Custom Spring Security Authentication with Redis Session Management and Role‑Based Access Control
This article provides a step‑by‑step guide to implementing custom login authentication in a Spring Boot application, including Redis‑backed session storage, token handling, security headers, and fine‑grained role‑based URL permission checks using custom filters and handlers.
The tutorial begins by outlining the requirements for a custom authentication system: custom login, token generation managed by Redis, and interface‑level permission verification.
Dependencies such as spring-boot-starter-security, spring-session-data-redis, and spring-boot-starter-data-redis are added to the Maven pom.xml file.
A WebSecurityConfig class extending WebSecurityConfigurerAdapter is created to ignore static resources, configure form login, and register a custom LoginFilter. The filter processes login requests, delegates authentication to a custom UserVerifyAuthenticationProvider, and returns a JSON response.
Custom handlers are implemented: CustomAuthenticationSuccessHandler returns a JSON payload with the authenticated user details. CustomAuthenticationFailureHandler returns error information on authentication failure. CustomAuthenticationEntryPoint handles unauthenticated access attempts. CustomAccessDeniedHandler handles authorized users accessing forbidden resources.
The authentication provider validates credentials by decoding the Base64‑encoded password sent by the client, comparing it with the MD5‑hashed password stored in the database, and building a UsernamePasswordAuthenticationToken that carries the user's roles.
Session management is configured to store sessions in Redis and to expose the session token via the x-auth-token response header using HeaderHttpSessionIdResolver.
Security headers such as content‑type options, XSS protection, cache control, HSTS, and frame options are explicitly enabled or disabled to harden the application.
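The Redis session, header‑carried session id and security‑header configuration from the two paragraphs above, as one added example rather than the article's listing. The session timeout, the ignored static paths and the inline JSON entry point and access‑denied handler are assumptions (the article uses separate CustomAuthenticationEntryPoint and CustomAccessDeniedHandler classes; lambdas are used here to keep the example self‑contained).

```java
import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
@EnableWebSecurity
// Sessions are stored in Redis; the inactivity timeout (assumed 30 min) is the token's server-side lifetime.
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Session id is exchanged in the X-Auth-Token header instead of a JSESSIONID cookie. */
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/static/**", "/favicon.ico"); // assumed static paths
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The session id never travels in a cookie, so browsers cannot attach it automatically
            // and CSRF protection can be disabled; re-enable it if a cookie-based session returns.
            .csrf().disable()
            .headers()
                .contentTypeOptions().and()            // X-Content-Type-Options: nosniff
                .xssProtection().and()                 // X-XSS-Protection: 1; mode=block (legacy browsers)
                .cacheControl().and()                  // Cache-Control: no-cache, no-store; Pragma; Expires
                .httpStrictTransportSecurity()         // Strict-Transport-Security, emitted on HTTPS responses only
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000).and()
                .frameOptions().deny()                 // X-Frame-Options: DENY
            .and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            .exceptionHandling()
                // Not logged in -> 401 JSON; logged in but not allowed -> 403 JSON
                .authenticationEntryPoint((req, res, ex) ->
                        writeJson(res, HttpServletResponse.SC_UNAUTHORIZED, "login required"))
                .accessDeniedHandler((req, res, ex) ->
                        writeJson(res, HttpServletResponse.SC_FORBIDDEN, "forbidden"));
    }

    private static void writeJson(HttpServletResponse res, int status, String message) throws IOException {
        res.setStatus(status);
        res.setContentType("application/json;charset=UTF-8");
        res.getWriter().write("{\"code\":" + status + ",\"message\":\"" + message + "\"}");
    }
}
```

Two points worth checking after wiring this up: HSTS is only written when the request itself arrived over TLS, so behind a plain‑HTTP reverse proxy the header will not appear unless the proxy's forwarded‑proto handling is configured; and the contentTypeOptions, cacheControl, HSTS and frameOptions headers are already on by default in Spring Security, so listing them is about making the policy explicit, while xssProtection is a legacy header that modern browsers ignore.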
For fine‑grained URL permission checks, a MyFilterInvocationSecurityMetadataSource loads URL‑role mappings from the database and matches requests using AntPathRequestMatcher. A corresponding MyAccessDecisionManager compares required roles with the authenticated user's authorities.
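A working version of the URL‑to‑role check described above, added here as an example and not taken from the article. The article's MyFilterInvocationSecurityMetadataSource reads its URL‑role table from the database; this version accepts the table as a map and ships a constructed sample (the paths and roles are hypothetical). One design choice not stated on the page: a request that matches no pattern returns a DENY_UNMAPPED sentinel so unknown endpoints fail closed, because returning an empty attribute set would let FilterSecurityInterceptor skip authorization entirely.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/** Maps request URLs to the roles allowed to call them (the page loads this table from the DB). */
public class MyFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    /** Sentinel for URLs with no mapping: unknown endpoints fail closed instead of open. */
    static final String DENY_UNMAPPED = "DENY_UNMAPPED";

    private final Map<AntPathRequestMatcher, Collection<ConfigAttribute>> mappings = new LinkedHashMap<>();

    public MyFilterInvocationSecurityMetadataSource(Map<String, List<String>> urlRoles) {
        // First matcher wins, so more specific patterns should be inserted before broader ones.
        urlRoles.forEach((pattern, roles) -> mappings.put(new AntPathRequestMatcher(pattern),
                SecurityConfig.createList(roles.toArray(new String[0]))));
    }

    /** Constructed stand-in for the DB table; hypothetical URLs and roles. */
    public static Map<String, List<String>> sampleMappings() {
        Map<String, List<String>> m = new LinkedHashMap<>();
        m.put("/admin/**", Collections.singletonList("ROLE_ADMIN"));
        m.put("/api/orders/**", Arrays.asList("ROLE_USER", "ROLE_ADMIN"));
        return m;
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getRequest();
        for (Map.Entry<AntPathRequestMatcher, Collection<ConfigAttribute>> e : mappings.entrySet()) {
            if (e.getKey().matches(request)) {
                return e.getValue();
            }
        }
        return SecurityConfig.createList(DENY_UNMAPPED);
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null; // only used for start-up validation; null disables it
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

// --- separate file: MyAccessDecisionManager.java ---
/** Grants access when the caller holds at least one of the roles required for the URL. */
class MyAccessDecisionManager implements AccessDecisionManager {
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) {
        // Anonymous caller: an AuthenticationException makes ExceptionTranslationFilter invoke the entry point (401).
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            throw new InsufficientAuthenticationException("Authentication required");
        }
        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();
            if (MyFilterInvocationSecurityMetadataSource.DENY_UNMAPPED.equals(required)) {
                break; // unmapped URL: nobody passes
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return; // one matching role is enough
                }
            }
        }
        // Authenticated but lacking the role: routed to the access-denied handler (403).
        throw new AccessDeniedException("Insufficient permissions");
    }

    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Both objects are attached to the FilterSecurityInterceptor through http.authorizeRequests().withObjectPostProcessor(...), whose postProcess method calls setSecurityMetadataSource and setAccessDecisionManager on the interceptor. With the sample table, an anonymous GET /admin/users is answered by the entry point, a ROLE_USER caller on the same path by the access‑denied handler, and a ROLE_USER caller on /api/orders/42 is let through.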
Anonymous and authenticated access exceptions are wired into the security configuration via .exceptionHandling() with the custom entry point and access‑denied handler.
Finally, the complete Java classes and configuration snippets are provided, demonstrating a fully functional custom authentication and authorization solution in a Spring Boot backend.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
