Understanding RBAC and Implementing Spring Security with JWT
This article explains the fundamentals of Role‑Based Access Control (RBAC), its model classifications, permission concepts, and user‑group usage, then demonstrates how to implement RBAC in a Spring Security application, including in‑memory authentication, JWT integration, JSON login, and password encryption techniques.
The article begins with an overview of Role‑Based Access Control (RBAC), defining RBAC and describing its purpose in managing permissions through roles assigned to users.
It then details the four RBAC model variants (RBAC0, RBAC1, RBAC2, RBAC3), explaining the differences between single‑role and multi‑role relationships, role inheritance, mutually exclusive roles, cardinality constraints, prerequisites, and runtime exclusivity.
Permission concepts are clarified, showing how permissions represent collections of resources such as page access, data CRUD operations, and menu visibility.
User groups are introduced as a way to batch‑assign roles to many users, reducing administrative effort and improving manageability.
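The relationships described in the RBAC0 to RBAC3 overview, as a small runnable model added here for illustration (it is not code from the article): roles carry permissions, senior roles inherit the permissions of junior roles, and the RBAC2 constraints are checked either when a role is assigned or when a session activates it. The role names, permission strings and user names are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Constructed model of the RBAC levels (not the article's code).
// RBAC0: users, roles, permissions, sessions. RBAC1: role inheritance.
// RBAC2: constraints (mutual exclusion, cardinality, prerequisite). RBAC3: RBAC1 + RBAC2.
public class RbacModel {
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // role -> directly granted permissions
    private final Map<String, Set<String>> roleJuniors = new HashMap<>();     // RBAC1: senior role -> junior roles it inherits
    private final Map<String, Set<String>> userRoles = new HashMap<>();       // user -> assigned roles
    private final List<Set<String>> staticExclusions = new ArrayList<>();     // RBAC2: never assigned to the same user
    private final List<Set<String>> dynamicExclusions = new ArrayList<>();    // RBAC2: never active in the same session
    private final Map<String, Integer> cardinality = new HashMap<>();         // RBAC2: maximum number of holders
    private final Map<String, String> prerequisite = new HashMap<>();         // RBAC2: role -> role that must be held first

    public void grant(String role, String permission) { rolePermissions.computeIfAbsent(role, k -> new HashSet<>()).add(permission); }
    public void inherits(String senior, String junior) { roleJuniors.computeIfAbsent(senior, k -> new HashSet<>()).add(junior); }
    public void staticallyExclusive(String a, String b) { staticExclusions.add(Set.of(a, b)); }
    public void dynamicallyExclusive(String a, String b) { dynamicExclusions.add(Set.of(a, b)); }
    public void limitHolders(String role, int max) { cardinality.put(role, max); }
    public void requires(String role, String mustHoldFirst) { prerequisite.put(role, mustHoldFirst); }

    /** Assignment-time constraints: prerequisite, static mutual exclusion, cardinality. */
    public void assign(String user, String role) {
        Set<String> held = userRoles.computeIfAbsent(user, k -> new HashSet<>());
        String pre = prerequisite.get(role);
        if (pre != null && !held.contains(pre)) throw new IllegalStateException(user + " must hold " + pre + " before " + role);
        for (Set<String> pair : staticExclusions) {
            if (pair.contains(role) && held.stream().anyMatch(r -> !r.equals(role) && pair.contains(r)))
                throw new IllegalStateException(role + " is mutually exclusive with a role " + user + " already holds");
        }
        long holders = userRoles.values().stream().filter(rs -> rs.contains(role)).count();
        if (holders >= cardinality.getOrDefault(role, Integer.MAX_VALUE)) throw new IllegalStateException("cardinality limit reached for " + role);
        held.add(role);
    }

    /** RBAC1: a senior role carries its own permissions plus, transitively, those of its juniors. */
    public Set<String> effectivePermissions(String role) {
        Set<String> out = new HashSet<>(rolePermissions.getOrDefault(role, Collections.emptySet()));
        for (String junior : roleJuniors.getOrDefault(role, Collections.emptySet())) out.addAll(effectivePermissions(junior));
        return out;
    }

    /** RBAC0 session: the user activates a subset of assigned roles; dynamic exclusion is enforced here. */
    public Set<String> openSession(String user, Set<String> activate) {
        if (!userRoles.getOrDefault(user, Collections.emptySet()).containsAll(activate))
            throw new IllegalStateException(user + " does not hold all of " + activate);
        for (Set<String> pair : dynamicExclusions) {
            if (activate.containsAll(pair)) throw new IllegalStateException("cannot activate " + pair + " in one session");
        }
        return Set.copyOf(activate);
    }

    /** Authorization decision: does any active role, counting inherited permissions, carry the permission? */
    public boolean permits(Set<String> activeRoles, String permission) {
        return activeRoles.stream().anyMatch(r -> effectivePermissions(r).contains(permission));
    }

    public static void main(String[] args) {
        RbacModel m = new RbacModel();
        m.grant("viewer", "order:read");      // page / data read access
        m.grant("clerk", "order:create");     // data CRUD
        m.grant("auditor", "audit:read");
        m.grant("admin", "menu:admin");       // menu visibility
        m.inherits("clerk", "viewer");        // a clerk can do everything a viewer can
        m.inherits("admin", "clerk");         // admin -> clerk -> viewer
        m.staticallyExclusive("clerk", "auditor");   // separation of duty at assignment time
        m.dynamicallyExclusive("viewer", "auditor"); // may hold both, but not in the same session
        m.limitHolders("admin", 1);
        m.requires("admin", "clerk");

        m.assign("alice", "clerk");
        m.assign("alice", "admin");
        m.assign("carol", "viewer");
        m.assign("carol", "auditor");
        System.out.println("admin effective permissions: " + m.effectivePermissions("admin"));
        Set<String> session = m.openSession("alice", Set.of("clerk"));
        System.out.println("clerk session, order:read -> " + m.permits(session, "order:read"));
        System.out.println("clerk session, menu:admin -> " + m.permits(session, "menu:admin"));
        List<Runnable> rejected = List.of(
                () -> m.assign("alice", "auditor"),                          // static exclusion with clerk
                () -> m.assign("bob", "admin"),                               // prerequisite not met
                () -> m.openSession("carol", Set.of("viewer", "auditor")));   // dynamic exclusion
        for (Runnable attempt : rejected) {
            try { attempt.run(); } catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The point the model makes is that a bare "does the user hold role X" check is only RBAC0; the inheritance and the constraints are separate decisions that have to be enforced somewhere. In Spring Security, `RoleHierarchyImpl` covers the RBAC1 part (a `ROLE_ADMIN > ROLE_USER` declaration), while the RBAC2 constraints have no built-in equivalent and belong in the code that assigns roles.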
Next, the article provides a step‑by‑step guide to integrating RBAC with Spring Security. It starts with adding the `spring-boot-starter-security` Maven dependency (`org.springframework.boot:spring-boot-starter-security`).
It shows how to exercise the in‑memory authentication that Spring Boot configures by default, using a simple controller (with the starter on the classpath and no further configuration, every endpoint is protected and the only account is `user`, whose random password is printed in the startup log):

```java
package com.example.demo;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Minimal endpoint at /test/test used to confirm that Spring Security is active.
@RestController
@RequestMapping("/test")
public class Test {

    @RequestMapping("/test")
    public String test() {
        return "test";
    }
}
```

It then demonstrates a more advanced security configuration with a custom `WebSecurityConfigurerAdapter` that defines a password encoder, disables CSRF, and sets the session creation policy to stateless.
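Such a configuration written out, as an added example against the Spring Security 5.x API that the article's `WebSecurityConfigurerAdapter` implies (this is not the article's code): it defines a `BCryptPasswordEncoder` bean, keeps two in-memory users whose passwords exist only as BCrypt hashes, disables CSRF, makes sessions stateless, and registers a JSON login filter that answers a successful login with a JWT. The user names, passwords, URL paths and role names are constructed; the example assumes a `JwtTokenUtil` with a `generateToken(UserDetails)` method and a `JwtAuthenticationTokenFilter`, both available as Spring beans, which are the two classes the article introduces in the steps that follow.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;

/** Accepts {"username": "...", "password": "..."} on the login URL in place of form fields. */
class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String contentType = request.getContentType();
        if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            return super.attemptAuthentication(request, response); // form-encoded logins still work
        }
        Map<String, String> body;
        try {
            body = mapper.readValue(request.getInputStream(), new TypeReference<Map<String, String>>() {});
        } catch (IOException e) {
            throw new AuthenticationServiceException("Malformed JSON login body", e);
        }
        // Absent fields become empty strings, so the provider rejects them like a wrong password.
        String username = body.getOrDefault("username", "").trim();
        String password = body.getOrDefault("password", "");
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }
}

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final JwtTokenUtil jwtTokenUtil;               // assumed bean from the JWT steps: issues tokens
    private final JwtAuthenticationTokenFilter jwtFilter;  // assumed bean from the JWT steps: verifies tokens

    SecurityConfig(JwtTokenUtil jwtTokenUtil, JwtAuthenticationTokenFilter jwtFilter) {
        this.jwtTokenUtil = jwtTokenUtil;
        this.jwtFilter = jwtFilter;
    }

    /** BCrypt salts every hash; its work factor (default 10) slows offline guessing of leaked hashes. */
    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    /** Constructed in-memory users; only BCrypt hashes are kept and DaoAuthenticationProvider checks them with matches(). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder enc = passwordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(enc)
            .withUser("admin").password(enc.encode("change-me-admin")).roles("ADMIN", "USER").and()
            .withUser("alice").password(enc.encode("change-me-alice")).roles("USER");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter loginFilter = new CustomAuthenticationFilter();
        loginFilter.setAuthenticationManager(authenticationManagerBean());
        loginFilter.setFilterProcessesUrl("/login");
        // On success the response body carries the JWT; no session is created, so the token is the only credential afterwards.
        loginFilter.setAuthenticationSuccessHandler((req, res, authn) -> {
            String token = jwtTokenUtil.generateToken((UserDetails) authn.getPrincipal());
            res.setContentType(MediaType.APPLICATION_JSON_VALUE);
            res.getWriter().write("{\"token\":\"" + token + "\"}"); // a compact JWT has no characters that need JSON escaping
        });
        loginFilter.setAuthenticationFailureHandler((req, res, ex) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED));

        http.csrf().disable()                                     // acceptable only because no cookie or session is used for auth
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")       // hasRole("ADMIN") checks the ROLE_ADMIN authority
                .anyRequest().authenticated().and()
            .addFilterAt(loginFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Disabling CSRF is defensible here only because the stateless policy means no session cookie is ever issued: the client has to attach the token to each request itself, and a cross-site form post cannot do that. If the filter is also annotated as a `@Component`, Spring Boot registers it with the servlet container a second time, so it is better declared as a plain bean. `WebSecurityConfigurerAdapter` and `antMatchers` were removed in Spring Security 6, where the same rules are expressed through a `SecurityFilterChain` bean and `requestMatchers`.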
JWT integration is covered by adding the `io.jsonwebtoken:jjwt:0.9.1` dependency and implementing a `JwtTokenUtil` utility class for token generation, validation, and refresh:

```java
import java.io.Serializable;

public class JwtTokenUtil implements Serializable {
    private String secret;      // HMAC signing key; keep it out of source control
    private Long expiration;    // token lifetime
    private String header;      // name of the HTTP header that carries the token
    // token generation and validation methods ...
}
```

A JWT authentication filter (`JwtAuthenticationTokenFilter`) is provided to extract the token from request headers, validate it, and set the security context:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.filter.OncePerRequestFilter;

// Runs once per request: reads the token from the configured header, validates it with
// JwtTokenUtil and, if it verifies, stores an Authentication in the SecurityContext.
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

    @Autowired
    private UserDetailsService userDetailsService; // loads the user named in the token

    @Autowired
    private JwtTokenUtil jwtTokenUtil;             // parses and validates the token

    // filter logic ...
}
```

The guide also includes a custom JSON login filter that parses the username and password from a JSON payload, replacing the default `UsernamePasswordAuthenticationFilter`:
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Replaces the form-field login: credentials arrive as a JSON body instead of
// username/password request parameters.
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // parse JSON and authenticate ...
    }
}
```

Finally, password storage (which the article calls password encryption) is addressed by configuring a `BCryptPasswordEncoder` bean and using it to hash passwords before they are stored and to verify the submitted password at login; because BCrypt salts every hash, a stored value is checked with `matches()` rather than by re-encoding and comparing.
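The `JwtTokenUtil` and `JwtAuthenticationTokenFilter` sketched above, filled in as an added example against the jjwt 0.9.1 API the article depends on (this is not the article's code). The constructor parameters, the `Bearer ` prefix and the header name are assumptions; the secret is supplied as a string and used as raw key bytes.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Date;

/** Issues, verifies and refreshes HS512-signed tokens with jjwt 0.9.1. */
class JwtTokenUtil implements Serializable {
    private final byte[] secret;          // raw HMAC key: at least 64 random bytes for HS512, loaded from configuration
    private final long expirationMillis;

    JwtTokenUtil(String secret, long expirationSeconds) {
        this.secret = secret.getBytes(StandardCharsets.UTF_8);
        this.expirationMillis = expirationSeconds * 1000L;
    }

    String generateToken(UserDetails user) {
        Date now = new Date();
        return Jwts.builder().setSubject(user.getUsername()).setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + expirationMillis))
                .signWith(SignatureAlgorithm.HS512, secret).compact();
    }

    /** parseClaimsJws checks signature and expiry; any failure is reported as null rather than an exception. */
    Claims parseAndValidate(String token) {
        try {
            return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }

    /** Re-issues a still-valid token with fresh timestamps; an expired token cannot be refreshed this way. */
    String refreshToken(String token) {
        Claims claims = parseAndValidate(token);
        if (claims == null) return null;
        Date now = new Date();
        claims.setIssuedAt(now).setExpiration(new Date(now.getTime() + expirationMillis));
        return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();
    }
}

/** Reads the bearer token from the configured header and fills the SecurityContext when it verifies. */
class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private static final String PREFIX = "Bearer ";
    private final UserDetailsService userDetailsService;
    private final JwtTokenUtil jwtTokenUtil;
    private final String headerName;      // e.g. "Authorization"

    JwtAuthenticationTokenFilter(UserDetailsService userDetailsService, JwtTokenUtil jwtTokenUtil, String headerName) {
        this.userDetailsService = userDetailsService;
        this.jwtTokenUtil = jwtTokenUtil;
        this.headerName = headerName;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader(headerName);
        if (header != null && header.startsWith(PREFIX) && SecurityContextHolder.getContext().getAuthentication() == null) {
            Claims claims = jwtTokenUtil.parseAndValidate(header.substring(PREFIX.length()));
            if (claims != null && claims.getSubject() != null) {
                try {
                    UserDetails user = userDetailsService.loadUserByUsername(claims.getSubject());
                    if (user.isEnabled() && user.isAccountNonLocked()) { // a token can outlive the account's status
                        UsernamePasswordAuthenticationToken auth =
                                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException e) {
                    // account removed after the token was issued: leave the request unauthenticated
                }
            }
        }
        chain.doFilter(request, response); // unauthenticated requests continue and the authorization rules reject them
    }
}
```

Two details are easy to get wrong with this jjwt version. The string overloads `signWith(SignatureAlgorithm, String)` and `setSigningKey(String)` base64-decode their argument, so a plain-text secret passed to them silently becomes a different, shorter key; passing the raw bytes to both the builder and the parser avoids the mismatch. And jjwt 0.9.1 still relies on `javax.xml.bind`, so on Java 11 or later the `jaxb-api` artifact has to be on the classpath (later jjwt releases dropped that dependency). Because a token stays valid until it expires, the filter re-reads the account through `UserDetailsService` on every request so that a disabled or deleted user loses access immediately rather than at expiry.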
In conclusion, the article provides a comprehensive walkthrough of RBAC theory, its practical application in Spring Security, and advanced features such as JWT‑based stateless authentication and JSON login, equipping developers with the knowledge to build secure, role‑aware Java applications.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.