:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeHttpRequests()
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .httpBasic(); // Enables basic authentication

    return http.build();
}

This config:

• Disables CSRF (not recommended for web apps, okay for REST APIs)
• Allows open access to /public/**
• Secures all other endpoints with basic authentication

6. Testing Basic Authentication with Postman or curl

Using curl:

curl -u john:john123 http://localhost:8080/api/secure-data

Using Postman:

1. Open Postman and select your endpoint.
2. Go to Authorization tab.
3. Choose Basic Auth.
4. Enter your username and password.
5. Hit Send.

Spring Security will decode credentials and authorize based on roles and configuration.

7. Summary

Basic authentication is a fast and minimal way to protect your endpoints, ideal for internal tools or simple APIs. However, it sends credentials with every request, so it must be used with HTTPS to ensure security.

Key Points:

• Easy to set up with Spring Security and Spring Boot.
• Credentials are passed in Base64, not encrypted—SSL is essential.
• Works well with tools like Postman, curl, and simple API clients.
• Not recommended for public-facing applications without token-based enhancements.

In future modules, we’ll cover form-based login, JWT-based authentication, and integrating with external identity providers for more advanced and secure setups.

Table of Contents

1. What is Spring Security?
2. Core Features of Spring Security
3. How Spring Security Works
4. Spring Security Architecture
5. Adding Spring Security to a Spring Boot Application
6. Default Behavior and Auto-Configuration
7. Summary

1. What is Spring Security?

Spring Security is a powerful and customizable authentication and access control framework for Java applications, especially those built using the Spring framework. It is the de facto standard for securing Spring-based applications.

Spring Security offers comprehensive security services for:

• Authentication – verifying the identity of users.
• Authorization – controlling access to resources based on roles/permissions.

It supports a wide range of security features including form-based login, OAuth2, JWT, LDAP, method-level security, and much more.

2. Core Features of Spring Security

Spring Security comes with a rich set of security features:

• Authentication and Authorization: Built-in support for user login and role-based access control.
• Password Encoding: Uses secure hashing algorithms (like BCrypt) to store passwords.
• Security Headers: Helps protect against attacks such as XSS, clickjacking, etc.
• CSRF Protection: Cross-Site Request Forgery protection is enabled by default.
• Session Management: Controls concurrent sessions and session invalidation.
• Method-Level Security: Allows securing methods using annotations such as @PreAuthorize, @Secured.
• Integration: Easily integrates with OAuth2, LDAP, SAML, and custom authentication providers.

3. How Spring Security Works

Spring Security works by configuring a filter chain that intercepts incoming HTTP requests and processes them through various security filters.

Basic Flow:

1. A user sends a request to a secured resource.
2. The request hits the Security Filter Chain, which checks if the resource requires authentication.
3. If yes, Spring Security checks whether the user is authenticated and has the necessary authority.
4. If authenticated and authorized, access is granted. If not, a suitable error (like 401 or 403) is returned.

The filters in the chain can handle:

• Logging in/out
• Validating session or tokens
• CSRF validation
• Applying security headers

4. Spring Security Architecture

Key components in Spring Security:

• SecurityFilterChain: Central component for applying security filters to incoming requests.
• AuthenticationManager: Responsible for processing authentication requests.
• UserDetailsService: Interface to fetch user-specific data.
• GrantedAuthority: Represents the role or privilege assigned to a user.
• SecurityContext: Holds the currently authenticated user’s details in a thread-local storage.
• PasswordEncoder: Used to hash passwords before storing and comparing them.

5. Adding Spring Security to a Spring Boot Application

Step 1: Add Dependency

In pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Or for Gradle:

implementation 'org.springframework.boot:spring-boot-starter-security'

Step 2: Default Behavior

Once the dependency is added, Spring Boot auto-configures basic security:

• All endpoints are secured by default.
• A login form is available at /login.
• A default in-memory user with a generated password is created.

On application startup, a password will be printed in the logs:

Using generated security password: 9d5b6142-XXXX-XXXX

You can use this to log in with the default user user.

6. Default Behavior and Auto-Configuration

When Spring Security is included:

• All HTTP endpoints require authentication.
• A login page is auto-generated at /login.
• HTTP Basic and Form-based authentication are enabled.
• CSRF protection is enabled.
• Static resources (like CSS, JS) are allowed by default.

You can customize this behavior using a configuration class:

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests()
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin();
        return http.build();
    }
}

7. Summary

Spring Security is a full-featured, highly customizable framework for securing Java applications. Its plug-and-play integration with Spring Boot makes it easy to set up authentication and authorization for your REST APIs or web applications.

