Token authentication for Spring Security applications.
Add the Spring Boot starter project to your classpath:
```groovy
repositories {
    mavenCentral()
}

dependencies {
    compile 'org.visola.spring.security:spring-security-token-filter-spring-boot-starter:1.1'
}
```
Add the TokenAuthenticationFilter to your filter chain, like the following:
```java
// Imports omitted

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * The starter bundle will provide a TokenAuthenticationFilter for you.
     */
    @Autowired
    private TokenAuthenticationFilter tokenAuthenticationFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This will make your app completely stateless
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Add the TokenAuthenticationFilter to your filter chain
        http.addFilterBefore(tokenAuthenticationFilter, BasicAuthenticationFilter.class);

        // More HttpSecurity configuration here
    }
}
```
Add the starter project as a dependency, then you just need to load the JWTFilterConfiguration configuration.
If you don't know what JWT is, you should read about it first at http://jwt.io/.
If you're using Spring Boot and have the starter in your classpath, this will be taken care of for you automatically.
To make your life easier, this library ships a TokenService implementation that works out of the box with the JWT specification, built on the Nimbus JOSE + JWT library. To use it, you just need to register the JwtTokenService, which relies on an interface (AuthenticationJwtClaimsSetTransformer) to map between a JWT claims set and a Spring Security Authentication. The following sample code uses the default (out-of-the-box) implementation:
```java
@Bean
public TokenService tokenService() throws JOSEException {
    // 'secret' is the signing key shared with whatever issues the tokens;
    // define it in your own configuration (it is not shown in this sample)
    return new JwtTokenService(claimsSetTransformer(), secret);
}

@Bean
public AuthenticationJwtClaimsSetTransformer claimsSetTransformer() {
    // How long your token will last and the prefix for roles
    return new UsernamePasswordAuthenticationTokenJwtClaimsSetTransformer(TimeUnit.HOURS.toMillis(8), Optional.of("ROLE_"));
}
```
You need to create a token and give it back to the user somehow.
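As an added example (not code from this library or its README), the following Python sketch shows what the JwtTokenService and the default claims-set transformer above do at the wire level: it issues an HS256 JWT whose authorities carry the ROLE_ prefix and whose exp lies 8 hours out, and verifies one back into a (principal, authorities) pair, rejecting bad signatures, unexpected algorithms and expired tokens. The secret and the "roles" claim name are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed settings mirroring the README's configuration: an 8-hour lifetime
# and a "ROLE_" authority prefix. The secret and the "roles" claim name are
# assumptions for this example, not the library's own.
TOKEN_TTL_MS = 8 * 60 * 60 * 1000
ROLE_PREFIX = "ROLE_"
SECRET = b"placeholder-secret-replace-with-a-long-random-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(username: str, roles: list, now_ms: int, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT: sub = username, exp = now + TTL, roles with ROLE_ prefix."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": username,
        "exp": (now_ms + TOKEN_TTL_MS) // 1000,  # JWT exp is in seconds
        "roles": [ROLE_PREFIX + r for r in roles],
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

def authentication_from_token(token: str, now_ms: int, secret: bytes = SECRET):
    """Verify signature and expiry, then map the claims set to (principal, authorities).
    Returns None whenever the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm we did not issue
        return None
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) * 1000 <= now_ms:
        return None
    authorities = [r for r in claims.get("roles", []) if r.startswith(ROLE_PREFIX)]
    return claims["sub"], authorities
```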