This repository contains a collection of Spring Security examples, demonstrating various authentication and authorization techniques, from basic authentication to JWT tokens, OAuth2, and more. Each project builds upon the knowledge of the previous one, making this repository an excellent learning path for Spring Security.
- Overview
- Projects
- Prerequisites
- Getting Started
- Spring Security Core Concepts
- Best Practices
- Contributing
- License
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications. This repository aims to provide clear examples of how to implement various security patterns with Spring Security, covering everything from basic setup to advanced features.
Key Features:
- Basic form-based authentication
- In-memory user management
- Basic authorization rules
- Custom login page
- Remember-me functionality
- CSRF protection
This project demonstrates the fundamental concepts of Spring Security with a simple web application. It's the perfect starting point for understanding how Spring Security works.
Key Features:
- Database-based user authentication
- User registration with email verification
- Password encoding with BCrypt
- Role-based authorization
- Custom authentication success/failure handlers
- Password reset functionality
- Session management
This project builds upon the basic demo by adding user registration, database persistence, and more advanced authentication features.
Go to Login-Register Demo README
Key Features:
- Stateless authentication with JWT (JSON Web Tokens)
- Token-based authentication flow
- JWT creation, validation, and parsing
- Securing REST endpoints with JWT
- Exception handling for token errors
- Custom security configurations
- User registration and authentication
This project demonstrates how to implement stateless authentication using JWT tokens, ideal for securing RESTful APIs and single-page applications.
Go to JWT Authentication Demo README
Key Features:
- OAuth2 authentication flow
- Social login (Google, GitHub, Facebook)
- OAuth2 client registration
- Custom OAuth2 user service
- Handling OAuth2 authentication success/failure
- Integration with JWT for API security
- Role mapping from OAuth providers
This project will demonstrate how to implement authentication using OAuth2, allowing users to log in using their accounts from various providers.
Key Features:
- Refresh token mechanism with JWT
- Token revocation
- Token rotation
- Enhanced security measures
- Sliding session expiration
- Handling concurrent token usage
- Token blacklisting
This project will show how to implement a secure refresh token mechanism to enhance the security and user experience of JWT authentication.
To run these projects, you'll need:
- Java Development Kit (JDK) 17 or newer
- Maven 3.6+ or Gradle 7.0+
- Your preferred IDE (IntelliJ IDEA, Eclipse, VS Code, etc.)
- Postman or similar tool for API testing
- Git for cloning the repository
- Clone this repository:
  git clone https://github.com/yourusername/spring-security.git
  cd spring-security
- Navigate to the project you want to explore:
  cd 01-Spring-Security-Basic-Demo
- Run the application:
  ./mvnw spring-boot:run
  or with Gradle:
  ./gradlew bootRun
- Access the application:
  - For web applications: http://localhost:8080
  - For API documentation: http://localhost:8080/swagger-ui.html (if available)
Refer to each project's individual README for specific setup instructions and details.
- Authentication: Verifying who a user is (login, token validation)
- Authorization: Determining what a user can do (permissions, roles)
SecurityFilterChain: the core component that processes each HTTP request through an ordered series of filters to apply the security rules.
AuthenticationProvider: components that validate credentials and create authenticated users:
- DaoAuthenticationProvider
- JwtAuthenticationProvider
- OAuth2LoginAuthenticationProvider
- etc.
UserDetailsService: interface for loading user-specific data by username. Implementations:
- InMemoryUserDetailsManager
- JdbcUserDetailsManager
- Custom implementations
PasswordEncoder: interface for hashing passwords securely and verifying them against the stored hash:
- BCryptPasswordEncoder
- Argon2PasswordEncoder
- Pbkdf2PasswordEncoder
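As an added illustration, not code from this repository, of how the four components above fit together in Spring Security 6 for the basic demo's feature set (in-memory users, role rules, custom login page, remember-me, CSRF left enabled). The user names, paths and remember-me key are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // PasswordEncoder: BCrypt with work factor 12; each hash carries its own salt.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // UserDetailsService: in-memory store (demo only), storing hashes rather than plain text.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.builder().username("user")
                .password(encoder.encode("user-pass")).roles("USER").build();   // constructed demo credential
        UserDetails admin = User.builder().username("admin")
                .password(encoder.encode("admin-pass")).roles("USER", "ADMIN").build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // SecurityFilterChain: the ordered filters every HTTP request passes through.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")   // role-based rule
                .anyRequest().authenticated())                    // deny-by-default for everything else
            .formLogin(form -> form.loginPage("/login").permitAll())   // custom login page
            .rememberMe(remember -> remember
                .key("REPLACE-WITH-PER-DEPLOYMENT-SECRET")   // placeholder; keys the remember-me cookie
                .tokenValiditySeconds(86400));
        // CSRF protection is left at its default (enabled): form POSTs must carry the token.
        return http.build();
    }
}
```

With a UserDetailsService and PasswordEncoder bean present, Spring Boot wires a DaoAuthenticationProvider automatically, so no provider needs to be declared for form login.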
- Never store passwords in plain text - Always use strong password encoders
- Use HTTPS in production - Encrypt all traffic to prevent MITM attacks
- Apply principle of least privilege - Grant only the permissions needed
- Implement proper token validation - Validate JWT signatures, expiration, etc.
- Set appropriate token expiration - Balance security and user experience
- Use refresh tokens wisely - Implement proper rotation and revocation
- Protect against common vulnerabilities - CSRF, XSS, CORS misconfiguration, etc.
- Implement rate limiting - Protect against brute force and DoS attacks
- Log security events - Track authentication failures, access denials, etc.
- Keep dependencies updated - Regularly update libraries to fix security vulnerabilities
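An added example, not from this repository, of the token-validation bullet applied with Spring Security's resource-server support (requires the spring-security-oauth2-jose dependency): the decoder checks the HMAC signature, the issuer claim and the exp/nbf timestamps before any token is accepted. The secret and issuer are assumed inputs supplied by the caller.

```java
import java.time.Duration;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class JwtDecoderConfig {

    // Builds a decoder that rejects tokens with an invalid signature, an unexpected
    // issuer, or timestamps outside their validity window (30 s clock skew allowed).
    // 'secret' must be at least 256 bits for HS256; 'issuer' is the expected "iss" claim.
    public static JwtDecoder jwtDecoder(byte[] secret, String issuer) {
        SecretKey key = new SecretKeySpec(secret, "HmacSHA256");
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
                .macAlgorithm(MacAlgorithm.HS256)   // pin the algorithm; do not trust the header
                .build();
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(Duration.ofSeconds(30)),   // exp / nbf checks
                new JwtIssuerValidator(issuer));                      // iss check
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Calling decoder.decode(token) returns a Jwt only when every check passes; otherwise it throws a JwtException, which the resource-server filter turns into a 401 response.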
Contributions are welcome! If you'd like to contribute:
- Fork the repository
- Create a new branch (git checkout -b feature/your-feature)
- Make your changes
- Commit your changes (git commit -m 'Add some feature')
- Push to the branch (git push origin feature/your-feature)
- Open a Pull Request
Please ensure your code follows the existing style and includes proper documentation.
This project is licensed under the MIT License - see the LICENSE file for details.
Created and maintained by [Your Name]
Last updated: October 2025