This is a template to help you get started with a JWT-based Spring Boot backend.
Besides, this project can be used directly as a Single Sign-On center (or authentication service).
We use OpenSSL to generate the private and public key and sign JWT tokens with the private key.
Other applications can use the public key to verify the JWT tokens.
Features:

- basic models for user, access token, and refresh token
- login api: issue access token and refresh token
- web login api: issue access/refresh tokens in http only cookie
- set max login failure attempts: block login for a while if there are too many failed attempts
- refresh api: exchange new tokens via refresh token
- web refresh api: exchange new tokens via the refresh token in http only cookie
- register api with email verification
- logout api: revoke access token via redis blacklist
- change password api
- forget and reset password api
- admin api: user activate/deactivate, change role, and getUserList
- validation on `@RequestBody`
- `@RateLimit` on user or ip, based on the token bucket algorithm and redis
- api documentation via swagger (at path `/swagger-ui/index.html`)
We also provide an example frontend application written in Vue.js to work with this project.
Getting started:

- install Docker, JDK 17 and Maven (IntelliJ IDE is recommended)
- clone the repo and run `mvn install` or `./mvnw install`
- set up a PostgreSQL server on localhost:5432 with a database named `spring-test`
- set up a Redis server on localhost:6379
- install OpenSSL and run `./jwtRSA256.sh`
- cd to `./src/main/resources/`, then copy `application-dev.properties` and `application-dev.yml` to `application.properties` and `application.yml`
- edit `application.properties` according to your needs:

  db related settings

  ```properties
  # connect to database `spring-test` on localhost:5432
  spring.datasource.url=jdbc:postgresql://localhost:5432/spring-test
  # set username and password to connect to your database
  spring.datasource.username=postgres
  spring.datasource.password=pa55ward
  spring.datasource.driver-class-name=org.postgresql.Driver
  spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
  spring.jpa.properties.hibernate.hbm2ddl.auto=update
  ```

  jwt related settings

  ```properties
  # change this to your desired issuer in jwt
  jwt.issuer=joejoe2.com
  # domain for access/refresh tokens in cookie (if you are using the web login api)
  # can be an exact domain, or example.com for all subdomains
  jwt.cookie.domain=example.com
  # specify lifetime of access and refresh token in seconds
  jwt.access.token.lifetime=900
  jwt.refresh.token.lifetime=1800
  ```

  default admin account

  ```properties
  # username can only contain a-z, A-Z, and 0-9
  # max length is 32
  default.admin.username=admin
  # password can only contain a-z, A-Z, and 0-9
  # min length is 8, max length is 32
  default.admin.password=pa55ward
  # change to your email
  [email protected]
  ```

  mail sender (needed to send the verification code to newly registered users)

  ```properties
  # this is an example if you use gmail as the smtp server to send email
  spring.mail.host=smtp.gmail.com
  spring.mail.port=587
  spring.mail.username=[email protected]
  spring.mail.password=pa55ward
  spring.mail.properties.mail.smtp.auth=true
  spring.mail.properties.mail.smtp.starttls.enable=true
  ```

  set reset password url (the user is redirected to the reset password page of your frontend; the reset token is appended to this url so your page can send the password reset request)

  ```properties
  # set reset password url
  reset.password.url=http://localhost:8888/resetPassword?token=
  ```

  set allow host (cors for your frontend; pick the variant that matches your deployment)

  ```properties
  # for frontend applications at any port of the localhost
  allow.host=http://localhost:[*]
  # for the frontend application at frontend.example.com
  allow.host=https://frontend.example.com
  # for frontend applications belonging to subdomains of .example.com
  allow.host=https://*.example.com
  ```

  login related settings (e.g. block login for 900 seconds after 5 consecutive unsuccessful attempts with an incorrect password)

  ```properties
  # login max attempt settings
  login.maxAttempts=5
  # in seconds
  login.attempts.coolTime=900
  ```

- copy the contents of `private.key` and `public.key` (generated at the project root by `./jwtRSA256.sh`) into `application.yml`:

  ```yaml
  jwt:
    secret:
      privateKey: |
        -----BEGIN PRIVATE KEY-----
        ... your PRIVATE KEY ...
        -----END PRIVATE KEY-----
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        ... your PUBLIC KEY ...
        -----END PUBLIC KEY-----
  ```

- now you can start to develop your own project
We use the RSA private key to sign tokens and the public key to verify them (as described above), so you can parse and verify the tokens outside this application with the public key alone (i.e. use this application as an AuthService).
To run the tests, run `mvn test` or `./mvnw test`.

To format the code, run `mvn spotless:apply` or `./mvnw spotless:apply`.
Deploy with Docker:

- install docker and docker-compose
- copy `./env/application.env.example` to `./env/application.env` and edit it just like `application.properties` (mentioned above), but you need to set `jwt.secret.privateKey` and `jwt.secret.publicKey` in this format (the whole PEM on one line, as shown):

  ```properties
  jwt.secret.publicKey="-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzFVaIiZtFKJgIrrXa9ZQ fHeGu3o/CFGAhybGXXcU6XWZpyIHNTUdx7ah1z+pMecXWqOIkmKVN92ktgV+TAEB mB91TMr23dMU95JC5wz7H1sxUmO+0HuA5XkGUTXf6GqpIAYLvKnNNhd8eCFm/YAE S9LMsRBVZqgAb7GDJDb+B4NTzUGtWn71/2rSnDsXg1+aV271MM7n20AcvRruXDWx bz5Wx5kKnTbwrOSvQ1chCo/gg+t+xCUdZ78SyT2bRuUIe+d0qHyqdY6i4lvbiXzC noZRygIMYfRyxh0y52Mw6NXLvowOZ2DDYtQMeJglyocOFeYqSgqiRsaELvoQ/5Y8 1wIDAQAB -----END PUBLIC KEY-----"
  ```

- copy `./nginx/nginx-certbot.env.example` to `./nginx/nginx-certbot.env` (just set `CERTBOT_EMAIL` in the first line)
- edit `./nginx/user_conf.d/server.conf` (just change `server_name` to your own FQDN)
- make sure that `POSTGRES_PASSWORD` and `POSTGRES_DB` in `./docker-compose.yml` are the same as the settings in `./env/application.env`
- run `docker-compose up` or `docker-compose up -d`