Using Sureness to secure Javalin REST API by providing authentication(JWT,Basic,Digest) and authorization(RBAC)
- Creating a simple REST API using Javalin
- Learn how to integrate Sureness into a Javalin application
- Learn how to issue a JWT
- Test API authentication - use JWT Auth, Basic Auth, Digest Auth to test the security of the REST API
- Test API authorization - use different users to verify that they can access the REST API
First, you will need to create a maven project and add Javalin, Sureness dependencies coordinate
We need to create a simple Javalin app and provide some REST API for test.
The default configuration -
DefaultSurenessConfig uses the document datasource
sureness.yml as the auth datasource.
It supports JWT, Basic Auth, Digest Auth authentication.
2. Config Document Datasource -
Sureness authentication requires us to provide our own account data, role permission data. These data may come from document, databases,, annotations, etc. When we use sureness default configuration above, the datasource is document -
Create a file named
sureness.yml in the
resource directory. Configure account data, role permission data in the
The essence of sureness is to intercept all rest requests for authenticating and authorizing. The interceptor can be a filter or interceptor, it intercepts all request to check them. In Javalin, we use
Sureness uses exception handling process:
- If auth success, method -
checkIn()will return a
SubjectSumobject containing user information.
- If auth failure, method -
checkIn()will throw different types of auth exceptions.
We need to continue the subsequent process based on these exceptions.(eg: return the request response)
Here we need to customize the exceptions thrown by
checkIn, passed directly when auth success, catch exception when auth failure and do something:
Now we provide a REST API to issue JWT. We can use this JWT to test JWT auth.
All done, we can test now!
Through the above steps, a complete auth function project is completed. Someone maybe think that with only these few steps, where is its complete function and what can it support?
This built project is based on the RBAC permission model and supports Baisc authentication, Digest authentication and JWT authentication. It can fine-grained control the user's access to the restful api provided by the Javalin. That is to control which users can access which api.
Let's test it. (we use postman and chrome to test.)
Use postman Basic auth, as shown below:
- success - input username: admin, password: admin
- fail - input username: admin, password: 12345
Note: If password has been encrypted, Digest auth not support.(So the account admin not support Digest auth).
Use chrome to Digest auth, as shown below:
First, we should access [GET /auth/token] api to get a JWT to use, as shown below:
Then, use the JWT as Bearer Token to access REST API, as shown below:
- success - user tom has role role3, the api [DELETE - /api/v2/host] support role3 access, so tom can access api [DELETE - /api/v2/host] success, as shown below:
- fail - user tom only has role role3, the api [GET - /api/v1/source1] only support role2 access, not support role3, so tom can not access api [GET - /api/v1/source1], as shown below:
Javalin is a framework dedicated to simplicity and ease of use, and so is Sureness.
We hope you enjoy this tutorial. Of course, the tutorial only introduces a simple introduction. Our account data, role permission data can not only be written in
sureness.yml, but also loaded and obtained from the database and annotations. We can also customize the authentication method, data source, etc.
Finally, thank you again for reading.