Design and Implementation of an Open API Token Authentication System with Spring Boot
This article explains how to design an open API authentication mechanism by creating app credentials, storing them in a MySQL table, generating short‑lived access tokens with a utility class, exposing a token endpoint, and securing all /openApi/* routes with a Spring interceptor, complete with code examples.
The author, a senior architect, introduces a complete token‑based authentication solution for open APIs, describing the required app credentials, token lifecycle, and security checks.
1. Open Interface Design
Each partner receives a unique appid and app_secret; an access_token is generated from these values and is valid for two hours. All external API calls must include the token.
2. Database Table Design
The m_app table stores the core fields needed for authentication:
CREATE TABLE `m_app` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `app_name` varchar(255) DEFAULT NULL,
  `app_id` varchar(255) DEFAULT NULL,
  `app_secret` varchar(255) DEFAULT NULL,
  `is_flag` varchar(255) DEFAULT NULL,
  `access_token` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
3. Token Generation Utility (TokenUtils)
import java.util.UUID;

/** Issues opaque access tokens; UUID.randomUUID() is backed by a cryptographically strong RNG. */
public class TokenUtils {
    // The original annotated this static method with @RequestMapping("/getToken"); that annotation
    // belongs on a controller handler method, not on a static utility, so it is dropped here.
    public static String getAccessToken() {
        // 128-bit random value rendered as 32 hex characters with the dashes stripped
        return UUID.randomUUID().toString().replace("-", "");
    }
}
4. getAccessToken Endpoint
The endpoint validates appid and app_secret, checks merchant permissions, removes any previous token from Redis, generates a new token via TokenUtils, stores it in Redis and updates the database, then returns the token as JSON.
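Section 4 describes the endpoint in prose only. The controller below is an added example written for this article, not the author's own code: it follows the described steps (validate appid/app_secret, check the merchant flag, drop the previous token from Redis, issue a new token via TokenUtils, cache it with the two-hour TTL and persist it), using Spring Data Redis's StringRedisTemplate in place of the article's unnamed baseRedisService. MAppRepository, MApp and the convention that is_flag "1" marks an enabled partner are assumptions, not part of the original.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.web.bind.annotation.*;

@RestController
public class OpenApiTokenController {
    private static final long TOKEN_TTL_HOURS = 2; // token lifetime stated in section 1
    @Autowired
    private StringRedisTemplate redisTemplate;   // Spring Data Redis client
    @Autowired
    private MAppRepository mAppRepository;       // assumed DAO over the m_app table

    @GetMapping("/getAccessToken")
    public Map<String, String> getAccessToken(@RequestParam String appid,
                                              @RequestParam("app_secret") String appSecret) {
        MApp app = mAppRepository.findByAppId(appid); // assumed: returns null when appid is unknown
        // Constant-time compare so response timing does not reveal how much of the secret
        // matched; an unknown appid gets the same rejection as a wrong secret.
        boolean secretOk = app != null && MessageDigest.isEqual(
                app.getAppSecret().getBytes(StandardCharsets.UTF_8),
                appSecret.getBytes(StandardCharsets.UTF_8));
        if (!secretOk) {
            return error("appid or app_secret invalid");
        }
        if (!"1".equals(app.getIsFlag())) { // assumed: is_flag "1" means the partner is enabled
            return error("merchant not permitted");
        }
        // Revoke the previous token so at most one token per app is valid at a time.
        String oldToken = app.getAccessToken();
        if (oldToken != null && !oldToken.isEmpty()) {
            redisTemplate.delete(oldToken);
        }
        String token = TokenUtils.getAccessToken(); // section 3 utility
        // Key = token, value = appid, TTL = 2h. The interceptor resolves the token through this
        // key, so the Redis expiry is what actually ends the token's life.
        redisTemplate.opsForValue().set(token, appid, TOKEN_TTL_HOURS, TimeUnit.HOURS);
        mAppRepository.updateAccessToken(appid, token); // assumed: persists the current token
        return Map.of("code", "200", "accessToken", token);
    }

    private Map<String, String> error(String message) {
        return Map.of("code", "401", "message", message);
    }
}
```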
5. AccessTokenInterceptor
The interceptor checks the request for an accessToken parameter, verifies its existence in Redis, and rejects the request with an error message if the token is missing or invalid.
@Component
public class AccessTokenInterceptor implements HandlerInterceptor {
    @Autowired
    private BaseRedisService baseRedisService; // the article's Redis wrapper (type name assumed); getString(token) returns the app id
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // The token is read from a request parameter, as in the original; query strings tend to end up in access logs.
        String accessToken = request.getParameter("accessToken");
        if (StringUtils.isEmpty(accessToken)) {
            resultError("this is parameter accessToken null", response);
            return false;
        }
        // Redis is the source of truth: the key disappears once the token's TTL has expired.
        String appId = (String) baseRedisService.getString(accessToken);
        if (StringUtils.isEmpty(appId)) {
            resultError("this is accessToken Invalid", response);
            return false;
        }
        return true;
    }
    // Not shown in the original: send a 401 with a JSON body so the caller knows why it was rejected.
    private void resultError(String message, HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write("{\"code\":\"401\",\"message\":\"" + message + "\"}");
    }
}
6. Registering the Interceptor
The interceptor is added to the Spring MVC configuration so that all URLs under /openApi/* are protected.
@Configuration
public class WebAppConfig {
    @Autowired
    private AccessTokenInterceptor accessTokenInterceptor;

    @Bean
    public WebMvcConfigurer webMvcConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addInterceptors(InterceptorRegistry registry) {
                // "/openApi/*" matches a single path segment (e.g. /openApi/order);
                // nested paths such as /openApi/order/list need "/openApi/**".
                registry.addInterceptor(accessTokenInterceptor).addPathPatterns("/openApi/*");
            }
        };
    }
}
The article concludes with a call for discussion and provides links to additional resources.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.