- This project covers two distinct security concepts: authentication and authorization.
- Authentication answers "who is this user?": do we know them, do they exist in the database, and are their credentials correct? If so, they are let into the application and handed a token, which they present on every subsequent request to the protected resources (the API endpoints).
- Authorization decides which resources an already-authenticated user may reach, based on the roles assigned to them. The user is logged in, but are they allowed this particular privilege? Are they an admin, a super admin, or a normal user? Access is granted or limited accordingly. In HTTP terms, a failed authentication is answered with 401 and a failed authorization with 403.
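The two concepts land in two separate `configure` methods of the Spring Security configuration: the `AuthenticationManagerBuilder` side says how credentials are checked, the `HttpSecurity` side says who may reach which endpoint. The class below is an added example, not the project's own code; it uses the Spring Security 5 `WebSecurityConfigurerAdapter`/`antMatchers` API that matches the one-line rule shown later on this page. The `/api/login` and `/api/token/refresh` paths, the `ROLE_USER` role and the read-only rule for `/api/user/**` are assumptions; the filter that verifies the bearer token and populates the `SecurityContext` is project code and is not shown.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Loads users and their roles from the database (Spring Data JPA in this project).
    private final UserDetailsService userDetailsService;

    public SecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // store hashes, never plaintext; BCrypt is deliberately slow
    }

    // Authentication: how a username/password pair is verified.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    // Authorization: which already-authenticated callers may reach which endpoints.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Identity travels in an Authorization header, not a session cookie, so no server-side
        // session is created. Disabling CSRF is only acceptable because the browser never attaches
        // a bearer token automatically.
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Rules are evaluated top to bottom and the first match wins: public endpoints first,
        // the narrow admin-only rule before the broader /api/user/** rule, deny-by-default last.
        http.authorizeRequests()
            .antMatchers("/api/login/**", "/api/token/refresh/**").permitAll()   // assumed paths; callers have no token yet
            .antMatchers("/api/user/save").hasAnyAuthority("ROLE_ADMIN")          // the rule quoted in this README
            .antMatchers(HttpMethod.GET, "/api/user/**").hasAnyAuthority("ROLE_USER", "ROLE_ADMIN")   // assumed read rule
            .anyRequest().authenticated();

        // The project's JWT filter (reads "Authorization: Bearer <token>", verifies it, fills the
        // SecurityContext) is registered here with http.addFilterBefore(...); not shown.
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();   // exposed so the login endpoint can authenticate credentials
    }
}
```

Spring Security 6 (Spring Boot 3) removed `WebSecurityConfigurerAdapter` and `antMatchers`; the same rules are then expressed as a `SecurityFilterChain` bean using `authorizeHttpRequests()` and `requestMatchers(...)`.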
- Dependencies
  - Spring Data JPA - Persists data in SQL stores with the Java Persistence API, using Spring Data and Hibernate.
  - MySQL Driver - MySQL JDBC and R2DBC driver.
  - Spring Web - Build web, including RESTful, applications using Spring MVC. Uses Apache Tomcat as the default embedded container.
  - Spring Security - Highly customizable authentication and access-control framework for Spring applications.
  - Spring Boot DevTools - Provides fast application restarts, LiveReload and configurations for an enhanced development experience.
  - Lombok - Java annotation library which helps reduce boilerplate code.
- Run the application:

```shell
mvn clean spring-boot:run
```

- Point your browser to http://localhost:8080/
- The flow the project demonstrates:
  - Login to get an access token and a refresh token.
  - Logging in with bad credentials is rejected.
  - Unauthorized access to an endpoint is rejected.
  - Use the refresh token to get another access token.
  - Get all the users in the database.
  - Add a user to the database; this requires the admin role:

    ```java
    http.authorizeRequests().antMatchers("/api/user/save").hasAnyAuthority("ROLE_ADMIN")
    ```

  - Adding a user that already exists in the database is rejected.
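The steps above, end to end, as an added example that is not the project's code: login issues an access token carrying the user's roles and a refresh token carrying none, every protected call verifies the token before reading its claims, and the role check for `/api/user/save` runs only on a token that passed verification. The page does not name the JWT library the project uses, so this stand-alone class hand-rolls the HS256 signing and checking with the JDK only (illustration, not a replacement for a maintained library). The in-memory users, their plaintext passwords (the real project keeps BCrypt hashes in MySQL), the `/api/users` path and the numeric status codes returned in place of HTTP responses are all constructed for the demo. Runs with `java TokenFlowDemo.java` on Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Access/refresh token flow with role checks; HS256 hand-rolled for illustration only. */
public class TokenFlowDemo {
    // Demo-only key. A real deployment loads a random 256-bit secret from configuration.
    private static final byte[] KEY = "demo-only-key-replace-with-random-256-bit-secret".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String HEADER = ENC.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    static final long ACCESS_TTL = 10 * 60, REFRESH_TTL = 30 * 60;   // seconds

    // Constructed in-memory user store. The real project keeps BCrypt hashes in MySQL, not plaintext.
    static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw");
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("ROLE_USER", "ROLE_ADMIN"), "bob", List.of("ROLE_USER"));

    record Claims(String sub, String typ, long exp, List<String> roles) {}
    record Tokens(String access, String refresh) {}

    /** Authentication: who is this? Wrong credentials -> null (the app answers 401). */
    static Tokens login(String username, String password) {
        String stored = PASSWORDS.get(username);
        // Constant-time compare; with BCrypt you would call PasswordEncoder.matches instead.
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))) return null;
        long now = Instant.now().getEpochSecond();
        // The refresh token carries no roles: it only proves identity when exchanged for a new access token.
        return new Tokens(sign(username, "access", now + ACCESS_TTL, ROLES.get(username)), sign(username, "refresh", now + REFRESH_TTL, List.of()));
    }

    static String sign(String sub, String typ, long exp, List<String> roles) {
        StringJoiner r = new StringJoiner(",");
        roles.forEach(role -> r.add("\"" + role + "\""));
        String payload = "{\"sub\":\"" + sub + "\",\"typ\":\"" + typ + "\",\"exp\":" + exp + ",\"roles\":[" + r + "]}";
        String signingInput = HEADER + "." + ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + ENC.encodeToString(hmac(signingInput));
    }

    static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private static final Pattern SUB = Pattern.compile("\"sub\":\"([A-Za-z0-9_]+)\""), TYP = Pattern.compile("\"typ\":\"(access|refresh)\""),
            EXP = Pattern.compile("\"exp\":(\\d{1,18})"), RLS = Pattern.compile("\"roles\":\\[([^\\]]*)\\]");

    /** Verify signature, expiry and token type. Anything off -> null; never a partially trusted token. */
    static Claims verify(String token, String expectedTyp, long now) {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !p[0].equals(HEADER)) return null;   // exact header match: no "alg":"none", no algorithm swap
        try {
            if (!MessageDigest.isEqual(hmac(p[0] + "." + p[1]), DEC.decode(p[2]))) return null;   // check the signature BEFORE reading claims
            String payload = new String(DEC.decode(p[1]), StandardCharsets.UTF_8);
            Matcher s = SUB.matcher(payload), t = TYP.matcher(payload), x = EXP.matcher(payload), r = RLS.matcher(payload);
            if (!s.find() || !t.find() || !x.find() || !r.find()) return null;
            long exp = Long.parseLong(x.group(1));
            if (exp <= now || !t.group(1).equals(expectedTyp)) return null;   // expired, or a refresh token offered where an access token is required
            List<String> roles = new ArrayList<>();
            for (String role : r.group(1).split(",")) if (role.length() > 2) roles.add(role.trim().replace("\"", ""));
            return new Claims(s.group(1), t.group(1), exp, roles);
        } catch (IllegalArgumentException e) { return null; }   // malformed base64url
    }

    /** Authorization: may this authenticated caller do this? Mirrors the antMatchers rules; returns the status the app would send. */
    static int authorize(String accessToken, String method, String path, long now) {
        Claims c = verify(accessToken, "access", now);
        if (c == null) return 401;
        if (method.equals("POST") && path.equals("/api/user/save")) return c.roles().contains("ROLE_ADMIN") ? 200 : 403;
        if (method.equals("GET") && path.startsWith("/api/user")) return c.roles().contains("ROLE_USER") || c.roles().contains("ROLE_ADMIN") ? 200 : 403;
        return 403;
    }

    /** Refresh: a valid refresh token buys a new access token; roles are re-read from the store, so demotions take effect. */
    static String refresh(String refreshToken, long now) {
        Claims c = verify(refreshToken, "refresh", now);
        return (c == null || !ROLES.containsKey(c.sub())) ? null : sign(c.sub(), "access", now + ACCESS_TTL, ROLES.get(c.sub()));
    }

    public static void main(String[] args) {
        long now = Instant.now().getEpochSecond(), later = now + ACCESS_TTL + 1;
        Tokens alice = login("alice", "alice-pw"), bob = login("bob", "bob-pw");
        System.out.println("bad password              -> " + (login("alice", "nope") == null ? 401 : 200));
        System.out.println("bob   POST /api/user/save -> " + authorize(bob.access(), "POST", "/api/user/save", now));
        System.out.println("alice POST /api/user/save -> " + authorize(alice.access(), "POST", "/api/user/save", now));
        System.out.println("refresh token as access   -> " + authorize(alice.refresh(), "GET", "/api/users", now));
        System.out.println("expired access token      -> " + authorize(alice.access(), "GET", "/api/users", later));
        System.out.println("refreshed access token    -> " + authorize(refresh(alice.refresh(), later), "GET", "/api/users", later));
        // bob rewrites his own payload to claim ROLE_ADMIN but cannot re-sign it: the signature check fails first.
        String[] p = bob.access().split("\\.");
        String forgedPayload = new String(DEC.decode(p[1]), StandardCharsets.UTF_8).replace("[\"ROLE_USER\"]", "[\"ROLE_USER\",\"ROLE_ADMIN\"]");
        String forged = p[0] + "." + ENC.encodeToString(forgedPayload.getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("forged ROLE_ADMIN claim   -> " + authorize(forged, "POST", "/api/user/save", now));
    }
}
```

Two design points worth carrying into the Spring project: the `typ` claim keeps a stolen refresh token from being replayed as an access token (a refresh token is only ever accepted by the refresh endpoint), and `refresh` rebuilds the access token from the current roles in the store rather than copying roles out of the old token, so revoking someone's admin role takes effect at the next refresh instead of never.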