JWT IN SPRING BOOT

🧩 1. What is JWT (JSON Web Token)?

Definition (Simple):
JWT stands for JSON Web Token, which is a compact and secure way to transfer information
between two parties — usually a client (like browser or mobile app) and a server (like your
Spring Boot backend).

The information inside a JWT is digitally signed so that the receiver can verify that it has not
been changed.

✅ Example (In real life terms)

Imagine you visit a movie theater and buy a ticket.

That ticket has:

 Your seat number (information)

 The theater’s official stamp (signature)

When you show the ticket to the guard, he doesn’t call the counter to ask — he just checks
the stamp and trusts it’s genuine.

JWT works the same way — it’s a digital ticket given by your backend after you log in.

🧠 2. Why we use JWT in Spring Boot?

Normally, when a user logs in to a website, we need a way to remember them in future
requests. There are two main ways:

1. Sessions (Old way):

The server stores login info in memory (or database), and the browser gets a session
ID in a cookie.
❌ Problem: This doesn’t scale well — if you have many users or multiple servers, it
becomes hard to manage.

2. JWT (Modern way):

The server doesn’t store login info at all. It gives the client a token that contains all
needed info (like username, roles, expiry time), and the client sends it with every
request.
✅ Advantage: Stateless, scalable, and works perfectly for REST APIs.
🔒 Why it’s great:

 Stateless – server doesn’t need to remember user sessions.

 Secure – tokens are signed, cannot be easily forged.

 Portable – works across multiple services or platforms (web, mobile, etc.).

 Fast – no database lookup needed on each request.

⚙️3. How JWT works step-by-step

Let’s see a simple flow.

🔹 Step 1: User logs in

 The user sends username/password to /api/auth/login.

 The backend verifies them (for example, using a database).

🔹 Step 2: Server creates JWT

 If credentials are correct, the server creates a JWT that contains user info like:

 {

 "sub": "malik",

 "role": "USER",

 "iat": 1718429343,

 "exp": 1718432943

 }

 Then it signs the token using a secret key (only the server knows it).

🔹 Step 3: Server sends token to user

 The backend sends the JWT to the client as a response.

🔹 Step 4: Client stores the token

 The client stores it in localStorage or sessionStorage (in React, Angular, etc.).

🔹 Step 5: User accesses protected routes

  When the client calls a protected API, it sends the JWT in the Authorization header:

 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6...

🔹 Step 6: Server validates token

 The backend checks if the token:

o is properly signed,

o is not expired,

o and is valid.

 If yes → user is authenticated.

 If not → “Unauthorized” error.

🔍 4. Structure of a JWT

A JWT has 3 parts, separated by dots (.):

[Link]

Example:

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJtYWxpayIsInJvbGUiOiJVU0VSIiwiZXhwIjoxNzE4NDMyOTQzf
Q.XJtq49BBw1yzqX3AHEqpmG3o2bU7nAt3gERePTbHUBo

Let’s break it down:

1. Header → contains metadata like the algorithm used.

2. {

3. "alg": "HS256",

4. "typ": "JWT"

5. }

6. Payload → contains user data.

7. {

8. "sub": "malik",

9. "role": "USER",
 10. "exp": 1718432943

11. }

12. Signature → server’s digital signature using secret key to ensure the token wasn’t
changed.

🧩 5. What would happen if JWT didn’t exist?

Without JWT:

 We’d need sessions stored in the server.

 Each request would require a session lookup in memory or DB.

 Hard to scale when using multiple servers (each needs shared session storage).

 APIs would be stateful (not ideal for microservices or REST).

JWT solves all this by making APIs stateless.

🔄 6. Any other way to do the same thing?

Yes, alternatives exist:

 OAuth2 tokens – used for large-scale or third-party login systems (Google, GitHub
login).

 Session-based authentication – simple for small apps.

 API keys – for service-to-service communication.

But JWT is the most common and modern choice for REST APIs.

💻 7. Syntax & Example in Spring Boot

Let’s see a simple practical example.

