Spring Security Asymmetric Encryption 🔒

This project demonstrates the implementation of asymmetric encryption in a Spring Boot application using RSA key pairs for secure JWT authentication.
It integrates Spring Security to protect API endpoints, performs encryption/decryption, and ensures secure user authentication and authorization.

The project also includes full unit testing with JUnit 5 and Mockito, making it a robust and well-tested example of modern Java security practices.


✨ Benefits of Using This Project

  • Secure JWT Authentication – Leverages RSA public/private keys for signing and verifying tokens, reducing the risk of token forgery.
  • Modern Spring Security Setup – A great reference for configuring Spring Security with asymmetric key pairs.
  • End-to-End Encryption/Decryption – Demonstrates secure communication between client and server.
  • Well-Tested Codebase – Includes unit tests with JUnit 5 + Mockito for reliability and maintainability.
  • Production-Ready Example – Can be used as a blueprint for real-world applications requiring secure authentication and authorization.

🔑 Understanding Asymmetric Encryption

Asymmetric encryption uses a key pair to secure data:

  • Private Key → Kept secret on the server, used for signing or decrypting data.
  • Public Key → Shared with clients, used for verifying signatures or encrypting data.

Unlike symmetric encryption (where the same key is used for encryption and decryption), asymmetric encryption keeps the private key on one party while everyone else holds only the public key, so verifying a signature never requires access to the secret. This property is why it is widely used in authentication systems, including SSL/TLS and JWT-based authentication.


Configuration Overview 🔧

The project includes a set of robust configurations to ensure security, auditing, and API documentation are seamlessly integrated:

1. Security & Authentication

  • BeansConfig: Central configuration class providing essential Spring beans:
    • PasswordEncoder → Uses BCrypt to securely hash user passwords.
    • AuthenticationManager → Manages authentication processes for Spring Security.
    • AuditorAware → Provides the current authenticated user for auditing purposes.

2. Auditing

  • ApplicationAuditorAware: Implements AuditorAware<String> to automatically track the ID of the currently authenticated user, enabling audit trails for entity changes.
  • JpaConfig: Activates JPA Auditing, integrating ApplicationAuditorAware for automatic population of auditing fields (createdBy, modifiedBy).

3. API Documentation

  • OpenApiConfig: Configures OpenAPI / Swagger for clear, interactive API documentation:
    • Defines API metadata: title, description, version, license, and contact information.
    • Specifies server environments (local and production).
    • Configures JWT-based authentication (bearerAuth) for secured endpoints.

JWT & Security Configuration 🔐

This project implements secure JWT authentication using asymmetric encryption (RSA key pairs) in Spring Boot. The following components ensure robust security and token management:

1. Key Management

  • KeyUtils: Utility class for loading RSA private and public keys from PEM files.
    • Handles decoding and key specification for encryption and decryption.
    • Ensures secure and reusable key handling.

🧱 Generate RSA Keys

Follow these steps to generate your local RSA key pair inside your project directory:

```bash
cd src/main/resources
mkdir keys
cd keys
mkdir local-only
cd local-only

# Generate private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

# Generate public key from the private one
openssl rsa -pubout -in private_key.pem -out public_key.pem
```

2. JWT Service

  • JwtService: Core service for token generation, validation, and refresh.
    • Generates Access Tokens and Refresh Tokens with custom expiration times.
    • Uses the RSA private key to sign JWTs and the public key to validate them.
    • Validates token integrity, expiration, and token type (ACCESS_TOKEN / REFRESH_TOKEN).
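As an added, stand-alone illustration (not the project's KeyUtils or JwtService) of how key management and the JWT service fit together using only the JDK: it loads the PEM pair written by the openssl steps above, signs an RS256 token with the private key, and verifies it with the public key while enforcing the token type. The class name RsaJwtDemo, the `type` claim name and the subject `alice` are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;
import java.util.Base64;

// Stand-alone illustration of PEM key loading and RS256 signing/verification (not the project's code).
public class RsaJwtDemo {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Strip the PEM armor; the MIME decoder ignores the line breaks inside the body.
    static byte[] pemBody(String pem) {
        return Base64.getMimeDecoder().decode(pem.replaceAll("-----(BEGIN|END) [A-Z ]+-----", ""));
    }
    // genpkey writes PKCS#8 ("BEGIN PRIVATE KEY"); rsa -pubout writes X.509 SubjectPublicKeyInfo ("BEGIN PUBLIC KEY").
    static PrivateKey loadPrivate(Path pem) throws Exception {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pemBody(Files.readString(pem))));
    }
    static PublicKey loadPublic(Path pem) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(pemBody(Files.readString(pem))));
    }
    // RS256 JWS: base64url(header).base64url(payload), signed with SHA256withRSA under the private key.
    static String sign(String payloadJson, PrivateKey key) throws Exception {
        String input = B64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(input.getBytes(StandardCharsets.UTF_8));
        return input + "." + B64.encodeToString(sig.sign());
    }
    // Verification needs only the public key. The type claim is checked after the signature, so a
    // valid ACCESS_TOKEN is still rejected where a REFRESH_TOKEN is expected (substring match keeps it short).
    static boolean verify(String jwt, PublicKey key, String expectedType) throws Exception {
        String[] p = jwt.split("\\.");
        if (p.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(Base64.getUrlDecoder().decode(p[2]))) return false;
        String payload = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
        return payload.contains("\"type\":\"" + expectedType + "\"");
    }
    public static void main(String[] args) throws Exception {
        Path dir = Path.of("src/main/resources/keys/local-only"); // where the openssl steps above wrote the pair
        PrivateKey priv = loadPrivate(dir.resolve("private_key.pem"));
        PublicKey pub = loadPublic(dir.resolve("public_key.pem"));
        String token = sign("{\"sub\":\"alice\",\"type\":\"ACCESS_TOKEN\"}", priv);
        System.out.println("as ACCESS_TOKEN:  " + verify(token, pub, "ACCESS_TOKEN"));
        System.out.println("as REFRESH_TOKEN: " + verify(token, pub, "REFRESH_TOKEN"));
    }
}
```

Run it from the project root after the key generation step; a production service would also parse the payload as JSON and reject expired tokens, which the project's JwtService does and this sketch omits.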

3. Request Filtering

  • JwtFilter: Intercepts all incoming requests to:
    • Extract JWT from the Authorization header.
    • Validate token and username.
    • Set authentication in Spring Security context for secured endpoints.
    • Excludes authentication endpoints (/auth/**) from filtering.

4. Spring Security Configuration

  • SecurityConfig:
    • Defines public endpoints that do not require authentication (login, register, Swagger docs).
    • Secures all other endpoints with JWT-based authentication.
    • Configures stateless session management.
    • Integrates JwtFilter before UsernamePasswordAuthenticationFilter.

5. Highlights

  • Full asymmetric encryption with RSA for secure JWT signing and verification.
  • Support for refresh token mechanism for continuous authentication.
  • Seamless integration with Spring Security and method-level security annotations.
  • All endpoints and security rules are easily configurable.
