- \n
- Spring Web<\/li>\n
- Spring Security<\/li>\n<\/ul>\n\n
![\"Fig](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/05\/springinitializrjwt-1024x612.png\")
<\/a>Fig 1: Generate a spring boot project with the dependencies (spring security and spring web) for the jwt token example<\/figcaption><\/figure>\n<\/div>\n 2. Add JSON Web Token Dependencies<\/h2>\n
In the
pom.xml<\/code> file of the project (if using Maven), add the following dependencies for JWT token handling:<\/p>\n\n <dependency>\n <groupId>io.jsonwebtoken<\/groupId>\n <artifactId>jjwt-api<\/artifactId>\n <version>0.12.5<\/version>\n <\/dependency>\n <dependency>\n <groupId>io.jsonwebtoken<\/groupId>\n <artifactId>jjwt-impl<\/artifactId>\n <version>0.12.5<\/version>\n <scope>runtime<\/scope>\n <\/dependency>\n <dependency>\n <groupId>io.jsonwebtoken<\/groupId>\n <artifactId>jjwt-jackson<\/artifactId>\n <version>0.12.5<\/version>\n <scope>runtime<\/scope>\n <\/dependency>\n<\/pre>\n
3. Create JWT Utility Class<\/h2>\n
Next, create a utility class for handling JWT operations. This class will be responsible for generating JWT tokens and verifying them. Below is a simple implementation of the JWT utility class:<\/p>\n
\n@Component\npublic class JwtUtil {\n\n @Value(\"${jcg.jwt.secret}\")\n private String jwtSecret;\n\n public String generateToken(UserDetails userDetails) {\n Map<String, Object> claims = new HashMap<>();\n claims.put(\"Authorities\", userDetails.getAuthorities());\n\n return Jwts.builder()\n .setClaims(claims)\n .setSubject(userDetails.getUsername())\n .setIssuedAt(new Date())\n .setExpiration(new Date(System.currentTimeMillis() + 86400))\n .signWith(getSignInKey(), SignatureAlgorithm.HS256)\n .compact();\n }\n\n public String extractUsername(String token) {\n return extractClaim(token, Claims::getSubject);\n }\n\n public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {\n final Claims claims = extractAllClaims(token);\n return claimsResolver.apply(claims);\n }\n\n private Claims extractAllClaims(String token) {\n \n return Jwts.parser()\n .setSigningKey(getSignInKey())\n .build()\n .parseClaimsJws(token)\n .getBody();\n }\n\n public boolean validateToken(String token, UserDetails userDetails) {\n final String username = extractUsername(token);\n return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));\n }\n\n private boolean isTokenExpired(String token) {\n return extractExpiration(token).before(new Date());\n }\n\n private Date extractExpiration(String token) {\n return extractClaim(token, Claims::getExpiration);\n }\n \n private SecretKey getSignInKey() {\n byte[] keyBytes = Decoders.BASE64.decode(jwtSecret);\n return Keys.hmacShaKeyFor(keyBytes);\n }\n}\n\n<\/pre>\nThe code block above represents a class named
JwtUtil<\/code> which is responsible for handling JWT (JSON Web Token) operations within our application. Here is a break down its functionalities:<\/p>\n- \n
- The class injects the JWT secret key from the
application.properties<\/code> file using the@Value<\/code> annotation.<\/li>\n- Token Generation<\/strong>: The
generateToken<\/code> method creates a JWT token based on the providedUserDetails<\/code>. It sets the subject<\/strong> (username), issue date<\/strong>, expiration date,<\/strong> and signs the token using the HMAC SHA-256 algorithm with the secret key.<\/li>\nextractUsername<\/code> Method<\/strong>: This method takes a JWT token as input and returns the username extracted from the token’s subject claim. It delegates the claim extraction process to theextractClaim<\/code> method, passing in the token and a function reference (Claims::getSubject<\/code>) to extract the subject claim.<\/li>\nextractClaim<\/code> Method<\/strong>: This generic method takes a JWT token and aFunction<\/code> that resolves a specific claim from the token’sClaims<\/code> object. It first extracts all claims from the token by invoking theextractAllClaims<\/code> method. Then, it applies the providedclaimsResolver<\/code> function to theClaims<\/code> object to extract the desired claim.<\/li>\nextractAllClaims<\/code> Method<\/strong>: This method is responsible for parsing the JWT token, verifying its signature using the provided signing key, and extracting all claims from the token’s body. It uses theJwts.parser()<\/code> method to create a parser instance, sets the signing key withsetSigningKey(getSignInKey())<\/code>, and then parses the token withparseClaimsJws(token)<\/code>.<\/li>\n- Secret Key Retrieval<\/strong>: The
getSignInKey<\/code> method retrieves the secret key for signing and verifying JWT tokens. It decodes the base64-encoded secret key obtained from theapplication.properties<\/code> file and converts it into aSecretKey<\/code> object.<\/li>\n<\/ul>\n3.1 Generate and Set JWT Secret Key<\/h3>\n
