This guide documents the security implementation in the Spring Web application, which uses JWT (JSON Web Tokens) for stateless authentication and Spring Security for authorization.
- Stateless authentication using JSON Web Tokens
- Secure token generation and validation
- Configurable token expiration
- Bearer token authentication
- BCrypt password hashing
- Secure password storage
- Automatic password encoding
- Admin and User roles
- Fine-grained endpoint authorization
- Role-based access to resources
- CSRF protection (disabled for API, enabled for web forms)
- Stateless sessions
- Secure HTTP headers
Add the following to application.properties:
```properties
# JWT configuration
app.jwt.secret=yourSecureSecretKeyHere12345678901234567890123456789012
# Token lifetime: 24 hours in milliseconds (in .properties files a "# ..." after the value is read as part of the value, so the comment sits on its own line)
app.jwt.expiration=86400000
```

Important: the JWT secret should be:
- At least 32 characters long
- Random and unpredictable
- Stored securely (consider using environment variables in production)
Endpoint access rules:

```text
# Public endpoints (no authentication required)
/api/auth/**
# Admin-only endpoints
/api/users/**
# All other endpoints require authentication
/**
```

Login flow:

```mermaid
graph TD
A[Client] -->|POST /api/auth/login| B[AuthController]
B -->|Authenticate| C[AuthenticationManager]
C -->|Validate Credentials| D[UserDetailsService]
D -->|Load User| E[UserRepository]
E -->|Return User| D
D -->|Return UserDetails| C
C -->|Authentication Success| B
B -->|Generate JWT| F[JwtUtil]
F -->|Return Token| B
B -->|Return AuthResponseDTO| A
```

Authenticated request flow:

```mermaid
graph TD
A[Client] -->|Request with Authorization Header| B[JwtAuthenticationFilter]
B -->|Extract JWT Token| C[JwtUtil]
C -->|Validate Token| D[JwtUtil]
D -->|Extract Username| E[JwtUtil]
E -->|Load UserDetails| F[UserDetailsService]
F -->|Return UserDetails| B
B -->|Set Security Context| G[SecurityContextHolder]
G -->|Continue Request| H[Controller]
H -->|Return Response| A
```
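A SecurityFilterChain that applies the endpoint rules above and registers the JwtAuthenticationFilter from the request diagram. This is an added example, not the project's own configuration; it assumes Spring Security 6 (lambda DSL), that JwtAuthenticationFilter is a servlet filter bean, that admin users carry the authority ROLE_ADMIN, and a hypothetical package name.

```java
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private final JwtAuthenticationFilter jwtAuthenticationFilter; // assumed OncePerRequestFilter bean

    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays on for browser form posts; the bearer-token API under /api/** is exempt
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            // Never create an HttpSession: each request must authenticate with its own JWT
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()
                .requestMatchers("/api/users/**").hasRole("ADMIN") // authority must be ROLE_ADMIN
                .anyRequest().authenticated())
            // Default security headers (X-Content-Type-Options, X-Frame-Options, Cache-Control) stay enabled
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12); // cost 12; BCrypt embeds a per-hash random salt
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager(); // backed by the UserDetailsService and encoder above
    }
}
```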
Request:

```http
POST /api/auth/login
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "admin123"
}
```

Response:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```