Securing Specific API Endpoints Based on Roles and Permissions in Spring Security

Securing specific API endpoints based on roles and permissions is a crucial aspect of any application that deals with sensitive data or requires different levels of access for different users. With Spring Security, a powerful and highly customizable security framework for Java applications, achieving this level of granular control becomes relatively simple. In this article, we will explore how to secure specific API endpoints based on roles and permissions using Spring Security.

Understanding Roles and Permissions

Before diving into the implementation, it is important to understand the concepts of roles and permissions. In Spring Security, a role represents a higher-level user authority, such as "admin" or "user." On the other hand, a permission represents a specific action or operation that a user can perform, such as "read" or "write." By assigning roles and permissions to users, we can control their access to different parts of our application.

Configuring Role-Based Access Control

To secure specific API endpoints based on roles and permissions, we need to configure role-based access control in Spring Security. This involves creating a set of security rules that map URLs to roles and permissions. Let's take a look at how this can be done.

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
            .antMatchers("/api/user/**").hasAnyRole("ADMIN", "USER")

In the above configuration, we have defined three sets of rules for different API endpoints: public, admin, and user. The antMatchers method is used to match the URL patterns of the endpoints, while the hasRole and hasAnyRole methods specify the required roles for accessing those endpoints.

By calling permitAll() on certain URL patterns, we allow unrestricted access to those endpoints. For example, the /api/public/** endpoints are accessible to everyone without any authentication.

On the other hand, the /api/admin/** endpoints can only be accessed by users with the "ADMIN" role. Similarly, the /api/user/** endpoints can be accessed by anyone with either the "ADMIN" or "USER" role.

Finally, the anyRequest().authenticated() ensures that all other API endpoints require authentication regardless of their URL pattern.

Granting Permissions with Pre- and Post-Annotations

In addition to role-based access control, Spring Security also provides fine-grained control over permissions using pre- and post-annotations. These annotations can be used to enforce specific conditions or checks before or after accessing an API endpoint.

public class UserController {

    @PreAuthorize("hasPermission('USER', 'read')")
    public ResponseEntity<User> getUser(@PathVariable String userId) {
        // Implement logic to retrieve user by ID

    @PreAuthorize("hasPermission('USER', 'write')")
    public ResponseEntity<User> updateUser(@PathVariable String userId, @RequestBody User user) {
        // Implement logic to update user by ID

In the above example, the @PreAuthorize annotation is used to specify that the getUser() method can only be accessed if the authenticated user has the permission to "read" a user. Similarly, the updateUser() method requires the "write" permission.

By using these annotations, we can ensure that not only roles but also specific permissions are checked before allowing access to an API endpoint.


Securing specific API endpoints based on roles and permissions is a fundamental requirement for building secure applications. With Spring Security, we have a powerful tool at our disposal to achieve this level of granular access control. By configuring role-based access control and leveraging pre- and post-annotations for checking permissions, we can ensure that the right users have the necessary access to the right endpoints in our application.

noob to master © copyleft