Secure Employee Management System
Overview
The employee management system we have is running with all its functional features; however, it is missing one important aspect: security.
Dependency
The only dependency we need to add is starter-security.
Secure It
Step 1 - Create User and Roles Entities and Tables.
To work with Spring Security, we need two entities, User and Role, with their corresponding tables, and a many-to-many relationship between users and roles.
User Entity
Role Entity
To represent the many-to-many relationship, we need three tables in the database.
Step 2 - Repository
We need a UserRepository to interact with the User entity.
Step 3 - UserDetailService
We need a concrete class that implements UserDetailsService.
Step 4 - Controller to Register and Login User
AuthenticationController
Step 5 - Security Configuration
We need to configure Spring Security to tie the different classes together and make it work for us.
With this configuration in place, all our endpoints are secured by Spring Security except /register and /login.
We use JWT-based authentication in our code.
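The following is an added example, not the article's own code, of what Steps 3 to 5 amount to in a Spring Security 6 / Spring Boot 3 application: a stateless filter chain that leaves /register and /login open, requires authentication everywhere else, and populates the security context from a bearer JWT. The JwtService interface is a hypothetical helper standing in for whatever JWT library the project uses; the package name and class names are assumptions.

```java
// Added example (not the article's code): stateless Spring Security 6 configuration with a JWT filter.
// JwtService is a hypothetical helper; a real one wraps a JWT library and verifies signature and expiry.
package com.example.ems.security;

import java.io.IOException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Hypothetical token helper (assumed name); extractUsername throws a RuntimeException on a bad token. */
interface JwtService {
    String extractUsername(String token);
    boolean isValid(String token, UserDetails user);
}

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private final JwtAuthenticationFilter jwtFilter;

    public SecurityConfig(JwtAuthenticationFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No session cookie is issued, so cookie-based CSRF does not apply to this API.
            .csrf(csrf -> csrf.disable())
            // Every request must carry its own token; nothing is remembered server-side.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/register", "/login").permitAll()
                .anyRequest().authenticated())
            // Fill the SecurityContext from the token before the authorization rules run.
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // /register stores the hash, never the plaintext
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();   // /login uses this to verify credentials
    }
}

@Component
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    JwtAuthenticationFilter(JwtService jwtService, UserDetailsService userDetailsService) {
        this.jwtService = jwtService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);   // no token: stay anonymous and let the rules reject
            return;
        }
        String token = header.substring("Bearer ".length());
        try {
            String username = jwtService.extractUsername(token);
            if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                UserDetails user = userDetailsService.loadUserByUsername(username);
                if (jwtService.isValid(token, user)) {
                    // Authorities are loaded from the database, not read from the token,
                    // so a role change takes effect on the user's next request.
                    var auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            }
        } catch (RuntimeException e) {
            SecurityContextHolder.clearContext();   // tampered or expired token: treat as unauthenticated
        }
        chain.doFilter(request, response);
    }
}
```

Because no form login or HTTP Basic entry point is configured, Spring Security answers an unauthenticated request with its default 403 Forbidden response, which is the status the verification section below observes; registering an AuthenticationEntryPoint that returns 401 is a matter of preference.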
Verification
- Let's try to invoke any employee API.
The response is 403 Forbidden because we haven't authenticated yet.
- Register a new user
Let's try registering a new user with the required details.
- Login with the registered user
A successful login returns a JWT token in the response, which must be carried with subsequent requests.
Let's try to create a new employee using the acquired token.
Likewise, all the other employee-related APIs can be invoked by providing the acquired JWT token.
Secure Admin Endpoints
Everything to this point is fine, but our application has one serious security issue: an employee can also invoke the admin endpoints, which is not the behavior we want. Only admin users should be allowed to access admin-related endpoints.
We will use method-level security to fix the problem. Simply put, Spring Security supports authorization at the method level: putting the required role on a method with the @Secured annotation protects that method from unauthorized access.
Let's secure our admin endpoints.
1. Enable method-level security.
2. Secure methods
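The two steps above, as an added example that is not the article's code: enabling @Secured, building the user's authorities in the UserDetailsService from Step 3, and annotating the admin-only operation. The entity classes User, Role and Employee, the repositories UserRepository and EmployeeRepository, and the package name are assumed to exist as in the earlier steps.

```java
// Added example (not the article's code): ROLE_-prefixed authorities plus @Secured on an admin operation.
// User, Role, Employee, UserRepository (Optional<User> findByEmail) and EmployeeRepository are assumed.
package com.example.ems.security;

import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

/** Step 1: turn on @Secured. Before Spring Security 5.6 this was @EnableGlobalMethodSecurity(securedEnabled = true). */
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

/** The UserDetailsService from Step 3, with the role-to-authority mapping that @Secured relies on. */
@Service
class DatabaseUserDetailsService implements UserDetailsService {
    private final UserRepository users;   // assumed JPA repository

    DatabaseUserDetailsService(UserRepository users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
        User user = users.findByEmail(email)
                .orElseThrow(() -> new UsernameNotFoundException("no user " + email));
        // @Secured("ROLE_ADMIN") compares authority strings literally, so the ROLE_ prefix
        // must be added here; a role stored as plain "ADMIN" would otherwise never match.
        List<SimpleGrantedAuthority> authorities = user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName()))
                .toList();
        return org.springframework.security.core.userdetails.User
                .withUsername(user.getEmail())
                .password(user.getPassword())   // BCrypt hash written by /register
                .authorities(authorities)
                .build();
    }
}

/** Step 2: annotate the admin-only operation; reads stay open to every authenticated user. */
@Service
class EmployeeService {
    private final EmployeeRepository employees;   // assumed Spring Data repository

    EmployeeService(EmployeeRepository employees) {
        this.employees = employees;
    }

    public List<Employee> findAll() {
        return employees.findAll();
    }

    @Secured("ROLE_ADMIN")
    public void delete(Long id) {
        // A caller without ROLE_ADMIN never reaches this line: the security proxy throws
        // AccessDeniedException, which the web layer turns into 403 Forbidden.
        employees.deleteById(id);
    }
}
```

The annotation can equally be placed on a controller handler. One caveat worth checking in a code review: the check is enforced by a Spring proxy, so a call to delete() from another method inside the same EmployeeService bypasses it; only calls that arrive through the injected bean are guarded.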
Verification
1. Let's create another user in the system with the admin role.
Now we have two users in the database.
Let's try to delete an employee as t.stark@gmail.com.
As expected, the user is not allowed to perform the action.
Let's try again as user s.rogers@gmail.com.
Full source code is available at the GitHub location.
Conclusion
In this article, we have:
- Secured the employee management system using Spring Security.
- Used a JWT token for authentication.
- Implemented Spring Security method-level security based on user roles.