{"id":37024506,"url":"https://github.com/bratkartoffel/security-jwt","last_synced_at":"2026-01-14T02:57:49.457Z","repository":{"id":50729051,"uuid":"91423639","full_name":"bratkartoffel/security-jwt","owner":"bratkartoffel","description":"Spring Boot Addon to add JWT based security","archived":false,"fork":false,"pushed_at":"2026-01-12T17:05:01.000Z","size":2993,"stargazers_count":31,"open_issues_count":4,"forks_count":10,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2026-01-12T22:53:04.663Z","etag":null,"topics":["jwt","jwt-token","security","spring-boot","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bratkartoffel.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-05-16T06:30:10.000Z","updated_at":"2026-01-12T17:05:04.000Z","dependencies_parsed_at":"2026-01-12T19:02:24.175Z","dependency_job_id":null,"html_url":"https://github.com/bratkartoffel/security-jwt","commit_stats":null,"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"purl":"pkg:github/bratkartoffel/security-jwt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bratkartoffel%2Fsecurity-jwt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bratkartoffel%2Fsecurity-jwt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bratkartoffel%2Fsecurity-jwt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bratkartoffel%2Fsecurity-jwt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bratkartoffel","download_url":"https://codeload.github.com/bratkartoffel/security-jwt/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bratkartoffel%2Fsecurity-jwt/sbom","scorecard":{"id":251476,"data":{"date":"2025-08-11","repo":{"name":"github.com/bratkartoffel/security-jwt","commit":"b527fed12a9a1e952d8a722cf595800e1cd36e28"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.1,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'checks' permission set to 'write': .github/workflows/build.yaml:15","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/11 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   6 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   9 out of   9 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENCE.md:0","Info: FSF or OSI recognized license: MIT License: LICENCE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'develop'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yaml:18"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 19 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T08:34:02.172Z","repository_id":50729051,"created_at":"2025-08-17T08:34:02.173Z","updated_at":"2025-08-17T08:34:02.173Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408799,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jwt","jwt-token","security","spring-boot","spring-security"],"created_at":"2026-01-14T02:57:48.703Z","updated_at":"2026-01-14T02:57:49.443Z","avatar_url":"https://github.com/bratkartoffel.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Spring Security Addon for JWT\n\n[![Java CI](https://github.com/bratkartoffel/security-jwt/actions/workflows/build.yaml/badge.svg)](https://github.com/bratkartoffel/security-jwt/actions/workflows/build.yaml)\n[![Code Coverage](https://img.shields.io/codecov/c/github/bratkartoffel/security-jwt/develop.svg)](https://codecov.io/github/bratkartoffel/security-jwt?branch=develop)\n[![License](http://img.shields.io/:license-mit-blue.svg?style=flat)](http://doge.mit-license.org)\n[![Central Version](https://img.shields.io/maven-central/v/eu.fraho.spring/security-jwt-base)](https://mvnrepository.com/artifact/eu.fraho.spring)\n\nProviding a simple way to integrate [JWT](https://jwt.io/introduction/) into your spring boot application.\n\nThis project is split into multiple parts:\n\n* base: Basic integration of JWT into spring security (without refresh tokens)\n* internal: Support for an in-memory cache (ExpiringMap) for refresh tokens\n* memcache: Support for memcache to store refresh tokens\n* hibernate: Support for hibernate to store refresh tokens\n* redis: Support for redis to store refresh tokens\n* files: Support for filesystem to store refresh tokens\n\nSimply use the dependencies within your build script, spring boot takes care of the rest. The default configuration\nshould be sufficient for the most use cases.\n\n# Contents\n\n* base:\n    * JWT Integration into Spring Security (including\n      some [REST-Controllers](base/src/main/java/eu/fraho/spring/securityJwt/base/controller) to authenticate against)\n    * A [CryptPasswordEncoder](base/src/main/java/eu/fraho/spring/securityJwt/base/password/CryptPasswordEncoder.java)\n      to generate / use linux system crypt(1)-hashes (supporting the newer $5$ and $6$ hashes and rounds)\n    * Full support for [Swagger 2](https://github.com/springfox/springfox) documentation (REST Controller and DTO are\n      annotated and described)\n* module [internal](internal):\n    * Refresh token support through an internal, in-memory map\n* module [memcache](memcache):\n    * Refresh token support through an external memcache server\n* module [hibernate](hibernate):\n    * Refresh token support using hibernate and a database table\n* module [redis](redis):\n    * Refresh token support using a redis server\n* module [files](files):\n    * Refresh token support using a json file\n* various *-spring-boot-starter:\n    * Spring boot starter modules to integrate into the autoconfiguration ecosystem\n\n# Dependencies\n\n```xml\n\n\u003cdependencies\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-base\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003c!