Securing a Rest Service using Spring Security, oauth2 and jwt

Authentication and Authorization are two important concepts when it comes to spring security. Although used interchangeably, they mean different things. Authentication has to do with verifying a uer while Authorization is verifying what the user can do. In this article, I talk about how spring security comes to play when building a rest service.

Task Description

Build an open API for news with multiple authors.

1. Authors should be able to sign up with their name, email, password and bio
– Protected APIs
3. They should be able to submit an article which makes them the author
4. They should be able to edit ONLY their own articles if authenticated successfully
5. They should be able to delete ONLY their articles
– Public APIs
6. Create endpoint to view all articles that are published
7. There should be an endpoint to view all authors

It is easy to identify from the task above that the system would have multiple users and it is going to be a role-based system. The different users of the system can carry out different activities and each user should only permitted to carry out the activities assigned to them.


There are two users of the system:

  1. The author: can signup, submit article, edit and delete their article
  2. Other users: view published articles, view authors


In this project, we would use oauth2 and jwt for the user authentication and authorization.

Jwt ensures a stateless exchange of tokens and it works well for securing endpoints.


Project Setup

I talk more about how to setup a project and what it entails in my previous article. However, in this article, I use Spring Initialzr to generate the spring boot project and populate the dependencies.

The dependencies used are:

  • spring-boot-starter-web
  • spring-boot-starter-security
  • spring-boot-starter-data-jpa
  • spring-boot-starter-web
  • spring-security-jwt
  • spring-security-oauth2

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

No Comments

Post A Comment