Spring Boot Security: Authentication และ Authorization
#java13 เม.ย. 2569
Spring Security คืออะไร
Spring Security เป็น framework สำหรับ authentication (ยืนยันตัวตน) และ authorization (กำหนดสิทธิ์) ใน Spring Boot applications
ติดตั้ง
<!-- Spring Security auto-configuration: once this is on the classpath every endpoint is
     protected until a SecurityFilterChain bean (SecurityConfig below) says otherwise. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<!-- jjwt-api only holds the interfaces (Jwts, Keys, Decoders). The implementation and a JSON
     codec are separate runtime-scope artifacts: add io.jsonwebtoken:jjwt-impl and
     io.jsonwebtoken:jjwt-jackson with the same version, or Jwts.builder() fails at runtime. -->
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.12.3</version>
</dependency>
Security Configuration
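@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * The filter that extracts the bearer token from the Authorization header and populates the
     * SecurityContext. The original listing referenced {@code jwtFilter} without ever declaring
     * it; it is now constructor-injected. Typed as {@code jakarta.servlet.Filter} because that is
     * what {@code addFilterBefore} accepts, so any JWT filter bean satisfies it.
     */
    private final Filter jwtFilter;

    public SecurityConfig(Filter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    /**
     * Builds the single filter chain for the API.
     *
     * <p>CSRF protection is disabled ONLY because the session policy is STATELESS and the JWT
     * travels in the Authorization header, which a browser never attaches on its own. If the token
     * is ever stored in a cookie, CSRF protection must be turned back on.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured chain
     * @throws Exception propagated from {@code HttpSecurity.build()}
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // login/register are reachable without a token; everything else needs one
                .requestMatchers("/api/auth/**").permitAll()
                // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN"
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            // run the JWT filter before the form-login filter so the context is populated first
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }

    /**
     * Exposes the AuthenticationManager that AuthController injects as {@code authManager}; without
     * this bean the controller cannot be wired.
     */
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config)
            throws Exception {
        return config.getAuthenticationManager();
    }

    /** BCrypt is an adaptive, salted hash; never store passwords with a bare digest. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}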
JWT Service
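@Service
public class JwtService {

    /**
     * Base64-encoded HMAC key. It must decode to at least 256 bits (32 bytes) —
     * {@code Keys.hmacShaKeyFor} rejects anything shorter. Supply it from an environment
     * variable or secret store; never commit the value with the source.
     */
    @Value("${jwt.secret}")
    private String secret;

    /** Token lifetime in milliseconds; defaults to the 24 hours the original hard-coded. */
    @Value("${jwt.expiration-ms:86400000}")
    private long expirationMs;

    /**
     * Issues a signed token whose subject is the user name.
     *
     * @param userDetails the authenticated user
     * @return a compact JWS string
     */
    public String generateToken(UserDetails userDetails) {
        long now = System.currentTimeMillis();
        return Jwts.builder()
            .subject(userDetails.getUsername())
            .issuedAt(new Date(now))
            .expiration(new Date(now + expirationMs))
            .signWith(getSignKey())
            .compact();
    }

    /**
     * Returns true only when the signature verifies with the server key, the subject equals the
     * loaded user's name and the token has not expired. Any parse failure — bad signature,
     * tampered payload, unsupported "alg", malformed or expired token — yields false rather than
     * propagating, so callers cannot accidentally treat an exception path as "valid".
     *
     * @param token       the compact JWS from the Authorization header
     * @param userDetails the user loaded for the token's subject
     * @return whether the token may be trusted for this user
     */
    public boolean isTokenValid(String token, UserDetails userDetails) {
        try {
            String username = extractUsername(token);
            return username != null
                && username.equals(userDetails.getUsername())
                && !isTokenExpired(token);
        } catch (JwtException | IllegalArgumentException e) {
            return false;
        }
    }

    /**
     * Subject of a verified token. The original listing called this without defining it.
     *
     * @throws JwtException if the token cannot be parsed or its signature does not verify
     */
    public String extractUsername(String token) {
        return parseClaims(token).getSubject();
    }

    /**
     * A token without an "exp" claim is treated as expired so that it can never live forever.
     * parseSignedClaims already rejects expired tokens; this is a belt-and-braces check.
     */
    private boolean isTokenExpired(String token) {
        Date expiration = parseClaims(token).getExpiration();
        return expiration == null || expiration.before(new Date());
    }

    /**
     * Verifies the signature with the server key before exposing any claim. parseSignedClaims
     * only accepts signed tokens, so an unsigned token or "alg":"none" is rejected here.
     */
    private Claims parseClaims(String token) {
        return Jwts.parser()
            .verifyWith(getSignKey())
            .build()
            .parseSignedClaims(token)
            .getPayload();
    }

    private SecretKey getSignKey() {
        return Keys.hmacShaKeyFor(Decoders.BASE64.decode(secret));
    }
}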
Auth Controller
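@RestController
@RequestMapping("/api/auth")
public class AuthController {

    // The original listing used these three collaborators without declaring them.
    private final AuthenticationManager authManager;
    private final JwtService jwtService;
    private final UserService userService;

    public AuthController(AuthenticationManager authManager,
                          JwtService jwtService,
                          UserService userService) {
        this.authManager = authManager;
        this.jwtService = jwtService;
        this.userService = userService;
    }

    /**
     * Verifies the credentials and returns a signed JWT.
     *
     * <p>This endpoint is the natural brute-force target; it should sit behind rate limiting
     * (see the summary at the end of the page) and must be served over HTTPS only.
     *
     * @param request e-mail and password from the JSON body
     * @return 200 with the token, or 401 via {@link #handleAuthenticationFailure}
     */
    @PostMapping("/login")
    public ResponseEntity<AuthResponse> login(@RequestBody @Valid LoginRequest request) {
        Authentication auth = authManager.authenticate(
            new UsernamePasswordAuthenticationToken(request.email(), request.password())
        );
        UserDetails user = (UserDetails) auth.getPrincipal();
        String token = jwtService.generateToken(user);
        return ResponseEntity.ok(new AuthResponse(token));
    }

    /**
     * Creates an account. Open to everyone because /api/auth/** is permitAll in SecurityConfig.
     *
     * <p>NOTE(review): RegisterRequest must not let the client choose its own role, and if
     * {@code User} is the persistence entity its password hash must be excluded from the
     * response (a response DTO or @JsonIgnore) — confirm against those types.
     *
     * @param request validated registration payload
     * @return 201 with the created user
     */
    @PostMapping("/register")
    public ResponseEntity<User> register(@RequestBody @Valid RegisterRequest request) {
        User user = userService.register(request);
        return ResponseEntity.status(HttpStatus.CREATED).body(user);
    }

    /**
     * Maps every authentication failure (bad password, unknown user, locked or disabled account)
     * to a bare 401 so the response does not reveal which of those it was.
     */
    @ExceptionHandler(AuthenticationException.class)
    public ResponseEntity<Void> handleAuthenticationFailure(AuthenticationException e) {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
    }
}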
Method Security
/**
 * Switches on evaluation of {@code @PreAuthorize}/{@code @PostAuthorize} on Spring beans
 * (UserService below). Without this configuration those annotations are silently ignored.
 */
@Configuration
@EnableMethodSecurity
public class MethodSecurityConfig {
}
@Service
public class UserService {
    // Owner-or-admin rule. "authentication.principal" is whatever the JWT filter placed in the
    // SecurityContext; ".id" only resolves if that UserDetails class exposes getId() (Spring's
    // stock User does not) — confirm against the project's UserDetails implementation.
    // "#userId" binds by parameter name, which requires compiling with -parameters (Spring Boot's
    // build plugins enable it by default) or annotating the parameter with @P("userId").
    @PreAuthorize("hasRole('ADMIN') or #userId == authentication.principal.id")
    public User getUser(Long userId) { ... }

    // Destructive operation: admin only. hasRole('ADMIN') matches authority "ROLE_ADMIN".
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long userId) { ... }
}
สรุป
Spring Security ให้ security ที่ครบครันสำหรับ Spring Boot apps รองรับ JWT, OAuth2, LDAP และอื่นๆ ในงาน production ควรบังคับใช้ HTTPS (ไม่เช่นนั้น token ในเฮดเดอร์ Authorization จะถูกดักอ่านได้), ทำ rate limiting ที่ /api/auth/login เพื่อป้องกันการเดารหัสผ่าน และเก็บ jwt.secret ไว้นอก source code (เช่น environment variable หรือ secret manager) โดยใช้ค่าสุ่มที่ถอดรหัส Base64 แล้วมีขนาดอย่างน้อย 256 บิตครับ