Step 1: Add dependencies in [Link]

<dependency>

<groupId>[Link]</groupId>
 <artifactId>jjwt-api</artifactId>

<version>0.11.5</version>

</dependency>

<dependency>

<groupId>[Link]</groupId>

<artifactId>jjwt-impl</artifactId>

<version>0.11.5</version>

<scope>runtime</scope>

</dependency>

<dependency>

<groupId>[Link]</groupId>

<artifactId>jjwt-jackson</artifactId>

<version>0.11.5</version>

<scope>runtime</scope>

</dependency>

Step 2: Create JwtUtil class

import [Link].*;

import [Link];

import [Link];

import [Link];

public class JwtUtil {

private final String SECRET = "ThisIsASecretKeyForJwt123456789"; // must be long

public String generateToken(String username) {

return [Link]()

.setSubject(username)

.setIssuedAt(new Date([Link]()))

.setExpiration(new Date([Link]() + 1000 * 60 * 60)) // 1 hour

.signWith([Link]([Link]()), SignatureAlgorithm.HS256)

.compact();

public String extractUsername(String token) {

return [Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token)

.getBody()

.getSubject();

public boolean validateToken(String token) {

try {

[Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token);

return true;

} catch (JwtException e) {
 return false;

Step 3: Example Controller

@Autowired

private UserRepository userRepository;

@Autowired

private PasswordEncoder passwordEncoder;

@PostMapping("/login")

public ResponseEntity<?> login(@RequestBody AuthRequest request) {

User user = [Link]([Link]());

if (user != null && [Link]([Link](), [Link]()))

{

String token = [Link]([Link]());

return [Link](new AuthResponse(token));

} else {

return [Link]([Link]).body("Invalid credentials");

🔹 Try it out

1. Run your Spring Boot app.

2. POST /api/auth/login?username=malik&password=1234
→ You’ll get a JWT token.

3. Copy that token and call:

4. GET /api/auth/welcome
 5. Header: Authorization: Bearer <token>

→ You’ll see: Welcome malik!

✅ 8. Summary (Quick Recap)

Concept Explanation

JWT A signed token used for authentication

Purpose To make REST APIs stateless and secure

Contains Header, Payload, Signature

Stored at Client-side (browser/app)

Checked by Server before serving protected resources

Libraries used jjwt in Spring Boot

Alternative methods Session-based auth, OAuth2, API keys

how Spring Boot actually verifies JWT on every request

🧩 1. The problem we’re solving

When a user logs in, we give them a JWT token.

Now the question is — how does Spring Boot know that a request coming
later (say, /api/users) is from an authenticated user?

Because the user only sends a token like this:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6...

So our backend needs a system to intercept every request, check this token,
and only allow access if the token is valid.

That’s where JWT verification happens.

⚙️2. The behind-the-scenes flow

Let’s break it step by step:

🔹 Step 1: Client sends token with every request

When the user logs in, they get a JWT token.

Then for every API call, they send:

GET /api/welcome

Authorization: Bearer <token>

🔹 Step 2: Request enters Spring Boot

When Spring Boot receives this request, it doesn’t yet know who the user is.

So we add a filter (a class that runs before the request reaches the controller).

That filter will:

 Read the token from the Authorization header

 Validate it using our JwtUtil class

 If valid → set user info in Spring’s SecurityContext

 If invalid → reject the request

🔍 3. The JWT Filter — the real verifier

Let’s create a simple one.

🧱 Example: [Link]

import [Link];

import [Link];

import [Link];

import [Link];

import [Link];
import [Link];

import [Link];

public class JwtAuthFilter extends OncePerRequestFilter {

private final JwtUtil jwtUtil = new JwtUtil();

@Override

protected void doFilterInternal(HttpServletRequest request,

HttpServletResponse response,

FilterChain filterChain)

throws ServletException, IOException {

String authHeader = [Link]("Authorization");

// 1. Check if header has a token

if (authHeader != null && [Link]("Bearer ")) {

String token = [Link](7);

// 2. Validate token

if ([Link](token)) {

String username = [Link](token);

 // 3. Set authentication info in context (so Spring knows user is
authenticated)

var authentication =

new
[Link]
nToken(

username, null, [Link]());

[Link]().setAuthentication(authentication);

// Continue to next filter / controller

[Link](request, response);

🔍 What’s happening:

Step What it does

1 Checks if the request has a token

2 Uses JwtUtil to validate it

3 Extracts username if valid

4 Tells Spring Security “This user is authenticated”

5 Passes control to the controller (like /welcome)

🔒 4. Connecting the filter with Spring Security

We must tell Spring Security to use our JwtAuthFilter before it lets anyone in.

