Skip to content

Spring Security Authentication, Authorization, JWT, and OAuth2

Spring Security is a powerful authentication and authorization framework used to secure Java applications, especially Spring Boot applications.

It provides protection for:

  • REST APIs
  • Web applications
  • Microservices
  • Method-level security
  • Authentication (Who are you?)
  • Authorization (What can you access?)
  • Protection against attacks:
    • CSRF
    • Session fixation
    • Clickjacking
  • Password encryption
  • Integration with JWT, OAuth2, and LDAP
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.formLogin();
return http.build();
}
}
flowchart LR
    A[HTTP Request] --> B[Spring Security Filter Chain]
    B --> C[Authentication]
    C --> D[Authorization]
    D --> E[Controller]

Feature Authentication Authorization
Definition Verifies who the user is Determines what the user can access
Question Who are you? What are you allowed to do?
Happens First After authentication
Example Login with username/password Access admin APIs
Data Used Credentials Roles/Permissions
  1. User logs in.
Username: admin
Password: password
  1. System verifies the user and generates a token.

  2. User requests:

GET /admin/users
  1. Authorization checks:
ROLE_ADMIN -> Allowed
ROLE_USER -> Denied

Interview one-liner: Authentication verifies identity, while Authorization determines access permissions.


JWT (JSON Web Token) is a stateless authentication mechanism commonly used for REST APIs and microservices.

Instead of server-side sessions, the server issues a signed token.

Header.Payload.Signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiJ1c2VyMSIsInJvbGUiOiJBRE1JTiJ9
.
signature
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: POST /login (username/password)
    S->>S: Validate credentials
    S-->>C: JWT Token
    C->>S: Authorization: Bearer <token>
    S->>S: Validate JWT
    S-->>C: Protected Resource
POST /login
{
"username":"user",
"password":"123"
}
Authorization: Bearer <token>
flowchart TD
    A[Request] --> B[JWT Filter]
    B --> C[Validate Token]
    C --> D[Set Authentication in SecurityContext]
    D --> E[Controller]
  • Stateless authentication
  • Scalable for microservices
  • No server-side session storage
  • Ideal for REST APIs

OAuth2 is an authorization framework that enables secure API access using access tokens instead of sharing user credentials.

sequenceDiagram
    participant U as User
    participant C as Client App
    participant A as Authorization Server
    participant R as Resource Server

    U->>C: Login
    C->>A: Authorization Request
    A->>U: Authenticate
    U-->>A: Credentials
    A-->>C: Access Token
    C->>R: Bearer Token
    R-->>C: Protected Resource
Component Description
Resource Owner User
Client Application
Authorization Server Issues tokens
Resource Server Protected API
Terminal window
spring-boot-starter-oauth2-resource-server
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth -> oauth.jwt());
return http.build();
}
}
  1. User logs in with Google.
  2. Google authenticates the user.
  3. Google returns an access token.
  4. Client calls the API using:
Authorization: Bearer abc123
  1. Resource server validates the token.

  • Spring Security provides authentication, authorization, and protection against common web attacks.
  • Authentication verifies identity; authorization determines permissions.
  • JWT enables stateless authentication by sending a signed token with each request.
  • OAuth2 provides secure delegated authorization using access tokens.
  • Spring Boot integrates JWT and OAuth2 through Spring Security’s filter chain and resource server support.