Authentication & Authorization¶
Definition¶
JWT (JSON Web Tokens)¶
// JWT STRUCTURE
// Header.Payload.Signature
// eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature
// HEADER
{
"alg": "RS256", // Algorithm
"typ": "JWT" // Type
}
// PAYLOAD (Claims)
{
"sub": "user-123", // Subject (user ID)
"iss": "auth-service", // Issuer
"aud": "api-service", // Audience
"exp": 1704067200, // Expiration
"iat": 1704063600, // Issued at
"roles": ["admin", "user"], // Custom claims
"email": "[email protected]"
}
// SIGNATURE
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)
// VALIDATION (Java)
@Component
class JwtValidator {
public Claims validate(String token) {
return Jwts.parserBuilder()
.setSigningKey(publicKey)
.build()
.parseClaimsJws(token)
.getBody();
}
}
// JWT BEST PRACTICES
// ✓ Short expiration (15 min for access tokens)
// ✓ Use refresh tokens for long sessions
// ✓ Use RS256 (asymmetric) for distributed systems
// ✓ Validate all claims (exp, iss, aud)
// ✗ Don't store sensitive data in payload
// ✗ Don't use JWT for session management
OAuth 2.0 & OIDC¶
OAuth 2.0: Authorization framework OIDC: Identity layer on top of OAuth 2.0
Roles: - Resource Owner: User who owns the data - Client: Application requesting access - Authorization Server: Issues tokens (Auth0, Okta) - Resource Server: API hosting protected resources
RBAC & ABAC¶
// RBAC: Role-Based Access Control
// Permissions assigned to roles, roles assigned to users
// User → Roles → Permissions
// John → [admin] → [read, write, delete]
// Jane → [viewer] → [read]
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(String userId) {
userRepository.deleteById(userId);
}
@PreAuthorize("hasAnyRole('ADMIN', 'MANAGER')")
public List<Report> getReports() {
return reportRepository.findAll();
}
// Permission-based (more granular)
@PreAuthorize("hasPermission(#orderId, 'Order', 'read')")
public Order getOrder(String orderId) {
return orderRepository.findById(orderId);
}
// ABAC: Attribute-Based Access Control
// Decisions based on attributes of user, resource, environment
// Example policy: "Managers can approve orders under $10,000
// in their own department during business hours"
@Component
class OrderApprovalPolicy implements AccessPolicy {
@Override
public boolean evaluate(Subject subject, Resource resource, Action action) {
Order order = (Order) resource;
User user = (User) subject;
return user.hasRole("MANAGER")
&& order.getTotal().compareTo(BigDecimal.valueOf(10000)) < 0
&& order.getDepartment().equals(user.getDepartment())
&& isBusinessHours();
}
}
// OPA (Open Policy Agent) - External policy engine
// Policies written in Rego language
// allow {
// input.user.role == "manager"
// input.resource.amount < 10000
// }
API Authentication¶
// API KEY AUTHENTICATION
// Simple but less secure, good for server-to-server
@Component
class ApiKeyFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) {
String apiKey = request.getHeader("X-API-Key");
if (apiKey == null || !apiKeyService.isValid(apiKey)) {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
return;
}
ApiKeyDetails details = apiKeyService.getDetails(apiKey);
SecurityContextHolder.getContext().setAuthentication(
new ApiKeyAuthentication(details)
);
chain.doFilter(request, response);
}
}
// BEARER TOKEN (JWT)
// Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwtAuthenticationConverter(jwtAuthConverter())
)
)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
);
return http.build();
}
}
// mTLS (Mutual TLS)
// Both client and server present certificates
// Used for service-to-service authentication
Tips & Tricks¶
Interview Tips¶
- Know AuthN vs AuthZ difference
- Explain OAuth 2.0 flows
- Understand JWT structure and validation
- Know RBAC vs ABAC
Common Questions¶
- "How do you secure an API?"
- "Explain OAuth 2.0"
- "JWT vs session cookies?"
- "RBAC vs ABAC?"
Security Best Practices¶
- Use HTTPS everywhere
- Short-lived access tokens
- Rotate secrets regularly
- Validate all inputs
- Principle of least privilege
JWT Gotchas¶
- Can't revoke (use short expiration)
- Don't store in localStorage (XSS risk)
- Validate signature AND claims
- Don't use "none" algorithm
Key Insight: Authentication proves identity. Authorization enforces access rules. Defense in depth: multiple layers of both.
- *