-- or --\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-base-spring-boot-starter\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n\u003c/dependencies\u003e\n```\n\nWhen you want to add refresh token support, then choose one of the following dependencies:\n\n```xml\n\n\u003cdependencies\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-internal\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-memcache\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-hibernate\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-redis\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n        \u003cgroupId\u003eeu.fraho.spring\u003c/groupId\u003e\n        \u003cartifactId\u003esecurity-jwt-files\u003c/artifactId\u003e\n        \u003cversion\u003e5.2.0\u003c/version\u003e\n    \u003c/dependency\u003e\n\u003c/dependencies\u003e\n```\n\nFor details on the usage of the plugins please see the README within the relevant module directories.\n\n# Usage\n\nStarting with version 1.0.0 there are two ways on how to use these libraries.\n\nThe old way is by directly using the libraries as dependencies and doing some manual configuration. The newer way used\nspring boot autoconfiguration and reduced the needed configuration a lot.\n\nTo see this library \"in action\", please take a look\nat [the examples](https://github.com/bratkartoffel/security-jwt-examples).\n\n# Spring boot and library versions\n\nThe minimum supported spring boot version and java version changed during the lifetime of this library and sadly wasn't\nalways aligned to the semantic versioning scheme. Take the following table of supported versions as reference prior\nupdating this library in your project.\n\n| Library Version | Compatible Spring boot versions | Required java version |\n|-----------------|---------------------------------|-----------------------|\n| `\u003c 3.0.0`       | [1.5.0, 2.0.0[                  | 8+                    |\n| `3.0.0 - 4.4.0` | [2.0.0, 2.2.0[                  | 8+                    |\n| `4.4.1 - 4.4.2` | [2.2.0, 2.6.0[                  | 8+                    |\n| `4.5.x - 4.6.x` | [2.0.0, 3.0.0[                  | 8+                    |\n| `5.0.0 - 5.0.x` | [3.0.0, 4.0.0[                  | 17+                   |\n| `\u003e= 5.1.0`      | [3.0.0                          | 17+                   |\n\n## Spring Boot Autoconfig (recommended):\n\n* Use any *-spring-boot-starter dependency you like\n* Bouncycastle will be automagically loaded and installed if on classpath\n* My enhanced PasswordEncoder (using Unix-Crypt-Style hashes) will be used as default\n\n## Manual configuration (legacy):\n\n* Add the dependencies to your build script\n* Configure your boot application to pick up our components (add \"eu.fraho.spring.securityJwt\" to the scanBasePackages\n  field of your ```@SpringBootApplication```)\n* Optionally add the BouncyCastle Provider (e.g. within\n  the [main-Method](base/src/testFixtures/java/eu/fraho/spring/securityJwt/base/util/CreateEcdsaJwtKeys.java))\n    * **Hint:** This is required if you would like to use the ECDSA signature algorithm!\n* Optionally use my enhanced PasswordEncoder as a ```@Bean```\n* Optionally choose a refresh token store implementation and set it as ```fraho.jwt.refresh.cache-impl```\n\n## General steps for both methods:\n\n* Create an implementation of UserDetailsService that returns an instance\n  of [JwtUser](base/src/main/java/eu/fraho/spring/securityJwt/base/dto/JwtUser.java)\n* By default, this service creates a random hmac secret for signatures on each startup. To stay consistent accross\n  service restarts and not kicking clients out please either change the algorithm (recommended) or specifiy at least an\n  hmac keyfile.\n\n# Usage for clients\n\n* Request new tokens by sending an authentication request to ```/auth/login```\n* Somehow store the received token(s)\n    * Or use the cookie flow so the browser can store the tokens safely\n* To access a secured controller set the retrieved token as ```Authorization: \u003cTokenType\u003e \u003cToken\u003e```\n    * When using cookies this is done automatically by your browser\n\n# Configuration\n\nThis library will run out-of the box, but you should at least take a look at the different configuration properties. I\ntried to make them reasonable secure, but if you're really paranoid you can change them as you like.\n\nBy default, this library creates an hmac secret on startup. As this is no problem for testing and running your\napplication you are strongly adviced to define a static key. Otherwise you will render all access tokens invalid upon\nservice restart, thus requiring your clients to login again.\n\nI recommend using ECDSA for tokens (you can\nuse [this](base/src/testFixtures/java/eu/fraho/spring/securityJwt/base/util/CreateEcdsaJwtKeys.java) class for that) and\nsetting the ```algorithm``` field to something like ES256.