Role-Based Access Control

Role-Based Access Control (RBAC) is a fundamental and widely used security model in Spring Security. It allows you to define and enforce access control based on roles assigned to users. Here's how to implement RBAC in Spring Security:

Step 1: Define Roles and Permissions:

Define roles and permissions that reflect the access control requirements of your application. Roles are typically assigned to users, while permissions specify what actions or resources users with specific roles can access.

    // Example roles
    enum Role {
        ADMIN, USER, GUEST
    }

    // Example permissions
    enum Permission {
        READ, WRITE, DELETE
    }

Step 2: Configure Spring Security:

In your Spring Security configuration, specify access control rules based on roles and permissions. You can do this using the HttpSecurity object. For example:

    // Spring Security 5.x style. WebSecurityConfigurerAdapter was deprecated in 5.7
    // and removed in 6.0, where the same rules are declared as a SecurityFilterChain bean.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // Rules are checked in order; the first matching rule decides
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .antMatchers("/user/**").hasRole("USER")
                    .antMatchers("/public/**").permitAll()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }

In this example, users with the "ADMIN" role can access URLs under "/admin/**", users with the "USER" role can access URLs under "/user/**", and everyone can access URLs under "/public/**". hasRole("ADMIN") checks for an authority named "ROLE_ADMIN"; Spring Security adds the prefix for you. Rules are evaluated in order and the first match wins, and a request that matches none of these rules is not restricted by this configuration.
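The same rules written against the component-based API that replaced WebSecurityConfigurerAdapter (deprecated in Spring Security 5.7, removed in 6.0). This is an added example, not code from the original page; it assumes Spring Security 6 and adds a catch-all anyRequest().authenticated() so that any path not listed is denied by default rather than left open.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Most specific rules first: the first matching rule decides.
                .requestMatchers("/admin/**").hasRole("ADMIN")   // needs authority "ROLE_ADMIN"
                .requestMatchers("/user/**").hasRole("USER")     // needs authority "ROLE_USER"
                .requestMatchers("/public/**", "/login").permitAll()
                // Default deny: anything not listed above requires an authenticated user.
                // Without this line, unlisted paths would pass through unrestricted.
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll()
            )
            .logout(Customizer.withDefaults());
        return http.build();
    }
}
```

The catch-all is the line to review first when auditing a configuration like this: with it, forgetting to list a new endpoint fails closed; without it, the same mistake silently exposes the endpoint.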

Step 3: Assign Roles to Users:

In your user details service, assign roles to users when you load their details. This can be done in a custom UserDetailsService implementation, a database, or another user store. Spring Security's hasRole("USER") check expects an authority named "ROLE_USER", so include that prefix when you build the authorities.

    @Service
    public class CustomUserDetailsService implements UserDetailsService {

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // Load user details from your data source; throw UsernameNotFoundException
            // if the user does not exist
            // Assign roles to the user based on your application's logic
            Set<GrantedAuthority> authorities = new HashSet<>();
            // hasRole("USER") matches the authority "ROLE_USER", so keep the prefix
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            // The password must be in PasswordEncoder form; "{noop}" marks a plaintext
            // demo value. Real code returns the stored hash, never a literal
            return new User(username, "{noop}password", authorities);
        }
    }

Step 4: Secure Your Controller Methods:

Annotate your controller methods with @PreAuthorize or @Secured annotations to specify which roles or permissions are required to access them. These annotations take effect only when method security is enabled in your configuration. For example:

    // Requires method security to be enabled, e.g. @EnableGlobalMethodSecurity(prePostEnabled = true)
    // on a configuration class (Spring Security 5.x)
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/some-resource")
    public String adminResource() {
        // Controller logic; return the view name (or the body, in a @RestController)
        return "admin-resource";
    }
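Step 1 defines both roles and permissions, but the snippets above only ever check roles. The following added example (not code from the original page) wires the two together: each Role expands into a ROLE_-prefixed authority plus one plain authority per permission, so a method can be guarded by hasAuthority('DELETE') rather than by naming every role that happens to include it. It assumes Spring Security 5.6 or later for @EnableMethodSecurity, and a DocumentController with the paths shown, which are invented for the example; the Step 3 service would return new User(username, storedHash, Role.USER.toAuthorities()).

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

/** Fine-grained permissions; these become plain authorities (no ROLE_ prefix). */
enum Permission { READ, WRITE, DELETE }

/** Each role bundles the permissions it grants. */
enum Role {
    ADMIN(EnumSet.allOf(Permission.class)),
    USER(EnumSet.of(Permission.READ, Permission.WRITE)),
    GUEST(EnumSet.of(Permission.READ));

    private final Set<Permission> permissions;

    Role(Set<Permission> permissions) {
        this.permissions = permissions;
    }

    /** Expands the role into the authorities Spring Security evaluates. */
    public List<GrantedAuthority> toAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_" + name()));   // matched by hasRole("ADMIN")
        for (Permission permission : permissions) {
            authorities.add(new SimpleGrantedAuthority(permission.name())); // matched by hasAuthority("DELETE")
        }
        return authorities;
    }
}

/** @PreAuthorize is ignored unless method security is switched on. */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig { }

/** Hypothetical controller used to show permission-level checks. */
@RestController
class DocumentController {

    @PreAuthorize("hasAuthority('READ')")   // USER, GUEST and ADMIN all carry READ
    @GetMapping("/documents/{id}")
    public String readDocument(@PathVariable String id) {
        return "document " + id;
    }

    @PreAuthorize("hasAuthority('DELETE')") // only ADMIN carries DELETE
    @DeleteMapping("/documents/{id}")
    public String deleteDocument(@PathVariable String id) {
        return "deleted " + id;
    }
}
```

Keeping the role-to-permission table in one place means a new role, or a permission moved between roles, is a single edit that every @PreAuthorize expression picks up, instead of a search across controllers for hasAnyRole lists that have drifted apart.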

Step 5: Error Handling:

Handle access denied errors and customize the error message or behavior shown to unauthorized users. By default Spring Security answers a denied request from an authenticated user with HTTP 403; an AccessDeniedHandler lets you replace that response and record the attempt.
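An AccessDeniedHandler that logs the denied attempt and returns a uniform 403 body, as an added example that is not part of the original page. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet imports and the SecurityFilterChain style); the class and bean names are invented for the example. Denials from URL rules and from @PreAuthorize both arrive here, as long as no @ControllerAdvice swallows AccessDeniedException first. Unauthenticated requests take a different path: they go to the AuthenticationEntryPoint (the login redirect), not to this handler.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

@Component
public class LoggingAccessDeniedHandler implements AccessDeniedHandler {

    private static final Logger log = LoggerFactory.getLogger(LoggingAccessDeniedHandler.class);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String principal = auth == null ? "anonymous" : auth.getName();

        // Audit record: who tried to reach what. Ship this to your log pipeline; a burst of
        // 403s from one account is a useful signal that someone is probing for access they lack.
        log.warn("access denied: user={} method={} uri={} remote={}",
                principal, request.getMethod(), request.getRequestURI(), request.getRemoteAddr());

        // Uniform, non-revealing response: no stack trace, no hint about which role was needed.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.getWriter().write("{\"error\":\"forbidden\"}");
    }
}

/** Wires the handler into the filter chain (invented configuration class). */
@Configuration
class AccessDeniedConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            LoggingAccessDeniedHandler handler) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/public/**", "/login").permitAll()
                .anyRequest().authenticated())
            .exceptionHandling(ex -> ex.accessDeniedHandler(handler))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The response body is deliberately the same for every denied request; telling a caller which role they were missing is information an attacker can use to pick the next account to try, and it is of no use to a legitimate user.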

Step 6: Testing:

Thoroughly test your RBAC implementation to ensure that access control works as expected, including the negative cases: a user holding the wrong role, and an unauthenticated request, must both be refused.

Role-Based Access Control in Spring Security is a powerful way to manage access to different parts of your application based on user roles and permissions. It offers a flexible and fine-grained approach to access management, making it a crucial component for building secure applications.