Spring Boot applications often handle sensitive data through various API endpoints. Proper authorization is crucial to ensure only authorized users can access specific functionalities. This blog post will guide you through implementing endpoint authorization in Spring Boot using Aspect-Oriented Programming (AOP) and custom annotations.

Understanding the Problem

Imagine your application offers different user roles with varying access levels. Basic users might only see basic information, while admins have access to everything. Without proper authorization, anyone could potentially access any endpoint, exposing sensitive data.

AOP and Custom Annotations

AOP allows us to intercept method calls and perform actions before or after the actual execution. We can leverage this to check user permissions before processing a request. Custom annotations provide a clean way to define the required access level for each endpoint.

Let’s Build Our Solution

1. Defining Access Levels: We start with an AccessLevel enum to represent different user roles (ADMIN, BASIC, etc.).

public enum AccessLevel {
  ADMIN, ALL, BASIC, PREMIUM, ANONYMOUS
}

2. Creating the @SecureEndpoint Annotation: This annotation marks methods or entire controllers that require authorization. It optionally takes an array of allowed AccessLevel values.

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface SecureEndpoint {
  AccessLevel[] allowedAccessLevels() default AccessLevel.ANONYMOUS;
}

3. Implementing the SecurityAspect: This is the AOP magic. The @Before advice ensures it runs before any method annotated with @SecureEndpoint or within a controller annotated with @SecureEndpoint.
   • The aspect retrieves the authorization header from the request (implementation details omitted for brevity).
   • It then extracts the user’s type from the authorization token (replace "BASIC" with your token parsing logic).
   • The aspect retrieves the @SecureEndpoint annotation and its allowed access levels.
   • Finally, it checks if the user’s type matches any of the allowed access levels. If not, an UnauthorizedException is thrown, preventing further processing.

@Component
@Slf4j
public class SecurityAspect {

  @Before(value = "@annotation(com.example.service.config.SecureEndpoint) || @within(com.example.service.config.SecureEndpoint) ")
  public void beforeSecureEndpoint(JoinPoint joinPoint) {
    String authorizationHeader = Utilities.getAuthorizationHeaderFromRequest();
    if (authorizationHeader == null) {
      throw new UnauthorizedException();
    }
    // TODO: Extract userType from jwt authentication token here
    String userType = "BASIC";
    SecureEndpoint annotation = getAnnotation(joinPoint);
    AccessLevel[] allowedAccessLevels = annotation != null ? annotation.allowedAccessLevels() : new AccessLevel[]{AccessLevel.ANONYMOUS};
    if (Arrays.stream(allowedAccessLevels).noneMatch(accessLevel -> accessLevel.name().equals(userType))) {
      log.info("Insufficient permissions to access method {} by user type {} ",joinPoint.getSignature().getName(),userType);
      throw new UnauthorizedException();
    }
  }

  private SecureEndpoint getAnnotation(JoinPoint joinPoint) {
    MethodSignature signature = (MethodSignature) joinPoint.getSignature();
    Method method = signature.getMethod();
    SecureEndpoint methodAnnotation = method.getAnnotation(SecureEndpoint.class);
    if (methodAnnotation != null) {
      return methodAnnotation;
    }
    Class<?> declaringType = joinPoint.getSignature().getDeclaringType();
    return declaringType.getAnnotation(SecureEndpoint.class);
  }
}

4. Creating the Test Controller: This demonstrates the usage of our annotations. The /getAll endpoint requires admin access, while the base /test route allows everyone.

@RestController
@RequestMapping("/test")
@SecureEndpoint(allowedAccessLevels = {AccessLevel.ALL})
public class TestController {

  @GetMapping("/getAll")
  @SecureEndpoint(allowedAccessLevels = {AccessLevel.ADMIN})
  public List<String> getAll() {
    return List.of("https://example.com");
  }
}

Benefits of this Approach

• Clean Separation of Concerns: Security logic is encapsulated within the aspect, keeping controllers focused on business logic.
• Modular and Reusable: The @SecureEndpoint annotation simplifies authorization configuration for endpoints.
• Extensible: The AccessLevel enum can be easily expanded to accommodate new user roles.

Remember: This example provides a basic structure. Real-world implementations would involve integrating with a token-based authentication system for user type extraction and potentially using libraries for easier token parsing.

Here’s how to enhance this solution for a more robust implementation:

1. Token Parsing Integration:

• Replace the placeholder String userType = “BASIC”; in SecurityAspect with logic to extract the user type from your chosen token-based authentication system. This might involve libraries like Spring Security or custom token parsing utilities based on your JWT format.

2. Exception Handling:

• Consider improving exception handling. Instead of a generic UnauthorizedException, create specific exceptions for different authorization failures (e.g., InvalidTokenException, InsufficientPermissionsException).

3. Advanced Authorization Logic:

• The current approach checks for an exact user type match. You can extend this to handle more complex scenarios. For instance, define a permission hierarchy where specific roles inherit access levels from broader ones.

4. Testing:

• Write unit tests for the SecurityAspect to ensure it behaves as expected with different access levels and user types. Integration tests can verify the overall authorization flow within your application.

By incorporating these refinements, you can create a more secure and scalable authorization system for your Spring Boot application using AOP and custom annotations.