Last updated: 2022-05-04
Security tab - backgrounds
The Security tab is available for projects in the Professional plan. It allows you to configure a project with Spring Security and JWT, so that only requests carrying a valid JSON Web Token are accepted.

The Security Tab with a selected user table
Basic configuration
After Spring Security with JWT has been activated, the necessary libraries, configurations and classes are included in the generated code. A deeper explanation of the technical background is available in this article.
For the code style you can choose between Annotations and Configuration. If Annotations is selected, the protection of the endpoints is declared directly at the controllers: @PreAuthorize("hasRole('" + ROLE_USER + "')"). Otherwise, the JwtSecurityConfig class is extended to require the "USER" role for all endpoints except the defined exclusions.
The connection to a user table is optional. If it is not specified at all, or only incompletely, the JwtUserDetailsService will support a single static user with the username "bootify" and the password "B00tify!".
In addition to the AuthenticationController for generating a token, a RegistrationController is added if the respective option has been checked. It allows new users to be added via an explicit endpoint without authentication. During further development after the download this can be adapted to individual needs. If the user table has required relations, the endpoint will initially throw an error in the generated version.
The tokens are created in JwtTokenService using the SHA512 algorithm. The secret used for signing is stored in application.properties / application.yml. Although Bootify generates this secret individually for each project, it should be changed after the download. Given the same algorithm, payload and secret, the site jwt.io will return the same token that the Spring Boot application creates later on.

Reconstruct a token on jwt.io
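The reproducibility described above follows from the token construction itself: an HS512 JWT is base64url(header).base64url(payload) plus an HMAC-SHA512 over that string, so identical inputs yield an identical token. The following is an added example, not Bootify's generated JwtTokenService; the secret, claim names and role values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo secret. In a Bootify project the signing secret lives in
# application.properties / application.yml and should be replaced after download.
SECRET = "constructed-demo-secret-replace-after-download"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWS uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_token(username: str, roles: List[str], secret: str,
                 issued_at: int, ttl_seconds: int = 3600) -> str:
    """Build an HS512 (HMAC-SHA512) JWT; identical inputs give an identical token."""
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {"sub": username, "roles": roles,
               "iat": issued_at, "exp": issued_at + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    signature = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"),
                         hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, secret: str, now: int) -> Optional[dict]:
    """Return the payload if the token is well-formed, signed with secret and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm on the verifying side instead of trusting the header.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
        return None
    expected = hmac.new(secret.encode("utf-8"),
                        f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        return None
    return payload
```

Pasting the same header, payload and secret into jwt.io reproduces the token character for character, which is why a leaked secret lets anyone mint accepted tokens and why the generated one should be rotated.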
Interdependencies
If integration testing has been activated for the project, the BaseIT class is also extended. If the setup with a user table was chosen, an additional SQL script is used to create the test user before each test. Furthermore, the headers() method is extended for the individual tests, so that the token is automatically included in the header of the requests. The test user has the same username and password as mentioned above; however, for the tests the JWT is stored directly in the code.
If Swagger UI has been enabled for the project, a SwaggerConfig is also included in the project to add authorization to the OpenAPI Specification. This makes it possible to authorize with a JWT in the Swagger UI client. The endpoints for Swagger itself, together with the controllers mentioned above, are excluded from authorization.