Mastering Springboot Security

Authorization & Role-Based Access Control (RBAC)

Learning Outcome

1. Understand stateful and stateless authentication differences
2. Explain JWT authentication workflow in Spring Security
3. Identify problems with traditional session authentication
4. Understand JWT structure and signature verification
5. Analyze scalability benefits of stateless authentication

In the previous lecture, we saw how stateless authentication using JWT works.

JWT helps the application identify:

“Who is the user?”

But after identifying the user, another important question arises:

“What is this user allowed to access?”

After authentication:

Should every user access everything?

Should a normal user delete data?

Should admin features be public?

No, right?

Now, this is where Authorization comes into play.

It is commonly handled using RBAC (Role-Based Access Control).

It controls:

“What is the user allowed to access or perform?”

  • Which APIs can be accessed
  • Which operations are permitted
  • Which resources should remain restricted

What is RBAC?

Role-Based Access Control is a mechanism that restricts system access based on roles.

  • Users are assigned roles
  • Roles define allowed actions
  • Access is managed through roles

Why Roles Alone Are Not Enough

Roles Only:
  • Limited flexibility
  • Hard to customize access
  • All-or-nothing approach

Roles + Permissions:
  • Granular control
  • Better scalability
  • Precise access management

Real systems often use Roles + Permissions together.

ROLE_ Prefix in Spring Security

Convention

Roles must start with ROLE_

Example

  •  ROLE_USER
  •  ROLE_ADMIN

Internally, hasRole("ADMIN") checks for the authority ROLE_ADMIN:

http.authorizeHttpRequests(auth ->
    auth.requestMatchers("/admin/**")
        .hasRole("ADMIN") // hasRole adds the ROLE_ prefix, so this checks ROLE_ADMIN
);

// The stored authority must carry the prefix explicitly, otherwise hasRole("ADMIN") never matches
GrantedAuthority authority =
    new SimpleGrantedAuthority("ROLE_ADMIN");
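As an added example (not from the slides), a complete Spring Security 6 configuration that combines the role checks above with permission authorities, as the "Roles + Permissions" slide recommends. It assumes the JWT filter from the previous lecture already populates the SecurityContext with these authorities; RbacSecurityConfig, authoritiesFor and the data:delete permission name are made up for the illustration.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class RbacSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no session and no cookie, so no CSRF token is involved
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") matches the stored authority ROLE_ADMIN
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Permission check: hasAuthority takes the string as-is, no ROLE_ prefix
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasAuthority("data:delete")
                .requestMatchers("/api/**").hasAnyRole("USER", "ADMIN")
                // Deny by default: anything not listed above still needs a valid token
                .anyRequest().authenticated());
        return http.build();
    }

    /**
     * Hypothetical helper: turns a role name plus its permissions into the
     * GrantedAuthority list placed in the SecurityContext. The ROLE_ prefix is
     * added exactly once here, so hasRole("ADMIN") and hasAuthority("data:delete")
     * both match for an admin holding the data:delete permission.
     */
    public static List<GrantedAuthority> authoritiesFor(String role, List<String> permissions) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        for (String permission : permissions) {
            authorities.add(new SimpleGrantedAuthority(permission));
        }
        return authorities;
    }
}
```

A user built with authoritiesFor("USER", List.of()) can read /api/** but gets 403 on DELETE, while authoritiesFor("ADMIN", List.of("data:delete")) passes all three matchers.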

Summary

1. Sessions require continuous server-side user storage
2. JWT enables scalable and stateless authentication systems
3. Tokens securely carry identity and permission details
4. Signature verification ensures token integrity and trust
5. JWT reduces dependency on centralized server sessions

Quiz

What is the main advantage of JWT authentication?

A. Requires server-side session storage

B. Supports only single-server applications

C. Enables stateless and scalable authentication

D. Stores passwords inside the token

Quiz-Answer

SpringBoot - Authorization & Role-Based Access Control (RBAC)

By Content ITV