In Spring Boot 3, we use a SecurityFilterChain bean.

🧱 Example: [Link]

import [Link];

import [Link];

import
[Link];

import [Link];

import
[Link]
cationFilter;

@Configuration

public class SecurityConfig {

@Bean

public SecurityFilterChain securityFilterChain(HttpSecurity http) throws

Exception {

http

.csrf(csrf -> [Link]()) // disable CSRF for APIs

.authorizeHttpRequests(auth -> auth

.requestMatchers("/api/auth/login").permitAll() // allow login without

token

.anyRequest().authenticated() // everything else needs token

 )

.addFilterBefore(new JwtAuthFilter(),
[Link]);

return [Link]();

🧩 Meaning:

 /api/auth/login → open to everyone

 All other routes → must have a valid JWT

 JwtAuthFilter → runs before Spring checks authentication

⚙️5. Full verification flow (summary)

1. User logs in → Server sends back JWT.

2. Client stores JWT (e.g., in browser localStorage).

3. User sends request with JWT in header.

4. JwtAuthFilter runs:

o Reads token

o Validates it

o Extracts username

o Sets authentication

5. Controller runs → sees the user as authenticated.

If the token is expired, invalid, or missing, the filter rejects the request with a
401 Unauthorized.

🧾 Example flow in Postman

1️⃣ Login

POST [Link]

→ Response: eyJhbGciOiJIUzI1NiIsInR5cCI6...

2️⃣ Access Protected API

GET [Link]

Header: Authorization: Bearer <token>

→ Response: Welcome malik!

If you remove the header or send an invalid token →

→ Response: 401 Unauthorized

✅ 6. Why this is important

Without this filter and configuration:

 The backend wouldn’t know if a request is coming from a logged-in user.

 Anyone could call your APIs directly.

 JWTs wouldn’t actually “protect” anything.

This filter + security chain is what makes Spring Boot truly secure with JWT.

🔍 7. Summary Table

Step Component Role

1 JwtUtil Generates & validates tokens

Step Component Role

2 AuthController Handles login and issues token

3 JwtAuthFilter Checks JWT on each request

4 SecurityConfig Defines which APIs are public/protected

5 Spring Security Executes the whole flow automatically

Each Function Explanation

Here’s the JwtUtil class we’re talking about:

import [Link].*;

import [Link];

import [Link];

import [Link];

public class JwtUtil {

private final String SECRET = "ThisIsASecretKeyForJwt123456789"; // must be long

public String generateToken(String username) {

return [Link]()

.setSubject(username)

.setIssuedAt(new Date([Link]()))

.setExpiration(new Date([Link]() + 1000 * 60 * 60)) // 1 hour

.signWith([Link]([Link]()), SignatureAlgorithm.HS256)

.compact();
 }

public String extractUsername(String token) {

return [Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token)

.getBody()

.getSubject();

public boolean validateToken(String token) {

try {

[Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token);

return true;

} catch (JwtException e) {

return false;

🔍 1. Variable: private final String SECRET

🧠 What it is:
This is the secret key used to sign and verify your JWTs.

🔒 Why we need it:

When you create a JWT, it must be digitally signed.

This signature ensures that:

 No one can modify the token’s data.

 Only your server can verify its authenticity.

Without this key, anyone could create fake tokens.

⚙️Syntax breakdown:

private final String SECRET = "ThisIsASecretKeyForJwt123456789";

 final → value never changes.

 The string must be long enough (usually ≥ 32 characters) for HMAC-SHA256.

💬 Real life analogy:

It’s like the secret “stamp seal” your cinema uses on movie tickets.
If someone copies the ticket but doesn’t have your unique stamp, it’s invalid.

🧩 2. Function: generateToken(String username)

🧠 What it does:

Creates a new JWT token for a given username.

⚙️Syntax:

public String generateToken(String username) {

return [Link]()

.setSubject(username)

.setIssuedAt(new Date([Link]()))

.setExpiration(new Date([Link]() + 1000 * 60 * 60))

.signWith([Link]([Link]()), SignatureAlgorithm.HS256)

.compact();

}
📖 Line-by-line Explanation:

🔹 [Link]()

 Creates a new JWT builder object.