Key Points:

• It provides robust security features including CSRF, headers, sessions, and method-level access control.
• Security is applied through a filter chain that intercepts and processes every request.
• Once integrated, all endpoints are protected by default until explicitly configured.

In upcoming modules, we will cover:

• Custom user details and authentication providers
• JWT-based security
• Role-based access control
• Method-level and endpoint-level security
• Integration with Spring Boot APIs

This foundational understanding is essential as we dive deeper into securing real-world applications using Spring Security.

Table of Contents

1. Introduction to API Documentation
2. What is Swagger and OpenAPI?
3. Setting Up Swagger in Spring Boot
4. Annotating Your API with Swagger Annotations
5. Configuring Swagger UI
6. Customizing Swagger Documentation
7. Using Swagger with Spring Security
8. Conclusion

1. Introduction to API Documentation

API documentation is an essential part of developing RESTful APIs. It provides a detailed description of the available endpoints, their parameters, request/response formats, and status codes, allowing other developers and consumers to interact with the API correctly.

While API documentation can be created manually, tools like Swagger and OpenAPI provide automatic documentation generation, ensuring consistency and saving time. These tools make your API more accessible, clear, and interactive for other developers and API consumers.

2. What is Swagger and OpenAPI?

• Swagger is a suite of tools for API development that includes a specification for describing REST APIs and tools for generating interactive documentation. Swagger is now part of the OpenAPI Specification (OAS), which is a standardized format for describing RESTful APIs. The OAS specification defines a set of rules and standards for describing APIs in a machine-readable format (usually JSON or YAML).
• OpenAPI (formerly known as Swagger) is a specification for defining APIs. It provides a standard, language-agnostic interface for describing REST APIs. Tools like Swagger UI, Swagger Codegen, and Swagger Editor allow developers to work with OpenAPI specifications and interact with APIs.

3. Setting Up Swagger in Spring Boot

To integrate Swagger with a Spring Boot application, you need to include the required dependencies.

Step 1: Add Swagger Dependencies

If you’re using Maven, add the following dependencies in your pom.xml:

<dependency>
    <groupId>io.springfox</groupId>
    <artifactId>springfox-boot-starter</artifactId>
    <version>3.0.0</version>
</dependency>

For Gradle:

implementation 'io.springfox:springfox-boot-starter:3.0.0'

Step 2: Enable Swagger in Spring Boot

Create a configuration class to enable Swagger:

@Configuration
@EnableSwagger2
public class SwaggerConfig {
}

For Spring Boot 2.x and later, you may need to use springfox-boot-starter instead of @EnableSwagger2, as it is automatically enabled via the starter.

4. Annotating Your API with Swagger Annotations

Swagger uses annotations to generate API documentation for each of your endpoints. Below are the key annotations to use:

@Api: Describes the entire controller class.

@Api(value = "Employee Management System", tags = {"Employee"})
@RestController
@RequestMapping("/api/employees")
public class EmployeeController {
}

@ApiOperation: Describes an individual API operation.

@ApiOperation(value = "Get an employee by ID", response = EmployeeDTO.class)
@GetMapping("/{id}")
public ResponseEntity<EmployeeDTO> getEmployeeById(@PathVariable Long id) {
    EmployeeDTO employeeDTO = employeeService.getEmployeeDTO(id);
    return ResponseEntity.ok(employeeDTO);
}

@ApiParam: Describes a parameter in an API operation.

@ApiOperation(value = "Update an employee's details")
@PutMapping("/{id}")
public ResponseEntity<EmployeeDTO> updateEmployee(
    @ApiParam(value = "Employee ID", required = true) @PathVariable Long id,
    @RequestBody EmployeeDTO employeeDTO
) {
    employeeService.updateEmployee(id, employeeDTO);
    return ResponseEntity.ok(employeeDTO);
}

@ApiResponse: Describes a possible response for an API operation.

@ApiOperation(value = "Get all employees")
@ApiResponse(code = 200, message = "Successfully retrieved the list of employees")
@GetMapping("/")
public List<EmployeeDTO> getAllEmployees() {
    return employeeService.getAllEmployees();
}

5. Configuring Swagger UI

Swagger UI is a web-based interface for interacting with your API documentation. To enable Swagger UI in your Spring Boot application, ensure that the following configuration is set:

Step 1: Accessing Swagger UI

By default, Swagger UI is accessible at the following URL:

http://localhost:8080/swagger-ui/

Step 2: Customize Swagger UI

You can customize the look and feel of Swagger UI by modifying its configuration. For example:

@Configuration
public class SwaggerConfig {

    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                .apis(RequestHandlerSelectors.basePackage("com.example.api"))
                .paths(PathSelectors.any())
                .build()
                .apiInfo(apiInfo());
    }

    private ApiInfo apiInfo() {
        return new ApiInfo(
                "Employee API",
                "API for managing employees in the system",
                "1.0",
                "Terms of service URL",
                new Contact("John Doe", "www.example.com", "[email protected]"),
                "License of API",
                "API License URL",
                Collections.emptyList());
    }
}

6. Customizing Swagger Documentation

Swagger allows you to customize the documentation to suit your needs. You can specify custom descriptions, API versioning, and additional metadata.

