Spring Security Java API: Authorization

Gravatar for luciano.balmaceda@auth0.com
By Luciano Balmaceda
Auth0

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • Java 8 or above
  • Maven 3.0.x or above
Show requirements

This tutorial shows you how to protect your Spring Security API endpoints and limit access to resources in your API.

Create an API

Create a new API in the APIs section of the Auth0 dashboard.

Enter a name and an identifier for the API. These values represent the auth0.apiAudience value in the configuration file.

Select the signing algorithm. In the Settings tab, you can change the token expiration time and allow to refresh a token for that API. In the Scopes tab, add scopes you will use later to limit access to resources in your API.

Scopes let you define which resources can be accessed by the user with a given Access Token. For example, you might choose to give the read access to the messages resource if a user has the manager access level, and a write access to that resource if they have the administrator access level.

To configure scopes, in your Auth0 dashboard, in the APIs section, click the Scopes tab. Configure the scopes you need.

Configure Scopes

This example uses the read:messages scope.

Install the Dependencies

Add the auth0-spring-security-api dependency.

If you are using Maven, add the dependency to your pom.xml file:

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>auth0-spring-security-api</artifactId>
  <version>1.0.0-rc.3</version>
</dependency>

If you are using Gradle, add the dependency to the dependencies block:

compile 'com.auth0:auth0-spring-security-api:1.0.0-rc.3'

Configure Your Spring Security API

Your Spring Security API needs some information to authenticate against your Auth0 account.

The sample project you can download from the top of this page comes with a configuration file. You may need to update some of the entries with the values for your API. The filename is /src/main/resources/auth0.properties and it contains the following:

auth0.issuer:https://YOUR_AUTH0_DOMAIN/
auth0.apiAudience:{YOUR_API_IDENTIFIER}
Attribute Description
auth0.issuer The issuer of the JWT Token. Typically, this is your Auth0 domain with a https:// prefix and a / suffix. For example, if your Auth0 domain is example.auth0.com, the auth0.issuer must be set to https://example.auth0.com/ (the trailing slash is important).
auth0.apiAudience The unique identifier for your API. You can find the correct value in the APIs section in your Auth0 dashboard.

If you download the sample project, the issuer attribute is filled out for you. You must manually set the apiAudience attribute.

Configure JSON Web Token Signature Algorithm

Configure your API to use the RS256 signing algorithm.

If you download the sample project, the signing algorithm is set to RS256 by default.

// src/main/java/com/auth0/example/AppConfig.java

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value(value = "${auth0.apiAudience}")
    private String apiAudience;
    @Value(value = "${auth0.issuer}")
    private String issuer;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256(apiAudience, issuer)
                .configure(http);
    }
}

Configure the Protected Endpoints

The example below shows how to implement secure API methods.

In the AppConfig class, add route matchers to the snippet. The hasAuthority() method provides a way to specify the required scope for the resource.

The routes shown below are available for the following requests:

  • GET /api/public: available for non-authenticated requests
  • GET /api/private: available for authenticated requests containing an access token with no additional scopes
  • GET /api/private-scoped: available for authenticated requests containing an access token with the read:messages scope granted
// src/main/java/com/auth0/example/AppConfig.java

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value(value = "${auth0.apiAudience}")
    private String apiAudience;
    @Value(value = "${auth0.issuer}")
    private String issuer;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256(apiAudience, issuer)
                .configure(http)
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/public").permitAll()
                .antMatchers(HttpMethod.GET, "/api/private").authenticated()
                .antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages");
    }
}

Create the API Controller

Create a new class called APIController to handle each request to the endpoints.

Next, in the AppConfig.java file, configure which endpoints are secure and which are not.

// src/main/java/com/auth0/example/APIController.java

import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.json.JSONObject;

@Controller
@Component
public class APIController {

    @RequestMapping(value = "/api/public", method = RequestMethod.GET, produces = "application/json")
    @ResponseBody
    public String publicEndpoint() {
        return new JSONObject()
                .put("message", "Hello from a public endpoint! You don\'t need to be authenticated to see this.")
                .toString();
    }

    @RequestMapping(value = "/api/private", method = RequestMethod.GET, produces = "application/json")
    @ResponseBody
    public String privateEndpoint() {
        return new JSONObject()
                .put("message", "Hello from a private endpoint! You need to be authenticated to see this.")
                .toString();
    }

    @RequestMapping(value = "/api/private-scoped", method = RequestMethod.GET, produces = "application/json")
    @ResponseBody
    public String privateScopedEndpoint() {
        return new JSONObject()
                .put("message", "Hello from a private endpoint! You need to be authenticated and have a scope of read:messages to see this.")
                .toString();
    }

}

To build and run the seed project, use the command: mvn spring-boot:run.

Next Tutorial
2. Using your API
Was this article helpful?
Use Auth0 for FREECreate free Account