// the find
murraco/spring-boot-jwt
JWT auth service using Spring Boot, Spring Security and MySQL
A minimal Spring Boot 3.5 / Spring Security 6 reference implementation for stateless JWT authentication with HMAC-SHA256 signing. It covers signup, signin, and role-based access control with two roles. This is a learning resource and starter template, not a production-ready auth service.
Uses current Spring Security 6 idioms correctly — SecurityFilterChain, authorizeHttpRequests, Jakarta namespaces — so you won't be unlearning deprecated 2.x patterns. JJWT 0.12.x is the right library choice and the token filter is wired before UsernamePasswordAuthenticationFilter as it should be. SpringDoc OpenAPI integration works out of the box with a bearer scheme configured, which makes manual testing frictionless. The dev/prod profile split and environment-variable-driven JWT secret show some operational awareness.
No refresh token flow — the 5-minute default expiry just locks users out, and the only fix is re-signin. There is no token revocation mechanism at all, which is fine for short-lived tokens but the README waves at this without offering a concrete path forward. Credentials are passed as query parameters on the signin endpoint (`?username=admin&password=admin123456`), which leaks them into server logs and browser history — they should be in the request body. The test coverage is thin: one controller test class with no evidence it covers the JWT filter chain, error paths, or role-enforcement behaviour.
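To make the query-parameter point concrete, here is an added example (not code from the murraco/spring-boot-jwt repository) showing the signin endpoint as the review describes it beside a version that takes credentials in the request body; the `/users` path, `SigninController`, `SigninRequest` and `AuthService` names are assumptions for illustration.

```java
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class SigninController {

    // Hypothetical service: checks the password and returns a signed JWT.
    public interface AuthService {
        String signin(String username, String password);
    }

    private final AuthService authService;

    public SigninController(AuthService authService) {
        this.authService = authService;
    }

    // BEFORE (the pattern the review criticises): credentials bound from the
    // query string, e.g. POST /users/signin-legacy?username=admin&password=admin123456
    // The whole URL, password included, is written to access logs, reverse
    // proxies and browser history, and is visible in Referer headers.
    @PostMapping("/signin-legacy")
    public ResponseEntity<String> signinLegacy(@RequestParam String username,
                                               @RequestParam String password) {
        return ResponseEntity.ok(authService.signin(username, password));
    }

    // AFTER: credentials in a JSON body. Request bodies are not part of the URL,
    // so they do not land in access logs or history by default, and Bean
    // Validation rejects empty fields before the service is called.
    public record SigninRequest(@NotBlank String username, @NotBlank String password) {}

    @PostMapping("/signin")
    public ResponseEntity<String> signin(@Valid @RequestBody SigninRequest request) {
        return ResponseEntity.ok(authService.signin(request.username(), request.password()));
    }
}
```

Keep the endpoint on TLS regardless: moving credentials into the body removes them from URL-based logging, not from the wire.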