Example of integrating Spring Boot & Apache Shiro & JWT together to do the authentication/authorization stuff.
mvn spring-boot:runcurl -i -H "Content-Type: application/json" -X POST -d '{"username":"alice","password":"alice-password"}' http://localhost:8080/loginYou will see the token in response header for user alice. Note that the status code 401 will be returned
if you provide incorrect username or password.
See all predefined users in section Users, Roles and Permissions.
The general command to verify if the auth works is as follows:
curl -i -H "Authorization: Bearer token-you-got-in-step-2" http://localhost:8080/admin-onlyor without token:
curl -i http://localhost:8080/admin-onlyYou can change the token and the URL as need. See all predefined URLs in section APIs. The response status code varies in different situations:
| public api | protected api | |
|---|---|---|
| token valid and with enough authorities | 200 | 200 |
| token valid and without enough authorities | 200 | 403 |
| token missing or invalid | 200 | 401 |
The following users are defined in the demo. For details, see schema.sql and data.sql.
| username | password | roles | permissions |
|---|---|---|---|
| alice | alice-password | admin | * |
| bob | bob-password | user | files:read,write |
| chris | chris-password | file-operator | files:* |
| david | david-password | log-archiver | files:read,archive:log |
Note: the in-memory database called
H2is used by default. It's very easy to switch toMySQLas need. See application.yml.
| roles required | |
|---|---|
| /admin-only | admin |
| /user-only | user |
| /admin-or-user | admin or user |
| /public-to-all |
| permissions required | |
|---|---|
| /read | files:read |
| /write | files:write |
| /archive | files:archive |
| /read-log | files:read:log |
| /write-log | files:write:log |
| /archive-log | files:archive:log |