Last updated: 2022-07-01
Security tab - backgrounds
The Security tab is available for projects in the Professional plan. This allows to configure a project with Spring Security, selecting between JWT or form-based authorization.
The Security Tab with a selected user table
Common configuration
If one of the security options has been selected, the necessary libraries, configurations and classes are included in the generated code. For the code style you can choose between Annotations and Configuration. If Annotations is selected, the protection of the endpoints is stored directly at the controllers: @PreAuthorize("hasRole('" + ROLE_USER + "')"). Otherwise, the JwtSecurityConfig / HttpSecurityConfig class is extended so that all defined endpoints require the "USER" role.
The connection to a user table is optional. If this is not specified at all or incompletely, the JwtUserDetailsService / HttpUserDetailsService will support one static user with the username "bootify" and the password "Bootify!".
If the registration option has been enabled, a RegistrationResource / RegistrationController is added to the generated code. This allows to add new users without authentication, either via the REST API or in the browser. During the further development after downloading the code this can be adapted to individual needs. If the user table has relations that are required, the endpoint will initially throw an error in the generated version.
If integration testing has been activated for the project, the BaseIT class is also extended providing the required authorization. If the setup with a user table was chosen, an additional SQL script is used to first create the test user before each test.
Backgrounds on JWT
With JWT, only requests with a valid JSON Web Token are accepted. They can be retrieved via calls to the AuthenticationResource. A deeper explanation of the technical backgrounds is available here.
The tokens are created in JwtTokenService using the SHA512 algorithm. The secret used for signing is stored in application.properties / application.yml. Although this is created individually for each project by Bootify, it should be changed after the download. Using the similar algorithm, payload and secret the site jwt.io will return the same token as the Spring Boot application creates later on.
Reconstruct a token on jwt.io
The BaseIT class will provide a method bearerToken(), which is included as a header in the individual tests. The test user has the same username and password as mentioned above - however the JWT is directly stored in the code for the tests.
If Swagger UI has been enabled for the project, a SwaggerConfig is also included in the project to add authorization to the OpenAPI Specification. This will enable to authorize with a JWT in the Swagger UI client. The endpoints for Swagger itself together with the mentioned Controllers are excluded from authorization.
Backgrounds on form login
With the form-based authorization, an AuthenticationController is added to the code in order to show the authentication/login.html Thymeleaf template and provide required messages to the user. A RegistrationController is added if the respective option has been checked.
Generated controller when selecting form-based security type
The REST controllers are included in the protection by default, so browser-based login is required first before accessing the API. The BaseIT class will provide a method authenticatedSession(), performing a login transparently, so the tests can use a session with an authenticated user.
See Pricing
or read quickstart