Producing a strong secret key is essential to ensure the security of JWT tokens. This entails generating an HMAC hash string consisting of 256 bits and configuring it as the JWT secret within the
application.properties<\/code> file. The online tool generator located at devglan.com\/online-tools<\/a> can generate an HMAC hash string of 256 bits.<\/div> <\/div><\/p>\n3.1.1 Set JWT Secret in application.properties<\/h4>\n
Once the secret key is generated, it needs to be set in the
application.properties<\/code> file of the Spring Boot application:<\/p>\n\njcg.jwt.secret=YOUR_GENERATED_SECRET_KEY\n<\/pre>\n
Replace
YOUR_GENERATED_SECRET_KEY<\/code> with the generated HMAC hash string obtained earlier. <\/p>\n3.2 Implementing Authentication Token Filter<\/h3>\n
Next, let’s implement an Authentication Token Filter which is crucial for securing REST endpoints with JWT tokens. Below is an example of an authentication token filter:<\/p>\n
\n@Component\npublic class JwtRequestFilter extends OncePerRequestFilter {\n\n @Autowired\n private JwtUtil jwtUtil;\n\n @Autowired\n private UserDetailsService userDetailsService;\n\n @Override\n protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)\n throws ServletException, IOException {\n\n final String authorizationHeader = request.getHeader(\"Authorization\");\n\n String username = null;\n String jwt = null;\n\n if (authorizationHeader != null && authorizationHeader.startsWith(\"Bearer \")) {\n jwt = authorizationHeader.substring(7);\n username = jwtUtil.extractUsername(jwt);\n }\n\n if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {\n\n UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);\n\n if (jwtUtil.validateToken(jwt, userDetails)) {\n\n UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =\n new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());\n usernamePasswordAuthenticationToken\n .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));\n \n SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);\n }\n }\n filterChain.doFilter(request, response);\n }\n}\n<\/pre>\nThis filter intercepts incoming requests, extracts JWT tokens from the request header, validates them, and sets up authentication in the Spring Security context if the token is valid.<\/p>\n
4. Configure Spring Security<\/h2>\n
Next, configure Spring Security to use JWT for authentication. Create a
SecurityConfig<\/code> class and configure it as follows:<\/p>\n\n@Configuration\n@EnableWebSecurity\npublic class SecurityConfig {\n\n private static final String ADMIN = \"ADMIN\";\n private static final String USER = \"USER\";\n\n @Bean\n public JwtRequestFilter jwtRequestFilter() {\n return new JwtRequestFilter();\n }\n\n @Bean\n public DaoAuthenticationProvider authenticationProvider() throws Exception {\n DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();\n authProvider.setUserDetailsService(userDetailsService());\n authProvider.setPasswordEncoder(passwordEncoder());\n\n return authProvider;\n }\n\n @Bean\n public SecurityFilterChain securityFilterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {\n http.csrf(AbstractHttpConfigurer::disable)\n .cors(AbstractHttpConfigurer::disable)\n .authorizeHttpRequests(req -> req\n .requestMatchers(\"\/admin\/**\").hasRole(ADMIN)\n .requestMatchers(\"\/user\/**\").hasAnyRole(USER, ADMIN)\n .requestMatchers(\"\/authenticate\")\n .permitAll()\n .anyRequest()\n .authenticated())\n .sessionManagement(session -> session.sessionCreationPolicy(STATELESS))\n .authenticationProvider(authenticationProvider())\n .addFilterBefore(jwtRequestFilter(), UsernamePasswordAuthenticationFilter.class);\n\n return http.build();\n }\n\n @Bean\n public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {\n return authConfig.getAuthenticationManager();\n }\n\n @Bean\n public PasswordEncoder passwordEncoder() {\n return new BCryptPasswordEncoder();\n }\n\n @Bean\n public UserDetailsService userDetailsService() throws Exception {\n InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();\n manager.createUser(User\n .withUsername(\"thomas\")\n .password(encoder().encode(\"paine\"))\n .roles(ADMIN).build());\n manager.createUser(User\n .withUsername(\"bill\")\n .password(encoder().encode(\"withers\"))\n .roles(USER).build());\n return manager;\n }\n\n @Bean\n public PasswordEncoder encoder() {\n return new BCryptPasswordEncoder();\n }\n\n @Bean\n public CorsFilter corsFilter() {\n UrlBasedCorsConfigurationSource source\n = new UrlBasedCorsConfigurationSource();\n CorsConfiguration config = new CorsConfiguration();\n config.setAllowCredentials(true);\n config.addAllowedOrigin(\"*\");\n config.addAllowedHeader(\"*\");\n config.addAllowedMethod(\"*\");\n source.registerCorsConfiguration(\"\/**\", config);\n return new CorsFilter(source);\n }\n}\n\n<\/pre>\nThis code block configures security settings for the application using Spring Security. Let’s break down its functionalities:<\/p>\n
