Information Security 18 min read

Understanding RBAC and Implementing Spring Security with JWT in Java

This article explains the concepts and models of Role‑Based Access Control (RBAC), demonstrates how to configure RBAC permissions in Spring Security, and provides step‑by‑step Java code for integrating JWT authentication, password encryption, and custom login filters for secure backend development.

Top Architect

The article begins with an overview of RBAC (Role‑Based Access Control), defining its purpose and describing how roles link users to permissions, improving efficiency and reducing security gaps.

It then details the four RBAC model classifications:

RBAC0: The basic model with two relationship types (many‑to‑one and many‑to‑many) between users and roles.

RBAC1: Extends RBAC0 by introducing role hierarchies (sub‑roles) and inheritance.

RBAC2: Adds constraints such as role mutual exclusion, cardinality limits, prerequisite roles, and runtime mutual exclusion.

RBAC3: Combines RBAC1 and RBAC2 into a unified model.

Next, the concept of permissions is clarified as a collection of resources (page access, CRUD operations, etc.), and the use of user groups for batch role assignment is introduced.

For practical implementation, the article walks through a simple Spring Security setup:

1. Add the Spring Security starter dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.1.RELEASE</version>
</dependency>

2. Configure an in‑memory user store and a basic WebSecurityConfigurerAdapter that permits all requests:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class MyWebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Plain-text password comparison for this first demo only; the article switches to BCryptPasswordEncoder later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    // One hard-coded user held in memory; roles("admin") is stored as the authority ROLE_admin.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("123").roles("admin");
    }
}

3. Extend the configuration to use JWT for stateless authentication, adding the JwtTokenUtil utility class, a custom JwtAuthenticationTokenFilter, and a JwtUserDetailsServiceImpl that loads users from a database.

import java.io.Serializable;

public class JwtTokenUtil implements Serializable {
    private String secret;      // signing secret used to sign and verify tokens
    private Long expiration;    // token lifetime
    private String header;      // name of the HTTP header that carries the token
    // token generation, parsing, validation methods ...
}

4. Register the JWT filter in the security chain and configure CORS, CSRF disabling, and endpoint permissions:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()   // no session cookie is used, so CSRF tokens are not needed
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)   // the JWT carries the state
        .and().authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()   // CORS preflight requests
        .antMatchers("/auth/**").permitAll()                  // unauthenticated login/token endpoints
        .anyRequest().authenticated();                        // everything else needs a valid token
    // Run the JWT filter ahead of the form-login filter so the token is checked first.
    http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
}

The guide also shows how to create a custom authentication filter that processes JSON login requests, replacing the default UsernamePasswordAuthenticationFilter:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        // getContentType() is null when the header is absent and may carry a charset suffix,
        // so null-check and prefix-match instead of calling equals() on it.
        String contentType = request.getContentType();
        if (contentType != null && contentType.startsWith(MediaType.APPLICATION_JSON_VALUE)) {
            // parse JSON body to obtain username and password
        }
        // Otherwise fall back to the default form-encoded username/password handling.
        return super.attemptAuthentication(request, response);
    }
}

Password encryption is handled with BCryptPasswordEncoder, and the article demonstrates how to encode passwords before storing them and how to verify them during login.

Finally, the article presents a complete backend configuration that combines RBAC permission checks, JWT stateless authentication, JSON login handling, and BCrypt password hashing, providing a solid foundation for secure Java backend development.

Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