Customizing Model Descriptions

You can customize descriptions for your models using annotations like @ApiModel and @ApiModelProperty:

@ApiModel(description = "Employee details")
public class EmployeeDTO {

    @ApiModelProperty(notes = "Unique identifier of the employee")
    private Long id;

    @ApiModelProperty(notes = "Name of the employee")
    private String name;

    @ApiModelProperty(notes = "Department of the employee")
    private String department;

    // Getters and setters
}

API Versioning

You can use Swagger’s @ApiVersion annotation to document different versions of your API.

@ApiVersion(1)
@GetMapping("/v1/employees")
public List<EmployeeDTO> getEmployeesV1() {
    return employeeService.getAllEmployeesV1();
}

@ApiVersion(2)
@GetMapping("/v2/employees")
public List<EmployeeDTO> getEmployeesV2() {
    return employeeService.getAllEmployeesV2();
}

7. Using Swagger with Spring Security

When your API is secured with Spring Security, Swagger documentation may be blocked by the security filters. You can configure Spring Security to allow access to Swagger UI and API documentation by permitting specific endpoints:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/swagger-ui/**", "/v2/api-docs").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

This configuration allows unrestricted access to Swagger UI and API documentation while securing the other endpoints.

8. Conclusion

Using Swagger/OpenAPI for API documentation provides several advantages for developers and consumers, including easy-to-navigate interactive documentation and the ability to auto-generate API documentation. With Swagger integrated into your Spring Boot application, you can enhance the developer experience and improve the clarity of your API.

Key Takeaways:

• Swagger/OpenAPI offers a powerful, standardized way to describe REST APIs.
• Integrating Swagger into Spring Boot allows automatic documentation generation and customization.
• The Swagger UI provides an interactive interface for API testing and visualization.
• Spring Security can be configured to allow access to Swagger even in secured applications.

By following this guide, you’ll be able to set up and customize Swagger in your Spring Boot applications, providing rich, accurate API documentation for easier integration and development.

Table of Contents

1. Introduction to DTO Pattern
2. Benefits of Using DTO
3. Introduction to ModelMapper
4. Using ModelMapper to Convert Entities to DTOs
5. Example: Using DTOs and ModelMapper in Spring Boot
6. Conclusion

1. Introduction to DTO Pattern

The DTO (Data Transfer Object) pattern is a design pattern used to transfer data between different layers of an application, typically between the persistence layer (database) and the presentation layer (UI). A DTO is a plain object that holds data but does not contain any business logic or behavior. It is primarily used to reduce the number of method calls in a distributed application and optimize the process of data transmission.

Why Use DTOs?

• Performance: DTOs are used to transfer only the required data, thus reducing the overhead of unnecessary information being transferred.
• Separation of Concerns: They help separate the domain model (or entity) from the structure required for user interface interactions or external services.
• Decoupling: DTOs allow decoupling between internal representations and external representations, enabling easier modifications to the internal model without affecting external APIs or clients.

DTO vs Entity

While an entity represents a database table, a DTO is often a subset of that entity and is tailored to the needs of the client (UI, API, etc.). The main difference is that entities usually contain business logic and persistence annotations, whereas DTOs only carry data.

2. Benefits of Using DTO

Here are some key reasons to use DTOs in your applications:

• Efficient Data Transfer: By transferring only the required fields and leaving out unnecessary data, DTOs help reduce the amount of data being sent over the network.
• Control Over API Representation: DTOs can be structured differently from the internal database model. This gives the flexibility to present data in a way that is best suited for the client or API consumer.
• Security: Sensitive fields (e.g., passwords, personal information) that are not necessary for the consumer of the data can be excluded in the DTO to enhance security.
• Decoupling: It decouples the internal database model from the exposed model, making it easier to change the internal model without impacting external systems or services.

Example DTO

Here is an example of a typical DTO class:

public class EmployeeDTO {
    private Long id;
    private String name;
    private String department;

    // Getters and Setters
}

In this case, EmployeeDTO might not include all the fields present in the Employee entity, such as sensitive data or internal business logic.