- \n
- The
jwtRequestFilter<\/code> method defines a bean for theJwtRequestFilter<\/code> class. This filter intercepts incoming requests, extracts JWT tokens, and authenticates them.<\/li>\n- DaoAuthenticationProvider Bean<\/strong>: The
authenticationProvider<\/code> method defines a bean for theDaoAuthenticationProvider<\/code> class. This provider authenticates users based on the provided user details service and password encoder.<\/li>\n- SecurityFilterChain Bean<\/strong>: The
securityFilterChain<\/code> method sets up authorization rules based on request matchers and roles.\n- \n
- Authorization Rules<\/strong>: The
.authorizeHttpRequests()<\/code> method specifies authorization rules for different types of requests:\n- \n
- Requests to
\/admin\/**<\/code> endpoints require theADMIN<\/code> role.<\/li>\n- Requests to
\/user\/**<\/code> endpoints require either theUSER<\/code> orADMIN<\/code> role.<\/li>\n- Requests to
\/authenticate<\/code> endpoint are permitted without authentication (permit all).<\/li>\n- All other requests (
anyRequest()<\/code>) require authentication.<\/li>\n<\/ul>\n<\/li>\n- Session Management<\/strong>: Session management is configured to be stateless (
sessionCreationPolicy(STATELESS)<\/code>), meaning no server-side session will be created or used for storing user authentication state.<\/li>\n<\/ul>\n<\/li>\n- AuthenticationManager Bean<\/strong>: The
authenticationManager<\/code> method defines a bean for theAuthenticationManager<\/code> interface. It retrieves the authentication manager from the authentication configuration.<\/li>\n- UserDetailsService Bean<\/strong>: The
userDetailsService<\/code> method defines an in-memory user store usingInMemoryUserDetailsManager<\/code>. We create two users with different roles: anADMIN<\/code> user with username “thomas<\/strong>” and aUSER<\/code> user with username “bill<\/strong>“. <\/li>\n<\/ul>\n4.1 Custom UserDetails Implementation<\/h3>\n
Spring Security relies on the
UserDetails<\/code> interface for both authentication and authorization purposes. Below is an implementation of theUser<\/code> class which implements theUserDetails<\/code> interface for authentication and authorization:<\/p>\n\npublic class User implements UserDetails {\n\n private int id;\n private String username;\n private String password;\n private Collection<? extends GrantedAuthority> authorities;\n\n public User() {\n }\n\n public User(String username, String password, Collection<? extends GrantedAuthority> authorities) {\n this.password = password;\n this.username = username;\n this.authorities = authorities;\n }\n\n public User(String username, Collection<String> authorities) {\n this.username = username;\n this.authorities = authorities.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());\n }\n\n \/\/ UserDetails interface methods\n @Override\n public String getUsername() {\n return username;\n }\n\n @Override\n public String getPassword() {\n return password;\n }\n\n @Override\n public Collection<? extends GrantedAuthority> getAuthorities() {\n return authorities;\n }\n\n @Override\n public boolean isEnabled() {\n return true;\n }\n\n @Override\n public boolean isCredentialsNonExpired() {\n return true;\n }\n\n @Override\n public boolean isAccountNonLocked() {\n return true;\n }\n\n @Override\n public boolean isAccountNonExpired() {\n return true;\n }\n\n}\n<\/pre>\nThe
User<\/code> class implements theUserDetails<\/code> interface and represents a user in the application. It includes fields for username, password, and authorities. TheUserDetails<\/code> interface is a core interface in Spring Security used for user authentication and authorization. It represents a principal (user) in the system and provides methods for accessing user details and authorities.<\/p>\ngetAuthorities()<\/code> method returns the authorities (roles) granted to the user.getPassword()<\/code> andgetUsername()<\/code> methods return the password and username of the user, respectively.isAccountNonExpired()<\/code>isAccountNonLocked()<\/code>,isCredentialsNonExpired()<\/code>,isEnabled()<\/code> methods returntrue<\/code> if the user account is not expired, not locked, credentials are not expired, and the user is enabled, respectively.<\/p>\n5. Integration with Spring Boot<\/h2>\n
