Implementing Single Sign-On with Spring Security and JWT – A Comprehensive Guide
This article provides a detailed, step‑by‑step tutorial on building a Spring Security‑based Single Sign‑On solution using JWT, covering SSO concepts, JWT structure, RSA encryption, custom authentication filters, Maven project setup, configuration files, and full code examples for both authentication and resource services.
This article explains how to implement Single Sign‑On (SSO) using Spring Security and JWT, offering a complete 20,000‑character guide with code skeletons for quick reference.
1. What is Single Sign‑On
SSO allows a user to log in once and access multiple trusted applications without re‑authenticating.
2. Simple Operation Mechanism
The article uses an analogy of a park with a universal ticket to illustrate the SSO flow, showing user authentication and token validation steps.
3. JWT Introduction
Concept
JWT (JSON Web Token) is a widely used distributed identity verification solution that can generate and verify tokens.
Token Structure
Header – defines token type and signing algorithm.
Payload – stores claims such as username, roles, and expiration (never store passwords).
Signature – the base64url‑encoded header and payload, joined with a dot, signed with a shared secret or a private key.
Security Analysis
The signature is only as trustworthy as the secret or private key behind it. With a shared secret, every service that verifies tokens also holds the key that can forge them; with asymmetric RSA, resource services hold only the public key, so the signing key never leaves the authentication service.
RSA Asymmetric Encryption
RSA generates a public/private key pair; the private key signs the token and the public key verifies the signature. Advantages: high security; disadvantages: computationally intensive.
4. Authentication Design Analysis
Spring Security uses filters for authentication. The default UsernamePasswordAuthenticationFilter handles username/password verification, while BasicAuthenticationFilter validates tokens.
Modifications for Distributed Authentication
Allow attemptAuthentication to read JSON request bodies.
Replace session storage with JWT generation in successfulAuthentication.
In token verification, extract the token from the Authorization header, parse it with the public key, and set the authentication in the security context.
5. Implementation Steps
5.1 Create Parent Maven Project
Use spring-boot-starter-parent version 2.1.3.RELEASE as the parent.
5.2 Create Common Module
Add JWT dependencies (jjwt-api, jjwt-impl, jjwt-jackson) and utility classes (JsonUtils, JwtUtils, RsaUtils).
5.3 Write Test Class to Generate RSA Keys
import org.junit.Test;

public class JwtTest {
    // Output paths for the generated key pair (the article uses a Windows path)
    private String privateKey = "c:/tools/auth_key/id_key_rsa";
    private String publicKey = "c:/tools/auth_key/id_key_rsa.pub";

    @Test
    public void test1() throws Exception {
        // RsaUtils is the article's own utility class from the common module:
        // "dpb" is a seed string and 1024 the key size in bits
        // (2048 bits or more is the recommended minimum today)
        RsaUtils.generateKey(publicKey, privateKey, "dpb", 1024);
    }
}
5.4 Build Authentication Service
Create Spring Boot application class.
Add RsaKeyProperties to load public/private keys.
Define domain classes UserPojo and RolePojo implementing Spring Security interfaces.
Create MyBatis mapper and XML for user queries.
Implement UserService extending UserDetailsService.
Write custom filters TokenLoginFilter (login) and TokenVerifyFilter (token validation).
Configure Spring Security to disable CSRF, add the custom filters, and enforce stateless sessions.
5.5 Test Authentication Service
Run the service, use Postman to POST credentials, receive a JWT in the Authorization header, and access protected endpoints with the token.
6. Build Resource Service
Set up a second Spring Boot project that only contains the public key (no private key) and reuses the domain and utility classes from the authentication service.
Configure RsaKeyProperties to load only the public key, and use TokenVerifyFilter for token validation. No token‑issuing filter is added.
Implement simple REST controllers (e.g., /user/query, /user/update) and protect them with Spring Security.
7. End‑to‑End Verification
Obtain a JWT from the authentication service, then call the resource service endpoints with the token to confirm successful SSO across services.
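The division of labour described above, with the private key only on the authentication service and the public key only on the resource service, as an added example that is not the article's code. It assumes jjwt 0.10.x on the classpath, generates a throwaway key pair in memory instead of loading the files through RsaKeyProperties, and the class and method names (JwtRoundTrip, issue, verify) are hypothetical.

```java
import io.jsonwebtoken.*;          // assumes jjwt 0.10.x (jjwt-api, jjwt-impl, jjwt-jackson on the classpath)
import java.security.*;
import java.util.*;

// Added example, not the article's code: the authentication service signs tokens with
// the private key; the resource service verifies them with the public key only.
public class JwtRoundTrip {

    // Authentication service side (what TokenLoginFilter.successfulAuthentication produces).
    static String issue(PrivateKey privateKey, String username, List<String> roles, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .claim("roles", roles)                       // claims only, never the password
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(privateKey, SignatureAlgorithm.RS256)
                .compact();
    }

    // Resource service side (what TokenVerifyFilter does): checks signature and expiry; no private key needed.
    static Claims verify(PublicKey publicKey, String token) {
        return Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token).getBody();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);                                // 2048 bits, not the 1024 used in the test class
        KeyPair authService = gen.generateKeyPair();
        KeyPair otherIssuer = gen.generateKeyPair();         // a key pair the resource service does not trust

        String token = issue(authService.getPrivate(), "alice", Arrays.asList("ROLE_USER"), 60_000);
        Claims claims = verify(authService.getPublic(), token);
        System.out.println("accepted: subject=" + claims.getSubject() + " roles=" + claims.get("roles"));

        // Tokens from any other private key, or past their expiry, fail the public-key check.
        String[] bad = {
            issue(otherIssuer.getPrivate(), "alice", Arrays.asList("ROLE_ADMIN"), 60_000),
            issue(authService.getPrivate(), "alice", Arrays.asList("ROLE_USER"), -5_000)
        };
        for (String t : bad) {
            try { verify(authService.getPublic(), t); }
            catch (JwtException e) { System.out.println("rejected: " + e.getClass().getSimpleName()); }
        }
    }
}
```

The resource service in the article performs exactly the verify step, so a copy of the public key file is all it needs to deploy.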
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
IT Architects Alliance