diff --git a/pom.xml b/pom.xml
index b97d35f..b51a43e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -246,6 +246,10 @@
 			<version>0.12.6</version>
 			<scope>runtime</scope>
 		</dependency>
+		<dependency>
+    		<groupId>org.springframework.boot</groupId>
+    		<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 	</dependencies>
 
 
diff --git a/src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java b/src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java
index 3503d77..6be8401 100644
--- a/src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java
+++ b/src/main/java/com/iemr/ecd/controller/dataupload/DataTemplateController.java
@@ -30,6 +30,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -48,6 +49,7 @@
 
 @RestController
 @RequestMapping(value = "/dataTemplate", headers = "Authorization")
+@PreAuthorize("hasRole('SUPERVISOR')")
 public class DataTemplateController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java b/src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java
index c345cfd..904662d 100644
--- a/src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java
+++ b/src/main/java/com/iemr/ecd/controller/dataupload/DataUploadController.java
@@ -26,6 +26,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
@@ -41,6 +42,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 
 @RestController
+@PreAuthorize("hasRole('SUPERVISOR')")
 public class DataUploadController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java b/src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java
index 05c71eb..5e7fac1 100644
--- a/src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java
+++ b/src/main/java/com/iemr/ecd/controller/outboundworklist/CallStatisticsController.java
@@ -26,6 +26,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -41,7 +42,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 
 @RestController
-@RequestMapping(value = "/agent", headers = "Authorization")
+@PreAuthorize("hasRole('SUPERVISOR') || hasRole('QUALITY_SUPERVISOR') || hasRole('QUALITY_AUDITOR')")
 public class CallStatisticsController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java b/src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java
index dba679b..2ee24c6 100644
--- a/src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java
+++ b/src/main/java/com/iemr/ecd/controller/outboundworklist/OutBoundWorklistController.java
@@ -29,6 +29,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -48,6 +49,7 @@
 
 @RestController
 @RequestMapping(value = "/outbound-worklist", headers = "Authorization")
+@PreAuthorize("hasRole('ANM') || hasRole('MO') || hasRole('ASSOCIATE')")
 public class OutBoundWorklistController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/quality/ChartsController.java b/src/main/java/com/iemr/ecd/controller/quality/ChartsController.java
index 169e5c5..ea2d7ac 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/ChartsController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/ChartsController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -44,6 +45,7 @@
 
 @RestController
 @RequestMapping(value = "/charts", headers = "Authorization")
+@PreAuthorize("hasRole('SUPERVISOR') || hasRole('QUALITY_SUPERVISOR') || hasRole('QUALITY_AUDITOR')")
 public class ChartsController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java b/src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java
index da8a3ec..80fb34f 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/GradeConfigurationController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -47,6 +48,7 @@
 
 @RestController
 @RequestMapping(value = "/gradeConfiguration", headers = "Authorization")
+@PreAuthorize("hasRole('QUALITY_SUPERVISOR')")
 public class GradeConfigurationController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java
index ff7178c..9d7ec98 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditController.java
@@ -27,7 +27,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -55,6 +55,7 @@
 
 @RestController
 @RequestMapping(value = "/qualityAudit", headers = "Authorization")
+@PreAuthorize("hasRole('QUALITY_AUDITOR')")
 public class QualityAuditController {
 	@Autowired
 	private QualityAuditImpl qualityAuditImpl;
diff --git a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java
index a0bee1d..fdbe52d 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditQuestionConfigurationController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -48,6 +49,7 @@
 
 @RestController
 @RequestMapping(value = "/questionnaireConfiguration", headers = "Authorization")
+@PreAuthorize("hasRole('QUALITY_SUPERVISOR') || hasRole('QUALITY_AUDITOR')")
 public class QualityAuditQuestionConfigurationController {
 	@Autowired
 	private QualityAuditQuestionConfigurationImpl qualityAuditQuestionConfigurationImpl;
diff --git a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java
index 29e3060..a5f88d4 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/QualityAuditSectionConfigurationController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -47,6 +48,7 @@
 
