Method-Level Security
Learn how to implement security on the method level by using some keywords.
Having put in a basic amount of security, it’s time to point out some of its issues. HTTP verb and URL rules like pathMatchers(POST, "/").hasRole(...)
grant us fine-grained control, but it has its limitations:
- Changes in the controller class could require changes in our security policy.
- As we add more controllers and, as a result, more lines to our
SecurityWebFilterChain
bean, this could get unwieldy. - What about chunks of code that need role-based security but aren’t directly linked to web endpoints?
This is where method-level security steps in.
By applying a Spring Security annotation directly on the method, we can secure things directly where our business logic is located. We can avoid having to manage security rules for the URLs of a dozen controllers and instead keep the domain of security right alongside the logic of business.
To explore method-level security, we need something a little more substantial than a couple of web methods. So for this section, we’ll add a REST API using Spring HATEOAS.
Get hands-on with 1400+ tech skills courses.