How to Implement Single Sign‑On with Spring Security and JWT in 30 Minutes
This tutorial walks through the concepts of Single Sign‑On (SSO) and JSON Web Tokens (JWT), then provides a complete Spring Security integration with JWT—including project structure, RSA key handling, utility classes, custom authentication and verification filters, and step‑by‑step testing using Postman.
What is Single Sign‑On (SSO)
SSO allows a user to log in once and access multiple trusted applications without re‑authenticating.
Simple operation mechanism
An analogy: a park with many independent attractions can be visited with a single universal ticket instead of buying a ticket at each gate.
JWT introduction
JWT (JSON Web Token) is a compact token format that can be generated and verified for distributed authentication.
Structure of a JWT
Header – defines token type and signing algorithm.
Payload – contains claims such as username, roles, expiration.
Signature – signs the header and payload with a secret or private key.
Security analysis
The signature lets any verifier detect a change to the header or payload. With a shared (HMAC) secret, every service that verifies tokens must hold the same secret and could therefore also mint tokens; with asymmetric RSA keys only the authentication service holds the private signing key, and resource services verify with the public key, so the signing secret never has to be distributed.
RSA asymmetric encryption
RSA uses a public key for verification and a private key for signing. It provides strong security at the cost of performance.
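The following is an added example, not the tutorial's RsaUtils or JwtUtils, showing the RSA signing flow just described with jjwt 0.10.7 (the version the common module depends on): generate a key pair, store it as raw DER bytes (the on-disk format is an assumption; the tutorial's file layout is not reproduced), sign an RS256 token with the private key and verify it with only the public key. The "roles" claim name is an assumption. jjwt-impl and jjwt-jackson must be on the runtime classpath alongside jjwt-api.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

// Added example (not the tutorial's RsaUtils/JwtUtils): RSA key pair generation and storage,
// then RS256 sign/verify with jjwt 0.10.7. File format (raw DER) and claim name are assumptions.
public class RsaJwtExample {

    static final String ROLES_CLAIM = "roles";   // assumed claim name

    // The tutorial's generateKey takes a seed string; a SecureRandom seeded only from a short
    // fixed string produces a key pair anyone who knows the string can reproduce, so let it self-seed.
    static KeyPair generateKeyPair(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    // Private key as PKCS#8 DER, public key as X.509 SubjectPublicKeyInfo DER.
    static void saveKeyPair(KeyPair pair, Path privateFile, Path publicFile) throws Exception {
        Files.write(privateFile, pair.getPrivate().getEncoded());
        Files.write(publicFile, pair.getPublic().getEncoded());
    }

    static PrivateKey loadPrivateKey(Path file) throws Exception {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(file)));
    }

    static PublicKey loadPublicKey(Path file) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Files.readAllBytes(file)));
    }

    // Header (alg=RS256) and payload (sub, roles, iat, exp) are signed with the private key.
    static String sign(String username, List<String> roles, PrivateKey key, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .claim(ROLES_CLAIM, roles)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(key, SignatureAlgorithm.RS256)
                .compact();
    }

    // Verification needs only the public key. parseClaimsJws throws a JwtException on a bad
    // signature, an expired token or a malformed token, so the caller never sees unverified claims.
    static Claims verify(String token, PublicKey key) {
        return Jwts.parser().setSigningKey(key).parseClaimsJws(token).getBody();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("auth_key");
        saveKeyPair(generateKeyPair(2048), dir.resolve("id_key_rsa"), dir.resolve("id_key_rsa.pub"));
        PrivateKey priv = loadPrivateKey(dir.resolve("id_key_rsa"));
        PublicKey pub = loadPublicKey(dir.resolve("id_key_rsa.pub"));

        String token = sign("alice", Arrays.asList("ROLE_USER"), priv, 60_000);
        Claims claims = verify(token, pub);
        System.out.println("subject=" + claims.getSubject() + " roles=" + claims.get(ROLES_CLAIM));

        // A token signed by a different key pair fails signature verification.
        try {
            verify(token, generateKeyPair(2048).getPublic());
        } catch (JwtException e) {
            System.out.println("rejected foreign signature: " + e.getClass().getSimpleName());
        }
        // A token whose exp is in the past is rejected.
        try {
            verify(sign("alice", Arrays.asList("ROLE_USER"), priv, -1_000), pub);
        } catch (ExpiredJwtException e) {
            System.out.println("rejected expired token");
        }
    }
}
```

The authentication service is the only component that calls sign; resource services call verify and need nothing but the public key file, which is what makes the SSO split in the rest of the tutorial work.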
Integrating Spring Security with JWT
Authentication flow analysis
Spring Security is a chain of servlet filters. In this design a subclass of UsernamePasswordAuthenticationFilter handles the login request and issues the JWT, while a subclass of BasicAuthenticationFilter validates the token on every subsequent request.
Project structure
A multi‑module Maven project with a parent pom, a common module for utilities, an authentication service, and resource services.
Common module dependencies
    <dependencies>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt-api</artifactId>
            <version>0.10.7</version>
        </dependency>
        ... (other dependencies) ...
    </dependencies>
Utility classes
Payload, JsonUtils, JwtUtils, and RsaUtils are provided to handle token creation, parsing, and RSA key management.
RSA key generation test
    import org.junit.Test;

    public class JwtTest {
        // Paths where RsaUtils writes the generated key pair (the tutorial's Windows paths).
        private String privateKey = "c:/tools/auth_key/id_key_rsa";
        private String publicKey = "c:/tools/auth_key/id_key_rsa.pub";

        @Test
        public void test1() throws Exception {
            // generateKey(publicKeyPath, privateKeyPath, secret, keySizeInBits).
            // 1024-bit RSA is below the 2048-bit minimum now generally recommended.
            RsaUtils.generateKey(publicKey, privateKey, "dpb", 1024);
        }
    }
Authentication service
Configuration properties load the RSA key files, a Spring Boot main class starts the application, and POJOs for User and Role implement UserDetails and GrantedAuthority. MyBatis mapper and service retrieve user data.
Custom filters:
    public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter { ... }

    public class TokenVerifyFilter extends BasicAuthenticationFilter { ... }

Security configuration disables CSRF, requires authentication for all requests, registers the custom filters, and sets session management to stateless.
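An added example of what the two filters named above do, written here for illustration rather than taken from the tutorial. The tutorial's Payload, JwtUtils and User classes are not reproduced: jjwt 0.10.7 is called directly, the authenticated principal is treated as Spring's UserDetails, and the JSON login body shape, the "roles" claim name, the 30-minute lifetime and the javax.servlet (Spring Boot 2) API are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

// Added example of the login filter: authenticates a JSON credential body and, on success,
// returns an RS256 JWT in the Authorization header. Body shape and claim name are assumptions.
public class TokenLoginFilter extends UsernamePasswordAuthenticationFilter {
    private final PrivateKey privateKey;            // only the authentication service holds this
    private final ObjectMapper mapper = new ObjectMapper();

    public TokenLoginFilter(AuthenticationManager authenticationManager, PrivateKey privateKey) {
        setAuthenticationManager(authenticationManager);
        this.privateKey = privateKey;
    }

    // Login: credentials arrive as a JSON body {"username": ..., "password": ...}.
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        try {
            LoginRequest login = mapper.readValue(request.getInputStream(), LoginRequest.class);
            return getAuthenticationManager().authenticate(
                    new UsernamePasswordAuthenticationToken(login.username, login.password));
        } catch (IOException e) {
            throw new BadCredentialsException("login body is not valid JSON", e);
        }
    }

    // On success, issue a token carrying username and roles with a 30-minute expiry.
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication auth) {
        UserDetails user = (UserDetails) auth.getPrincipal();
        List<String> roles = user.getAuthorities().stream()
                .map(a -> a.getAuthority()).collect(Collectors.toList());
        String token = Jwts.builder()
                .setSubject(user.getUsername())
                .claim("roles", roles)
                .setExpiration(new Date(System.currentTimeMillis() + 30 * 60 * 1000L))
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
        response.addHeader("Authorization", "Bearer " + token);
    }

    public static class LoginRequest { public String username; public String password; }
}

// Verifies the Bearer token on every request using only the public key, so a resource service
// can run this filter without ever holding the private key.
class TokenVerifyFilter extends BasicAuthenticationFilter {
    private final PublicKey publicKey;

    public TokenVerifyFilter(AuthenticationManager authenticationManager, PublicKey publicKey) {
        super(authenticationManager);
        this.publicKey = publicKey;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws IOException, ServletException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);  // no token: stay anonymous, the config decides access
            return;
        }
        try {
            Claims claims = Jwts.parser().setSigningKey(publicKey)
                    .parseClaimsJws(header.substring("Bearer ".length())).getBody();
            List<String> roles = claims.get("roles", List.class);
            List<SimpleGrantedAuthority> authorities = roles.stream()
                    .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
        } catch (JwtException e) {
            // Bad signature, expired or malformed token: reject rather than pass through unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Two points worth keeping in mind: the verify filter trusts nothing until parseClaimsJws has checked the signature against the public key and the exp claim, and a token without a "roles" claim will raise a NullPointerException in this simplified version, so production code should treat a missing claim as an empty authority list.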
Running the authentication service
Start the Spring Boot application and use Postman to send a login request. The service returns the JWT in an Authorization response header using the Bearer scheme (Authorization: Bearer <token>). Subsequent requests send the same header to access protected endpoints.
Resource service
The resource service only needs the public RSA key. It reuses the user and role classes, adds a TokenVerifyFilter to validate incoming tokens, and defines simple controllers for testing.
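An added example of the security configuration described for both services (CSRF disabled, every request authenticated, custom filters registered, stateless sessions), written for Spring Security 5.x with WebSecurityConfigurerAdapter; it is not the tutorial's own class. It assumes the filters have the constructors TokenLoginFilter(AuthenticationManager, PrivateKey) and TokenVerifyFilter(AuthenticationManager, PublicKey) and that the RSA keys loaded from the configured key files are available as beans; both are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import java.security.PrivateKey;
import java.security.PublicKey;

// Added example (not the tutorial's config). Assumes TokenLoginFilter(AuthenticationManager, PrivateKey)
// and TokenVerifyFilter(AuthenticationManager, PublicKey) and that both RSA keys are injected as beans.
@Configuration
@EnableWebSecurity
public class AuthServiceSecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserDetailsService userDetailsService;   // the tutorial's MyBatis-backed user service
    private final PrivateKey privateKey;
    private final PublicKey publicKey;

    public AuthServiceSecurityConfig(UserDetailsService userDetailsService,
                                     PrivateKey privateKey, PublicKey publicKey) {
        this.userDetailsService = userDetailsService;
        this.privateKey = privateKey;
        this.publicKey = publicKey;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // stored passwords are hashed, never compared in plain text
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                               // no session cookie, so no CSRF surface to protect
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .addFilter(new TokenLoginFilter(authenticationManager(), privateKey))
            .addFilter(new TokenVerifyFilter(authenticationManager(), publicKey))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

// Resource service variant: only the public key, only the verify filter, no login endpoint.
@Configuration
@EnableWebSecurity
class ResourceServiceSecurityConfig extends WebSecurityConfigurerAdapter {
    private final PublicKey publicKey;

    ResourceServiceSecurityConfig(PublicKey publicKey) { this.publicKey = publicKey; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .addFilter(new TokenVerifyFilter(authenticationManager(), publicKey))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

STATELESS is what makes the design SSO-capable: no service keeps a session, so any number of resource services can accept the same token as long as they hold the authentication service's public key.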
Testing the resource service
Send a request with the JWT obtained from the authentication service in the Authorization header using the Bearer scheme. The resource service verifies the token with the public key and returns a successful response.
This article has been distilled and summarized from source material, then republished for learning and reference.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"