The latest articles on DEV Community by Yen Colon (@yencolon). https://dev.to/yencolon https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F525833%2F59e17d77-7553-4388-b0fa-274a0603fed9.jpeg https://dev.to/yencolon en Yen Colon Sat, 04 Jan 2025 18:56:54 +0000 https://dev.to/yencolon/understanding-spring-security-building-an-authentication-flow-in-less-than-a-day-bm https://dev.to/yencolon/understanding-spring-security-building-an-authentication-flow-in-less-than-a-day-bm <p>Recently, while experimenting with Spring Boot, I decided to implement an authentication flow. I started by reading documentation and watching tutorials. While these resources were helpful, I often encountered "blind spots" when it came to understanding how Spring Security works under the hood.</p> <p>In this brief article, I’ll explain how Spring Security works and guide you through the steps to set up an authentication flow in less than a day.</p> <h2> Step 1: Choose the Right Libraries </h2> <p>First, you need to add the necessary dependencies. In our case, we’ll use <strong>Spring Boot Security Starter</strong> and <strong>Java JWT</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>For handling JSON Web Tokens (JWTs), we’ll later add dependencies for <strong>JJWT</strong>.</p> <h2> Step 2: Configure Spring Security </h2> <p>With the dependencies installed, we can configure Spring Security. Here’s a diagram of the key components involved:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8siztjlt9prz32ph25w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8siztjlt9prz32ph25w.png" alt="Spring security" width="800" height="720"></a></p> <p>To get started, create a new class annotated with <code>@Configuration</code>. In this class, we’ll define a few essential <code>@Bean</code> methods, including:</p> <ul> <li> <strong>PasswordEncoder</strong>: For securely storing passwords.</li> <li> <strong>SecurityFilterChain</strong>: To define the security filter logic.</li> <li> <strong>AuthenticationManager</strong>: To handle authentication processes.</li> </ul> <h3> PasswordEncoder </h3> <p>This <code>@Bean</code> ensures that passwords are securely hashed before being stored in the database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <h3> SecurityFilterChain </h3> <p>This <code>@Bean</code> allows you to define security rules for incoming HTTP requests, such as authorization checks and filter chains.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/login"</span><span class="o">,</span> <span class="s">"/register"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">())</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">().</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <h3> AuthenticationManager </h3> <p>The <code>AuthenticationManager</code> coordinates authentication by delegating the process to configured <code>AuthenticationProvider</code> instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManager</span><span class="o">(</span><span class="nc">AuthenticationConfiguration</span> <span class="n">config</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">config</span><span class="o">.</span><span class="na">getAuthenticationManager</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <h2> Step 3: Implement <code>UserDetailsService</code> </h2> <p>Now that the security configuration is set up, the next step is to implement the <code>UserDetailsService</code>. But why is this necessary?</p> <p>The <code>UserDetailsService</code> is responsible for retrieving user details from the database, allowing us to verify credentials during authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CustomUserDetailsService</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span> <span class="nc">User</span> <span class="n">user</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByUsername</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">UsernameNotFoundException</span><span class="o">(</span><span class="s">"User not found"</span><span class="o">));</span> <span class="k">return</span> <span class="k">new</span> <span class="n">org</span><span class="o">.</span><span class="na">springframework</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">core</span><span class="o">.</span><span class="na">userdetails</span><span class="o">.</span><span class="na">User</span><span class="o">(</span> <span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">user</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Step 4: Add JWT Utilities </h2> <p>With the basics in place, it’s time to configure JWT handling. For this, we’ll use the <strong>JJWT</strong> library. Add the following dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-api<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.12.6<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-impl<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.12.6<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-jackson<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.12.6<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> Example: JWT Utility Class </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtUtils</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">jwtSecret</span> <span class="o">=</span> <span class="s">"yourSecretKey"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">jwtExpirationMs</span> <span class="o">=</span> <span class="mi">86400000</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">generateJwtToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">.</span><span class="na">setIssuedAt</span><span class="o">(</span><span class="k">new</span> <span class="nc">Date</span><span class="o">())</span> <span class="o">.</span><span class="na">setExpiration</span><span class="o">(</span><span class="k">new</span> <span class="nc">Date</span><span class="o">((</span><span class="k">new</span> <span class="nc">Date</span><span class="o">()).</span><span class="na">getTime</span><span class="o">()</span> <span class="o">+</span> <span class="n">jwtExpirationMs</span><span class="o">))</span> <span class="o">.</span><span class="na">signWith</span><span class="o">(</span><span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">HS512</span><span class="o">,</span> <span class="n">jwtSecret</span><span class="o">)</span> <span class="o">.</span><span class="na">compact</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">validateJwtToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">token</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">parser</span><span class="o">().</span><span class="na">setSigningKey</span><span class="o">(</span><span class="n">jwtSecret</span><span class="o">).</span><span class="na">parseClaimsJws</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Best Practices </h2> <ul> <li> <strong>Secure sensitive keys:</strong> Use environment variables or a secrets manager for your <code>jwtSecret</code>.</li> <li> <strong>Hash passwords securely:</strong> Always use a strong hashing algorithm like BCrypt.</li> <li> <strong>Test your configuration:</strong> Use tools like Postman or cURL to ensure everything works as expected.</li> <li> <strong>Implement role-based access control:</strong> Customize access based on user roles.</li> </ul> <h2> Common Pitfalls </h2> <ul> <li> <strong>Disabling CSRF inappropriately:</strong> Make sure to disable CSRF only for stateless APIs.</li> <li> <strong>Using plaintext passwords:</strong> Never store plaintext passwords; always use a <code>PasswordEncoder</code>.</li> <li> <strong>Hardcoding sensitive values:</strong> Avoid hardcoding secrets like the JWT key.</li> </ul> <h2> Conclusion and Next Steps </h2> <p>By following these steps, you can set up a complete authentication flow in a day. Spring Security’s powerful features might seem overwhelming at first, but with a structured approach, you can harness its capabilities effectively.</p> <p>For further learning, consider:</p> <ul> <li>Adding refresh tokens to your flow.</li> <li>Exploring role-based access control with Spring Security.</li> <li>Integrating OAuth2 for more advanced authentication flows.</li> </ul>