 @RestController
 @RequestMapping(value = "/sectionConfiguration", headers = "Authorization")
+@PreAuthorize("hasRole('QUALITY_SUPERVISOR') || hasRole('QUALITY_AUDITOR')")
 public class QualityAuditSectionConfigurationController {
 	@Autowired
 	private QualityAuditSectionConfigurationImpl qualityAuditSectionConfigurationImpl;
diff --git a/src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java b/src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java
index 11734b1..020faea 100644
--- a/src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java
+++ b/src/main/java/com/iemr/ecd/controller/quality/SampleSelectionConfigurationController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -47,6 +48,7 @@
 
 @RestController
 @RequestMapping(value = "/sampleSelectionConfiguration", headers = "Authorization")
+@PreAuthorize("hasRole('QUALITY_SUPERVISOR') || hasRole('QUALITY_AUDITOR')")
 public class SampleSelectionConfigurationController {
 	@Autowired
 	private SampleSelectionConfigurationImpl sampleSelectionConfigurationImpl;
diff --git a/src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java b/src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java
index 1a7d675..e1307d6 100644
--- a/src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java
+++ b/src/main/java/com/iemr/ecd/controller/questionare/EcdQuestionareController.java
@@ -28,6 +28,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -56,6 +57,7 @@
 
 @RestController
 @RequestMapping(value = "/Questionnaire", headers = "Authorization")
+@PreAuthorize("hasRole('SUPERVISOR')")
 public class EcdQuestionareController {
 
 	@Autowired
diff --git a/src/main/java/com/iemr/ecd/repository/masters/RoleRepo.java b/src/main/java/com/iemr/ecd/repository/masters/RoleRepo.java
index d6e3d64..9351d4a 100644
--- a/src/main/java/com/iemr/ecd/repository/masters/RoleRepo.java
+++ b/src/main/java/com/iemr/ecd/repository/masters/RoleRepo.java
@@ -23,7 +23,9 @@
 
 import java.util.List;
 
+import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.CrudRepository;
+import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
 
 import com.iemr.ecd.dao.masters.Role;
@@ -32,5 +34,6 @@
 public interface RoleRepo extends CrudRepository<Role, Integer> {
 	
 	List<Role> findByPsmIdAndDeleted(Integer psmId, Boolean deleted);
-
+	@Query(nativeQuery = true,value = "select rolename from m_role where roleid in (select roleid from m_userservicerolemapping where userid=:userID)")
+	List<String> getRoleNamebyUserId(@Param("userID") Long userID);
 }
diff --git a/src/main/java/com/iemr/ecd/service/masters/MasterServiceImpl.java b/src/main/java/com/iemr/ecd/service/masters/MasterServiceImpl.java
index 54042fe..2206dd5 100644
--- a/src/main/java/com/iemr/ecd/service/masters/MasterServiceImpl.java
+++ b/src/main/java/com/iemr/ecd/service/masters/MasterServiceImpl.java
@@ -228,6 +228,21 @@ public List<Frequency> getFrequency() {
 	public List<V_GetUserlangmapping> getLanguageByUserId(Integer userId) throws ECDException {
 		return v_GetUserlangmappingRepo.findByUserId(userId);
 	}
+
+	public List<String> getUserRoles(Long userId) {
+		if (null == userId || userId <= 0) {
+			throw new IllegalArgumentException("Invalid User ID : " + userId);
+		}
+		try {
+			List<String> role = roleRepo.getRoleNamebyUserId(userId);
+			if (null == role || role.isEmpty()) {
+				throw new ECDException("No role found for userId : " + userId);
+			}
+			return role;
+		} catch (Exception e) {
+			throw new ECDException("Failed to retrieverole for usedId : " + userId + " error : " + e.getMessage());
+		}
+	}
 	
