Feature flags let you decouple deployment from release. But what if you want to roll out a feature only for a specific user role—say, ADMIN or BETA_TESTER? In this article, we’ll explore how to implement role-based feature flags in Spring Boot using two popular tools: Unleash and FF4J.
What You’ll Need
- Spring Boot (v2.x or 3.x)
- Either Unleash or FF4J
- Basic authentication or role system in place (e.g. Spring Security)
Why Role-Based Feature Flags?
- Test features with internal teams before full release
- Minimize risk by gradually rolling out
- Enable/disable features dynamically without deployments
Option 1: Using Unleash
Unleash supports context-aware feature toggles. Here’s how to make it role-aware.
1. Add Unleash Dependency
<dependency>
<groupId>no.finn.unleash</groupId>
<artifactId>unleash-client-java</artifactId>
<version>7.0.0</version>
</dependency>
2. Initialize Unleash with Context Provider
UnleashContext context = UnleashContext.builder()
.userId("john_doe")
.addProperty("role", "ADMIN")
.build();
boolean isEnabled = unleash.isEnabled("new-dashboard", context);
3. Configure Strategy on Unleash UI
Create a strategy using the “UserWithPropertyStrategy” and set role=ADMIN for the toggle.
Option 2: Using FF4J
FF4J is another powerful feature toggle framework with support for custom authorization managers.
1. Add FF4J Starter
<dependency>
<groupId>org.ff4j</groupId>
<artifactId>ff4j-spring-boot-starter</artifactId>
<version>1.8</version>
</dependency>
2. Create a Custom Authorization Manager
public class RoleBasedAuthorisationManager implements AuthorisationManager {
@Override
public Set<String> getCurrentUserPermissions() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
return auth.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toSet());
}
}
3. Register and Use It
@Bean
public FF4j ff4j() {
FF4j ff4j = new FF4j();
ff4j.setAuthorizationsManager(new RoleBasedAuthorisationManager());
ff4j.createFeature("new-dashboard");
return ff4j;
}
// Then check the flag
if (ff4j.check("new-dashboard")) {
// show feature
}
Best Practices
Implementing feature flags is a powerful technique, but managing them effectively—especially with role-based access—requires some discipline. Following best practices helps maintain clarity, security, and scalability in your application. Here’s a quick reference table to keep your feature flag strategy on track:
| Best Practice | Description | Benefit |
|---|---|---|
| Consistent Role Naming | Use the same role names in your codebase and in your feature flag configuration (e.g., ADMIN). | Avoids confusion and errors |
| Document Feature Access | Clearly document which roles have access to each feature flag and why. | Easier audits and onboarding |
| Limit Flag Lifetime | Remove feature flags when they are no longer needed to reduce clutter. | Keeps the codebase clean |
| Secure Access Checks | Always validate role-based flags server-side, never rely solely on client-side checks. | Prevents unauthorized access |
| Test Flag Behavior Thoroughly | Write integration and unit tests to verify role-specific flag behavior. | Ensures reliability and stability |
| Use Centralized Context Building | Build and pass user role context consistently using a centralized mechanism (e.g., UnleashContext or FF4J AuthorizationManager). | Simplifies maintenance and debugging |
| Audit and Monitor Flag Usage | Track flag usage and evaluate their impact on users to make informed decisions. | Improves feature rollout control |
Resources
