<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Spring-Security on Devops Monk</title><link>https://devops-monk.com/tags/spring-security/</link><description>Recent content in Spring-Security on Devops Monk</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sun, 03 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://devops-monk.com/tags/spring-security/index.xml" rel="self" type="application/rss+xml"/><item><title>JWT Authentication: Build a Complete Login System</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-jwt/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-jwt/</guid><description>JWT (JSON Web Token) is the standard for stateless REST API authentication. This article builds a complete JWT authentication system — login, token generation, request validation, and token refresh.
What is a JWT?
A JWT has three base64url-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← Header (algorithm + type)
.eyJzdWIiOiJ1c2VyMTIzIiwicm9sZXMiOlsiVVNFUiJdLCJpYXQiOjE3MTQ3MjY0MDAsImV4cCI6MTcxNDczMDAwMH0 ← Payload
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← Signature
The payload contains claims:
{
  &amp;#34;sub&amp;#34;: &amp;#34;user123&amp;#34;, // subject (user identifier)
  &amp;#34;roles&amp;#34;: [&amp;#34;USER&amp;#34;],
  &amp;#34;iat&amp;#34;: 1714726400, // issued at
  &amp;#34;exp&amp;#34;: 1714730000 // expires at
}
The signature is an HMAC over the header and payload, so any tampering is detected.</description></item><item><title>OAuth2 Authorization Server with Spring Security</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-authorization-server/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-authorization-server/</guid><description>Most teams use a managed auth provider (Keycloak, Auth0). But sometimes you need your own — multi-tenant SaaS, air-gapped environments, or full control over token contents. Spring Authorization Server provides a production-ready OAuth2 + OIDC implementation.
When to Build Your Own vs Use a Provider
Use a managed provider (Keycloak/Auth0): Most applications. Faster to set up, maintained externally, handles compliance.
Build your own: Multi-tenant platforms issuing tokens on behalf of tenant auth providers, air-gapped or regulated environments, products that ARE the identity provider, or when you need full control over token structure and storage.</description></item><item><title>OAuth2 Resource Server: Validate JWTs from an Auth Provider</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-resource-server/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-resource-server/</guid><description>In production, you rarely build your own auth server. You use an external provider — Keycloak, Auth0, Okta, or AWS Cognito. This article shows how to configure Spring Boot as a Resource Server that validates JWTs issued by any OIDC-compliant provider.
The OAuth2 Architecture
[Diagram] Auth Server (Keycloak/Auth0): issues JWTs, publishes JWKS. Client (Browser/Mobile): obtains a JWT from the Auth Server and sends it as a Bearer Token to the Resource Server (Spring Boot), which validates the JWT via the JWKS URI.
1. Client authenticates with the Auth Server and receives a JWT
2. Client sends the JWT as Authorization: Bearer &amp;lt;token&amp;gt; to the Resource Server
3. Resource Server validates the JWT by fetching the public key from the Auth Server&amp;rsquo;s JWKS endpoint
4. If valid, the Resource Server processes the request
Setup &amp;lt;dependency&amp;gt; &amp;lt;groupId&amp;gt;org.</description></item><item><title>OWASP Top 10 for Spring Boot: Real Vulnerabilities and How to Fix Them</title><link>https://devops-monk.com/2026/05/spring-boot-owasp-security/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/2026/05/spring-boot-owasp-security/</guid><description>The OWASP Top 10 lists the most critical web application security risks. Spring Boot apps have their own common failure patterns: exposed Actuator endpoints, secrets in properties files, SQL built from string concatenation, and Spring Security misconfiguration.
This guide covers the vulnerabilities that actually appear in Spring Boot applications and how to fix each one.
1. SQL Injection
SQL injection remains one of the most critical vulnerabilities. It allows attackers to manipulate database queries.</description></item><item><title>Password Encoding and User Authentication</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-authentication/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-authentication/</guid><description>Every application needs user registration and login. This article builds a complete authentication system — from storing passwords safely to handling failed login attempts.
Never Store Passwords in Plain Text
Store a one-way hash, not the password. BCrypt is the industry standard:
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(12); // cost factor 12 → ~250ms per hash on modern hardware
                                          // strong enough to slow down brute-force attacks
}
BCrypt properties:</description></item><item><title>Role-Based Access Control with @PreAuthorize</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-rbac/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-rbac/</guid><description>Roles and permissions control what authenticated users can do. This article implements a complete RBAC system — from URL-level rules to method-level security and resource ownership checks.
Roles vs Permissions
Roles are coarse-grained groupings (USER, MANAGER, ADMIN).
Permissions are fine-grained actions (READ_ORDERS, WRITE_PRODUCTS, DELETE_USERS).
Assign permissions to roles:
ADMIN → all permissions
MANAGER → READ_ORDERS, WRITE_ORDERS, READ_PRODUCTS, WRITE_PRODUCTS
USER → READ_OWN_ORDERS, WRITE_OWN_ORDERS, READ_PRODUCTS
Model permissions as a typed enum:
public enum Permission {
    // Order permissions
    READ_ORDERS, WRITE_ORDERS, DELETE_ORDERS,
    READ_OWN_ORDERS, WRITE_OWN_ORDERS,
    // Product permissions
    READ_PRODUCTS, WRITE_PRODUCTS, DELETE_PRODUCTS,
    // User management
    READ_USERS, WRITE_USERS, DELETE_USERS
}
public enum Role { USER(Set.</description></item><item><title>Spring Security Fundamentals: Filter Chain, Authentication, and Authorization</title><link>https://devops-monk.com/tutorials/spring-boot/spring-security-fundamentals/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-security-fundamentals/</guid><description>Spring Security is powerful but famously hard to understand. This article demystifies the core: the filter chain, how requests are processed, and how authentication and authorization work before writing a line of security config.
Setup
&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;org.springframework.boot&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;spring-boot-starter-security&amp;lt;/artifactId&amp;gt;
&amp;lt;/dependency&amp;gt;
The moment you add this dependency, Spring Boot&amp;rsquo;s auto-configuration secures all endpoints with HTTP Basic authentication. A random password is printed at startup. This is the starting point — you&amp;rsquo;ll replace the defaults.</description></item><item><title>Testing Secured Endpoints</title><link>https://devops-monk.com/tutorials/spring-boot/spring-boot-security-testing/</link><pubDate>Sun, 03 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/spring-boot/spring-boot-security-testing/</guid><description>Security tests verify that your endpoints behave correctly for different users, roles, and authentication states. This article covers the full toolkit — from simple annotations to custom security contexts.
Setup
&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;org.springframework.security&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;spring-security-test&amp;lt;/artifactId&amp;gt;
    &amp;lt;scope&amp;gt;test&amp;lt;/scope&amp;gt;
&amp;lt;/dependency&amp;gt;
spring-boot-starter-test includes this automatically.
@WithMockUser — Simple Role-Based Tests
The simplest way to run a test as an authenticated user:
@WebMvcTest(OrderController.class)
class OrderControllerSecurityTest {
    @Autowired MockMvc mockMvc;
    @MockBean OrderService orderService;

    // No authentication
    @Test
    void unauthenticatedUserIsRejected() throws Exception {
        mockMvc.</description></item></channel></rss>