This annotation provides a way to add security configuration to business methods.<\/p>\n\n\n\n
It will use roles to check if a user has permission to call this method. The annotation is part of spring security. So to enable its usage you need the spring security dependency.<\/p>\n\n\n\n
You have an application that has a product CRUD. In this CRUD you want to control the operations using two specific roles.<\/p>\n\n\n\n
You can use @Secured to manage the access of those roles on each operation.<\/p>\n\n\n\n
We can define the following roles in our example scenario.<\/p>\n\n\n\n
To read:<\/p>\n\n\n\n
To update:<\/p>\n\n\n\n
To delete:<\/p>\n\n\n\n
Let’s look at a code example and observe the application behavior.<\/p>\n\n\n\n
To work with the We annotate the methods with @Secured defining which roles can access the method behavior.<\/p>\n\n\n You need to add the @EnableGlobalMethodSecurity(securedEnabled = true) to configure your Spring application to use enable method security using @Secured.<\/p>\n\n\n In our example we are going to test the behavior using tests, so we add the spring boot test dependency.<\/p>\n\n\n Then we create tests to validate if using a mock user and assign specific roles to him, we can test users in each role and how our application behaves. By doing that we can ensure that only the right roles can perform the allowed actions.<\/p>\n\n\n That\u2019s it, now you can manage user access to the application using roles with the @Secured annotation.<\/p>\n\n\n\n If you like this topic, make sure to follow me. In the following days, I\u2019ll be explaining more about Spring annotations! Stay tuned!<\/p>\n\n\n\n Willian Moya (@WillianFMoya) \/ X (twitter.com)<\/a><\/p>\n\n\n\n@Secured<\/code> annotation, add the Maven dependency for Spring Security:<\/p>\n\n\n\n<dependency>\n <groupId>org.springframework.boot<\/groupId>\n <artifactId>spring-boot-starter-security<\/artifactId>\n<\/dependency>\n\n<\/pre><\/div>\n\n\n
Annotating Methods with @Secured<\/h3>\n\n\n\n
\npublic class Product {\n \n private Long id;\n private String name;\n private BigDecimal value;\n \n \/\/getters and setters\n}\n\n@Service\npublic class ProductService {\n\n @Secured({"ROLE_USER", "ROLE_ADMIN"})\n public Product createProduct(Product product) {\n \/\/ Logic for creating a product\n return product;\n }\n\n @Secured({"ROLE_USER", "ROLE_ADMIN"})\n public Product getProductById(Long id) {\n \/\/ Logic for fetching a product\n return null;\n }\n\n @Secured("ROLE_ADMIN")\n public Product updateProduct(Product product) {\n \/\/ Logic for updating a product\n return product;\n }\n\n @Secured("ROLE_ADMIN")\n public void deleteProduct(Long id) {\n \/\/ Logic for deleting a product\n }\n}\n\n<\/pre><\/div>\n\n\nApplication configuration<\/h3>\n\n\n\n
\n@SpringBootApplication\n@EnableTransactionManagement\n@EnableGlobalMethodSecurity(securedEnabled = true)\npublic class MasteryApplication {\n\n\tpublic static void main(String[] args) {\n\t\tSpringApplication.run(MasteryApplication.class, args);\n\t}\n\n}\n\n<\/pre><\/div>\n\n\nTesting the Behavior<\/h3>\n\n\n\n
\n<dependency>\n <groupId>org.springframework.security<\/groupId>\n <artifactId>spring-security-test<\/artifactId>\n <scope>test<\/scope>\n<\/dependency>\n\n\n<\/pre><\/div>\n\n\n
\n@SpringBootTest\nclass ProductServiceTests {\n\n @Autowired\n private ProductService productService;\n\n @Test\n @WithMockUser(roles = "USER")\n void testCreateProductAsUser() {\n Product product = new Product();\n assertDoesNotThrow(() -> productService.createProduct(product));\n }\n\n @Test\n @WithMockUser(roles = "ADMIN")\n void testCreateProductAsAdmin() {\n Product product = new Product();\n assertDoesNotThrow(() -> productService.createProduct(product));\n }\n\n @Test\n @WithAnonymousUser\n void testCreateProductAsAnonymous() {\n Product product = new Product();\n assertThrows(AccessDeniedException.class, () -> productService.createProduct(product));\n }\n\n @Test\n @WithMockUser(roles = "USER")\n void testGetProductByIdAsUser() {\n assertDoesNotThrow(() -> productService.getProductById(1L)); \/\/ Assuming product with ID 1 exists\n }\n\n @Test\n @WithMockUser(roles = "ADMIN")\n void testGetProductByIdAsAdmin() {\n assertDoesNotThrow(() -> productService.getProductById(1L));\n }\n\n @Test\n @WithAnonymousUser\n void testGetProductByIdAsAnonymous() {\n assertThrows(AccessDeniedException.class, () -> productService.getProductById(1L));\n }\n\n @Test\n @WithMockUser(roles = "USER")\n void testUpdateProductAsUser() {\n Product product = new Product();\n assertThrows(AccessDeniedException.class, () -> productService.updateProduct(product));\n }\n\n @Test\n @WithMockUser(roles = "ADMIN")\n void testUpdateProductAsAdmin() {\n Product product = new Product();\n assertDoesNotThrow(() -> productService.updateProduct(product));\n }\n\n @Test\n @WithAnonymousUser\n void testUpdateProductAsAnonymous() {\n Product product = new Product();\n assertThrows(AccessDeniedException.class, () -> productService.updateProduct(product));\n }\n\n @Test\n @WithMockUser(roles = "USER")\n void testDeleteProductAsUser() {\n assertThrows(AccessDeniedException.class, () -> productService.deleteProduct(1L));\n }\n\n @Test\n @WithMockUser(roles = "ADMIN")\n void testDeleteProductAsAdmin() {\n assertDoesNotThrow(() -> productService.deleteProduct(1L));\n }\n\n @Test\n @WithAnonymousUser\n void testDeleteProductAsAnonymous() {\n assertThrows(AccessDeniedException.class, () -> productService.deleteProduct(1L));\n }\n}\n\n<\/pre><\/div>\n\n\n