 	
 	//gender master
diff --git a/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAccessDeniedHandler.java b/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAccessDeniedHandler.java
new file mode 100644
index 0000000..c3fde93
--- /dev/null
+++ b/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAccessDeniedHandler.java
@@ -0,0 +1,28 @@
+package com.iemr.ecd.utils.advice.exception_handler;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+import java.util.Map;
+
+@Component
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+
+	private static final ObjectMapper mapper = new ObjectMapper();
+    @Override
+    public void handle(HttpServletRequest request,
+                       HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException {
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403
+        response.setContentType("application/json");
+        Map<String, String> errorResponse = Map.of("error" , "Forbidden",
+        		"message","Access denied");
+        response.getWriter().write(mapper.writeValueAsString(errorResponse));
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAuthenticationEntryPoint.java b/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAuthenticationEntryPoint.java
new file mode 100644
index 0000000..85488ae
--- /dev/null
+++ b/src/main/java/com/iemr/ecd/utils/advice/exception_handler/CustomAuthenticationEntryPoint.java
@@ -0,0 +1,23 @@
+package com.iemr.ecd.utils.advice.exception_handler;
+
+import java.io.IOException;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@Component
+public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+    @Override
+    public void commence(HttpServletRequest request,
+                         HttpServletResponse response,
+                         AuthenticationException authException) throws IOException {
+        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // 401
+        response.setContentType("application/json");
+        response.getWriter().write("{\"error\": \"Unauthorized\", \"message\": \"" + authException.getMessage() + "\"}");
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/com/iemr/ecd/utils/mapper/JwtUtil.java b/src/main/java/com/iemr/ecd/utils/mapper/JwtUtil.java
index 719e259..e0b9738 100644
--- a/src/main/java/com/iemr/ecd/utils/mapper/JwtUtil.java
+++ b/src/main/java/com/iemr/ecd/utils/mapper/JwtUtil.java
@@ -59,7 +59,7 @@ public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
 		return claims != null ? claimsResolver.apply(claims) : null;
 	}
 
-	private Claims extractAllClaims(String token) {
+	public Claims extractAllClaims(String token) {
 		return Jwts.parser()
 			.verifyWith(getSigningKey())
 			.build()
diff --git a/src/main/java/com/iemr/ecd/utils/mapper/RoleAuthenticationFilter.java b/src/main/java/com/iemr/ecd/utils/mapper/RoleAuthenticationFilter.java
new file mode 100644
index 0000000..8fadd88
--- /dev/null
+++ b/src/main/java/com/iemr/ecd/utils/mapper/RoleAuthenticationFilter.java
@@ -0,0 +1,98 @@
+package com.iemr.ecd.utils.mapper;
+
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import com.iemr.ecd.service.masters.MasterServiceImpl;
+import com.iemr.ecd.utils.constants.Constants;
+import com.iemr.ecd.utils.redis.RedisStorage;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.io.IOException;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+@Component
+public class RoleAuthenticationFilter extends OncePerRequestFilter {
+	Logger logger = LoggerFactory.getLogger(this.getClass().getSimpleName());
+	
+	@Autowired
+    private JwtUtil jwtUtil;
+
+    @Autowired
+    private RedisStorage redisService;
+
+    @Autowired
+    private MasterServiceImpl userService;
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException, java.io.IOException {
+		List<String> authRoles = null;
+		try {
+			String jwtFromCookie = CookieUtil.getJwtTokenFromCookie(request);
+			String jwtFromHeader = request.getHeader(Constants.JWT_TOKEN);
+
+			String jwtToken = jwtFromCookie != null ? jwtFromCookie : jwtFromHeader;
+			if(null == jwtToken || jwtToken.trim().isEmpty()) {
+				filterChain.doFilter(request, response);
+				return;
+			}
+			Claims extractAllClaims = jwtUtil.extractAllClaims(jwtToken);
+			if(null == extractAllClaims) {
+				filterChain.doFilter(request, response);
+				return;
+			}
+			Object userIdObj = extractAllClaims.get("userId");
+			String userId = userIdObj != null ? userIdObj.toString() : null;
+			if (null == userId || userId.trim().isEmpty()) {
+				filterChain.doFilter(request, response);
+				return;
+			}
+			Long userIdLong;
+			try {
+				userIdLong=Long.valueOf(userId);
+			}catch (NumberFormatException ex) {
+				logger.warn("Invalid userId format: {}",userId);
+				filterChain.doFilter(request, response);
