Configured Role Based Access control for API End points.

Author: alwinsimon

src/main/java/com/alwinsimon/UserManagementJavaSpringBoot/Config/SecurityConfig.java

@@ -7,6 +7,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -16,6 +17,7 @@
 @Configuration
 @EnableWebSecurity
 @RequiredArgsConstructor
+@EnableMethodSecurity(securedEnabled = true, prePostEnabled = true)
 public class SecurityConfig {
 
     private final JwtAuthenticationFilter jwtAuthenticationFilter;

src/main/java/com/alwinsimon/UserManagementJavaSpringBoot/Controller/AdminController.java

@@ -5,6 +5,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -18,6 +19,7 @@ public class AdminController {
     private final AdminService adminService;
 
     @GetMapping("/get-users")
+    @Secured("ADMIN")
     public ResponseEntity<List<User>> getAllUsers() {
 
         // API Endpoint to get the LoggedIn User Details using Token received in the Request Header.
@@ -27,6 +29,7 @@ public ResponseEntity<List<User>> getAllUsers() {
     }
 
     @DeleteMapping("/delete-user/{email}")
+    @Secured("ADMIN")
     public ResponseEntity<String> deleteUser(@PathVariable("email") String email) {
         try {
             adminService.deleteUserByEmail(email);