3. Introduction to ModelMapper

ModelMapper is a Java library that helps you automate the mapping between Java beans (like entities and DTOs). It is used to reduce the boilerplate code associated with object mapping.

Instead of manually copying values from one object to another, ModelMapper allows you to define mappings between different object types (like Employee entity to EmployeeDTO) in a concise and reusable manner.

Why Use ModelMapper?

• Ease of Use: It simplifies the mapping process by automatically matching fields with the same name and type between the source and destination objects.
• Customization: ModelMapper allows you to customize mappings if fields in source and destination objects differ.
• Performance: It provides an optimized way of copying data between objects, which can reduce development time.

4. Using ModelMapper to Convert Entities to DTOs

Let’s see how to use ModelMapper in a real-world example by mapping an entity to a DTO.

Step 1: Add ModelMapper to Dependencies

To use ModelMapper, you need to include it in your pom.xml if you’re using Maven:

<dependency>
    <groupId>org.modelmapper</groupId>
    <artifactId>modelmapper</artifactId>
    <version>2.4.4</version>
</dependency>

For Gradle:

implementation 'org.modelmapper:modelmapper:2.4.4'

Step 2: Define Entity and DTO

Assume we have an Employee entity and an EmployeeDTO:

Employee Entity:

@Entity
public class Employee {
    @Id
    private Long id;
    private String name;
    private String department;
    private double salary;

    // Getters and Setters
}

EmployeeDTO:

public class EmployeeDTO {
    private Long id;
    private String name;
    private String department;

    // Getters and Setters
}

Step 3: Create ModelMapper Bean

In Spring Boot, you can configure ModelMapper as a Bean:

@Configuration
public class ModelMapperConfig {

    @Bean
    public ModelMapper modelMapper() {
        return new ModelMapper();
    }
}

Step 4: Mapping Entities to DTOs

Now, you can use ModelMapper to convert an Employee entity to an EmployeeDTO:

@Service
public class EmployeeService {

    @Autowired
    private ModelMapper modelMapper;

    @Autowired
    private EmployeeRepository employeeRepository;

    public EmployeeDTO getEmployeeDTO(Long id) {
        Employee employee = employeeRepository.findById(id).orElseThrow(() -> new RuntimeException("Employee not found"));
        return modelMapper.map(employee, EmployeeDTO.class);
    }
}

In this example:

• The modelMapper.map() method automatically maps the fields from the Employee entity to the EmployeeDTO.
• The ModelMapper will match fields by name and type. If the field names and types in both classes are different, you can configure custom mappings (explained in the next section).

5. Example: Using DTOs and ModelMapper in Spring Boot

Step 1: Define the Controller to Fetch Employee DTOs

@RestController
@RequestMapping("/api/employees")
public class EmployeeController {

    @Autowired
    private EmployeeService employeeService;

    @GetMapping("/{id}")
    public ResponseEntity<EmployeeDTO> getEmployeeById(@PathVariable Long id) {
        EmployeeDTO employeeDTO = employeeService.getEmployeeDTO(id);
        return ResponseEntity.ok(employeeDTO);
    }
}

Step 2: Define the Response

When a client requests /api/employees/{id}, the system will return a response with the mapped EmployeeDTO in the response body:

{
  "id": 1,
  "name": "John Doe",
  "department": "Engineering"
}

Step 3: Handle Mapping Complex Scenarios

Sometimes, the entity and DTO might have different field names or require special logic for conversion. ModelMapper allows you to customize these mappings.

ModelMapper modelMapper = new ModelMapper();
modelMapper.typeMap(Employee.class, EmployeeDTO.class).addMappings(mapper -> {
    mapper.map(Employee::getDepartment, EmployeeDTO::setDepartment); // Custom mapping
});

In this case, if the field names differ or if there’s a need for transformation, you can explicitly map one field to another.

6. Conclusion

The DTO Pattern is an essential design pattern in Java for transferring data efficiently across layers and systems, improving performance, security, and maintainability. ModelMapper simplifies the process of converting between entities and DTOs, reducing boilerplate code and ensuring maintainability. Together, these tools can enhance the scalability and flexibility of your Spring Boot applications by ensuring that data transfer is both efficient and easily managed.

Key Takeaways:

• DTOs help decouple the internal domain model from external representations and improve performance by transferring only necessary data.
• ModelMapper automates the mapping of entities to DTOs, saving time and reducing errors in data transformation.
• You can use ModelMapper in Spring Boot to easily handle entity-to-DTO mapping, with options for customization when needed.

By following the DTO pattern and leveraging ModelMapper, you can make your applications more efficient and maintainable.