Security in Spring Community is managed entirely byDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CristianRR94/springCommunity/llms.txt
Use this file to discover all available pages before exploring further.
WebSecurityConfig, which wires together two main concerns: a stateless JWT filter chain that authenticates every protected request, and a CORS policy that controls which browser origins are permitted to call the API. Both must be correctly configured before deploying to a production environment.
Security Filter Chain
ThesecurityFilterChain bean in WebSecurityConfig defines the full request-handling pipeline. It is built with the following settings:
CSRF protection disabled
CSRF protection is explicitly disabled because the API is stateless and token-based. Browser cookies carrying session state are never used, so CSRF attacks are not a concern.
CORS enabled
CORS is applied using the
CorsConfigurationSource bean defined in the same class, ensuring that cross-origin preflight (OPTIONS) requests are handled before any authentication logic runs.Route authorization rules
Routes are divided into two groups — public and authenticated:
| Path pattern | Access |
|---|---|
/auth/** | Public (no token required) |
/api/usuarios/** | Public (registration and user lookup) |
/images/** | Public (static image serving) |
/ws-chat | Public (WebSocket handshake endpoint) |
/api/eventos/** | Authenticated |
/api/participantes/** | Authenticated |
| Any other request | Authenticated |
Stateless session management
No HTTP session is ever created or used. Every request must carry a valid
Authorization: Bearer <token> header.CORS Configuration
ThecorsConfigurationSource() bean controls which browser origins, HTTP methods, and headers are accepted. The current configuration is tuned for local development with an Angular front-end running on port 4200.
Allowed Origins
http://localhost:4200 — the Angular dev server. Must be updated for production.Allowed Methods
GET, POST, DELETE, PUT, OPTIONS — all methods used by the REST API.Allowed Headers
Content-Type and Authorization — the only two headers the client sends.Allow Credentials
true — required so the browser forwards the Authorization header in cross-origin requests.Changing CORS for Production
Before going to production, replacehttp://localhost:4200 with your actual front-end domain in WebSecurityConfig. Using setAllowedOriginPatterns (rather than setAllowedOrigins) lets you use wildcards for subdomain support if needed.
Logout
Logout is handled atPOST /auth/logout by Spring Security’s built-in logout mechanism, extended with a custom handler. When a logout request arrives:
Token revocation
The custom
LogoutHandler reads the Authorization header, extracts the Bearer token, and calls tokenManagementService.revokeAllTokensByToken(token), which invalidates all active tokens belonging to that user — not just the one presented.Role System
Spring Community uses a single-role model. EveryUsuario entity has a rol field that defaults to "USUARIO" at registration. The getAuthorities() method on Usuario prepends the Spring Security ROLE_ prefix at runtime:
ROLE_USUARIO. The roles are embedded in the JWT claims at token-generation time, but on each authenticated request JwtAuthFilter still performs two database lookups: one against TokenRepository to verify the token has not been revoked, and one against UsuarioRepository (via UserDetailsService) to load the current UserDetails and its authorities.
Only
ROLE_USUARIO exists in the current implementation. Route-level hasRole() checks are not used; all protected routes simply require any authenticated user. Extending the role system would require adding new role values to the rol column and adding hasRole() matchers to the filter chain.