Really simple spring security demo. Reference tokens (cookie JSESSIONID) are used for client session tracking. This demo application has following REST end-points:
- security - login / logout - provides JSESSIONID cookie, force invalidate client's session.
- protected data - accessible only after login for clients with valid JSESSIONID cookie.
- public data - accessible to any client, no login (no JSESSIONID cookie) required.
Public data is accessible without login. Protected data is accessible only after login. Session timeout is set to 5 minutes. After login, each request must use same cookie JSESSIONID, because server is tracking http sessions by this cookie.
- Authentication is handled by internal service
itx.examples.springboot.security.springsecurity.services.UserAccessService - Authorization is handled by Spring's Method Security, RBAC model is used.
- joe / secret, ROLE_USER
- jane / secret, ROLE_USER, ROLE_ADMIN
- alice / secret, ROLE_PUBLIC
Client presents itself with username / password credentials. After credentials match, server produces JSESSIONID for session tracking.
- POST http://localhost:8888/services/security/login
{ "userName": "joe", "password": "secret" }
This action revokes client's http session and related JSESSIONID cookie.
GET protected data for different user roles:
- GET http://localhost:8888/services/data/users/all (ROLE_USER, ROLE_ADMIN)
- GET http://localhost:8888/services/data/admins/all (ROLE_ADMIN)
- GET http://localhost:8888/services/public/data/all (all roles, ROLE_PUBLIC, or no login required)
gradle clean build test
java -jar build/libs/spring-security-0.0.1-SNAPSHOT.jar