What this layer provides
- Pluggable authentication modes
- Unified authorization model
- Stateless HTTP security
- Consistent API key error responses
Security / Authentication
Security for Spring Boot microservices
Spring Middleware provides a unified security model for Spring Boot microservices. It builds on Spring Security and supports JWT, OIDC, API keys, and basic authentication, with explicit configuration of protected and public endpoints across services.
JWT authentication
OIDC integration
API key authentication
Basic authentication
Authorization rules
Protected and public paths
Configuration entry point
middleware:
security:
type: API_KEY
public-paths: []
protected-paths: []Security modes
Authentication is selected through middleware.security.type.
NONE
- No authentication
- All requests permitted
- Useful for local/dev
BASIC_AUTH
- HTTP Basic authentication
- In-memory or custom users
- Uses protected path rules
JWT
- Resource server mode
- Token validation via secret
- Roles from claims
OIDC
- External identity provider
- JWK validation
- Roles via claim mapping
API_KEY
- Header-based authentication
- Configurable keys and roles
- Unified error model
Authorization model
All security modes share the same path-based authorization rules.
Public paths
- Always accessible
- No authentication required
- Used for health, docs, public APIs
Protected paths
- Require authentication
- Optional role checks
- Ant-style path matching
protected-paths:
- type: ROLES
path: /api/**
methods: [ GET ]
allowed-roles: [ ADMIN ]API key flow
Request processing for API key authentication.
Incoming request
Resolve protected path
Extract API key header
Validate key
Authentication + roles
Configuration example
Typical API key setup.
middleware:
security:
type: API_KEY
public-paths:
- /swagger-ui/**
protected-paths:
- type: ROLES
path: /api/**
allowed-roles: [ ADMIN ]
api-key:
credentials:
- key: ${API_KEY}
roles: [ ADMIN ]