Lesson 1 of 28

Learn Spring Security


01. Bootstrap The Application
1. Introduction
2. Install Spring Security
3. Enable Basic Auth
4. Authentication with AppUser
5. Password Encoder
02. Web Layer Security - RBAC
6. Permit Public APIs
7. Role Based Authorization
8. Disable CSRF
9. Current Authenticated User
03. Web Layer Security - PBAC
10. Permission Based Authorization
11. Define Permissions
12. Assign Permissions
13. Remove Role Based Access
04. Service Layer Security
14. PreAuthorize
15. PostAuthorize
16. Authorize Using Spring Beans
05. Domain Object Instance Security
17. Domain Object Instance Security
18. PermissionEvaluator Interface
19. PermissionEvaluator Strategy
20. DB Backed UserDetailsService
06. Token Based Authentication
21. Basic Authentication Revisited
22. Generate Token
23. Persist Token
24. Verify Token
25. Invalidate Token
07. Token Based Authentication and Authorization
26. JSON Web Token
27. Generate JWT
28. Verify JWT


Application security boils down to two more or less independent problems: Authentication (Who are you?) and Authorization (What are you allowed to do?). Spring Security is a framework that provides authentication, authorization and protection against common attacks, and it is the de-facto standard for securing Spring-based applications.

About Course

This course offers a step-by-step guide in securing the REST APIs by introducing some of the most commonly used concepts in Spring Security. This course assumes you have basic knowledge of Spring Boot and REST APIs.

Course Management System

The course management system is a Spring Boot application having a collection of REST APIs to manage courses, students and instructors. The actors who can interact with these APIs are

  • Student
  • Instructor
  • Admin

It uses Spring Data JPA to persist data in MySQL database. Below is the simple Entity-Relationship diagram of the application.

Entity-Relationship Diagram
Entity-Relationship Diagram


At the moment, all the REST APIs are accessible to everyone. Our objective is to secure each of them from unauthorized users, as expected below.

List CoursesAny user can browse through the list of available courses
Get CourseAny user can view the details of a course
Create CourseInstructors can only create a new course
Update CourseInstructor who created the course can only update it
Play CourseInstructor who created the course can only play it.
Students who are enrolled on the course can only play it.
List StudentsAdmin can only view the list of students
List InstructorsAdmin can only view the list of instructors
View User ProfileUsers can only view their profile.
Any user can view an Instructor's profile.


  1. Checkout the code from GitHub.
  2. Edit your database details in application.properties.
  3. Build and Run the application in IDE of your choice.
  4. Running the application will automatically create (or update) the database entities. It will also add few sample records using AppDataInitialiser.
  5. Understanding the business logic of each REST API is not required.
  6. Make yourself familiar with the below users and their roles created by default in order to test the security implementation.
StudentBob, Kevin, Stuart
InstructorGru, Lucy