Open Source · Apache-2.0

Authentication made simple
for Spring Boot

Sena is a plug-and-play authentication and access-management framework for Spring Boot RESTful services — part of the MetheaX project. Drop it in, configure a keystore, and ship.

Java 21 · Spring Boot 4.0 · JWT / JWE (RSA-OAEP-256) · Argon2id Password Hashing

Everything you need for secure APIs

Sena handles the full auth lifecycle out of the box, so your team can focus on business logic.

  • JWT / JWE Tokens: Encrypted access and refresh tokens via Nimbus JOSE+JWT using RSA-OAEP-256 + A256GCM.
  • Argon2id Password Hashing: Modern, memory-hard password encoding that resists GPU and side-channel attacks.
  • RSA Key-Pair Encryption: 2048-bit RSA keys loaded from PKCS12 keystores. Separate keys for access and refresh tokens.
  • Role & Resource Authorization: Fine-grained URI permission control; bind roles to resources with a simple database model.
  • Public URI Whitelist: Selectively expose endpoints without authentication. Configure per HTTP method.
  • Session Management: Server-side session tracking with full token revocation support per user or session.
  • Spring Data JPA Auditing: Automatic createdBy / updatedBy population integrated with Spring Security context.
  • Plug-and-Play Integration: Add one Maven dependency, configure component scan and keystores. No boilerplate auth code required.

Module structure

Sena is split into focused modules. Depend only on what you need.

sena-core

Core

Domain entities, repositories, security primitives, JPA configuration, utilities, and keystore services.

  • Account / Group / User
  • Role / Permission
  • Resource / SessionManagement
  • JWTConfig
  • HibernateExtension
  • KeyStoreService
  • JwtUtil / CryptoUtil

sena-auth

Auth

Authentication REST API — token issuance, refresh, and revocation, plus the Spring Security filter chain.

  • POST /auth/token
  • POST /auth/refresh/token
  • POST /auth/token/revoke
  • WebSecurity config
  • AuthorizationFilter

sena-auth-app

Auth App

Runnable sample host application demonstrating a complete Sena integration with a minimal Spring Boot setup.

  • AdminApplication
  • Sample keystore
  • application.properties

Authentication endpoints

All endpoints are mounted under /auth/** and are publicly accessible by default.

Method  Path                  Description
POST    /auth/token           Obtain a new access token + refresh token pair
POST    /auth/refresh/token   Exchange a valid refresh token for a new access token
POST    /auth/token/revoke    Revoke an active access token (invalidates the session)

// POST /auth/token
{
  "username": "admin",
  "password": "secret"
}

// Response
{
  "status":  200,
  "message": "Access token generated!!!",
  "token": {
    "accessToken":  "<JWE>",
    "refreshToken": "<JWE>",
    "tokenType":    "Bearer ",
    "expiredIn":    "1234567890"
  }
}

# Pass the access token in all subsequent requests
Authorization: Bearer <JWE>
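
An added example, not Sena's own code: issuing and opening a JWE with Nimbus JOSE+JWT using RSA-OAEP-256 and A256GCM, the algorithms this page names for its tokens. The class and method names are hypothetical, and main uses a freshly generated 2048-bit key as a constructed stand-in for a PKCS12 keystore entry.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
public class JweRoundTrip {
    // Load the RSA pair from a PKCS12 keystore (e.g. token.pfx, alias "token").
    static KeyPair fromPkcs12(Path file, char[] storePass, String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass);
        if (priv == null) throw new KeyStoreException("no private key under alias " + alias);
        return new KeyPair(ks.getCertificate(alias).getPublicKey(), priv);
    }

    // RSA-OAEP-256 wraps a fresh content key; A256GCM encrypts the claims with it.
    static String issue(PublicKey pub, String subject, long ttlSeconds) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject)
                .expirationTime(new Date(System.currentTimeMillis() + ttlSeconds * 1000)).build();
        EncryptedJWT jwt = new EncryptedJWT(
                new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM), claims);
        jwt.encrypt(new RSAEncrypter((RSAPublicKey) pub));
        return jwt.serialize();
    }

    // Decrypt with the private key, pinning the algorithms instead of trusting the header.
    static JWTClaimsSet open(PrivateKey priv, String token) throws Exception {
        EncryptedJWT jwt = EncryptedJWT.parse(token);
        if (!JWEAlgorithm.RSA_OAEP_256.equals(jwt.getHeader().getAlgorithm())
                || !EncryptionMethod.A256GCM.equals(jwt.getHeader().getEncryptionMethod()))
            throw new JOSEException("unexpected JWE algorithms in header");
        jwt.decrypt(new RSADecrypter(priv));
        Date exp = jwt.getJWTClaimsSet().getExpirationTime();
        if (exp == null || exp.before(new Date())) throw new JOSEException("token expired");
        return jwt.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in key so this runs without a keystore file; with one, use fromPkcs12(...).
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        String token = issue(kp.getPublic(), "admin", 300);
        System.out.println("sub=" + open(kp.getPrivate(), token).getSubject());
    }
}
```

Needs `com.nimbusds:nimbus-jose-jwt` on the classpath. Public-key JWE by itself does not authenticate the issuer, so a server using this pattern keeps the public half server-side too or nests a signed JWT inside.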

Core entities

All entities live in the sena-core module and are auto-wired via Spring Data JPA.

  • Account: Organisation or company
  • Group: Department or team within an Account
  • User: System user with Argon2-encoded password
  • Role: Named role assigned to users
  • Resource: API endpoint URI
  • Permission: Binds a Role to a Resource
  • PublicPermission: Whitelisted URIs & allowed HTTP methods
  • SessionManagement: Active token sessions, used for revocation
  • JWTConfig: JWT expiry and signing configuration

Integrate in minutes

Prerequisites: JDK 21+, Maven 3.8+, PostgreSQL.

1. Clone & build

    git clone https://github.com/MetheaX/Sena-Framework.git
    cd Sena-Framework
    mvn clean install

2. Add the dependency

    <dependency>
      <groupId>com.metheax.sena</groupId>
      <artifactId>sena-auth</artifactId>
      <version>0.0.1-SNAPSHOT</version>
    </dependency>

3. Configure component scan

    @SpringBootApplication(scanBasePackages = {"com.metheax.sena", "com.yourcompany"})
    @EnableJpaRepositories(basePackages = {"com.metheax.sena", "com.yourcompany"})
    @EntityScan(basePackages = {"com.metheax.sena", "com.yourcompany"})
    public class YourApplication {
        public static void main(String[] args) {
            SpringApplication.run(YourApplication.class, args);
        }
    }

4. Configure datasource & keystores

    # application.yml
    spring:
      datasource:
        url: jdbc:postgresql://localhost:5432/yourdb
        username: youruser
        password: yourpassword
      jpa:
        hibernate:
          ddl-auto: update

    # PKCS12 keystores (generate with keytool or KeyStore Explorer)
    keystore-token-file: classpath:keystore/token.pfx
    keystore-token-password: changeit
    keystore-token-alias: token
    keystore-key-token-password: changeit
    keystore-refresh-token-file: classpath:keystore/refresh.pfx
    keystore-refresh-token-password: changeit
    keystore-refresh-token-alias: refresh
    keystore-key-refresh-token-password: changeit

5. Seed initial data

Insert a default admin account, group, user, role, resource, and permission. Default credentials: admin / admin (change immediately in production).

    -- Account
    INSERT INTO core_account VALUES ('68bcf443-...', NOW(), 'System', 'A', ...);
    -- Group, Role, Resource, Permission, User
    -- See README for full seed SQL → github.com/MetheaX/Sena-Framework#seed-initial-data

85%+ instruction coverage

JaCoCo enforces a minimum 85% instruction coverage gate on every build.

  • sena-core: 140 unit tests, ≥ 85% instruction coverage
  • sena-auth: 35 unit tests, ≥ 85% instruction coverage

    mvn test -pl sena-core,sena-auth