RBAC Permission Analysis and Spring Security Implementation with JWT and JSON Login

This article explains RBAC concepts and model classifications, demonstrates basic Spring Security setup, shows how to configure in‑memory and database authentication, integrates JWT for stateless token‑based access, implements JSON‑based login, and covers password encryption with BCrypt in a Spring Boot backend.

Architect's Guide

RBAC (Role‑Based Access Control) is introduced, explaining its definition, model classifications (RBAC0‑RBAC3), the notion of permissions as resource collections, and the use of user groups for batch role assignment.

Basic usage of Spring Security in a Spring Boot project is shown, including adding the spring-boot-starter-security dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

and a simple REST controller example.

Configuration of in‑memory authentication and HttpSecurity to permit all requests is demonstrated with code:

spring:
  security:
    user:
      name: ming
      password: 123456
      roles: admin

and the Java config extending WebSecurityConfigurerAdapter that disables CSRF and sets up request authorization.

Integration of JWT with Spring Security is detailed: Maven dependencies for jjwt and Spring Security, a JwtUser class implementing UserDetails, a JwtTokenUtil utility for token creation, parsing and validation, a JwtAuthenticationTokenFilter that extracts the token from the request header, and a JwtUserDetailsServiceImpl that loads users from the database.

The login service returns a JWT after successful authentication:

// Authenticates the submitted credentials, stores the result in the security context
// and returns a freshly signed JWT; a bad username/password surfaces as an
// AuthenticationException thrown by authenticate(), so no token is issued.
public RetResult login(String username, String password) throws AuthenticationException {
    UsernamePasswordAuthenticationToken upToken = new UsernamePasswordAuthenticationToken(username, password);
    Authentication authentication = authenticationManager.authenticate(upToken);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    // Reload the UserDetails (username plus granted roles) that the token claims are built from
    UserDetails userDetails = userDetailsService.loadUserByUsername(username);
    return new RetResult(RetCode.SUCCESS.getCode(), jwtTokenUtil.generateToken(userDetails));
}

Security configuration enables stateless JWT authentication and registers the filter before UsernamePasswordAuthenticationFilter.

JSON‑based login is implemented by extending UsernamePasswordAuthenticationFilter (named CustomAuthenticationFilter) to read username and password from a JSON request body, and the custom filter is registered in the security configuration.

Password encryption using BCryptPasswordEncoder is described, with a bean definition and example of encoding passwords before persisting them:

@Bean
public BCryptPasswordEncoder passwordEncoder(){
    return new BCryptPasswordEncoder();
}

user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));

Finally, database‑backed authentication is outlined, showing table design, a UserDetailsService implementation that queries the user table, and a security configuration that restricts /admin/** to the admin role while requiring authentication for other endpoints.

Written by

Architect's Guide