Security is one of the most important aspects of any application, and you should consider the following when choosing a security mechanism:
- For most use cases, JWT authentication will be sufficient, so stick to that if you are not sure
- If you want single-sign-on capabilities in your application, use OAuth 2.0/OIDC rather than trying to make JWT or session authentication work as an SSO solution
- If you already have Keycloak or Okta set up in your company, choose OAuth 2.0/OIDC and connect to it
- Choose session-based authentication only if you specifically need stateful, server-side sessions (for example, to be able to invalidate a login on the server)
- Do not open up CORS unless you have to, and when you do, restrict it to the exact origins you need instead of allowing `*`
- Use Spring Security to add authorization logic to your API endpoints and services
- Remove all secrets from the application-prod.yml file and use `${...}` placeholders so the values are injected at start-up from the command line or from environment variables. Never put any secrets or passwords in code or config files, as they end up in version control
- Change the generated JWT secret for production: the value scaffolded into application-prod.yml is committed with the project and must not be the one you sign tokens with in production
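The following `application-prod.yml` fragment, added here as an illustration and not taken from the JHipster generator output, shows the three configuration points above side by side: the scaffolded JWT secret replaced by a placeholder, CORS restricted to named origins, and a datasource password injected from the environment. The property names under `jhipster.security.authentication.jwt` and `jhipster.cors` are the ones JHipster uses; the environment variable names (`JWT_BASE64_SECRET`, `DB_PASSWORD`) and the origin `https://app.example.com` are assumptions chosen for the example.

```yaml
# application-prod.yml (excerpt, example only)

spring:
  datasource:
    # Before: password: changeme            <- secret committed to git
    # After: read from the DB_PASSWORD environment variable at start-up
    password: ${DB_PASSWORD}

jhipster:
  security:
    authentication:
      jwt:
        # Before: base64-secret: <value generated when the project was scaffolded>
        # That value is in version control, so it is not secret.
        # After: inject the secret at runtime. Generate a fresh one with
        #   openssl rand -base64 64
        # and export it as JWT_BASE64_SECRET on the production host.
        base64-secret: ${JWT_BASE64_SECRET}
        # Token lifetime in seconds: 1 day, and 30 days when "remember me" is used
        token-validity-in-seconds: 86400
        token-validity-in-seconds-for-remember-me: 2592000
  cors:
    # Before: allowed-origins: '*'           <- any site can call the API
    # After: only the front-end origin(s) that really need cross-origin access
    allowed-origins: 'https://app.example.com'
    allowed-methods: '*'
    allowed-headers: '*'
    exposed-headers: 'Authorization,Link,X-Total-Count'
    allow-credentials: true
    max-age: 1800
```

If a placeholder has no value at start-up, Spring Boot fails to resolve the property and the application refuses to start, which is the behaviour you want: a missing `JWT_BASE64_SECRET` must never silently fall back to an empty or default key. A quick check before deploying is `grep -n 'secret\|password' src/main/resources/config/application-prod.yml` to confirm that every match is a `${...}` placeholder and not a literal value.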
Refer to https://www.jhipster.tech/security/ for more about security in JHipster.