Finally, Let’s integrate the JWT utility and Spring Security configurations with our Spring Boot application. Here’s a basic example of a REST controller for authentication:<\/p>\n
\n@RestController\npublic class AuthController {\n\n @Autowired\n private AuthenticationManager authenticationManager;\n\n @Autowired\n private JwtUtil jwtUtil;\n\n @Autowired\n private UserDetailsService userDetailsService;\n\n @PostMapping(\"\/authenticate\")\n public ResponseEntity createAuthenticationToken(@RequestBody AuthRequest authRequest) throws Exception {\n try {\n authenticationManager.authenticate(\n new UsernamePasswordAuthenticationToken(authRequest.getUsername(), authRequest.getPassword())\n );\n } catch (BadCredentialsException e) {\n throw new Exception(\"Incorrect username or password\", e);\n }\n\n \n final UserDetails userDetails = userDetailsService\n .loadUserByUsername(authRequest.getUsername());\n\n final String jwt = jwtUtil.generateToken(userDetails);\n\n return ResponseEntity.ok(new AuthResponse(jwt));\n }\n \n @GetMapping(\"\/auth\/details\")\n public UserDetails getDetails(){\n var detail = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();\n return detail;\n }\n\n}\n\n<\/pre>\nThis block of code defines an
AuthController<\/code> class responsible for handling authentication-related HTTP requests in the application.<\/p>\n- \n
- The controller class autowires the dependencies (
AuthenticationManager<\/code>,JwtUtil<\/code>, andUserDetailsService<\/code>) required for authentication and token generation.<\/li>\n- createAuthenticationToken Method<\/strong>: This method handles POST requests to
\/authenticate<\/code> endpoint. It attempts to authenticate the user by passing the provided credentials to theAuthenticationManager<\/code>. If authentication is successful, it generates a JWT token usingJwtUtil<\/code> and returns it in the response body.<\/li>\n- getDetails Method<\/strong>: This method handles GET requests to
\/auth\/details<\/code> endpoint. It retrieves the authenticated user’s details (such as username, authorities) from theSecurityContextHolder<\/code>.<\/li>\n<\/ul>\n5.1 Securing REST Endpoints<\/h3>\n
\n@RestController\npublic class SimpleController {\n \n @RolesAllowed(\"ADMIN\")\n @GetMapping(\"\/admin\")\n public ResponseEntity<String> testAdmin() {\n return ResponseEntity.ok(\"This is the Admin role\");\n }\n\n @RolesAllowed(\"USER\")\n @GetMapping(\"\/user\")\n public ResponseEntity<String> testUser() {\n return ResponseEntity.ok(\"This is the User role\");\n }\n}\n<\/pre>\nThis
SimpleController<\/code> class defines endpoints that are accessible only to users with specific roles. It enforces role-based access control (RBAC), ensuring that certain operations can only be performed by users with the appropriate roles.<\/p>\n- \n
- testAdmin Method<\/strong>: This method handles GET requests to the
\/admin<\/code> endpoint. It is annotated with@RolesAllowed(\"ADMIN\")<\/code>, which specifies that only users with the role “ADMIN<\/strong>” are allowed to access this endpoint. <\/li>\n- testUser Method<\/strong>: This method handles GET requests to the
\/user<\/code> endpoint. Similar to thetestAdmin<\/code> method, it is annotated with@RolesAllowed(\"USER\")<\/code>, indicating that only users with the role “USER<\/strong>” can access this endpoint.<\/li>\n<\/ul>\nTo verify the functionality of the application, we can utilize POSTMAN to send a request to http:\/\/localhost:8080\/authenticate<\/strong> and acquire a JWT token.<\/p>\n
![\"\"](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/05\/authenticate-endpoint-1024x602.png\")
<\/a><\/figure>\nNext, proceed by setting the request header with the JWT key and verify if http:\/\/localhost:8080\/auth\/details<\/a> functions correctly.<\/p>\n
![\"\"](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/05\/requestheaderwithjwt-1-1024x718.png\")
<\/a><\/figure>\nNow, let’s verify if we can access the http:\/\/localhost:8080\/user<\/a> endpoint:<\/p>\n
\n![\"\"](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/05\/userrole-1024x614.png\")
<\/a><\/figure>\n<\/div>\nIf a user with the USER<\/strong> role attempts to access the
\/admin<\/code> endpoint, Spring Security will deny the request, and the user will receive an HTTP status code indicating access forbidden (403).<\/p>\n - testUser Method<\/strong>: This method handles GET requests to the
- createAuthenticationToken Method<\/strong>: This method handles POST requests to
- Requests to
- Requests to
- DaoAuthenticationProvider Bean<\/strong>: The
- Token Generation<\/strong>: The
- The class injects the JWT secret key from the
![\"\"](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2024\/05\/jwt-admin-deny-1024x564.png\")
<\/a><\/figure>\n<\/div>\n