If you're looking to enhance the security of your REST services and integrate with modules such as OAuth, Facebook, Twitter, and more, consider adding the Spring Security dependency. With Spring Security, you get complete control over permissions by configuring them in a Java class or in XML.
Here's an example for you:
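@Configuration
@EnableWebSecurity
@Import({ConfigDAO.class, ConfigService.class})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** JDBC source for the {@code cds_usuario} user and authority lookups. */
    @Autowired
    private DataSource datasource;

    /** Encoder used to verify the stored {@code senha} value on login. */
    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Registers JDBC-backed authentication against the {@code cds_usuario} table.
     *
     * <p>Passwords are compared through the injected {@link PasswordEncoder}, so the
     * {@code senha} column must hold hashes produced by that same encoder, never plain
     * text. The authorities query returns {@code perfil} unchanged, so that column must
     * contain the exact names checked in {@link #configure(HttpSecurity)}, e.g.
     * {@code ROLE_ADMIN} and {@code ROLE_ALUNO}.
     *
     * @param auth the builder the JDBC authentication provider is registered on
     * @throws Exception propagated from the Spring Security builder API
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(datasource)
            .passwordEncoder(passwordEncoder)
            .usersByUsernameQuery(
                "select usuario, senha as password, habilitado as enabled from cds_usuario where usuario = ?")
            .authoritiesByUsernameQuery(
                "select usuario, perfil as authority from cds_usuario where usuario = ?");
        // The earlier version ended the chain with .getUserDetailsService(); its return
        // value was discarded and the call does not alter the builder, so it is dropped.
    }

    /**
     * Defines request authorization, form login, logout and session rules.
     *
     * <p>Two behaviours differ from the earlier version of this configuration: CSRF
     * protection is left enabled (the previous {@code csrf().disable()} removed it from a
     * cookie-session, form-login application, which is precisely the case it exists for),
     * and logout now invalidates the HTTP session so an authenticated session cannot be
     * reused after {@code /logout}. With CSRF enabled, the form posted to
     * {@code /autenticar} and the {@code /logout} request must carry the CSRF token, and
     * {@code /logout} is only honoured for POST.
     *
     * @param http the security builder for the application's HTTP requests
     * @throws Exception propagated from the Spring Security builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Most specific rules first: protected areas before the public paths.
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/painel**").access("hasRole('ROLE_ALUNO')")
                .antMatchers("/").access("permitAll")
                .antMatchers("/cadastro**").access("permitAll")
                .antMatchers("/error/**").access("permitAll")
            .and()
                .formLogin()
                .usernameParameter("username")
                .passwordParameter("senha")
                .loginPage("/")
                .loginProcessingUrl("/autenticar")
                .failureUrl("/")
                .defaultSuccessUrl("/painel")
            .and()
                .logout()
                // NOTE(review): this deletes a cookie literally named "remove" -- confirm that
                // is the intended cookie name (the session cookie is usually JSESSIONID).
                .deleteCookies("remove")
                // Drop the server-side session on logout; the earlier version kept it (false).
                .invalidateHttpSession(true)
                .logoutUrl("/logout")
                .logoutSuccessUrl("/")
            .and()
                .exceptionHandling().accessDeniedPage("/403");
        // One concurrent session per user; an expired session is redirected to /logout.
        // With CSRF enabled that URL only logs out on POST, so a GET there presumably
        // falls through to the authorization rules and ends at the login page -- confirm.
        http.sessionManagement().maximumSessions(1).expiredUrl("/logout");
    }
}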