Published on

Spring Boot Authentication and Authorization

Authors

Spring Boot is an open source Java-based framework that is widely used to create enterprise level microservices. Implementing secure authentication and authorization in such microservices brings up a new set of challenges to developers. Spring Security comes in handy by providing a powerful, secure and customizable authentication and authorization framework.

spring-security

Spring Security makes use of a Role Based Access Control (RBAC) model to help mitigate some of the inherent Authentication and Authorization security threats such as violation of least privilege principle, insecure direct object references and unauthorized privilege escalation.

Authentication and Authorization

Authentication is the process of ascertaining the identity of user that wants to access a certain resource. Spring Security supports a wide range of authentication methods including:-

  • HTTP BASIC authentication through username and password
  • LDAP (Lighweight Directory Access Protocol)
  • Form-based authentication
  • OpenID authentication

Authorization on the other hand refers to the process of verifying what specific applications, files, and data the authenticated user has access to. Spring Security supports authorization through JSON Web Token (JWT) and OAuth2.

Implementation

To illustrate implementation of Spring Security is a Spring Boot application, we are going to create a simple service that supports user registration, login, generation of access and refresh token and posting and viewing of articles based on granted privileges. This will be supported by a MySQL database.

Spring Security is added into Spring Boot by including the following maven configuration in the pom.xml file. The latest version can be found on Maven Central.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

The application flow is as illustrated below for authentication, authorization and generation of refresh token.

spring-security-combined-flow

On signin, access and refresh tokens are generated. The access token is then used to access or manage resources e.g. add articles and manage users until its expiry where the refresh token can be used to generate a new access token.

The APIs provided are as below.

MethodURLRole RequiredAction
POST/api/user/signupNONEUser register
POST/api/user/signinNONEUser login
POST/api/user/refreshtokenALL ROLESUser get refresh token
POST/api/user/signoutALL ROLESUser sign out
POST/api/res/article/addROLE_USER, ROLE_MODERATORPost article
GET/api/res/articlesNONEView all articles
GET/api/res/article/[id]NONEView article by Id
POST/api/res/user/addROLE_ADMINAdd user
GET/api/res/usersROLE_ADMINView all users
GET/api/res/user/profileALL ROLESView own profile

Download the full source code and postman collection to test the API endpoints.