\n\n## Token configuration (Prefix fraho.jwt.token)\n\n| Property        | Default                     | Description                                                                                                                                                                                                                                                                                                                                         |\n|-----------------|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| algorithm       | HS256                       | The signature algorithm used for the tokens. For a list of valid algorithms please see either the [JWT spec](https://tools.ietf.org/html/rfc7518#section-3) or [JWSAlgorithm](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/src/main/java/com/nimbusds/jose/JWSAlgorithm.java)                                                        |\n| cookie.enabled  | false                       | Enables support for tokens sent as a cookie                                                                                                                                                                                                                                                                                                         |\n| cookie.names    | JWT-ACCESSTOKEN, XSRF-TOKEN | Sets the name of the cookie with the token. The first entry in this list is used when sending out the cookie, any other names are optionally taken when validating incoming requests.                                                                                                                                                               |\n| cookie.domain   | null                        | The issued tokens will only be valid for the specified domain. Defaults to the issuing server domain.                                                                                                                                                                                                                                               |\n| cookie.httpOnly | true                        | The cookie will not be accessible by client JavaScript if enabled (highly recommend)                                                                                                                                                                                                                                                                |\n| cookie.path     | /                           | The issued access token cookie will only be sent by the client to URIs matching this pattern                                                                                                                                                                                                                                                        |\n| cookie.secure   | true                        | The cookie will only be sent over an encrypted (https) connection (highly recommend)                                                                                                                                                                                                                                                                |\n| expiration      | 1 hour                      | The validity period of issued tokens. For details on how this field has to specified see [TimeWithPeriod](base/src/main/java/eu/fraho/spring/securityJwt/base/dto/TimeWithPeriod.java)                                                                                                                                                              |\n| header.enabled  | true                        | Enables support for tokens sent as a header. (highly recommended)                                                                                                                                                                                                                                                                                   |\n| header.names    | Authorization               | Sets the name of the headers which may contain the token.                                                                                                                                                                                                                                                                                           |\n| hmac            | null                        | Defines the key file when using a hmac signature method                                                                                                                                                                                                                                                                                             |\n| issuer          | fraho-security              | Sets the issuer of the token. The issuer is used in the tokens ```iss``` field                                                                                                                                                                                                                                                                      |\n| path            | /auth/login                 | Sets the path for the RestController, defining the endpoint for login requests.                                                                                                                                                                                                                                                                     |\n| priv            | null                        | Defines the private key file when using a public / private key signature method. May be null if this service should only verify, but not issue tokens. In this case, any calls to ```generateToken``` or ```generateRefreshToken``` will throw an FeatureNotConfiguredException. To the caller, it will be shown as a UNAUTHORIZED Http StatusCode. |\n| pub             | null                        | Defines the public key file when using a public / private key signature method                                                                                                                                                                                                                                                                      |\n\n## Refresh configuration (Prefix fraho.jwt.refresh)\n\n| Property        | Default          | Description                                                                                                                                                                                                                                                                                                                                                                                                              |\n|-----------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| cache-impl      | null             | Defines the implemenation for refresh token storage. The specified class has to implement the [RefreshTokenStore](base/src/main/java/eu/fraho/spring/securityJwt/base/service/RefreshTokenStore.java) Interface. To disable the refresh tokens at all use null as value.\u003cbr\u003eYou have to add at least one of the optional dependencies below to add refresh token support.\u003cbr\u003ePlease see module READMEs for valid values. |\n| cookie.enabled  | false            | Enables support for tokens sent as a cookie                                                                                                                                                                                                                                                                                                                                                                              |\n| cookie.names    | JWT-REFRESHTOKEN | Sets the name of the cookie with the token. The first entry in this list is used when sending out the cookie, any other names are optionally taken when validating incoming requests.                                                                                                                                                                                                                                    |\n| cookie.domain   | null             | If this value is not specified, then the redirect for refreshing the cookies will be sent only with the path specified. Otherweise the domain will be prepended to the redirect, thus allowing to use an external refresh server. See [javax.servlet.http.Cookie#setDomain(String)](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html#setDomain-java.lang.String-)                                     |\n| cookie.httpOnly | true             | The cookie will not be accessible by client JavaScript if enabled (highly recommend)                                                                                                                                                                                                                                                                                                                                     |\n| cookie.secure   | true             | The cookie will only be sent over an encrypted (https) connection (recommend)                                                                                                                                                                                                                                                                                                                                            |\n| cookie.path     | /auth/refresh    | The issued access token cookie will only be sent by the client to URIs matching this pattern. This path spec has to include the endpoint for refreshing tokens, otherwise this won't work! See [javax.servlet.http.Cookie#setPath(String)](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html#setPath-java.lang.String-)                                                                                |\n| expiration      | 1 day            | How long are refresh tokens valid? For details on how this field has to specified see [TimeWithPeriod](base/src/main/java/eu/fraho/spring/securityJwt/base/dto/TimeWithPeriod.java)                                                                                                                                                                                                                                      |\n| length          | 24               | Defines the length of refresh tokens in bytes, without the base64 encoding                                                                                                                                                                                                                                                                                                                                               |\n| path            | /auth/refresh    | Sets the path for the RestController, defining the endpoint for refresh requests.                                                                                                                                                                                                                                                                                                                                        |\n\n## Other configuration properties\n\n| Property              | Default      | Description                                                                                                                                                                                                                                                                                                                                                                       |\n|-----------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| fraho.jwt.logout.path | /auth/logout | Sets the path for the RestController, defining the endpoint for logging out. This path is only available if cookies are enabled.                                                                                                                                                                                                                                                  |\n| fraho.totp.length     | 16           | Defines the length of the generated TOTP secrets                                                                                                                                                                                                                                                                                                                                  |\n| fraho.totp.variance   | 3            | Defines the allowed variance / validity of TOTP pins. The number defines how many \"old / expired\" pins will be considered valid. A value of \"3\" is the official suggestion for TOTP. This value is used to consider small clock-differences between the client and server.                                                                                                        |\n| fraho.crypt.algorithm | SHA512       | Configure the used crypt algorithm. For a list of possible values see [CryptAlgorithm](base/src/main/java/eu/fraho/spring/securityJwt/base/dto/CryptAlgorithm.java) Please be aware that changing this parameter has a major effect on the strength of the hashed password! Do not use insecure algorithms (as DES or MD5 as time of writing) unless you really know what you do! |\n| fraho.crypt.rounds    | 10,000       | Defines the \"strength\" of the hashing function. The more rounds used, the more secure the generated hash. But beware that more rounds mean more cpu-load and longer computation times! This parameter is only used if the specified algorithm supports hashing rounds.                                                                                                            |\n\n# Building\n\n```bash\n# on linux:\n./gradlew assemble\n# on windows:\ngradlew.bat assemble\n```\n\n# Hacking\n\n* This repository uses the git flow layout\n* Changes are welcome, but please use pull requests with separate branches\n* TravisCI has to pass before merging\n* Code coverage should stay about the same level (please write tests for new features!)\n* When writing new modules please use my abstract testclasses which provide a great base (\n  see [internal](internal/src/test/java/eu/fraho/spring/securityJwt/internal) for an example)\n\n# Releasing\n\nReleasing is done with the default gradle tasks:\n\n```bash\n# to local repository:\n./gradlew publishToMavenLocal\n# to central:\n./gradlew publish\n```\n\n# JWT Request Flow\n\n## UML (with headers)\n\n[![Sequence diagram](doc/headers.png)](doc/headers.png)\n\n## UML (with cookies)\n\n[![Sequence diagram](doc/cookies.png)](doc/cookies.png)\n\n## HTTP-Requests\n\nRequest a token (login):\n\n```\n\u003e POST /auth/login HTTP/1.1\n\u003e Host: localhost:8080\n\u003e Content-Type: application/json\n\u003e Content-Length: 63\n\u003e\n\u003e {\n\u003e   \"username\": \"userA\",\n\u003e   \"password\": \"userA\"\n\u003e }\n\u003e\n\u003c HTTP/1.1 200\n\u003c Content-Type: application/json;charset=UTF-8\n\u003c Content-Length: 491\n\u003c\n\u003c {\n\u003c   \"accessToken\": {\n\u003c     \"token\": \"eyJhbGciOiJFUzI1NiJ9.\u003csome more token code\u003e\",\n\u003c     \"expiresIn\": 3600,\n\u003c     \"type\": \"Bearer\"\n\u003c   },\n\u003c   \"refreshToken\": {\n\u003c     \"token\": \"5bYNdXEGQRzz6xD4yFmw2wNPjXAh+wMc\",\n\u003c     \"expiresIn\": 604800\n\u003c   }\n\u003c }\n```\n\nUsage of token to access some (secured) data:\n\n```\n\u003e GET /users HTTP/1.1\n\u003e Authorization: Bearer eyJhbGciOiJFUzI1NiJ9...\n\u003e\n\u003c HTTP/1.1 200\n\u003c Content-Type: application/json;charset=UTF-8\n\u003c Content-Length: 42\n\u003c\n\u003c (some json content, result of request)\n```\n\nUse refresh token when token expired:\n\n```\n\u003e POST /auth/refresh HTTP/1.1\n\u003e Content-Type: application/json\n\u003e Content-Length: 56\n\u003e\n\u003e {\n\u003e   \"refreshToken\": \"5bYNdXEGQRzz6xD4yFmw2wNPjXAh+wMc\"\n\u003e }\n\u003e\n\u003c HTTP/1.1 200\n\u003c Content-Type: application/json;charset=UTF-8\n\u003c Content-Length: 491\n\u003c Date: Fri, 19 May 2017 08:05:19 GMT\n\u003c\n\u003c {\n\u003c   \"accessToken\": {\n\u003c     \"token\": \"eyJhbGciOiJFUzI1NiJ9.\u003csome more token code\u003e\",\n\u003c     \"expiresIn\": 3600,\n\u003c     \"type\": \"Bearer\"\n\u003c   },\n\u003c   \"refreshToken\": {\n\u003c     \"token\": \"U3LFL8dVZAeAp8Js6db2zrHGPfGslIeQ\",\n\u003c     \"expiresIn\": 604800\n\u003c   }\n\u003c }\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbratkartoffel%2Fsecurity-jwt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbratkartoffel%2Fsecurity-jwt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbratkartoffel%2Fsecurity-jwt/lists"}