In this tutorial, we will develop a Spring Boot application that uses JWT authentication to secure an exposed REST API. For simplicity, user credentials are hard-coded rather than read from a database.
A client can consume the protected API only if it presents a valid JSON Web Token (JWT).
Develop a Spring Boot application that exposes a simple REST GET API with mapping /welcome.
Configure Spring Security for JWT. Expose a REST POST API with mapping /token from which a user obtains a JWT by presenting a valid username and password. Then allow access to /welcome only when the request carries a valid token.
The Maven project will look as follows:
Spring Security and JWT Configuration
We will configure Spring Security and JWT to perform two operations:
- Generating a JWT: expose a POST API with mapping /token. When the correct username and password are supplied, it generates and returns a JSON Web Token (JWT).
- Validating a JWT: when a client calls the GET API with mapping /welcome, access is granted only if the request carries a valid JWT; otherwise the request is rejected with HTTP 401.
The sequence flow for these operations is shown in the two diagrams below: Generating JWT and Validating JWT.
JwtUtil
The JwtUtil is responsible for JWT operations such as creation and validation. It uses the jjwt library's io.jsonwebtoken.Jwts builder and parser for this. Note that validation must verify the signature and the expiry claim, not merely decode the token: a token that decodes but does not verify is worthless as proof of identity.
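As an added illustration (not the original post's code), here is a JwtUtil written against jjwt 0.11.x (jjwt-api, jjwt-impl, jjwt-jackson on the classpath). The package name, the `jwt.secret` property and the five-hour lifetime are assumptions; the secret must be at least 32 bytes because HS256 keys shorter than 256 bits are rejected by `Keys.hmacShaKeyFor`. The `main` method is a stand-alone check showing that a token only validates for the user it was issued to and fails once it has been tampered with.

```java
package com.example.jwt; // assumed package name

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

@Component
public class JwtUtil {

    // Token lifetime in seconds (5 hours); assumed value for this tutorial.
    public static final long JWT_TOKEN_VALIDITY = 5 * 60 * 60;

    private final SecretKey key;

    // The secret comes from configuration (assumed property name jwt.secret), never from source.
    // Keys.hmacShaKeyFor throws WeakKeyException if the secret is shorter than 32 bytes.
    public JwtUtil(@Value("${jwt.secret}") String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Create a signed token whose subject is the authenticated username.
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + JWT_TOKEN_VALIDITY * 1000))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }

    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }

    // parseClaimsJws verifies the signature and rejects expired or unsigned ("alg":"none")
    // tokens before any claim is returned; a bad token throws a JwtException.
    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
        Claims claims = Jwts.parserBuilder()
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token)
                .getBody();
        return claimsResolver.apply(claims);
    }

    // True only if the token verifies, belongs to this user, and has not expired.
    public boolean validateToken(String token, UserDetails userDetails) {
        try {
            String username = getUsernameFromToken(token);
            return username.equals(userDetails.getUsername())
                    && !getExpirationDateFromToken(token).before(new Date());
        } catch (JwtException | IllegalArgumentException e) {
            // bad signature, malformed/expired token, or empty string
            return false;
        }
    }

    // Stand-alone demonstration, not part of the Spring wiring. The 32-byte key is for the demo only.
    public static void main(String[] args) {
        JwtUtil util = new JwtUtil("0123456789abcdef0123456789abcdef");
        UserDetails amir = User.withUsername("amir").password("n/a").roles("USER").build();
        UserDetails bob = User.withUsername("bob").password("n/a").roles("USER").build();
        String token = util.generateToken(amir);
        System.out.println("valid for amir:   " + util.validateToken(token, amir));
        System.out.println("valid for bob:    " + util.validateToken(token, bob));
        // Flip the last character of the signature segment: verification must now fail.
        String tampered = token.substring(0, token.length() - 1) + (token.endsWith("a") ? "b" : "a");
        System.out.println("tampered token:   " + util.validateToken(tampered, amir));
    }
}
```

The secret is the whole security of an HS256 token: anyone who holds it can mint tokens for any username, so keep it out of the repository and rotate it if it leaks.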
JWTUserDetailsService
JWTUserDetailsService implements the Spring Security UserDetailsService interface and overrides loadUserByUsername to look up a user by username. The Spring Security AuthenticationManager calls this method while authenticating the credentials supplied by the client and then compares the supplied password against the stored one using the configured PasswordEncoder. In a real application the lookup would hit a database; here the users come from a hard-coded list. The stored password is not the plaintext but a BCrypt hash of it (BCrypt is a one-way password hash, not encryption).
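An added example of such a service (not the original post's code), with the tutorial's single user "amir"/"amir123" kept in an in-memory map as a BCrypt hash; the package name is assumed. The hash is produced at start-up with the same algorithm that the BCryptPasswordEncoder on the AuthenticationManager will use to verify it.

```java
package com.example.jwt; // assumed package name

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

@Service
public class JWTUserDetailsService implements UserDetailsService {

    // Hard-coded user store: username -> BCrypt hash of the password ("$2a$10$..." format).
    // Only the hash is kept; the plaintext is discarded once hashed.
    private final Map<String, String> users = new HashMap<>();

    public JWTUserDetailsService() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        users.put("amir", encoder.encode("amir123"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = users.get(username);
        if (hash == null) {
            // DaoAuthenticationProvider converts this into a generic BadCredentialsException by
            // default, so an attacker cannot tell an unknown user from a wrong password.
            throw new UsernameNotFoundException("User not found with username: " + username);
        }
        // No granted authorities in this tutorial; the empty list means "authenticated, no roles".
        return new User(username, hash, new ArrayList<>());
    }
}
```

Because the encoder re-hashes with a fresh salt on every start, the stored hash differs across restarts, which is harmless: verification only needs the password and the hash, never the original salt separately.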
JwtAuthenticationController
Expose a POST API /token using the JwtAuthenticationController. The POST API receives the username and password in the request body. Using the Spring AuthenticationManager we authenticate the username and password; if the credentials are valid, a JWT is created with JwtUtil and returned to the client. If they are not valid, the client receives HTTP 401 and no token.
JwtRequest
This class holds the username and password we receive from the client.
JwtResponse
This class creates the response containing the JWT to be returned to the client.
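An added example (not the original post's code) of the controller together with the two DTOs it uses. It assumes the JwtUtil and JWTUserDetailsService components described on this page and the package name com.example.jwt. In the project each class lives in its own file; they are shown together here for readability. Any AuthenticationException (wrong password, unknown user, disabled account) is mapped to the same 401 response so that the endpoint does not reveal which part of the credential was wrong.

```java
package com.example.jwt; // assumed package name

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class JwtAuthenticationController {

    private final AuthenticationManager authenticationManager;
    private final JwtUtil jwtUtil;
    private final JWTUserDetailsService userDetailsService;

    public JwtAuthenticationController(AuthenticationManager authenticationManager,
                                       JwtUtil jwtUtil,
                                       JWTUserDetailsService userDetailsService) {
        this.authenticationManager = authenticationManager;
        this.jwtUtil = jwtUtil;
        this.userDetailsService = userDetailsService;
    }

    // POST /token with body {"username":"amir","password":"amir123"} returns {"token":"..."}.
    @PostMapping("/token")
    public ResponseEntity<JwtResponse> createToken(@RequestBody JwtRequest request) {
        try {
            // DaoAuthenticationProvider loads the user via JWTUserDetailsService and
            // checks the password against the stored BCrypt hash.
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(request.getUsername(), request.getPassword()));
        } catch (AuthenticationException e) {
            // Same answer for wrong password, unknown user or disabled account: no detail leaked.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        UserDetails userDetails = userDetailsService.loadUserByUsername(request.getUsername());
        return ResponseEntity.ok(new JwtResponse(jwtUtil.generateToken(userDetails)));
    }
}

// Request body deserialized by Jackson; needs a no-arg constructor and setters.
class JwtRequest {
    private String username;
    private String password;

    public JwtRequest() {}

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// Response body serialized by Jackson as {"token":"<jwt>"}.
class JwtResponse {
    private final String token;

    public JwtResponse(String token) { this.token = token; }

    public String getToken() { return token; }
}
```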
JwtRequestFilter
The JwtRequestFilter extends Spring Web's OncePerRequestFilter class, so it runs exactly once for every incoming request. It reads the JWT from the request (conventionally the Authorization header using the Bearer scheme) and checks that it is valid. If the token is valid it sets the Authentication in the SecurityContext, marking the current user as authenticated. If the token is missing or invalid, the filter leaves the context empty and lets the request continue, so that Spring Security rejects it through the authentication entry point rather than the filter writing its own error response.
JwtAuthenticationEntryPoint
This class implements Spring Security's AuthenticationEntryPoint interface and overrides its commence method. It is invoked for every request that reaches a protected resource without authentication, and it rejects the request with HTTP status 401 (Unauthorized).
WebSecurityConfig
This class extends WebSecurityConfigurerAdapter, a convenience class that allows customization of both WebSecurity and HttpSecurity. Here it registers the JWTUserDetailsService and a BCrypt PasswordEncoder with the AuthenticationManager, permits unauthenticated access to /token, requires authentication for every other request, disables sessions (the JWT carries the state) and adds the JwtRequestFilter before Spring's UsernamePasswordAuthenticationFilter. Note that WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0; newer applications declare a SecurityFilterChain bean instead.
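An added example (not the original post's code) of the WebSecurityConfig together with the JwtAuthenticationEntryPoint from the previous section, written for Spring Boot 2.x / Spring Security 5.x, where WebSecurityConfigurerAdapter and antMatchers still exist. The package name is assumed and the two classes are shown in one listing although the project keeps them in separate files. CSRF protection is disabled because the API is stateless and authenticates by a bearer header, not by a session cookie, so there is nothing a cross-site form post could ride on.

```java
package com.example.jwt; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    private final JWTUserDetailsService jwtUserDetailsService;
    private final JwtRequestFilter jwtRequestFilter;

    public WebSecurityConfig(JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint,
                             JWTUserDetailsService jwtUserDetailsService,
                             JwtRequestFilter jwtRequestFilter) {
        this.jwtAuthenticationEntryPoint = jwtAuthenticationEntryPoint;
        this.jwtUserDetailsService = jwtUserDetailsService;
        this.jwtRequestFilter = jwtRequestFilter;
    }

    // Tell the AuthenticationManager where users come from and how passwords are verified.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Expose the manager as a bean so JwtAuthenticationController can inject it.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                   // stateless bearer auth, no session cookie
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/token").permitAll()  // only the login endpoint is open
                .anyRequest().authenticated()                   // everything else (incl. /welcome) needs a JWT
            .and()
            .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Validate the JWT before Spring's form-login filter would run.
        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

// Rejects every unauthenticated request to a protected resource with 401.
@Component
class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        response.setHeader("WWW-Authenticate", "Bearer");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}
```

With this configuration a request to /welcome without a token, or with an expired or tampered one, never reaches the controller: the filter leaves the context empty, authorization fails, and the entry point answers 401 with a WWW-Authenticate: Bearer header.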
Start the Spring Boot application.
- Generate a JSON Web Token: create a POST request to localhost:9191/token whose body carries a valid username and password. In our case the username is "amir" and the password is "amir123".
- Validate the JSON Web Token: try accessing localhost:9191/welcome with the token generated above sent as a bearer token in the Authorization header (Authorization: Bearer <token>). Without the token, or with an expired or tampered token, the response is 401.