vishalgiri-git/Authify--Spring-JWT


πŸ” Authify – Spring Security with JWT

Authify is a Spring Boot application that demonstrates JWT-based authentication and role-based authorization using Spring Security.
The application follows a stateless security architecture suitable for RESTful backend services.


🧠 Security Architecture Overview

This project uses JWT-only authentication:

  • No HTTP sessions
  • No Basic Authentication
  • Fully stateless request handling

Security is implemented in three clear layers:

1. Authentication

  • User logs in using email and password
  • Passwords are securely stored using BCrypt hashing

2. JWT Validation

  • A signed JWT token is generated after successful login
  • A custom JWT filter validates the token on every request
  • SecurityContext is populated using token claims

3. Authorization

  • Access control is enforced using roles (USER, ADMIN)
  • Rules are centralized using Spring Security configuration and annotations

🔑 Authentication Flow

  1. User registers using the public register API
  2. User logs in using email and password
  3. Credentials are authenticated using AuthenticationManager
  4. A JWT token is generated and returned
  5. Client sends the JWT in Authorization: Bearer header
  6. JWT filter validates the token and grants access

Credentials are used only once during login.
All subsequent requests rely on JWT authentication.
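The login step of this flow (steps 2 to 4), as an added example written for this README rather than code taken from the Authify repository. It assumes Spring Boot 3 with Spring Security 6 and the jjwt 0.12.x library; the package name and the properties `app.jwt.secret` (an HS256 secret of at least 32 bytes, supplied from the environment) and `app.jwt.expiry-ms` are assumptions, while the endpoint path and the `{"token": ...}` response shape match the README.

```java
package dev.example.authify.auth; // package name assumed

import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the Authify repository's own controller.
@RestController
public class AuthController {

    private final AuthenticationManager authenticationManager;
    private final SecretKey signingKey;
    private final long expiryMs;

    public AuthController(AuthenticationManager authenticationManager,
                          @Value("${app.jwt.secret}") String secret,           // assumed property; >= 32 bytes for HS256
                          @Value("${app.jwt.expiry-ms:900000}") long expiryMs) { // assumed property; default 15 minutes
        this.authenticationManager = authenticationManager;
        this.signingKey = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.expiryMs = expiryMs;
    }

    record LoginRequest(String email, String password) {}

    // The only endpoint that ever sees a password. AuthenticationManager delegates to
    // DaoAuthenticationProvider, which loads the user through CustomUserDetailsService
    // and compares the BCrypt hash; nothing is stored in an HTTP session.
    @PostMapping("/api/v1/auth/login")
    public ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest req) {
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(req.email(), req.password()));
        } catch (AuthenticationException e) {
            // One generic 401 for unknown email, wrong password, or a locked/disabled
            // account, so the response does not reveal which accounts exist.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        return ResponseEntity.ok(Map.of("token", issueToken(auth)));
    }

    // Short-lived HS256 token: subject = email, "roles" = the granted authorities.
    // The filter on later requests trusts only what it can verify from this token.
    private String issueToken(Authentication auth) {
        List<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)   // e.g. "ROLE_USER"
                .toList();
        Date now = new Date();
        return Jwts.builder()
                .subject(auth.getName())
                .claim("roles", roles)
                .issuedAt(now)
                .expiration(new Date(now.getTime() + expiryMs))
                .signWith(signingKey)
                .compact();
    }
}
```

Two design points worth noting: the credentials object is discarded as soon as `authenticate()` returns, so the password never outlives the login request, and the `exp` claim bounds how long a stolen token stays usable, which matters because a stateless design has no server-side session to revoke.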


👥 Roles & Access Control

  • ROLE_USER – Default role for all registered users
  • ROLE_ADMIN – System-controlled role

Admin users are not created via public APIs.
They are bootstrapped internally to prevent privilege escalation.


πŸ›‘οΈ Authorization Strategy

  • Public APIs β†’ permitAll()
  • Protected APIs β†’ authentication required
  • Admin-only APIs β†’ role-based access control

Authorization is enforced using URL-based security rules and method-level security.

@EnableMethodSecurity
@PreAuthorize("hasRole('ADMIN')")
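The three access tiers expressed as a SecurityFilterChain plus a method-level check, as an added example written for this README and not the Authify repository's own configuration. It assumes Spring Security 6, a `JwtAuthenticationFilter` bean as listed under Key Security Components, and a Spring Data `ProfileRepository` / `Profile` pair (names assumed) for the admin listing; the paths are the README's own.

```java
package dev.example.authify.config; // package name assumed

import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the Authify repository's own SecurityConfig.
@Configuration
@EnableMethodSecurity // activates @PreAuthorize on controller and service methods
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    JwtAuthenticationFilter jwtFilter) throws Exception { // bean assumed to exist
        return http
            // No cookie session is ever created, so CSRF does not apply and a
            // JSESSIONID can never stand in for a token.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No Basic auth and no form login: the JWT filter is the only way in.
            .httpBasic(AbstractHttpConfigurer::disable)
            .formLogin(AbstractHttpConfigurer::disable)
            // Unauthenticated callers get a plain 401, not a redirect to a login page.
            .exceptionHandling(e -> e.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/v1/profile/register",
                                                  "/api/v1/auth/login").permitAll()
                .requestMatchers("/api/v1/profile/all").hasRole("ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/api/v1/profile/delete/**").hasRole("ADMIN")
                .anyRequest().authenticated())   // default deny for anything not listed
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // salted, adaptive work factor
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager(); // wires DaoAuthenticationProvider + CustomUserDetailsService
    }
}

@RestController
@RequestMapping("/api/v1/profile")
class ProfileController {

    private final ProfileRepository profiles; // assumed Spring Data repository

    ProfileController(ProfileRepository profiles) {
        this.profiles = profiles;
    }

    // Reachable by any authenticated role; the principal comes from the token's subject.
    @GetMapping("/welcome")
    public Map<String, String> welcome(Authentication auth) {
        return Map.of("message", "Welcome " + auth.getName());
    }

    // Defence in depth: the URL rule above already requires ADMIN, and this check
    // still holds if the path is ever remapped or the method is called elsewhere.
    @GetMapping("/all")
    @PreAuthorize("hasRole('ADMIN')")
    public List<Profile> all() {
        return profiles.findAll();
    }
}
```

`hasRole("ADMIN")` matches an authority named `ROLE_ADMIN`, so the roles stored with the user and written into the token must carry the `ROLE_` prefix exactly as the README lists them.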

🔌 API Endpoints

🔓 Public Endpoints

Register User: POST /api/v1/profile/register

Request body:

{
 "name": "John Doe",
 "email": "john@example.com",
 "password": "password123"
}

Login (Generate JWT): POST /api/v1/auth/login

Request body:

{
 "email": "john@example.com",
 "password": "password123"
}

Response body:

{
 "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

πŸ” Protected Endpoints

Welcome (Any Authenticated User) GET /api/v1/profile/welcome

Authorization: Bearer <JWT_TOKEN>


🔒 Admin-Only Endpoints

Get All Profiles GET /api/v1/profile/all

  • ROLE_ADMIN → Allowed
  • ROLE_USER → 403 Forbidden

Delete Profile DELETE /api/v1/profile/delete/{email}

Authorization: Bearer <JWT_TOKEN>


βš™οΈ Key Security Components

  • SecurityFilterChain – Defines public and protected APIs
  • CustomUserDetailsService – Loads user details from database
  • DaoAuthenticationProvider – Handles authentication logic
  • BCryptPasswordEncoder – Secure password hashing
  • JwtAuthenticationFilter – Validates JWT on every request
  • JwtUtil – Token generation and validation
  • EnableMethodSecurity – Enables method-level authorization

✅ Summary

This project demonstrates a clean, secure, and production-ready implementation of Spring Security using JWT, following modern best practices and avoiding common security mistakes.
