Skip to content

theodo-group/spring-access-inspector

BranchesTags

Repository files navigation

Spring Access Inspector

This tool generates a table report to verify access control on your Spring Boot routes. It scans for the @PreAuthorize, @Secured, or @RolesAllowed annotations from spring-security-config to create a access_control.html file with an easy-to-read list of all your routes and their access control annotations.

List of your routes with preauthorize annotation

Quickstart

Follow these three steps to quickly use the Spring Access Inspector:

  1. Add the plugin: Add the following plugin to the <plugins> section of your project's pom.xml:

    Java 21 
    <build>
  <pluginManagement>
    <plugins>
      <!-- ...existing plugins... -->
      <plugin>
        <groupId>com.theodo</groupId>
        <artifactId>spring-access-inspector-plugin</artifactId>
        <version>2.3.0</version>
      </plugin>
      <!-- ...existing plugins... -->
    </plugins>
  </pluginManagement>
</build>
    Java 17 
    <build>
  <pluginManagement>
    <plugins>
      <!-- ...existing plugins... -->
      <plugin>
        <groupId>com.theodo</groupId>
        <artifactId>spring-access-inspector-plugin</artifactId>
        <version>1.3.0</version>
      </plugin>
      <!-- ...existing plugins... -->
    </plugins>
  </pluginManagement>
</build>

  2. Compile the project: Run the following command to compile your project and ensure the plugin is installed:

    mvn clean install -U -DskipTests

  3. Run the inspector: Execute the inspector using the following command:

    mvn inspector:inspect

    The result will be generated in a acess_control.html file at the root of your project.

The Project

This project is composed of two parts:

  1. The Inspector: The core tool that performs the analysis.
  2. The Maven Plugin: A wrapper plugin that simplifies using the inspector in any project.

Inspector

The inspector uses Java 21. A Java 17 version is available on the branch v1-java-17.

To use the inspector locally without the plugin, follow these steps:

  1. Clone the repository:

    git clone [email protected]:theodo-group/spring-access-inspector.git

  2. Navigate to the inspector folder:

    cd spring-access-inspector/inspector

  3. Compile the code:

    mvn compile exec:java -Dexec.mainClass=com.theodo.inspector.SpringAccessInspector

  4. Run the code (using the Maven exec plugin) and provide the path to the pom.xml files you want to analyze:

    mvn exec:java -Dexec.mainClass=com.theodo.inspector.SpringAccessInspector -Dexec.args="/path/to/poms"

    Note: You may need to compile your code beforehand:

    mvn clean install -DskipTests

Maven Plugin

The Maven plugin simplifies launching the inspector by adding it to the pom.xml of the project you want to inspect. It is available on Maven Central, but you can also use it locally.

  1. Navigate to the plugin folder:

    cd spring-access-inspector/inspector-maven-plugin

  2. Compile the plugin:

    mvn clean install

  3. Add the plugin to the build/pluginManagement section of your project's pom.xml:

    <build>
  <!-- ...existing build configuration... -->
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>com.theodo</groupId>
        <artifactId>spring-access-inspector-plugin</artifactId>
        <version>2.3.0</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>

    Configuration Options:

Configuration Options

You can customize the plugin behavior by adding the following configuration options:

  • projectBaseDir: Specifies the base directory of the project to analyze. Defaults to the current working directory.

  • outputFileName: Specifies the name and path of the output HTML file. Defaults to ./access_control.

  • editor: Specifies the editor to open the generated HTML file. Supported values are:

    • vscode: Opens the file in Visual Studio Code.

    • intellij: Opens the file in IntelliJ IDEA.

    • none: Simply opens in a new tab af your current browser. Defaults to none.

    Configuration example 
     <plugin>
   <groupId>com.theodo</groupId>
   <artifactId>spring-access-inspector-plugin</artifactId>
   <version>2.3.0</version>
   <configuration>
     <projectBaseDir>${project.basedir}</projectBaseDir>
     <outputFileName>~/my/output_file</outputFileName>
     <editor>vscode</editor>
   </configuration>
 </plugin>

  1. Run the analysis in your shell or CI:

    mvn inspector:inspect

    Note: You may need to compile the inspector code beforehand (see above).

How to Contribute

Upgrade the Version

When upgrading the version, update the following:

  • The version in the three pom.xml files (inspector, plugin, and aggregate).
  • This README file.
  • The version of the plugin in the sample project.

Deployment

To deploy the project:

  1. Add the username and password for the "public" server to your root .m2/settings.xml:

    <server>
  <id>public</id>
  <username>thesonatypetokenusername</username>
  <password>thesonatypetokenpassword</password>
</server>

  2. Add your GPG key passphrase to your root .m2/settings.xml:

    <server>
  <id>gpg</id>
  <passphrase>yourgpgkeypassphrase</passphrase>
</server>

  3. Run the following command to deploy only the plugin and the inspector:

    mvn clean deploy --projects inspector,inspector-maven-plugin

About

CLI tool and maven plugin tool to list access control on your SpringBoot application

Resources

Readme
Activity
Custom properties

Stars

61 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 14

v2.3.0 for java 21 Latest
Aug 27, 2025
+ 13 releases

Packages

No packages published

Contributors 3

Languages