Springboot Security annotations

Hi everyone! I can’t really understand how @RolesAllowed works on method level. I am just making some examples to see if it works. I use something like @RolesAllowed(“nonsense”) and I am expecting to not be able to use a method that for example creates a grid in a view. Are there any more configurations, imports or settings needed? Is there something wrong with the syntax? I am definitely missing something. Any help?

It doesn’t really make sense to do that on the UI side.

What you can and should do is protect access to views with the @RolesAllowed annotation.

If you need more fine-tuned control, you can use the security context to access the current user.

The framework isn’t able to know what you would want the UI to do when access to a specific method is prevented. So you just code it yourself.

So if there are parts of the view that should not be visible for certain users, you need to access the rights of the user and make the appropriate checks with code, right?

Right.

The annotation will throw an exception if you don’t have the access, so that’s not a good UX :).
You need to add a condition like `if (SecurityUtils.isAdmin()) { doAdminStuff(); }`

I have a personal opinion that you should minimize the amount of rights checks in UI code. Aim to protect the views and the calls you make to external services. If you need to display content conditionally, make the security check at least in a Presenter class and modify the data accordingly.

I get your point guys, I will follow your advice, thank you. However, just to “broaden my knowledge”, if I did want to use @RolesAllowed on a method level, one that does not necessarily affect the UI but data modifications or something like that, how would I write it? In the example I provided in the description, should I not get an exception like “nonsense is not an existing role” or “this user is not allowed to perform this action” or something like that? It seems like the program did not even “see” the annotation on the method.

Did you configure it? https://www.baeldung.com/spring-security-method-security
You can find the property jsr250Enabled.

(Note: By doing this Spring will create a proxy class for every Spring bean so it’s quite heavy)

And there is an open issue when you enable it: Proxied Vaadin routes are rebuilt instead of reused · Issue #16062 · vaadin/flow · GitHub
But normally the annotation with a role you don’t have should throw an exception.
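To make the configuration step above concrete, here is an added example (not code from this thread or from Vaadin) showing how the `jsr250Enabled` property turns method-level `@RolesAllowed` on, why a call can look as if the annotation was never “seen”, and how a presenter handles the resulting exception. It assumes Spring Boot 3 / Spring Security 6 (`jakarta.*` packages); `ReportService`, `ReportPresenter` and their methods are made-up names. Class-level `@RolesAllowed` on a `@Route` view works without this because Vaadin checks it itself during navigation, not through Spring’s method security.

```java
// Added example: enable JSR-250 method security so @RolesAllowed on a *method*
// is enforced, and handle the resulting exception in the UI layer.
// Assumes Spring Boot 3 / Spring Security 6; class and method names are made up.
import jakarta.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Without jsr250Enabled = true, a method-level @RolesAllowed is silently ignored:
// the bean is never proxied, so the call simply goes through for every user.
@Configuration
@EnableMethodSecurity(jsr250Enabled = true)
public class MethodSecurityConfig {
}

// The role name is matched against the authority "ROLE_ADMIN"; Spring adds the
// "ROLE_" prefix unless the value already carries it. Note that the check only
// runs when the call comes through the Spring proxy: a method calling another
// secured method of the same class (self-invocation) bypasses it.
@Service
class ReportService {

    @RolesAllowed("ADMIN")
    public String deleteAllReports() {
        return "deleted";
    }

    // A role nobody holds: every caller gets AccessDeniedException, as in the
    // @RolesAllowed("nonsense") case from the question.
    @RolesAllowed("nonsense")
    public String neverAllowed() {
        return "unreachable";
    }
}

// In a presenter (not the view itself, per the advice above) the secured call
// must be guarded: the annotation throws rather than quietly hiding anything.
class ReportPresenter {
    private final ReportService service;

    ReportPresenter(ReportService service) {
        this.service = service;
    }

    String tryDeleteAll() {
        try {
            return service.deleteAllReports();
        } catch (AccessDeniedException e) {
            // Disable the button or show a notification instead of an error page.
            return "not allowed";
        }
    }
}
```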

Well, I am using @RolesAllowed on a class level, and that works as expected, so I thought that there is nothing more needed for the methods.

I will study the content of the links you provided and see if there is something missing.