Spring Security and Spring Data REST

This post discusses Spring Security and Spring Data REST. It builds on the previous post “Introduction to Spring Data REST” and my series of posts on Spring Security.

Spring Security and Spring Data REST

Spring Security is split into two components –

  • Authentication – defined by the AuthenticationManager, or the source of the authentication credentials
  • Authorisation – what we want to protect: URLs, roles, methods

This tutorial only considers Basic Authentication with an in-memory realm. I will probably return to this subject to show how to properly harden a RESTful API.

Source Code

Code available on GitHub –

Run the code by typing –


You can secure Spring Boot by simply including this dependency –

Spring Boot then prints a generated password at startup, but that is not very practical for most uses.


I've moved the Spring Data REST API URL to /rest in –

SecurityConfig has –

  • Two users – user (role – USER), admin (role – admin)
  • Restrictions –
    • Only “ADMIN” or “USER” roles can access “/rest”,
    • Only “ADMIN” users can POST to the web service –

Putting It Together

I've switched to curl for calling the APIs as it's clearer for tutorials –

No credentials – Doesn't Authenticate

user/user credentials – Authenticates

POST methods – Access Forbidden

POST methods – Access Allowed


This post shows how Spring Security and Spring Data REST can be combined to secure REST API URLs and HTTP methods. It uses a basic form of Spring authentication, combining a MemoryRealm with the security configuration. We have also demonstrated how to restrict access to REST methods based on user group.