WORK-MENTOR / Spring-Rest


Implement authorization for REST endpoints #104

Open MarinTrpenovski opened 1 year ago

MarinTrpenovski commented 1 year ago

When a user's permissions are loaded in the Spring Security context, authorization logic needs to be applied in order to check whether the user is authorized to access a REST endpoint (service).

Authorization checks can be applied using different approaches, like HTTPS request protection (via the configuration class, step 1) and method protection (via an annotation on the controller, step 2):

  1. Via the configuration class, where we disabled the CSRF security check and permit all requests to come to the filter. There, authorization access can be defined for each of the REST endpoints by defining which permission the user must have in order to access the endpoint. Use this link to understand how to protect HTTP requests in the application: https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html
  2. We use this approach to allow each request to come to the server (filter), load the user's permissions in the Spring Security context and protect each of the endpoints (REST controllers) by using an annotation.

Use this link to implement the authorization check on a method (as we need in our application): https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html

If the user doesn't have the appropriate permission, an Access Denied error should be returned. This is the exception that will be thrown by Spring if the user doesn't have the appropriate permission to access a REST endpoint: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/access/AccessDeniedException.html You need to add this exception to the General Exception handler in the application and return a custom message for the user, as we have for the other exceptions defined in the General Exception handler.
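The three pieces the issue asks for, as an added example that is not part of this repository's code: a filter chain that lets every request through to method security, a controller protected with `@PreAuthorize`, and a `@RestControllerAdvice` that turns `AccessDeniedException` into a 403 with a custom message. The endpoint path, the authority name `EMPLOYEE_READ` and the class names are assumptions, not taken from the project.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;

import java.util.Map;

// Step 1: CSRF disabled and every request permitted at the filter level, as the issue describes.
// Authorization is NOT decided here; it is enforced per method in step 2.
@Configuration
@EnableMethodSecurity // enables evaluation of @PreAuthorize on controllers and services
class MethodSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }
}

// Step 2: the endpoint itself checks that the loaded permissions contain the required authority.
// "EMPLOYEE_READ" is an assumed permission name; use the ones your permission loader puts in the context.
@RestController
@RequestMapping("/api/employees") // assumed path
class EmployeeController {
    @PreAuthorize("hasAuthority('EMPLOYEE_READ')")
    @GetMapping("/{id}")
    public Map<String, Object> getEmployee(@PathVariable long id) {
        return Map.of("id", id, "name", "example"); // constructed sample response
    }
}

// Step 3: map the AccessDeniedException thrown by @PreAuthorize to HTTP 403 with a custom body,
// alongside the other handlers in the application's general exception handler.
@RestControllerAdvice
class GeneralExceptionHandler {
    @ExceptionHandler(AccessDeniedException.class)
    public ResponseEntity<Map<String, String>> handleAccessDenied(AccessDeniedException ex) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN)
                .body(Map.of("error", "You do not have permission to access this resource"));
    }
}
```

Because the check runs inside the controller invocation, the `@RestControllerAdvice` handler catches the denial; a denial raised by `authorizeHttpRequests` rules in the filter chain would not reach it, which is why those rules are left at `permitAll()` in this approach.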

AngelaM123 commented 1 year ago

I have implemented authorization logic in two different ways: via the configuration class and using an annotation on the REST endpoint.