Spring Security + JWT
What is JWT
JWT, or JSON Web Token (RFC 7519), is an open standard for transmitting security information between two parties, typically a client and a server. Each JWT carries Base64URL-encoded JSON objects, including a set of claims.
JWTs are signed with a cryptographic algorithm so that any change to the claims after the token is issued can be detected. Note that a signed JWT is encoded, not encrypted: anyone who holds the token can read its claims, so it must never carry secrets.
How JWT Works
JWTs differ from other web tokens in that they contain a set of claims. Claims are used to transmit information between two parties. What these claims are depends on the use case at hand. For example, a claim may assert who issued the token, how long it is valid for, or what permissions the client has been granted.
A signed JWT is a compact string of three Base64URL-encoded sections separated by periods, header.payload.signature:
header : This section contains JWT metadata, typically the type of token and the algorithm used to sign it. It is Base64URL-encoded JSON.
payload : This is the content of the token, the claims. The server typically uses this information to decide whether the user is allowed to perform the requested action. It is only encoded, not encrypted.
signature : The signature guarantees that the header and payload have not been modified. The issuer signs the header and payload either with a shared secret known to both issuer and receiver (an HMAC, e.g. HS256) or with a private key held only by the issuer (e.g. RS256 or ES256), in which case the receiver verifies with the corresponding public key. When the token is presented, the receiving party verifies the signature over the header and payload and rejects the token on a mismatch. The receiver should pin the algorithm it expects rather than trusting the alg field in the header, since the header is attacker-controlled until the signature has been verified.
Why use JWT
JWTs are used as a secure way to authenticate users and share information.
A private key or shared secret is used by the issuer to sign the JWT. The receiver verifies the signature to confirm that the token has not been changed after the issuer signed it. Without the signing key, an attacker cannot forge a token or alter the claims of an existing one. For HMAC-signed tokens this holds only if the secret is long and random (at least 256 bits for HS256): a captured token lets an attacker try to guess the secret offline, and a short or dictionary-word secret is recovered quickly.
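The three-part structure and the signature check described in the two sections above, as an added example that is not code from the original page. It builds and verifies an HS256 token with only the JDK so the mechanics are visible; the secret, claims and class name are constructed for the demo, and a real application should use a maintained library such as jjwt instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not code from the original page): an HS256 JWT built and checked with
// only the JDK, to make the three sections and the signature check concrete.
public class JwtStructureDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    // token = base64url(header) "." base64url(payload) "." base64url(HMAC(key, header "." payload))
    static String sign(String headerJson, String payloadJson, byte[] key) throws Exception {
        String signingInput = B64.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(hmacSha256(key, signingInput));
    }

    // Returns the payload JSON if the signature is valid, otherwise null. The algorithm is
    // pinned to HS256 on the verifier side: the "alg" field of the header is deliberately
    // ignored, so tokens claiming "alg":"none" or another algorithm simply fail the MAC check.
    static String verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        byte[] actual;
        try {
            actual = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;   // signature section is not valid base64url
        }
        // Constant-time comparison: a plain equals() on the MAC leaks timing information
        if (!MessageDigest.isEqual(expected, actual)) return null;
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret (41 bytes); HS256 secrets should be random and at least 32 bytes.
        byte[] key = "a-demo-secret-of-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
        String token = sign("{\"alg\":\"HS256\",\"typ\":\"JWT\"}",
                            "{\"sub\":\"alice\",\"role\":\"user\",\"exp\":1700000000}", key);
        System.out.println("token:   " + token);
        System.out.println("payload: " + verify(token, key));

        // Tampering: replace the payload with one claiming role=admin but keep the old signature.
        String[] parts = token.split("\\.");
        String forged = parts[0] + "." + B64.encodeToString(
                "{\"sub\":\"alice\",\"role\":\"admin\",\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8))
                + "." + parts[2];
        System.out.println("forged accepted: " + (verify(forged, key) != null));

        // Wrong key: a token signed elsewhere with a different secret is rejected too.
        String other = sign("{\"alg\":\"HS256\",\"typ\":\"JWT\"}", "{\"sub\":\"mallory\"}",
                            "some-other-secret-that-is-also-long-enough".getBytes(StandardCharsets.UTF_8));
        System.out.println("other-key accepted: " + (verify(other, key) != null));
    }
}
```

The forged and foreign-key tokens are rejected because the MAC no longer matches; only signature integrity is checked here. A complete verifier additionally enforces the exp (and nbf) claims and the expected issuer and audience, which this demo decodes but does not check.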
Spring Security and JWT Configuration
Generating JWT : Expose a POST endpoint at /authenticate. It returns a JSON Web Token (JWT) if the supplied username and password are correct.
Validating JWT : The GET endpoint at /hello is served only if the request carries a valid JSON Web Token (JWT), typically sent in the Authorization header as a Bearer token.
JwtUtil
The JwtUtil is responsible for JWT operations such as creation and validation. It uses the io.jsonwebtoken.Jwts class (the jjwt library) to do so.
HelloResource
The HelloResource exposes the POST endpoint /authenticate. The username and password are sent in the body of the POST request. The credentials are checked with the Spring AuthenticationManager. If they are valid, JwtUtil creates a JWT and the resource returns it to the client.
Authentication Request
Authentication Response
JwtRequestFilter
The JwtRequestFilter extends Spring Web's OncePerRequestFilter, so it runs once for every incoming request. It checks whether the request carries a valid JWT. If it does, the filter sets the authentication in the SecurityContext to mark the user as authenticated; if the token is missing, expired or fails signature verification, the request simply proceeds unauthenticated and the security configuration rejects it for protected endpoints. For this to work the filter must be registered in the security configuration ahead of UsernamePasswordAuthenticationFilter, and the session policy should be stateless so that authentication comes from the token on every request rather than from a server-side session.
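The pieces described in this section wired together, as an added example that is not the original page's code. It assumes Spring Boot 2.7 (Spring Security 5.7 with the javax.servlet API), jjwt 0.11.x, and an existing UserDetailsService bean (for example in-memory users); the secret, the ten-minute lifetime, the SecurityConfig class and the exact field names of AuthenticationRequest and AuthenticationResponse are assumptions. The client posts {"username": "...", "password": "..."} to /authenticate, receives {"jwt": "..."}, and sends Authorization: Bearer <jwt> on later requests.

```java
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;
// Added example, not the original page's code. Assumes Spring Boot 2.7 (Spring Security 5.7,
// javax.servlet), jjwt 0.11.x, and an existing UserDetailsService bean (e.g. in-memory users).
@Component
class JwtUtil {
    // Assumption: HS256 secret of at least 32 bytes; in practice inject it from configuration.
    private final SecretKey key = Keys.hmacShaKeyFor(
            "change-me-this-demo-secret-must-be-32-bytes-or-more".getBytes(StandardCharsets.UTF_8));
    String generateToken(UserDetails user) {
        Date now = new Date();
        return Jwts.builder().setSubject(user.getUsername()).setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + 10 * 60 * 1000)).signWith(key).compact(); // 10 min
    }
    // Returns the subject if the signature verifies and "exp" has not passed, otherwise null.
    // The parser is pinned to our key, so unsigned ("alg":"none") or foreign-key tokens fail.
    String validateToken(String token) {
        try {
            return Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody().getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null;   // malformed, tampered or expired token
        }
    }
}

class AuthenticationRequest { public String username; public String password; }
class AuthenticationResponse { public final String jwt; AuthenticationResponse(String jwt) { this.jwt = jwt; } }

@RestController
class HelloResource {
    @Autowired AuthenticationManager authenticationManager;
    @Autowired UserDetailsService userDetailsService;
    @Autowired JwtUtil jwtUtil;
    @GetMapping("/hello") String hello() { return "Hello World"; }
    @PostMapping("/authenticate")
    AuthenticationResponse authenticate(@RequestBody AuthenticationRequest req) {
        // Wrong credentials raise BadCredentialsException; Spring answers with an error status.
        authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(req.username, req.password));
        UserDetails user = userDetailsService.loadUserByUsername(req.username);
        return new AuthenticationResponse(jwtUtil.generateToken(user));
    }
}

@Component
class JwtRequestFilter extends OncePerRequestFilter {
    @Autowired UserDetailsService userDetailsService;
    @Autowired JwtUtil jwtUtil;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String username = jwtUtil.validateToken(header.substring(7));
            if (username != null) {   // invalid token: stay anonymous and let authorization reject
                UserDetails user = userDetailsService.loadUserByUsername(username);
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        chain.doFilter(request, response);
    }
}

@Configuration
class SecurityConfig {
    @Bean AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
    @Bean SecurityFilterChain filterChain(HttpSecurity http, JwtRequestFilter jwtFilter) throws Exception {
        // Stateless API: no session, no CSRF token; /authenticate is open, everything else needs a JWT.
        http.csrf().disable()
            .authorizeRequests().antMatchers("/authenticate").permitAll().anyRequest().authenticated()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two points worth checking in a real deployment: the HS256 secret must be at least 256 bits and come from configuration or a secret store (Keys.hmacShaKeyFor rejects shorter keys), and validation is done entirely by the parser pinned to that key, so a token with a different algorithm in its header, a bad signature or a past exp is rejected before any username is looked up.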