Last updated: 2022-07-01
Security tab - backgrounds
The Security tab is available for projects in the Professional plan. It configures the project with Spring Security, with a choice between JWT and form-based authentication.
The Security Tab with a selected user table
If one of the security options has been selected, the necessary libraries, configuration and classes are included in the generated code. For the code style you can choose between Annotations and Configuration. With Annotations, the protection of each endpoint is declared directly on the controllers with @PreAuthorize("hasRole('" + ROLE_USER + "')"). With Configuration, the HttpSecurityConfig class is extended so that all defined endpoints require the
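The two code styles side by side, as an added example that is not Bootify-generated code: the Configuration style puts the role rule into the HttpSecurity filter chain, the Annotations style puts it on the controller method and only needs @EnableMethodSecurity for @PreAuthorize to be enforced. Class names, the /api/** path and the ROLE_USER constant are assumptions; Spring Boot 3 / Spring Security 6 is assumed for the lambda DSL.

```java
// --- file: HttpSecurityConfig.java (added example, not Bootify's generated class) ---
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity   // needed only for the Annotations style: activates @PreAuthorize
public class HttpSecurityConfig {

    // hasRole() prepends "ROLE_" itself, so the constant carries no prefix;
    // the granted authority on the user must therefore be "ROLE_USER".
    public static final String ROLE_USER = "USER";

    @Bean
    public SecurityFilterChain configure(final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Configuration style: the rule for every API endpoint lives here
                .requestMatchers("/api/**").hasRole(ROLE_USER)
                // with the Annotations style this line would be .anyRequest().authenticated()
                // and the role check below would be the only place the role is named
                .anyRequest().denyAll());
        return http.build();
    }
}

// --- file: CustomerResource.java (added example, assumed controller) ---
package com.example.rest;

import static com.example.security.HttpSecurityConfig.ROLE_USER;

import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/customers")
@PreAuthorize("hasRole('" + ROLE_USER + "')")   // Annotations style: same rule, on the controller
public class CustomerResource {

    @GetMapping
    public List<String> getAll() {
        return List.of("alice", "bob");   // constructed sample data
    }
}
```

A request to /api/customers without a ROLE_USER principal is rejected in the filter chain (Configuration style) before the controller runs; with the Annotations style an authenticated caller without the role reaches the method-security interceptor and gets a 403 from there. The two styles are equivalent for the endpoints they cover, but with annotations every new controller must remember to repeat the rule, which is why the filter-chain variant fails closed with denyAll() for anything not listed.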
The connection to a user table is optional. If it is not specified, or only partially specified, the HttpUserDetailsService will serve a single static user with the username "bootify" and the password
If the registration option has been enabled, a RegistrationController is added to the generated code. It allows new users to be added without authentication, either via the REST API or in the browser. During further development after downloading the code this can be adapted to individual needs; because the endpoint accepts unauthenticated input, input validation and abuse controls such as rate limiting belong there before it goes to production. If the user table has relations that are required, the endpoint will initially throw an error in the generated version.
If integration testing has been activated for the project, the BaseIT class is also extended to provide the required authorization. If the setup with a user table was chosen, an additional SQL script creates the test user before each test.
Backgrounds on JWT
With JWT, only requests carrying a valid JSON Web Token are accepted. Tokens are obtained via calls to the AuthenticationResource. A deeper explanation of the technical background is available here.
The tokens are created in JwtTokenService and signed with HMAC using SHA-512 (HS512). The signing secret is stored in application.yml. Although Bootify generates it individually for each project, it should be changed after the download; and since application.yml is normally committed to version control, the production secret is better supplied from the environment than kept in the file. Given the same algorithm, payload and secret, jwt.io produces exactly the token the Spring Boot application creates.
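Issuing and verifying an HS512 token, as an added example and not Bootify's own JwtTokenService. It assumes the com.auth0:java-jwt library, a jwt.secret property in application.yml, and an issuer name of "example-app"; the secret-length check and the issuer claim are additions a practitioner would want, not something the page describes.

```java
// Added example (not Bootify's generated JwtTokenService).
// Assumes com.auth0:java-jwt and a property jwt.secret in application.yml.
package com.example.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

@Service
public class JwtTokenService {

    private static final String ISSUER = "example-app";          // assumption
    private static final Duration VALIDITY = Duration.ofHours(1); // assumption

    private final Algorithm hmac512;
    private final JWTVerifier verifier;

    public JwtTokenService(@Value("${jwt.secret}") final String secret) {
        // HS512 is an HMAC over SHA-512; a secret shorter than the 64-byte hash
        // output gives less than the algorithm's strength, so refuse to start.
        if (secret.getBytes(StandardCharsets.UTF_8).length < 64) {
            throw new IllegalStateException("jwt.secret must be at least 64 bytes for HS512");
        }
        // Algorithm.HMAC512(String) uses the raw UTF-8 bytes of the secret, which is
        // what jwt.io does with the "secret base64 encoded" box unticked.
        this.hmac512 = Algorithm.HMAC512(secret);
        this.verifier = JWT.require(hmac512)
                .withIssuer(ISSUER)   // reject tokens minted by someone else
                .build();             // exp is checked by default
    }

    public String generateToken(final String username) {
        final Instant now = Instant.now();
        return JWT.create()
                .withSubject(username)
                .withIssuer(ISSUER)
                .withIssuedAt(Date.from(now))
                .withExpiresAt(Date.from(now.plus(VALIDITY)))
                .sign(hmac512);
    }

    /** Subject of the token if signature, issuer and expiry all check out, else empty. */
    public Optional<String> validateTokenAndGetUsername(final String token) {
        try {
            final DecodedJWT jwt = verifier.verify(token);
            return Optional.ofNullable(jwt.getSubject());
        } catch (final JWTVerificationException e) {
            // wrong secret, tampered header or payload, expired, or wrong issuer
            return Optional.empty();
        }
    }
}
```

Because jwt.secret is a normal Spring property, it can be overridden without editing the file, for example with the environment variable JWT_SECRET (Spring's relaxed binding maps it to jwt.secret), so the generated value in application.yml never has to be the one used in production.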
Reconstruct a token on jwt.io
The BaseIT class provides a method bearerToken(), which is included as a header in the individual tests. The test user has the same username and password as mentioned above; however, the JWT for the tests is stored directly in the code, so it has to be regenerated if the signing secret used by the tests changes.
If Swagger UI has been enabled for the project, a SwaggerConfig is also included to add a security scheme to the OpenAPI Specification. This allows a JWT to be entered in the Swagger UI client and sent with its requests. The Swagger endpoints themselves, together with the controllers mentioned above, are excluded from the authorization requirement.
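What such a configuration looks like with springdoc-openapi, as an added example that is not Bootify's generated SwaggerConfig: a bearer scheme registered in the OpenAPI components and applied to every operation, plus the filter-chain rule that leaves the springdoc paths reachable without a token. The scheme name and the path list are assumptions; /swagger-ui/** and /v3/api-docs/** are springdoc's defaults.

```java
// Added example (not Bootify's generated SwaggerConfig). Assumes springdoc-openapi
// and Spring Security 6.
package com.example.config;

import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SwaggerConfig {

    private static final String BEARER_AUTH = "bearerAuth";   // assumed scheme name

    // Springdoc default locations of the UI and the generated spec.
    public static final String[] SWAGGER_PATHS = {"/swagger-ui/**", "/swagger-ui.html", "/v3/api-docs/**"};

    @Bean
    public OpenAPI openApiSpec() {
        return new OpenAPI()
                .components(new Components().addSecuritySchemes(BEARER_AUTH,
                        new SecurityScheme()
                                .type(SecurityScheme.Type.HTTP)
                                .scheme("bearer")        // Swagger UI sends "Authorization: Bearer <token>"
                                .bearerFormat("JWT")))
                // Global requirement: every operation shows the padlock and uses the scheme.
                .addSecurityItem(new SecurityRequirement().addList(BEARER_AUTH));
    }

    @Bean
    public SecurityFilterChain swaggerFilterChain(final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(SWAGGER_PATHS).permitAll()   // UI and spec need no token
                .anyRequest().authenticated());              // everything else does
        return http.build();
    }
}
```

Keeping the UI public only exposes the API description, not the data; each call made from it still carries the token entered through the Authorize button and is checked by the same filter chain as any other client.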
Backgrounds on form login
With form-based authentication, an AuthenticationController is added to the code to render the authentication/login.html Thymeleaf template and provide the required messages to the user. A RegistrationController is added if the respective option has been checked.
Generated controller when selecting form-based security type
The REST controllers are included in the protection by default, so a browser-based login is required before the API can be accessed. The BaseIT class provides a method authenticatedSession(), which performs the login transparently, so the tests can use a session with an authenticated user.
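A form-login filter chain that covers the REST controllers too, and a BaseIT-style helper that logs in through MockMvc and hands back the authenticated session, as an added example that is not Bootify-generated code. It assumes Spring Security 6, spring-security-test, a login page at /login, and a test user "bootify" whose password is created by the test SQL script; the password value used here is a placeholder, the generated project defines its own.

```java
// --- file: HttpSecurityConfig.java (added example, not Bootify's generated class) ---
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class HttpSecurityConfig {

    @Bean
    public SecurityFilterChain configure(final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        // login and registration pages and static assets are reachable anonymously (assumed paths)
                        .requestMatchers("/login", "/register", "/css/**", "/js/**").permitAll()
                        // everything else, including /api/** REST controllers, needs a session
                        .anyRequest().authenticated())
                .formLogin(form -> form
                        .loginPage("/login")              // rendered by the AuthenticationController
                        .defaultSuccessUrl("/", true))
                .logout(logout -> logout.logoutSuccessUrl("/login?logout"));
        // CSRF protection stays on: the Thymeleaf form posts the token automatically.
        return http.build();
    }
}

// --- file: BaseIT.java (added example, test helper in the style the page describes) ---
package com.example;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
public abstract class BaseIT {

    private static final String TEST_USER = "bootify";
    private static final String TEST_PASSWORD = "test-password";   // placeholder, project-specific

    @Autowired
    protected MockMvc mockMvc;

    /** Posts the login form (CSRF token included by formLogin()) and returns the session it created. */
    protected MockHttpSession authenticatedSession() throws Exception {
        return (MockHttpSession) mockMvc.perform(formLogin("/login")
                        .user(TEST_USER)
                        .password(TEST_PASSWORD))
                .andExpect(authenticated().withUsername(TEST_USER))
                .andReturn()
                .getRequest()
                .getSession();
    }

    /** Example of a test body: the API answers 200 only with the logged-in session attached. */
    protected void assertApiReachableWithSession() throws Exception {
        mockMvc.perform(get("/api/customers").session(authenticatedSession()))
                .andExpect(status().isOk());
        mockMvc.perform(get("/api/customers"))
                .andExpect(status().is3xxRedirection());   // anonymous caller is sent to /login
    }
}
```

Because formLogin() goes through the real authentication filter, the helper also exercises the password encoding and the test user created by the SQL script; a test that fails here usually means the login setup is broken, not the endpoint under test.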