SPRING SECURITY with JDBC AUTHENTICATION and AUTHORIZATION using custom login page and BCRYPT algorithm
In this project I used Spring Security for JDBC authentication and authorization with custom login page.
User can have 3 roles:employee, manager and admin and he also have appropriate endpoint for every role.With appropriate role, only that user can access some additional information and pages on the web app.For example user “john” have only role EMPLOYEE, and he can only access this page.
Some users can have more roles, for example user “mary” have two roles EMPLOYEE and MANAGER and only user with role MANAGER can access this additional information and page Leadership Meeting on the web app.
User susan also have 2 roles EMPLOYEE and ADMIN and only user with role ADMIN can access this additional information and page IT Systems Meeting on the web app.
If some other user which is not authorized trys to access some additional information and pages, he will get access denied page with message.
In this project I used bcrypt algorithm for password encryption, this is one-way encrypted hashing, so the password in the database can never be decrypted.
To protect against CSRF attacks I used additional authentication data/token into all HTML forms.On this way we can prevent evil website to tricks us into executing an action on a web application that you are currently logged in.For each request we have randomly generated token and Spring Security verifies token before processing.I also added logout button, because we want to logout the user from the system, on that way we also removing http session, cookies, etc…