How to secure Spring Boot with JWT Authentication and Authorization

kishorek2511 — Thu, 11 May 2023 06:07:45 +0000

Hello learners, here we are going to learn about spring security implementation with spring boot3.0 and JWT.

JWT (JSON Web Tokens) is a standard for representing claims securely between two parties. It is a compact, URL-safe means of representing claims to be transferred between two parties. A JWT consists of three parts: a header, a payload, and a signature.

Header consist of algorithm and token type, Payload consist of subject,name,issuedat, Verify Signature is the combination of encoded header,payload and secret key. JWT token is a combination of these three.

Spring Security can be integrated with JWT to secure web applications by generating, parsing, and validating JWTs.

The following is a overview of how JWT authentication and authorization works in Spring Boot:

User authentication: When a user logs in to the system, the server verifies the user's credentials, such as their username and password. If the credentials are correct, the server generates a JWT for the user and returns it to the client.

JWT creation: The server creates a JWT by encoding the user's identity information and other necessary data, such as expiration time, into a JSON object. The JSON object is then signed using a secret key or public/private key pair.

Token storage: The client stores the JWT locally, usually in a cookie or local storage.

Authorization: For each subsequent request, the client sends the JWT in the request header. The server verifies the JWT's signature and decodes its contents to extract the user's identity information and other details. Based on this information, the server can then authorize the user to access certain resources or perform certain actions.

Token validation: The server can also validate the JWT to ensure that it has not been tampered with and has not expired. If the token is invalid, the server can reject the request or request the user to log in again.

Steps to Implement JWT

Step 1: Add the JWT dependencies

Step 2: Create a endpoint to authenticate and generate JWT

In CreateToken method, we are creating token by setting claims,subject,issued and expiration date, signature.

Step 3: Create a filter to validate JWT

create a class for filter and extends with OncePerRequestFilter, override doFilterInternal method and invoke authorization token from header. Validate the token by extracting username and expiration date from the token. This filer is used to validate the JWT token for each API call.

Step 4: Add the configuration to authorize API calls

Create a class and add a method to authorize, in above code given access to "/products/new","/products/authenticate" endpoints to all users, for "/products/**" endpoint only authenticated users with valid JWT can access.

Testing the implementation

Authenticating and Generating the token

Copy the generated token and add it to other API call, I'm accessing the below API with Admin credentials

If we try to access the API with Admin credentials where only user can access will get 403 Forbidden error

Spring Security role based Authentication & Authorization Implementation with Spring Boot 3.0

kishorek2511 — Wed, 10 May 2023 10:30:15 +0000

Hello learners, here we are going to know about spring security implementation with spring boot. Spring security provides authentication, authorization, and protection against common attacks.

Authentication - Authentication is how we verify the identity of the user trying to access a particular resource, once authentication is performed we know the identity and can perform authorization.
Authorization - Authorization means giving permission to access particular resource/url.

Steps to Implement Spring Security

Step 1: Add Spring Security dependency in POM.XML

Step 2: Create a configuration class , add authentication and authorization methods.

@EnableWebSecurity provides default security configuration to our application.Default security activates both HTTP security filters and the security filter chain and applies basic authentication to our endpoints.

@Configuration tells Spring Boot to scan the class for bean definitions and register them with the application context.

authenticateProvider() method is used to store all the user deatils like username, password, roles.Spring Security contains DaoAuthenticationProvider class which contains userDetailsService and passwordEncoder.passwordEncoder() is used to encrypt the password and encrypted password is stored in DB.

SecutityFilterChain() method is to authorize the resources, here
.requestMatchers("/products/welcome","/products/new").permitAll() is to give access to all the users, any user can access those two urls.
requestMatchers("/products/**").authenticated() is to give access to authenticated users.

Step 3: Implement role based authorization

@PreAuthorize annotation is used to specify a expression that will be evaluated before the method is executed. If the expression evaluates to true, the method is executed otherwise, an AccessDeniedException is thrown.

The getAllProducts() method can only be executed by users with the ROLE_USER role, while the getProductById() method can be executed by users with the ROLE_ADMINrole.
Testing the implementation

Added the sample code to test the implementation.

After giving user credentials user can able to access the user endpoint
When user try to access Admin endpoint with user credential, error page will display

DEV Community: kishorek2511

How to secure Spring Boot with JWT Authentication and Authorization

Steps to Implement JWT

Spring Security role based Authentication & Authorization Implementation with Spring Boot 3.0