RBAC and Spring Security Tutorial: From Basic Role-Based Access Control to JWT Integration and JSON Login
This article provides a comprehensive guide to implementing role‑based access control (RBAC) with Spring Security, covering RBAC models, password hashing, in‑memory authentication, JWT integration, a custom authentication filter for JSON login, and detailed configuration examples with full source code snippets.
This tutorial walks through the fundamentals of RBAC (including RBAC0‑RBAC3 models) and demonstrates how to implement role‑based access control using Spring Security in a Java Spring Boot application.
It starts with basic in‑memory authentication, showing Maven dependencies, configuration of WebSecurityConfigurerAdapter, and simple endpoint protection.
The guide then introduces password hashing with BCryptPasswordEncoder (a salted one‑way hash, which Spring's API calls "encoding"), and shows how to store the resulting hashes, rather than plaintext passwords, in the database.
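An added example, not the article's own code, of the in‑memory setup and BCrypt usage described above, for Spring Boot 2.x with Spring Security 5.x. The users, passwords and URL patterns are constructed for illustration; the class name InMemorySecurityConfig is an assumption.

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class InMemorySecurityConfig extends WebSecurityConfigurerAdapter {

    // One encoder bean for the whole application: the same algorithm and settings must be
    // used when a hash is stored and when a submitted password is checked against it.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // default strength 10, i.e. 2^10 rounds
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Sample accounts constructed for this example; only BCrypt hashes are kept in memory.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("alice").password(passwordEncoder().encode("alice-pw")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("admin-pw")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // roles("ADMIN") stores the authority "ROLE_ADMIN"; hasRole("ADMIN") adds the prefix
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/public/**").permitAll()
                // deny by default: any URL not listed above still requires an authenticated user
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    // What a registration or login service does with the encoder; the hash, not the
    // password, is what goes into the users table.
    public static String hashForStorage(PasswordEncoder encoder, String rawPassword) {
        return encoder.encode(rawPassword);   // salted: two calls on the same input give two different hashes
    }

    public static boolean checkLogin(PasswordEncoder encoder, String rawPassword, String storedHash) {
        // the encoder re-derives the hash with the stored salt and compares; never compare hashes with equals()
        return encoder.matches(rawPassword, storedHash);
    }
}
```

WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.0, where the same rules are expressed as a SecurityFilterChain bean; the role matchers and the BCrypt usage carry over unchanged.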
Next, it explains how to integrate JWT for stateless authentication: adding JWT and Spring Security dependencies, creating a JwtUser class implementing UserDetails, a JwtTokenUtil utility for token generation and validation, a JwtAuthenticationTokenFilter to process JWTs, and a custom UserDetailsService implementation.
It also covers a complete login flow that returns a JWT token, and provides a security configuration that secures all endpoints while permitting the authentication URLs.
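A worked version of the JwtTokenUtil and JwtAuthenticationTokenFilter skeletons the article describes, added here as an example and not the author's code. It assumes the jjwt 0.9.x API (Jwts.parser(), signWith(SignatureAlgorithm, byte[])), which matches the io.jsonwebtoken import the article uses, the property names jwt.secret, jwt.expiration and jwt.header, and that a UserDetailsService bean (the article's custom implementation) exists. The two classes are shown in one listing; in a project each is its own public file.

```java
package com.example.demo;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Optional;
import java.util.stream.Collectors;

@Component
public class JwtTokenUtil {
    // Property names are assumptions for this example; the secret must be long and random.
    @Value("${jwt.secret}") private String secret;
    @Value("${jwt.expiration}") private long expirationSeconds;
    @Value("${jwt.header:Authorization}") private String header;

    public String getHeader() { return header; }

    public String generateToken(UserDetails user) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(user.getUsername())
                .claim("roles", user.getAuthorities().stream()   // informational; see the filter below
                        .map(GrantedAuthority::getAuthority).collect(Collectors.toList()))
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + expirationSeconds * 1000))
                .signWith(SignatureAlgorithm.HS512, secret.getBytes(StandardCharsets.UTF_8))
                .compact();
    }

    // Claims are returned only if the signature verifies and the token has not expired.
    // parseClaimsJws() refuses unsigned ("alg":"none") tokens, so a stripped signature fails too.
    public Optional<Claims> parseAndValidate(String token) {
        try {
            return Optional.of(Jwts.parser()
                    .setSigningKey(secret.getBytes(StandardCharsets.UTF_8))
                    .parseClaimsJws(token)
                    .getBody());
        } catch (JwtException | IllegalArgumentException e) {
            return Optional.empty();   // expired, tampered, malformed or empty: treat as "no token"
        }
    }
}

// Package-private only so both classes fit one listing; in a project this is its own public file.
@Component
class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private final JwtTokenUtil jwtTokenUtil;
    private final UserDetailsService userDetailsService;

    JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil, UserDetailsService userDetailsService) {
        this.jwtTokenUtil = jwtTokenUtil;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String value = request.getHeader(jwtTokenUtil.getHeader());
        if (value != null && value.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            jwtTokenUtil.parseAndValidate(value.substring(7)).ifPresent(claims -> {
                try {
                    // Re-load the account: a still-valid token must not outlive a disabled or deleted user,
                    // and authorities come from the database rather than from the "roles" claim.
                    UserDetails user = userDetailsService.loadUserByUsername(claims.getSubject());
                    if (user.isEnabled()) {
                        UsernamePasswordAuthenticationToken auth =
                                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException e) {
                    // unknown subject: leave the request anonymous; the entry point answers 401
                }
            });
        }
        // Never stop the chain here: no token simply means "anonymous" for the authorization rules.
        chain.doFilter(request, response);
    }
}
```

The filter authenticates a request only from a token whose signature and expiry check out, and it still consults the user store, so revoking access is a matter of disabling the account rather than waiting for every issued token to expire.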
Finally, the article shows how to replace the default UsernamePasswordAuthenticationFilter with a custom filter to support JSON‑based login requests, including the custom filter implementation and its registration in the security config.
package com.example.demo;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;

// Adapter between the application's user record and what Spring Security needs at authentication time
public class JwtUser implements UserDetails {
    private String username;
    private String password;      // the stored BCrypt hash, never the plaintext password
    private Integer state;        // account state from the database, surfaced through isEnabled()
    private Collection<? extends GrantedAuthority> authorities;   // ROLE_* authorities used by hasRole()
    // constructors, getters, and overridden UserDetails methods omitted for brevity
}

package com.example.demo;

import io.jsonwebtoken.*;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.Serializable;
import java.util.*;

public class JwtTokenUtil implements Serializable {
    private String secret;        // HMAC signing key, loaded from configuration
    private Long expiration;      // token lifetime
    private String header;        // name of the HTTP header that carries the token
    // token generation, parsing, and validation methods omitted for brevity
}

package com.example.demo;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.*;
import javax.servlet.http.*;

@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    // filter logic to extract the JWT from the request header, validate it, and set the authentication
    // in the SecurityContext; runs once per request before the authorization rules are evaluated
}

package com.example.demo;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.http.*;

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper objectMapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        String contentType = request.getContentType();
        // getContentType() is null when the header is absent, and clients commonly send "application/json;charset=UTF-8"
        if (contentType != null && contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            // parse the JSON login request with objectMapper, build a UsernamePasswordAuthenticationToken
            // from its username and password fields, and return getAuthenticationManager().authenticate(token)
        }
        // non-JSON requests fall back to the standard form-encoded handling
        return super.attemptAuthentication(request, response);
    }
}

By following these steps, developers can secure their applications with robust RBAC policies, hashed credentials, and modern JWT‑based stateless authentication.
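An added example, not the article's code, of the two remaining pieces the article describes: the JSON login filter with its body parsing filled in, and the security configuration that registers it in place of the default form-login filter, wires in the JWT filter, returns a token on successful login, and permits the authentication URLs while securing everything else. It uses the article's class names JwtAuthenticationTokenFilter, JwtTokenUtil and the custom UserDetailsService, and assumes JwtTokenUtil exposes a generateToken(UserDetails) method, since the article omits its method bodies; the names JsonLoginFilter, JwtWebSecurityConfig and the URL /auth/login are assumptions.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;

// Replacement for the form-login filter: reads {"username":"..","password":".."} from the body.
// Package-private only so both classes fit one listing; in a project it is its own public file.
class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException {
        String contentType = req.getContentType();   // null when absent: guard before comparing
        if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            return super.attemptAuthentication(req, res);   // form-encoded logins still work
        }
        try {
            JsonNode body = mapper.readTree(req.getInputStream());
            // missing fields become "" so authenticate() fails normally instead of throwing NPE
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                    body.path("username").asText(""), body.path("password").asText(""));
            setDetails(req, token);
            return getAuthenticationManager().authenticate(token);
        } catch (IOException e) {
            throw new AuthenticationServiceException("Malformed JSON login body", e);
        }
    }
}

@Configuration
@EnableWebSecurity
public class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {
    private final JwtAuthenticationTokenFilter jwtFilter;   // the article's JWT filter
    private final JwtTokenUtil jwtTokenUtil;                // assumed to expose generateToken(UserDetails)
    private final UserDetailsService userDetailsService;    // the article's custom UserDetailsService

    public JwtWebSecurityConfig(JwtAuthenticationTokenFilter jwtFilter, JwtTokenUtil jwtTokenUtil,
                                UserDetailsService userDetailsService) {
        this.jwtFilter = jwtFilter;
        this.jwtTokenUtil = jwtTokenUtil;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // submitted passwords are checked against the BCrypt hashes the UserDetailsService loads
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    private JsonLoginFilter jsonLoginFilter() throws Exception {
        JsonLoginFilter filter = new JsonLoginFilter();
        filter.setAuthenticationManager(authenticationManager());
        filter.setFilterProcessesUrl("/auth/login");          // the only URL this filter answers
        filter.setAuthenticationSuccessHandler((req, res, authentication) -> {
            // the login result is the token itself; no session cookie is created
            String jwt = jwtTokenUtil.generateToken((UserDetails) authentication.getPrincipal());
            res.setContentType(MediaType.APPLICATION_JSON_VALUE);
            new ObjectMapper().writeValue(res.getWriter(), Collections.singletonMap("token", jwt));
        });
        filter.setAuthenticationFailureHandler((req, res, ex) ->
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED)); // same reply for bad user and bad password
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                   // no cookie session, so no CSRF surface
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/auth/**").permitAll()            // login and similar endpoints stay open
                .antMatchers("/admin/**").hasRole("ADMIN")      // requires a ROLE_ADMIN authority
                .anyRequest().authenticated()                   // everything else needs a valid JWT
            .and()
            // JSON login takes the slot the default form filter would occupy; the JWT check runs before it
            .addFilterAt(jsonLoginFilter(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Two points worth checking in a real deployment: formLogin() is deliberately not called, otherwise Spring Security would also add its own UsernamePasswordAuthenticationFilter alongside the JSON one; and because JwtAuthenticationTokenFilter is a @Component, Spring Boot additionally registers it as a plain servlet filter, so it runs once outside the security chain as well, which is harmless but wasteful. Declaring a FilterRegistrationBean for it with setEnabled(false), or dropping @Component and constructing it in this configuration, keeps it to a single run inside the chain.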
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.