+				return;
+			}
+			authRoles = redisService.getUserRoleFromCache(userIdLong);
+			if (authRoles == null || authRoles.isEmpty()) {
+			    List<String> roles = userService.getUserRoles(Long.valueOf(userId)); // assuming this returns multiple roles
+			    authRoles = roles.stream()
+			    	    .filter(Objects::nonNull)
+			    	    .map(String::trim)
+			    	    .map(role -> "ROLE_" + role.toUpperCase().replace(" ", "_"))
+			    	    .collect(Collectors.toList());
+			    redisService.cacheUserRoles(Long.valueOf(userId), authRoles);
+			}
+
+			List<GrantedAuthority> authorities = authRoles.stream()
+			        .map(SimpleGrantedAuthority::new)
+			        .collect(Collectors.toList());
+
+			UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userId, null, authorities);
+			SecurityContextHolder.getContext().setAuthentication(auth);
+		} catch (Exception e) {
+			logger.error("Authentication filter error for request {}: {}", request.getRequestURI(), e.getMessage());
+			SecurityContextHolder.clearContext();
+		} finally {
+			filterChain.doFilter(request, response);
+		}
+
+	}
+}
\ No newline at end of file
diff --git a/src/main/java/com/iemr/ecd/utils/mapper/SecurityConfig.java b/src/main/java/com/iemr/ecd/utils/mapper/SecurityConfig.java
new file mode 100644
index 0000000..31409fa
--- /dev/null
+++ b/src/main/java/com/iemr/ecd/utils/mapper/SecurityConfig.java
@@ -0,0 +1,52 @@
+package com.iemr.ecd.utils.mapper;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+import com.iemr.ecd.utils.advice.exception_handler.CustomAccessDeniedHandler;
+import com.iemr.ecd.utils.advice.exception_handler.CustomAuthenticationEntryPoint;
+
+@Configuration
+@EnableMethodSecurity
+@EnableWebSecurity
+public class SecurityConfig {
+	private final RoleAuthenticationFilter roleAuthenticationFilter;
+	private final CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
+	private final CustomAccessDeniedHandler customAccessDeniedHandler;
+
+	public SecurityConfig(RoleAuthenticationFilter roleAuthenticationFilter,
+	                      CustomAuthenticationEntryPoint customAuthenticationEntryPoint,
+	                      CustomAccessDeniedHandler customAccessDeniedHandler) {
+	    this.roleAuthenticationFilter = roleAuthenticationFilter;
+	    this.customAuthenticationEntryPoint = customAuthenticationEntryPoint;
+	    this.customAccessDeniedHandler = customAccessDeniedHandler;
+	}
+
+@Bean
+public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
+    csrfTokenRepository.setCookieHttpOnly(true);
+    csrfTokenRepository.setCookiePath("/");
+    http
+        .csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository))
+        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+        .authorizeHttpRequests(auth -> auth
+            .requestMatchers("/user/*").permitAll()
+            .anyRequest().authenticated()
+        )
+        .exceptionHandling(ex -> ex
+            .authenticationEntryPoint(customAuthenticationEntryPoint)
+            .accessDeniedHandler(customAccessDeniedHandler)
+        )
+        .addFilterBefore(roleAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+    return http.build();
+}
+}
diff --git a/src/main/java/com/iemr/ecd/utils/redis/RedisStorage.java b/src/main/java/com/iemr/ecd/utils/redis/RedisStorage.java
index d795ad7..99370de 100644
--- a/src/main/java/com/iemr/ecd/utils/redis/RedisStorage.java
+++ b/src/main/java/com/iemr/ecd/utils/redis/RedisStorage.java
@@ -21,6 +21,9 @@
 */
 package com.iemr.ecd.utils.redis;
 
+import java.time.Duration;
+import java.util.List;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -28,6 +31,7 @@
 import org.springframework.data.redis.connection.RedisConnection;
 import org.springframework.data.redis.connection.RedisStringCommands.SetOption;
 import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.data.redis.core.types.Expiration;
 import org.springframework.stereotype.Component;
 
@@ -94,4 +98,26 @@ public void updateConcurrentSessionObject(String value) {
 
 		}
 	}
+	@Autowired
+    private RedisTemplate<String, String> redisTemplate;
+
+	public void cacheUserRoles(Long userId, List<String> roles) {
+		try {
+			 String key = "roles:" + userId;
+		        redisTemplate.delete(key); // Clear previous cache
+		        redisTemplate.opsForList().rightPushAll(key, roles);
+		} catch (Exception e) {
+			logger.warn("Failed to cache role for user {} : {} ", userId, e.getMessage());
+		}
+
+	}
+
+	public List<String> getUserRoleFromCache(Long userId) {
+		try {
+			return redisTemplate.opsForList().range("roles:" + userId, 0, -1);
+		} catch (Exception e) {
+			logger.warn("Failed to retrieve cached role for user {} : {} ", userId, e.getMessage());
+			return null;
+		}
+	}
 }