Information Security 15 min read

RBAC Permission Analysis and Spring Security Integration with JWT

This article explains the fundamentals of role‑based access control (RBAC), its model variants, and user‑group usage, then demonstrates how to configure Spring Security with in‑memory authentication, integrate JWT for stateless token‑based authentication, customize JSON login, and securely encrypt passwords using BCrypt.

Architect's Guide

RBAC (Role‑Based Access Control) is introduced as a method of assigning permissions to users through roles, improving management efficiency and reducing permission leaks.

The article describes the four RBAC model variants—RBAC0, RBAC1, RBAC2, and RBAC3—highlighting their features such as role inheritance, mutually exclusive roles, cardinality constraints, and prerequisite roles.

User groups are explained as a way to batch‑assign roles to many users, simplifying permission administration for large teams.

Spring Security is first set up with a Maven dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.1.RELEASE</version>
</dependency>

A simple REST controller is added to test the security configuration.

In‑memory authentication is demonstrated with the following configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    // NoOp compares passwords in plaintext; it suits only this in-memory demo
    @Bean
    PasswordEncoder passwordEncoder(){
        return NoOpPasswordEncoder.getInstance();
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // One in-memory user; roles("admin") is stored as the authority ROLE_admin
        auth.inMemoryAuthentication()
            .withUser("admin").password("123").roles("admin");
    }
}

For stateless token‑based authentication, JWT is integrated. The required dependencies are added:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>

The core JWT classes are provided, such as JwtUser implementing UserDetails, JwtTokenUtil for token creation, validation, and refresh, and JwtAuthenticationTokenFilter that extracts the token from the request header and sets the security context.

The security configuration is extended to register the JWT filter and enable CORS:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is dropped because no session cookie is issued (STATELESS)
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests()
            .antMatchers("/auth/**").permitAll()   // login endpoints stay open
            .anyRequest().authenticated();
        // Run the JWT filter before the form-login filter so the context is set first
        http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

To support JSON‑based login, a custom filter CustomAuthenticationFilter overrides attemptAuthentication to read username and password from a JSON payload, and the security config replaces the default UsernamePasswordAuthenticationFilter with this custom filter.

Password hashing is handled with BCryptPasswordEncoder:

@Bean
public BCryptPasswordEncoder passwordEncoder(){
    // Default strength is 10 log rounds; each encode() generates a fresh salt
    return new BCryptPasswordEncoder();
}

When creating or validating users, passwords are hashed with bCryptPasswordEncoder.encode(rawPassword) and verified with bCryptPasswordEncoder.matches(rawPassword, encoded), so only the salted hash is stored in the database.

Overall, the article provides a comprehensive guide from RBAC theory to practical Spring Security implementations, covering in‑memory authentication, JWT token handling, JSON login customization, and BCrypt password encryption.

Tags: backend, Java, Access Control, authentication, JWT, RBAC, Spring Security

Written by

Architect's Guide

Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.
