Spring Boot Shiro JWT
Example of integrating Spring Boot & Apache Shiro & JWT together to do the authentication/authorization stuff.
Get Started
1. Start the service
mvn spring-boot:run2. Get tokens
curl -i -H "Content-Type: application/json" -X POST -d '{"username":"alice","password":"alice-password"}' http://localhost:8080/loginYou will see the token in response header for user alice. Note that the status code 401 will be returned
if you provide incorrect username or password.
See all predefined users in section Users, Roles and Permissions.
3. Access protected APIs
The general command to verify if the auth works is as follows:
curl -i -H "Authorization: Bearer token-you-got-in-step-2" http://localhost:8080/admin-onlyor without token:
curl -i http://localhost:8080/admin-onlyYou can change the token and the URL as need. See all predefined URLs in section APIs. The response status code varies in different situations:
| public api | protected api | |
|---|---|---|
| token valid and with enough authorities | 200 | 200 |
| token valid and without enough authorities | 200 | 403 |
| token missing or invalid | 200 | 401 |
Users, Roles and Permissions
The following users are defined in the demo. For details, see schema.sql and data.sql.
| username | password | roles | permissions |
|---|---|---|---|
| alice | alice-password | admin | * |
| bob | bob-password | user | files:read,write |
| chris | chris-password | file-operator | files:* |
| david | david-password | log-archiver | files:read,archive:log |
Note: the in-memory database called
H2is used by default. It's very easy to switch toMySQLas need. See application.yml.
APIs
Role Based APIs
| roles required | |
|---|---|
| /admin-only | admin |
| /user-only | user |
| /admin-or-user | admin or user |
| /public-to-all |
Permission Based APIs
| permissions required | |
|---|---|
| /read | files:read |
| /write | files:write |
| /archive | files:archive |
| /read-log | files:read:log |
| /write-log | files:write:log |
| /archive-log | files:archive:log |