CHANGELOG.md

Change Log

1.3.1 (2020-04-24)

Full Changelog

Fixed

• Expose public API dependencies as api scope and update versions #45 (jimmyjames)

1.3.0 (2020-02-07)

Full Changelog

Added

• Extract authorities from permissions claim #40 (jimmyjames)

1.2.6 (2019-09-26)

Full Changelog

Security

• Update dependencies to address CVE #37 (jimmyjames)

1.2.5 (2019-08-15)

Full Changelog

Security

• Update jackson-databind to address CVE-2019-14379 and CVE-2019-14439 #33 (jimmyjames)

1.2.4 (2019-07-03)

Full Changelog

Security

• Bump dependency versions #31 (jimmyjames)

1.2.3 (2019-06-04)

Full Changelog

Fixed

• Rollback to fixed dependencies versions #28 (lbalmaceda)

1.2.2 (2019-05-23)

Full Changelog

Security

• Bump dependencies #26 (lbalmaceda)

1.2.1 (2019-01-03)

Full Changelog

Security

• Bump dependencies to fix security issue #13 (lbalmaceda)

1.2.0 (2018-11-22)

Full Changelog

Security

• Use latest Gradle wrapper and Bump dependencies #4 (napstr)

1.1.0 (2018-05-31)

Full Changelog

Added

• Allow to set a leeway for JWT verification #57 (lbalmaceda)

1.0.0 (2018-01-26)

Full Changelog

Changed

• Remove unused guava dependency Issue #47 #48 (rhanton)

1.0.0-rc.3 (2017-06-13)

Full Changelog

Changed

• Use java-jwt version 3.2.0 #34 (lbalmaceda)
• Use java-jwt version 3.1.0 #30 (pacey)

1.0.0-rc.2 (2016-12-21)

Full Changelog

Changed

• Rework authentication classes and add more tests. #22 (hzalaz)

1.0.0-rc.1 (2016-12-19)

Auth0 integration with Spring Security to add authorization to your API using JWTs

Download

Get Auth0 Spring Security API using Maven:

<dependency>
    <groupId>com.github.auth0</groupId>
    <artifactId>auth0-spring-security-api</artifactId>
    <version>1.0.0-rc.1</version>
</dependency>

or Gradle:

compile 'com.auth0.github:auth0-spring-security-api:1.0.0-rc.1'

Usage

Inside a WebSecurityConfigurerAdapter you can configure your api to only accept RS256 signed JWTs

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256("YOUR_API_AUDIENCE", "YOUR_API_ISSUER")
                .configure(http);
    }
}

or for HS256 signed JWTs

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forHS256WithBase64Secret("YOUR_API_AUDIENCE", "YOUR_API_ISSUER", "YOUR_BASE_64_ENCODED_SECRET")
                .configure(http);
    }
}

Then using Spring Security HttpSecurity you can specify which paths requires authentication

    http.authorizeRequests()
        .antMatchers("/api/**").fullyAuthenticated();

and you can even specify that the JWT should have a single or several scopes

    http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/api/users/**").hasAuthority("read:users");