 Think of it as “starting to build a new token step by step.”

🔹 .setSubject(username)

 Sets the subject of the token (the main identifier, usually the username).

 This becomes part of the token’s payload.

👉 Inside the token, it will appear like:

"sub": "malik"

🔹 .setIssuedAt(new Date([Link]()))

 Adds the issue time of the token.

 Helps identify when the token was created.

👉 Inside token:

"iat": 1718429343

🔹 .setExpiration(new Date([Link]() + 1000 * 60 * 60))

 Adds the expiry time for token validity.

 1000 * 60 * 60 = 1 hour from current time.

Without this, tokens would never expire — which is a security risk.

👉 Inside token:

"exp": 1718432943

🔹 .signWith([Link]([Link]()), SignatureAlgorithm.HS256)

 Creates the digital signature.

 HS256 = HMAC using SHA-256 hashing algorithm.

 Uses our secret key to ensure no one can fake tokens.

🔹 .compact()

 Converts the whole thing into one compact string:

 [Link]

 That’s your final JWT.

🔎 Without this function:

You’d have no way to generate tokens after login, meaning users couldn’t be authenticated
statelessly.

🧩 3. Function: extractUsername(String token)

🧠 What it does:

Reads a JWT token and extracts the username (subject) from it.

⚙️Syntax:

public String extractUsername(String token) {

return [Link]()

.setSigningKey([Link]([Link]()))

.build()
 .parseClaimsJws(token)

.getBody()

.getSubject();

📖 Line-by-line Explanation:

🔹 [Link]()

Creates a parser to read or validate existing JWT tokens.

🔹 .setSigningKey([Link]([Link]()))

Sets the same secret key that was used to create the token.
This is how the server verifies that the token wasn’t tampered with.

If the secret is wrong → parsing fails with an exception.

🔹 .build()

Finalizes the parser object so it’s ready to decode and verify tokens.

🔹 .parseClaimsJws(token)

 Takes your token string as input.

 Verifies its signature and expiry.

 If it’s valid → returns all the token’s “claims” (payload data).

🔹 .getBody()

Extracts the payload (the middle part of the token).

🔹 .getSubject()

Reads the "sub" field from the payload (the username we stored earlier).
🔎 Without this function:

You couldn’t know which user sent the token.

Every valid token would be meaningless because it wouldn’t identify the user.

🧩 4. Function: validateToken(String token)

🧠 What it does:

Checks if the token is valid — not expired, not modified, and properly signed.

⚙️Syntax:

public boolean validateToken(String token) {

try {

[Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token);

return true;

} catch (JwtException e) {

return false;

📖 Line-by-line Explanation:

🔹 try { ... } catch (JwtException e) { ... }

We use this because if the token is invalid, expired, or tampered,

parseClaimsJws() throws an exception.

So this function returns:

 ✅ true → token is valid

  ❌ false → token is invalid (expired, corrupted, fake, etc.)

🔹 Inside try block:

[Link]()

.setSigningKey([Link]([Link]()))

.build()

.parseClaimsJws(token);

This does two main verifications:

1. Signature Check
It ensures that the token’s signature matches your secret key.
If someone modified even one letter in the payload, the signature won’t match.

2. Expiry Check
It automatically reads the exp field in the payload.
If current time > expiry time → it throws ExpiredJwtException.

🔎 Without this function:

You would accept any token, even:

 Expired ones,

 Tokens made by others,

 Or tokens that have been tampered with.

That would completely break your security.

📋 5. Summary Table

Function Purpose Without It? Key Methods

Create new JWT No token → no login [Link](), .setSubject(), .sig

generateToken()
for user possible nWith()

Read username [Link](), .getSubjec

extractUsername() Can’t identify user
from token t()
Function Purpose Without It? Key Methods

Check if token is Expired or fake

validateToken() parseClaimsJws(), JwtException
valid tokens accepted

Signing key for Anyone could forge

SECRET [Link]()
security tokens

🧩 Bonus Tip: What “Claims” mean

The data inside JWT (like subject, issuedAt, expiry) are called claims.
They’re basically key–value pairs, like:

"sub": "malik",

"role": "USER",

"iat": 1718429343,

"exp": 1718432943

You can even add custom claims:

.setClaims([Link]("role", "ADMIN"))

Then later extract them with:

[Link]("role")