Spring Security Java API Introduction

This quickstart will guide you through the various tasks related to using Auth0-issued JSON Web Tokens to secure your Java Spring Security API.

System Requirements

These tutorials and seed projects have been tested with the following:

  • Java 7 or above
  • Maven 3.0.x or above

Seed & Samples

If you prefer to follow along with this quickstart you can download the seed project. The seed project is just a basic Spring Security API.

The final project after each of the steps is also available in the Sample repository. You can find the final result for each step in the relevant folder inside the repository.

Create a Client

Create an Auth0 account (or log in) and add an authentication client instance from the dashboard. Once you create your client, you will be provided with credentials (domain, client ID, and client secret), which should be stored somewhere safe (do not commit this information to your git repo!). After you log in, the sample projects available for download will be pre-configured with your Default App credentials.


Set up dependencies

You need to add the auth0-spring-security-api dependency.

If you are using Maven, add the dependency to your pom.xml:


If you are using Gradle, add it to the dependencies block:

dependencies {
  // Existing dependencies
  compile 'com.auth0:auth0-spring-security-api:0.3.2'
}

Configure your Spring Security API

Your Spring Security API needs some information in order to authenticate against your Auth0 account. We have created a file for you, but you may need to update some of the entries with the valid values for your client. The file is /src/main/resources/auth0.properties and it contains the following:

auth0.securedRoute: NOT_USED
auth0.base64EncodedSecret: true
auth0.authorityStrategy: ROLES
auth0.defaultAuth0ApiSecurityEnabled: false
auth0.signingAlgorithm: HS256
#auth0.signingAlgorithm: RS256
#auth0.publicKeyPath: certificate/cert.pem

Let's see what each attribute means.

Attribute | Description
auth0.domain | Your Auth0 domain. You can find the correct value on the Settings tab of your client on the dashboard. *
auth0.issuer | The issuer of the JWT. This is typically your Auth0 domain with an https:// prefix and a / suffix. For example, if your auth0.domain is example.auth0.com, then auth0.issuer should be set to https://example.auth0.com/ (the trailing slash is important).
auth0.clientId | The unique identifier for your client. You can find the correct value on the Settings tab of your client on the dashboard. *
auth0.clientSecret | The secret used to sign and validate the tokens that will be used in the different authentication flows. You can find the correct value on the Settings tab of your client on the dashboard. *
auth0.securedRoute | The URL pattern that should map to the URL endpoint you wish to secure. You should replace its value with the correct value for your implementation. It should start with /. *
auth0.base64EncodedSecret | A boolean value indicating whether the secret used to verify the JWT is Base64 encoded. Default is true.
auth0.authorityStrategy | Indicates whether authorization claims against the Principal shall be GROUPS, ROLES or SCOPE based. Default is ROLES.
auth0.defaultAuth0ApiSecurityEnabled | A boolean value that switches the default config on or off. It should be set to false.
auth0.signingAlgorithm: HS256 | Used when you want to use HS256 as the signing algorithm. We will see more on this in the next steps.
#auth0.signingAlgorithm: RS256 | Used when you want to use RS256 as the signing algorithm. We will see more on this in the next steps.
#auth0.publicKeyPath: certificate/cert.pem | Indicates the certificate to use in case you use RS256. We will see more on this in the next steps.

NOTE: If you download the seed using our Download Sample button, the domain, clientId and clientSecret attributes will be populated for you, unless you are not logged in or you do not have at least one registered client. In any case, if you have multiple clients in your account, you should verify that the values are correct, since you might want to use a client other than the one we set the information for. Do not forget to manually set the issuer attribute!
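
A pre-flight check for the attributes described above, as an added example that is not part of the Auth0 quickstart or library: it loads auth0.properties-style text and reports an issuer that is not https://<domain>/, a signing algorithm without its key material, and a secret flagged as Base64 that does not decode. The class name, messages and sample values are assumptions, and Java 8 or later is assumed for java.util.Base64.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Properties;

// Added example (hypothetical class): sanity-check auth0.properties before deployment.
public class Auth0PropertiesCheck {
    static String get(Properties p, String key, String def) { return p.getProperty(key, def).trim(); }

    static List<String> check(Properties p) {
        List<String> problems = new ArrayList<>();
        String domain = get(p, "auth0.domain", "");
        // The issuer is the domain with an https:// prefix and a trailing slash.
        if (domain.isEmpty() || !get(p, "auth0.issuer", "").equals("https://" + domain + "/"))
            problems.add("auth0.issuer should be https://" + domain + "/ (trailing slash included)");
        if (!"false".equals(get(p, "auth0.defaultAuth0ApiSecurityEnabled", "")))
            problems.add("auth0.defaultAuth0ApiSecurityEnabled should be false");
        String alg = get(p, "auth0.signingAlgorithm", "");
        if ("HS256".equals(alg)) {
            String secret = get(p, "auth0.clientSecret", "");
            // base64EncodedSecret defaults to true, per the attribute table.
            boolean b64 = Boolean.parseBoolean(get(p, "auth0.base64EncodedSecret", "true"));
            if (secret.isEmpty()) problems.add("HS256 needs auth0.clientSecret");
            else if (b64 && !decodes(secret)) problems.add("secret is flagged Base64 but does not decode");
        } else if ("RS256".equals(alg)) {
            if (get(p, "auth0.publicKeyPath", "").isEmpty()) problems.add("RS256 needs auth0.publicKeyPath");
        } else {
            problems.add("auth0.signingAlgorithm must be HS256 or RS256, got '" + alg + "'");
        }
        return problems;
    }

    // Assumption: accept either the URL-safe or the standard Base64 alphabet.
    static boolean decodes(String s) {
        try { Base64.getUrlDecoder().decode(s); return true; } catch (IllegalArgumentException e) { /* try standard */ }
        try { Base64.getDecoder().decode(s); return true; } catch (IllegalArgumentException e) { return false; }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: issuer lacks the trailing slash, secret is still a placeholder.
        String sample = "auth0.domain: example.auth0.com\n"
                + "auth0.issuer: https://example.auth0.com\n"
                + "auth0.clientSecret: <client secret>\n"
                + "auth0.defaultAuth0ApiSecurityEnabled: false\n"
                + "auth0.signingAlgorithm: HS256\n";
        Properties p = new Properties();
        p.load(new StringReader(sample));
        for (String problem : check(p)) System.out.println("FAIL: " + problem);
    }
}
```

With the constructed sample, the check reports the missing trailing slash on the issuer and the placeholder secret.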

That's all you need to start working with Auth0 in your Spring Security API!
