Role-Based Access Control (RBAC) ensures users can only perform the actions allowed for their role. Let’s build a simple RBAC setup using Firebird and Spring Boot.

1. Add Dependencies

Add the required dependencies to your pom.xml:
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
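<dependency>
  <groupId>org.firebirdsql.jdbc</groupId>
  <artifactId>jaybird</artifactId>
  <version>5.0.3</version>
</dependency>
<!-- Needed for the @RestController endpoints in step 7 -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
</dependency>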

2. Configure Firebird Database

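Add configuration to application.properties (sysdba/masterkey is Firebird's well-known default administrator login; outside local testing, connect with a dedicated, least-privileged database account):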
spring.datasource.url=jdbc:firebirdsql://localhost:3050/D:/data/mydb.fdb
spring.datasource.username=sysdba
spring.datasource.password=masterkey
spring.jpa.hibernate.ddl-auto=update

3. Create User and Role Entities

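import jakarta.persistence.*;
import java.util.Set;

// Role.java
@Entity
public class Role {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String name;      // stored without the "ROLE_" prefix, e.g. "ADMIN"

    public String getName() { return name; }
}

// User.java
@Entity
@Table(name = "app_user")     // USER is a reserved word in Firebird
public class User {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String username;
    private String password;  // BCrypt hash, never the plaintext password
    @ManyToMany(fetch = FetchType.EAGER)
    private Set<Role> roles;

    public String getUsername() { return username; }
    public String getPassword() { return password; }
    public Set<Role> getRoles() { return roles; }
}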

4. Create Repositories

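import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;

// Looks up the account that loadUserByUsername() authenticates against
public interface UserRepository extends JpaRepository<User, Long> {
    Optional<User> findByUsername(String username);
}
public interface RoleRepository extends JpaRepository<Role, Long> {}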

5. Implement UserDetailsService

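import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired private UserRepository repo;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
        // hasRole("ADMIN") checks for the authority "ROLE_ADMIN", so add the prefix here
        List<SimpleGrantedAuthority> authorities = user.getRoles()
            .stream()
            .map(r -> new SimpleGrantedAuthority("ROLE_" + r.getName()))
            .toList();
        return new org.springframework.security.core.userdetails.User(
            user.getUsername(), user.getPassword(), authorities);
    }
}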

6. Security Configuration

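import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // CSRF protection is disabled for this demo API
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Patterns must include the controller's /api prefix; without it
                // every endpoint falls through to anyRequest().permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/user/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().permitAll())
            .httpBasic(Customizer.withDefaults())
            .build();
    }

    // Stored passwords must be BCrypt hashes produced by this encoder
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}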

7. Create Example Endpoints

@RestController
@RequestMapping("/api")
public class RoleController {

    @GetMapping("/admin/dashboard")
    public String adminOnly() {
        return "Welcome Admin!";
    }

    @GetMapping("/user/profile")
    public String userAccess() {
        return "Welcome User!";
    }

    @GetMapping("/public/info")
    public String publicInfo() {
        return "Public Info Accessed";
    }
}

8. Test RBAC

  • /api/public/info → open to everyone
  • /api/user/profile → accessible by USER or ADMIN
  • /api/admin/dashboard → ADMIN only
Spring Security uses roles from Firebird to enforce access control.