There are multiple annotations supported by Spring Security. But, in this article, we will discuss about these annotations can be used in a Spring Boot project as well. These annotations play a crucial role in creating a web application in Spring Boot. The Spring Security annotations are a powerful way to secure Spring applications. By using these annotations, you can control who has access to your application's resources and how they can interact with them.

Annotations

1. @Secured

• The @Secured annotation is used to specify a list of roles that are allowed to access a method or class. The roles are specified as a comma-separated list. [(ROLE_VIEWER) ,(ROLE_ADMIN),(ROLE_EDITOR) ]
• The @Secured annotation doesn’t support Spring Expression Language (SpEL).

@Secured({ "ROLE_ADMIN", "ROLE_SUPER_ADMIN" })
public void createUser(User user)
{
    // ... logic for create User
}

2. @PreAuthorize

• The @PreAuthorize annotation is used to specify an expression that must be evaluated to be true in order for a method or class to be accessible. The expression is written in Spring Expression Language (SpEL).
• The @PreAuthorize annotation can be used to control access to methods, classes, and even entire applications.

@PreAuthorize("hasRole('ROLE_ADMIN')")
public void deleteAdminUser(Long userId)
{
    // ... logic for delete User
}

3. @PostAuthorize

• The @PostAuthorize annotation is used to specify an expression that must be evaluated to true after a method or class has been executed. The expression is written in SpEL.
• The @PostAuthorize annotation can be used to control the results of a method or class.

@PostAuthorize(
    "hasRole('ROLE_ADMIN') and hasPermission(returnObject, 'read:courses')")
public List<Course>
findAllCourses()
{
    // ... logic for find all courses
}

4. @PreFilter

• The @PreFilter annotation is used to specify an expression that must be evaluated to true in order for a method or class to be included in a security filter chain. The expression is written in SpEL.

@PreFilter(
    "hasRole('ROLE_ADMIN') and hasPermission(filterObject, 'read:courses')")
public void
deleteCourses(List<Course> courses)
{
    // ... logic for delete Courses
}

5. @PostFilter

• The @PostFilter annotation is used to specify an expression that must evaluate to true after a method or class has been executed in order for it to be included in a security filter chain.

@PostFilter(
    "hasRole('ROLE_ADMIN') and hasPermission(filterObject, 'read:classes')")
public List<Class>
findAllClasses()
{
    // ...logic for find all classes
}

6. @RolesAllowed

• The @RolesAllowed annotation is more flexible than the @Secured annotation because it allows you to specify an expression that evaluates to a list of roles. This expression can be written in Spring Expression Language (SpEL).
• The @RolesAllowed annotation is a JSR-250 annotation, which means that it is also supported by other security frameworks, such as Apache Shiro.

@RolesAllowed("ROLE_ADMIN")
public void deleteCourse(Long courseId)
{
    // ... logic for delete course
}

7. @AuthenticationPrincipal

• The @AuthenticationPrincipal annotation is a Spring Security annotation that is used to inject the current authenticated user into a method or class. The user is injected as a Spring Security Authentication object.
• The @AuthenticationPrincipal annotation can be used in any Spring Security context, including web applications, RESTful APIs, and microservices.

@GetMapping("/username")
public String getUsername(@AuthenticationPrincipal String username) {
  // ...
}

8. @RoleHierarchy

• The @RoleHierarchy annotation can be used to simplify the security configuration of your Spring application. By defining a role hierarchy, you can reduce the number of @RolesAllowed or @PreAuthorize annotations that you need to write.

@RoleHierarchy(value = { "ROLE_ADMIN > ROLE_USER",
                         "ROLE_SUPER_ADMIN > ROLE_ADMIN" })

Conclusion

Spring Security provides a rich set of annotations to secure Spring MVC controllers, REST endpoints, and domain model methods. So in summary, annotations provide an elegant and declarative way to implement authorization and access control in Spring Security applications.