Simple SpringBoot security demo

A really simple Spring Security demo. Reference tokens (the JSESSIONID cookie) are used for client session tracking. This demo application has the following REST endpoints:

  • security - login / logout - login issues the JSESSIONID cookie, logout force-invalidates the client's session.
  • protected data - accessible only after login, for clients presenting a valid JSESSIONID cookie.
  • public data - accessible to any client; no login (no JSESSIONID cookie) is required.

Public data is accessible without login. Protected data is accessible only after login. The session timeout is set to 5 minutes. After login, each request must carry the same JSESSIONID cookie, because the server tracks HTTP sessions by this cookie.

  • Authentication is handled by the internal service itx.examples.springboot.security.springsecurity.services.UserAccessService
  • Authorization is handled by Spring's Method Security, using an RBAC model.

Users, Passwords and Roles

  • joe / secret, ROLE_USER
  • jane / secret, ROLE_USER, ROLE_ADMIN
  • alice / secret, ROLE_PUBLIC
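As an added illustration, not the demo's own code, the configuration below shows how the behaviour described above (a server-side session referenced by the JSESSIONID cookie, logout invalidating that session, and role-based authorization through Method Security for the three users listed) is typically wired in Spring Security 6. The class names, endpoint paths and the in-memory user store are assumptions made for the example; the demo itself authenticates through its own UserAccessService rather than Spring's UserDetailsService.

```java
// Added example, not the demo's code. Package placement, class names and
// endpoint paths are assumptions.
package itx.examples.springboot.security.springsecurity;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity   // turns on @PreAuthorize checks on service methods
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Paths are assumptions; the README names endpoints only by purpose.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**", "/api/security/login").permitAll()
                .anyRequest().authenticated())
            // A server-side HttpSession (and thus the JSESSIONID reference token)
            // is created only when needed, i.e. after a successful login.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            // Logout invalidates the HttpSession and clears the cookie so the
            // reference token can no longer be replayed.
            .logout(l -> l.logoutUrl("/api/security/logout")
                          .invalidateHttpSession(true)
                          .deleteCookies("JSESSIONID"));
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Passwords are stored hashed, never in clear text.
        return new BCryptPasswordEncoder();
    }

    // The README's users. An in-memory store stands in for the demo's own
    // UserAccessService; roles("USER") yields the authority ROLE_USER.
    @Bean
    public UserDetailsService users(PasswordEncoder enc) {
        return new InMemoryUserDetailsManager(
            User.withUsername("joe").password(enc.encode("secret")).roles("USER").build(),
            User.withUsername("jane").password(enc.encode("secret")).roles("USER", "ADMIN").build(),
            User.withUsername("alice").password(enc.encode("secret")).roles("PUBLIC").build());
    }
}

// Authorization via Method Security (RBAC): hasRole('X') matches authority ROLE_X,
// so joe and jane may call userData(), only jane may call adminData(), and
// alice (ROLE_PUBLIC) is rejected by both with an AccessDeniedException.
@Service
class ProtectedDataService {   // hypothetical service name

    @PreAuthorize("hasRole('USER')")
    public String userData() {
        return "data for ROLE_USER";
    }

    @PreAuthorize("hasRole('ADMIN')")
    public String adminData() {
        return "data for ROLE_ADMIN";
    }
}
```

The 5-minute session timeout mentioned above is a Spring Boot property rather than code, set in application.properties as server.servlet.session.timeout=5m. Two points worth checking in any such setup: that method-level checks are applied on the service the controllers actually call (a proxy bypassed by a self-invocation inside the same class is not checked), and that logout really deletes the cookie and invalidates the server-side session, otherwise a captured JSESSIONID stays valid until the timeout expires.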

Security - Login

The client presents username / password credentials. If the credentials match, the server issues a JSESSIONID for session tracking.

Security - Logout

This action revokes the client's HTTP session and the related JSESSIONID cookie.

Get protected data

GET protected data for different user roles:

Get public data

Build and run

gradle clean build test
java -jar build/libs/spring-security-0.0.1-SNAPSHOT.jar