Secure REST API with Spring Boot 3.0, Spring Security 6.0 and PASETO
Welcome to another Spring Boot tutorial. Today let’s look at how to build a Spring Boot REST API with token-based authentication using PASETO instead of JWT.
· Prerequisites
· Overview
∘ What is PASETO?
∘ PASETO Vs JOSE (JWS, JWE and JWT)
∘ PASETO token format
· Getting Started
∘ Creating entities
∘ The UserDetailsService
∘ Spring Security configuration
∘ PASETO Utility service
∘ Project structure
· Testing
· Conclusion
· References
Prerequisites
This is the list of all the prerequisites:
- Spring Boot 3+
- Maven 3.6+
- Java 17 (Spring Boot 3 and Spring Security 6 require JDK 17 or newer)
- PostgreSQL
- Postman, Insomnia or any other API testing tool.
Overview
What is PASETO?
PASETO (Platform-Agnostic SEcurity TOken) is a specification and reference implementation for secure stateless tokens. It is pronounced paw-set-oh (pɔːsɛtəʊ).
PASETO encodes the claims to be transmitted as a JSON (RFC 8259) object and then either encrypts them with a symmetric key (a "local" token) or signs them with a public-key signature (a "public" token). Every token is therefore authenticated; there is no unsigned or unencrypted variant.
PASETO Vs JOSE (JWS, JWE and JWT)
The key difference between PASETO and the JOSE family of standards (JWS [RFC 7515], JWE [RFC 7516], JWK [RFC 7517], JWA [RFC 7518] and JWT [RFC 7519]) is that JOSE lets implementors and users mix and match their own choice of cryptographic algorithms, selected by the "alg" field of the JOSE header carried inside the token itself, while PASETO ships clearly defined protocol versions (each fixing the cipher, MAC or signature scheme) so that an unsafe configuration cannot be selected, by the developer or by whoever minted the token.
PASETO token format
A PASETO token consists of three or four dot-separated segments, version.purpose.payload[.footer], which looks superficially like a JWT. The version (for example v4) and purpose (local for symmetric encryption, public for public-key signatures) are plain ASCII labels that the verifier checks against the protocol it expects; only the payload and the optional footer are base64url-encoded (unpadded). The footer is authenticated but never encrypted, so it can carry data such as a key identifier but must not carry secrets.
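To make the format and the JOSE comparison concrete, here is a small parser for the segment layout described above, written for this article and not part of the original post or of any PASETO library. It pins the accepted version.purpose pairs up front (the allow-list `ALLOWED_HEADERS` is an assumption for the example; a real deployment usually pins exactly one), decodes the payload and footer as unpadded base64url, and, for contrast, shows that a JOSE token names its own algorithm in the header. The sample token is constructed from fixed bytes and is not a real encrypted PASETO; nothing here verifies a MAC or signature, it only shows the framing that happens before that step.

```python
import base64
import binascii
import json
import re
from dataclasses import dataclass
from typing import Optional

# Protocol version/purpose pairs this verifier is willing to accept (assumed
# for the example). The verifier, not the token, decides which protocol runs.
ALLOWED_HEADERS = frozenset({"v4.local", "v4.public"})

# PASETO payload and footer use unpadded base64url (RFC 4648 section 5).
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")


@dataclass(frozen=True)
class PasetoParts:
    version: str
    purpose: str
    payload: bytes           # nonce||ciphertext||tag (local) or message||signature (public)
    footer: Optional[bytes]  # raw footer bytes, None when the token has no footer


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, rejecting padding, foreign characters and bad lengths."""
    if not _B64URL_RE.fullmatch(segment):
        raise ValueError("segment is not unpadded base64url")
    if len(segment) % 4 == 1:
        raise ValueError("invalid base64url length")
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64url segment: {exc}") from None


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_paseto(token: str) -> PasetoParts:
    """Split a token into version.purpose.payload[.footer] and check the protocol first."""
    parts = token.split(".")
    if len(parts) not in (3, 4):
        raise ValueError("a PASETO token has exactly 3 or 4 dot-separated segments")
    version, purpose, payload = parts[0], parts[1], parts[2]
    header = f"{version}.{purpose}"
    # Version and purpose are plain labels, not base64. Unlike a JOSE "alg"
    # header they are compared against a fixed allow-list before anything
    # else happens, so an unexpected protocol is rejected without touching a key.
    if header not in ALLOWED_HEADERS:
        raise ValueError(f"unexpected protocol {header!r}, expected one of {sorted(ALLOWED_HEADERS)}")
    if not payload:
        raise ValueError("empty payload segment")
    footer: Optional[bytes] = None
    if len(parts) == 4:
        if not parts[3]:
            # Conservative choice for this example: a trailing dot with nothing
            # after it is treated as malformed rather than as an empty footer.
            raise ValueError("empty footer segment")
        footer = b64url_decode(parts[3])
    return PasetoParts(version, purpose, b64url_decode(payload), footer)


def rejects(token: str) -> bool:
    """True if parse_paseto refuses the token; handy for negative checks."""
    try:
        parse_paseto(token)
    except ValueError:
        return True
    return False


def jose_alg(jwt: str) -> str:
    """Return the algorithm a JOSE token asks to be verified with.

    This is the contrast with PASETO: the token itself names the algorithm,
    so a verifier that honours the field lets the sender choose it.
    """
    header = json.loads(b64url_decode(jwt.split(".")[0]))
    return str(header.get("alg", ""))


# Constructed sample data for this example. The payload bytes are not a real
# nonce/ciphertext/tag and the token cannot be decrypted by anything.
SAMPLE_PAYLOAD = bytes(range(48))
SAMPLE_FOOTER = b'{"kid":"example-key-1"}'
SAMPLE_TOKEN = "v4.local." + b64url_encode(SAMPLE_PAYLOAD) + "." + b64url_encode(SAMPLE_FOOTER)
# A constructed JOSE header claiming "alg":"none"; claims and signature are left empty.
SAMPLE_JWT = b64url_encode(b'{"alg":"none","typ":"JWT"}') + ".e30."

if __name__ == "__main__":
    parts = parse_paseto(SAMPLE_TOKEN)
    print(parts.version, parts.purpose, len(parts.payload), parts.footer)
    print("JOSE token asks for alg =", jose_alg(SAMPLE_JWT))
    for bad in ("v2.local.YWJj", "v4.local.YWJj=", "v4.local", "v4.local.YWJj.ZGVm.Z2hp"):
        print("rejected:", bad, "->", rejects(bad))
```

Note the order of operations: the protocol check runs on the plain-text header before any decoding or key lookup, which is exactly what the lack of an "alg" field buys you. A JOSE verifier that reads `alg` from the token, as `jose_alg` does, has already let the sender influence which code path (and which key type) is used.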