1.5.3 (2023-01-11)
This patch release does not contain any functional changes, but is being released using an updated signing key for verification as part of our commitment to best security practices. Please review the README note for additional details.
Security
- Update auth0 dependencies #80 (jimmyjames)
1.5.2 (2022-10-26)
Changed
- Update Gradle and configure ship CLI and orb #73 (jimmyjames)
Security
- Update dependencies to address CVE-2022-42003 #74 (jimmyjames)
1.5.1 (2022-03-30)
Security
1.5.0 (2022-03-14)
Changed
- Update auth0 dependencies to address CVE-2020-36518 #66 (jimmyjames)
Security
- Update auth0 dependencies to address CVE-2020-36518 #66 (jimmyjames)
1.4.2 (2022-01-20)
Changed
Security
1.4.1 (2021-02-25)
Changed
- Update dependencies #57 (jimmyjames)
1.4.0 (2020-06-18)
Added
- Add WWW-Authenticate header for 401 and 403 requests #51 (jimmyjames)
- Deal with list of issuers in JwtAuthenticationProvider #30 (coperator)
1.3.1 (2020-04-24)
Fixed
- Expose public API dependencies as api scope and update versions #45 (jimmyjames)
1.3.0 (2020-02-07)
Added
- Extract authorities from permissions claim #40 (jimmyjames)
1.2.6 (2019-09-26)
Security
- Update dependencies to address CVE #37 (jimmyjames)
1.2.5 (2019-08-15)
Security
- Update jackson-databind to address CVE-2019-14379 and CVE-2019-14439 #33 (jimmyjames)
1.2.4 (2019-07-03)
Security
- Bump dependency versions #31 (jimmyjames)
1.2.3 (2019-06-04)
Fixed
- Rollback to fixed dependencies versions #28 (lbalmaceda)
1.2.2 (2019-05-23)
Security
- Bump dependencies #26 (lbalmaceda)
1.2.1 (2019-01-03)
Security
- Bump dependencies to fix security issue #13 (lbalmaceda)
1.2.0 (2018-11-22)
Security
1.1.0 (2018-05-31)
Added
- Allow to set a leeway for JWT verification #57 (lbalmaceda)
1.0.0 (2018-01-26)
Changed
1.0.0-rc.3 (2017-06-13)
Changed
- Use java-jwt version 3.2.0 #34 (lbalmaceda)
- Use java-jwt version 3.1.0 #30 (pacey)
1.0.0-rc.2 (2016-12-21)
Changed
1.0.0-rc.1 (2016-12-19)
Auth0 integration with Spring Security to add authorization to your API using JWTs
Get Auth0 Spring Security API using Maven:
    <dependency>
        <groupId>com.github.auth0</groupId>
        <artifactId>auth0-spring-security-api</artifactId>
        <version>1.0.0-rc.1</version>
    </dependency>
or Gradle:
    compile 'com.auth0.github:auth0-spring-security-api:1.0.0-rc.1'
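Inside a WebSecurityConfigurerAdapter you can configure your API to accept only RS256-signed JWTs:
    import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Accept only RS256-signed tokens for this audience and issuer.
            JwtWebSecurityConfigurer
                    .forRS256("YOUR_API_AUDIENCE", "YOUR_API_ISSUER")
                    .configure(http);
        }
    }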
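or for HS256-signed JWTs:
    import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // HS256 is symmetric: this Base64-encoded secret is the same key the
            // issuer signs with, so load it from configuration, not source code.
            JwtWebSecurityConfigurer
                    .forHS256WithBase64Secret("YOUR_API_AUDIENCE", "YOUR_API_ISSUER", "YOUR_BASE_64_ENCODED_SECRET")
                    .configure(http);
        }
    }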
Then, using Spring Security's HttpSecurity, you can specify which paths require authentication:
    http.authorizeRequests()
            .antMatchers("/api/**").fullyAuthenticated();
You can also require that the JWT carries one or more scopes:
    http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/users/**").hasAuthority("read:users");
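The steps above combined into one configuration, as an added example that is not part of the original release notes or the project's own code. It assumes a Spring Security version that still provides WebSecurityConfigurerAdapter; the class name ApiSecurityConfig, the scope "write:users" and the deny-by-default catch-all rule are choices made for this example.

```java
import com.auth0.spring.security.api.JwtWebSecurityConfigurer;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholders, as in the snippets above; replace with your API's values.
    private static final String AUDIENCE = "YOUR_API_AUDIENCE";
    private static final String ISSUER = "YOUR_API_ISSUER";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Accept only RS256-signed JWTs issued by ISSUER for AUDIENCE.
        JwtWebSecurityConfigurer
                .forRS256(AUDIENCE, ISSUER)
                .configure(http);

        // Rules are evaluated in declaration order and the first match wins,
        // so the specific scope rules come before the broad /api/** rule.
        http.authorizeRequests()
                // hasAuthority compares the scope string as-is; hasRole would
                // prepend "ROLE_" and never match a scope such as "read:users".
                .antMatchers(HttpMethod.GET, "/api/users/**").hasAuthority("read:users")
                // "write:users" is a hypothetical scope name for this example.
                .antMatchers(HttpMethod.POST, "/api/users/**").hasAuthority("write:users")
                .antMatchers(HttpMethod.DELETE, "/api/users/**").hasAuthority("write:users")
                // Any other API path needs a valid token but no particular scope.
                .antMatchers("/api/**").fullyAuthenticated()
                // Deny by default: a path not listed above is refused rather
                // than silently served without a rule.
                .anyRequest().denyAll();
    }
}
```

If the broad "/api/**" rule were declared first, it would match every user endpoint and the scope checks below it would never be evaluated.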