RBAC Permission Analysis and Spring Security Integration with JWT and JSON Login
This article explains RBAC concepts and model classifications, demonstrates role‑based permission management, and provides step‑by‑step guides for using Spring Security with simple authentication, JWT token generation, JSON‑based login, password encryption, and database‑backed user authentication in Java applications.
RBAC Permission Analysis
RBAC (Role‑Based Access Control) is introduced, covering its definition, the model classifications (RBAC0 to RBAC3), role hierarchy, the notion of a permission, and the use of user groups to simplify permission management.
Model Classification
Four RBAC models are described: RBAC0 (basic), RBAC1 (adds role inheritance), RBAC2 (adds constraints such as role mutual exclusion, cardinality, and prerequisites), and RBAC3 (unified model combining RBAC1 and RBAC2).
Permission Definition
Permissions are defined as collections of resources, including page access, CRUD operations, and menu visibility.
User Group Usage
User groups allow batch assignment of roles to many users, reducing administrative effort.
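The RBAC concepts above (RBAC1 role inheritance, the RBAC2 constraints of mutual exclusion, cardinality and prerequisite roles, and group-based assignment) can be made concrete in a few dozen lines of plain Java. The following is an added example written for this page, not code from the original article; the class names RbacModel and Role, the role and permission names, and the user "alice" are all constructed for illustration.

```java
import java.util.*;

/** Minimal RBAC model: RBAC1 role inheritance plus RBAC2 constraints (mutual exclusion,
 *  cardinality, prerequisite) and user groups. Constructed example, in-memory only. */
public class RbacModel {

    /** A role carries its own permissions and may inherit from parent roles (RBAC1). */
    static final class Role {
        final String name;
        final Set<String> permissions = new HashSet<>();
        final Set<Role> parents = new HashSet<>();
        Role(String name) { this.name = name; }

        /** Effective permissions = own permissions plus everything inherited, transitively. */
        Set<String> effectivePermissions() {
            Set<String> out = new HashSet<>(permissions);
            Deque<Role> work = new ArrayDeque<>(parents);
            Set<Role> seen = new HashSet<>();
            while (!work.isEmpty()) {
                Role r = work.pop();
                if (seen.add(r)) { out.addAll(r.permissions); work.addAll(r.parents); }
            }
            return out;
        }
    }

    private final Map<String, Set<Role>> userRoles = new HashMap<>();
    private final Map<String, Set<String>> groupMembers = new HashMap<>();
    private final Map<String, Set<Role>> groupRoles = new HashMap<>();
    // RBAC2 constraints
    private final Set<Set<String>> mutuallyExclusive = new HashSet<>();   // pairs that one user may never hold together
    private final Map<String, Integer> maxMembers = new HashMap<>();      // cardinality: max holders per role
    private final Map<String, String> prerequisite = new HashMap<>();     // role -> role that must be held first

    void addMutualExclusion(String a, String b) { mutuallyExclusive.add(new HashSet<>(Arrays.asList(a, b))); }
    void setCardinality(String role, int max) { maxMembers.put(role, max); }
    void setPrerequisite(String role, String required) { prerequisite.put(role, required); }

    /** Assign a role directly to a user, enforcing every RBAC2 constraint before the change is made. */
    void assign(String user, Role role) {
        Set<Role> current = rolesOf(user);   // includes roles reached through groups
        for (Role held : current) {
            if (mutuallyExclusive.contains(new HashSet<>(Arrays.asList(held.name, role.name))))
                throw new IllegalStateException(user + " holds " + held.name + ", which excludes " + role.name);
        }
        String req = prerequisite.get(role.name);
        if (req != null && current.stream().noneMatch(r -> r.name.equals(req)))
            throw new IllegalStateException(role.name + " requires " + req + " first");
        Integer max = maxMembers.get(role.name);
        if (max != null && countHolders(role.name) >= max)
            throw new IllegalStateException(role.name + " is limited to " + max + " holder(s)");
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    /** User groups: a role granted to the group reaches every member, so it is assigned once, not per user. */
    void addToGroup(String group, String user) { groupMembers.computeIfAbsent(group, k -> new HashSet<>()).add(user); }
    void grantGroupRole(String group, Role role) { groupRoles.computeIfAbsent(group, k -> new HashSet<>()).add(role); }

    Set<Role> rolesOf(String user) {
        Set<Role> roles = new HashSet<>(userRoles.getOrDefault(user, Collections.emptySet()));
        groupMembers.forEach((g, members) -> {
            if (members.contains(user)) roles.addAll(groupRoles.getOrDefault(g, Collections.emptySet()));
        });
        return roles;
    }

    private long countHolders(String roleName) {
        Set<String> users = new HashSet<>(userRoles.keySet());
        groupMembers.values().forEach(users::addAll);
        return users.stream().filter(u -> rolesOf(u).stream().anyMatch(r -> r.name.equals(roleName))).count();
    }

    /** The access decision: does any effective role of the user grant the permission? */
    boolean hasPermission(String user, String permission) {
        return rolesOf(user).stream().anyMatch(r -> r.effectivePermissions().contains(permission));
    }

    public static void main(String[] args) {
        RbacModel rbac = new RbacModel();
        Role employee = new Role("employee"); employee.permissions.add("menu:dashboard");
        Role manager = new Role("manager"); manager.parents.add(employee); manager.permissions.add("order:approve");
        Role auditor = new Role("auditor"); auditor.permissions.add("report:read");
        rbac.addMutualExclusion("manager", "auditor");   // separation of duties
        rbac.setPrerequisite("manager", "employee");
        rbac.setCardinality("auditor", 1);

        rbac.addToGroup("sales", "alice");
        rbac.grantGroupRole("sales", employee);            // alice gets employee through the group
        rbac.assign("alice", manager);                     // prerequisite satisfied via the group role
        System.out.println(rbac.hasPermission("alice", "menu:dashboard"));   // granted through employee, inherited by manager
        try { rbac.assign("alice", auditor); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

The constraint checks run against the user's effective roles (direct plus group-derived), which is the point that is easy to get wrong: a mutual-exclusion rule that only inspects direct assignments can be bypassed by putting the user into a group that carries the conflicting role.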
Spring Security Simple Usage
Add the spring-boot-starter-security dependency, create a test controller, and configure in‑memory authentication with a username and password.
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.1.RELEASE</version>
</dependency>
Define a security configuration class extending WebSecurityConfigurerAdapter to permit all requests or to protect specific endpoints.
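A complete configuration for the simple setup described above, as an added example written for this page rather than code from the article: an in-memory user with a BCrypt-hashed password, a small test controller, and an HttpSecurity rule set that leaves /public/** open and gates /admin/** on the ADMIN role. The class names SimpleSecurityConfig and HelloController, the paths, and the credential "admin" / "change-me" are constructed for the example; the API is that of Spring Security 5.3 as shipped with Spring Boot 2.3.1.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SimpleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user for a first test. Even here the password is stored as a hash,
        // so the same PasswordEncoder bean is used later for database-backed users.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("admin")                                 // constructed demo credential
            .password(passwordEncoder().encode("change-me"))
            .roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()         // open endpoints
                .antMatchers("/admin/**").hasRole("ADMIN")     // role-gated endpoints
                .anyRequest().authenticated()                  // everything else requires a login
            .and()
            .httpBasic();
    }
}

/** Test controller with one open and one protected endpoint (package-private, picked up by component scanning). */
@RestController
class HelloController {
    @GetMapping("/public/hello")
    public String open() { return "hello, anyone"; }

    @GetMapping("/admin/hello")
    public String admin() { return "hello, admin"; }
}
```

Rule order matters in authorizeRequests: matchers are evaluated top to bottom and the first match wins, so the specific /admin/** rule must precede the anyRequest() catch-all.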
Spring Security Integration with JWT
Steps include adding the JWT and Spring Security dependencies, creating a JwtUser class that implements UserDetails, a JwtTokenUtil utility for token generation, validation and refresh, and a JwtAuthenticationTokenFilter that validates the token on each request.
import java.io.Serializable;

public class JwtTokenUtil implements Serializable {
    private static final long serialVersionUID = 1L;
    private String secret;       // signing key, loaded from configuration rather than hard-coded
    private Long expiration;     // token lifetime
    // generateToken, getClaimsFromToken, validateToken, etc.
}
Implement a custom UserDetailsService that loads users from a database and returns a JwtUser instance.
Spring Security JSON Login
Override UsernamePasswordAuthenticationFilter with a custom filter that reads JSON payloads (username and password) using Jackson, then delegates to the authentication manager.
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper objectMapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String contentType = request.getContentType();
        // Null-safe check; startsWith also accepts "application/json;charset=UTF-8"
        if (contentType != null && contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            try {
                Map<String, String> body = objectMapper.readValue(request.getInputStream(), new TypeReference<Map<String, String>>() {});
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(body.get("username"), body.get("password"));
                setDetails(request, authRequest);
                return getAuthenticationManager().authenticate(authRequest);
            } catch (IOException e) {
                throw new AuthenticationServiceException("Could not read JSON login request", e);
            }
        }
        return super.attemptAuthentication(request, response);   // form-encoded login still works
    }
}
Register the custom filter in the security configuration and set its processing URL (e.g., /login/self).
Password Encryption
Configure a BCryptPasswordEncoder bean and use it to hash passwords before storing them in the database, as well as to verify credentials during login.
@Bean
public BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
Database‑Based Authentication
Design user and role tables, implement a UserDetailsService that queries the database, and configure Spring Security to use this service for authentication and authorization.
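How the database-backed UserDetailsService, the BCrypt encoder and the JSON login filter fit together, as an added example for this page (not the article's own code). It assumes two tables, users(username, password, enabled) and user_roles(username, role), where the password column holds a BCrypt hash; the class names DbUserDetailsService and DbSecurityConfig are constructed, the JSON filter is the CustomAuthenticationFilter shown earlier on this page, and /login/self is the processing URL the page suggests.

```java
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Service;

/** Loads users from the assumed tables users(username, password, enabled) and user_roles(username, role). */
@Service
class DbUserDetailsService implements UserDetailsService {
    private final JdbcTemplate jdbc;
    DbUserDetailsService(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Parameterised queries only: the username is attacker-controlled input.
        List<UserRow> rows = jdbc.query(
                "SELECT username, password, enabled FROM users WHERE username = ?",
                (rs, i) -> new UserRow(rs.getString("username"), rs.getString("password"), rs.getBoolean("enabled")),
                username);
        if (rows.isEmpty()) throw new UsernameNotFoundException("No user " + username);
        UserRow row = rows.get(0);
        List<String> roles = jdbc.queryForList("SELECT role FROM user_roles WHERE username = ?", String.class, username);
        return User.withUsername(row.username)
                .password(row.passwordHash)      // the stored BCrypt hash; the clear-text password is never read back
                .disabled(!row.enabled)
                .authorities(roles.stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)).collect(Collectors.toList()))
                .build();
    }

    private static final class UserRow {
        final String username, passwordHash; final boolean enabled;
        UserRow(String u, String p, boolean e) { username = u; passwordHash = p; enabled = e; }
    }
}

@Configuration
@EnableWebSecurity
public class DbSecurityConfig extends WebSecurityConfigurerAdapter {
    private final DbUserDetailsService userDetailsService;
    DbSecurityConfig(DbUserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; }

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // DaoAuthenticationProvider compares the submitted password with the stored BCrypt hash via this encoder.
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter jsonLogin = new CustomAuthenticationFilter();   // the JSON filter from this page
        jsonLogin.setAuthenticationManager(authenticationManagerBean());
        jsonLogin.setFilterProcessesUrl("/login/self");
        jsonLogin.setAuthenticationSuccessHandler((req, res, authn) -> {
            res.setContentType(MediaType.APPLICATION_JSON_VALUE);
            res.getWriter().write("{\"user\":\"" + authn.getName() + "\"}");
        });
        jsonLogin.setAuthenticationFailureHandler((req, res, ex) ->
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication failed"));   // same answer for bad user and bad password

        http
            .csrf().ignoringAntMatchers("/login/self")     // JSON clients cannot send the form token; everything else stays protected
            .and()
            .authorizeRequests()
                .antMatchers("/login/self").permitAll()
                .anyRequest().authenticated()
            .and()
            .addFilterAt(jsonLogin, UsernamePasswordAuthenticationFilter.class);   // replaces the default form-login filter slot
    }
}
```

The failure handler deliberately returns the same generic 401 whether the user does not exist or the password is wrong; DaoAuthenticationProvider already hides the difference by running a dummy BCrypt check for unknown users, and the handler should not undo that by echoing the exception message.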
Summary
The article provides a comprehensive guide to RBAC permission configuration, basic Spring Security setup, JWT‑based stateless authentication, JSON login handling, password encryption with BCrypt, and database‑backed user authentication, offering practical code examples for each step.
Java Captain