Really simple Spring Security demo. JWT value tokens are used for client session tracking. This demo application has the following REST endpoints:
- security - login / logout - provides a JWT to clients; logout force-invalidates the client's JWT.
- protected data - accessible only after login, for clients with a valid JWT.
- public data - accessible to any client; no login (no JWT) required.
Public data is open and accessible without login. Protected data is accessible only after login. After login, each request must include an Authorization: Bearer <token> field in the HTTP header; this field carries the JWT issued by the login action.
- Authentication is handled by the internal service
itx.examples.springboot.security.springsecurity.jwt.services.UserAccessService
- Authorization is handled by Spring's Method Security; an RBAC model is used.
The following user / password combinations and roles are available in this demo:
- joe / secret, ROLE_USER
- jane / secret, ROLE_USER, ROLE_ADMIN
- alice / secret, ROLE_PUBLIC
JWT for Java is used for JSON Web Token operations.
The client presents itself with username / password credentials. After the credentials match, the server produces a unique key-pair for the client. This key-pair is stored in an internal server cache and is used to issue a JWT for the client as well as to verify each JWT from the same client.
- POST http://localhost:8888/services/security/login
Request body:
{ "userName": "jane", "password": "secret" }
If login is successful, user data is returned in the response:
{ "userId": { "id": "jane" }, "roles": [ { "id": "ROLE_USER" }, { "id": "ROLE_ADMIN" } ], "jwToken": { "token": <token> } }
The jwToken string must be sent in the HTTP header of each subsequent request:
Authorization: Bearer <token>
- Logout: this action revokes the client's certificate from the internal server cache, so further verification of the client's JWT is not possible even if the JWT is technically valid.
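The login / verify / logout cycle described above, as an added illustration that is not part of this project's code: a per-client Ed25519 key-pair is created at login and kept in a server-side map (a stand-in for the demo's internal cache, with hypothetical names `Login`, `Verify`, `Logout` and `keys`), the JWT is signed with it, and logout deletes the key so the same token is rejected even though its signature is still intact.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// keys stands in for the demo's internal server cache: one key-pair per logged-in client, keyed by user name (unsynchronised here; a real cache needs a lock).
var keys = map[string]ed25519.PrivateKey{}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Login generates a fresh key-pair for the client, caches it and returns an
// EdDSA-signed JWT carrying the user id and roles (the demo's jwToken).
func Login(userName string, roles []string) (string, error) {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		return "", err
	}
	keys[userName] = priv
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, _ := json.Marshal(map[string]interface{}{"sub": userName, "roles": roles})
	input := b64(header) + "." + b64(payload)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// Logout revokes the client's key-pair: its JWTs now fail verification even though their signatures are still technically valid.
func Logout(userName string) { delete(keys, userName) }

// Verify checks an "Authorization: Bearer <token>" value against the key cached for
// the token's subject; the token's alg header is ignored on purpose (no alg confusion).
func Verify(authHeader string) (string, []string, error) {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return "", nil, errors.New("missing or malformed Bearer token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	sig, sigErr := base64.RawURLEncoding.DecodeString(parts[2])
	var claims struct { Sub string `json:"sub"`; Roles []string `json:"roles"` }
	if err != nil || sigErr != nil || json.Unmarshal(payload, &claims) != nil {
		return "", nil, errors.New("malformed JWT")
	}
	priv, found := keys[claims.Sub]
	if !found || !ed25519.Verify(priv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), sig) {
		return "", nil, errors.New("no cached key for client (logged out) or bad signature")
	}
	return claims.Sub, claims.Roles, nil
}
```

Because the key lives only in the server cache, a token's own expiry is irrelevant to revocation: once the entry is gone, the server has nothing to verify against.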
GET protected data for the different user roles:
- GET http://localhost:8888/services/data/users/all (ROLE_USER, ROLE_ADMIN)
- GET http://localhost:8888/services/data/admins/all (ROLE_ADMIN)
- GET http://localhost:8888/services/public/data/all (all roles, ROLE_PUBLIC, or no login required)
Build and run:
gradle clean build test
java -jar build/libs/spring-security-jwt-0.0.1-SNAPSHOT.jar