DEV Community: Jakub Leško The latest articles on DEV Community by Jakub Leško (@kubadlo). https://dev.to/kubadlo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F128697%2F5eb4fff3-878e-4fc2-99ef-4f7948699373.png DEV Community: Jakub Leško https://dev.to/kubadlo en Spring Security with JWT Jakub Leško Mon, 14 Jan 2019 17:43:08 +0000 https://dev.to/kubadlo/spring-security-with-jwt-3j76 https://dev.to/kubadlo/spring-security-with-jwt-3j76 <p>Spring Security’s default behavior is easy to use for a standard web application. It uses cookie-based authentication and sessions. Also, it automatically handles CSRF tokens for you (to prevent man in the middle attacks). In most cases you just need to set authorization rights for specific routes, a method to retrieve the user from the database and that’s it.</p> <p>On the other hand, you probably don’t need full session if you’re building just a REST API which will be consumed with external services or your SPA/mobile application. Here comes the JWT (JSON Web Token) – a small digitally signed token. All needed information can be stored in the token, so your server can be session-less.</p> <p>JWT needs to be attached to every HTTP request so the server can authorize your users. There are some options on how to send the token. For example, as an URL parameter or in HTTP Authorization header using the Bearer schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Authorization: Bearer &lt;token string&gt; </code></pre> </div> <p>JSON Web Token contains three main parts:</p> <ol> <li>Header – typically includes the type of the token and hashing algorithm.</li> <li>Payload – typically includes data about a user and for whom is token issued.</li> <li>Signature – it’s used to verify if a message wasn’t changed along the way.</li> </ol> <h2> Example token </h2> <p>A JWT token from authorization header will probably look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJzZWN1cmUtYXBpIiwiYXVkIjoic2VjdXJlLWFwcCIsInN1YiI6InVzZXIiLCJleHAiOjE1NDgyNDI1ODksInJvbCI6WyJST0xFX1VTRVIiXX0.GzUPUWStRofrWI9Ctfv2h-XofGZwcOog9swtuqg1vSkA8kDWLcY3InVgmct7rq4ZU3lxI6CGupNgSazypHoFOA </code></pre> </div> <p>As you can see there are three parts separated with comma – header, claims, and signature. Header and payload are Base64 encoded JSON objects.</p> <h4> Header: </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HS512"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Claims/Payload: </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secure-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secure-app"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1548242589</span><span class="p">,</span><span class="w"> </span><span class="nl">"rol"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ROLE_USER"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Example application </h2> <p>In the following example, we will create a simple API with 2 routes – one publicly available and one only for authorized users.</p> <p>We will use page <a href="https://start.spring.io/" rel="noopener noreferrer">start.spring.io</a> to create our application skeleton and select Security and Web dependencies. Rest of the options are up to your preferences.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fjakublesko.com%2Fimages%2Fblog%2F2019-01-14-spring-initializr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fjakublesko.com%2Fimages%2Fblog%2F2019-01-14-spring-initializr.png" title="Screenshot of Spring Initializr with new application details" alt="Spring Initializr screenshot"></a></p> <p>JWT support for Java is provided by the library <a href="https://github.com/jwtk/jjwt" rel="noopener noreferrer">JJWT</a> so we also need to add following dependencies to the pom.xml file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-api<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.10.5<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-impl<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.10.5<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt-jackson<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.10.5<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h2> Controllers </h2> <p>Controllers in our example applications will be simple as much as possible. They will just return a message or HTTP 403 error code in case the user is not authorized.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/public"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PublicController</span> <span class="o">{</span> <span class="nd">@GetMapping</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getMessage</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello from public API controller"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/private"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PrivateController</span> <span class="o">{</span> <span class="nd">@GetMapping</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getMessage</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello from private API controller"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Filters </h2> <p>First, we will define some reusable constants and defaults for generation and validation of JWTs.</p> <p><em>Note: You should not hardcode JWT signing key into your application code (we will ignore that for now in the example). You should use an environment variable or .properties file. Also, keys need to have an appropriate length. For example, HS512 algorithm needs a key with size at least 512 bytes.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">SecurityConstants</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">AUTH_LOGIN_URL</span> <span class="o">=</span> <span class="s">"/api/authenticate"</span><span class="o">;</span> <span class="c1">// Signing key for HS512 algorithm</span> <span class="c1">// You can use the page http://www.allkeysgenerator.com/ to generate all kinds of keys</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">JWT_SECRET</span> <span class="o">=</span> <span class="s">"n2r5u8x/A%D*G-KaPdSgVkYp3s6v9y$B&amp;E(H+MbQeThWmZq4t7w!z%C*F-J@NcRf"</span><span class="o">;</span> <span class="c1">// JWT token defaults</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TOKEN_HEADER</span> <span class="o">=</span> <span class="s">"Authorization"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TOKEN_PREFIX</span> <span class="o">=</span> <span class="s">"Bearer "</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TOKEN_TYPE</span> <span class="o">=</span> <span class="s">"JWT"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TOKEN_ISSUER</span> <span class="o">=</span> <span class="s">"secure-api"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">TOKEN_AUDIENCE</span> <span class="o">=</span> <span class="s">"secure-app"</span><span class="o">;</span> <span class="kd">private</span> <span class="nf">SecurityConstants</span><span class="o">()</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="s">"Cannot create instance of static util class"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The first filter will be used directly for user authentication. It’ll check for username and password parameters from URL and calls Spring’s authentication manager to verify them.</p> <p>If username and password are correct, then the filter will create a JWT token and returns it in HTTP Authorization header.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtAuthenticationFilter</span> <span class="kd">extends</span> <span class="nc">UsernamePasswordAuthenticationFilter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">JwtAuthenticationFilter</span><span class="o">(</span><span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">authenticationManager</span> <span class="o">=</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="n">setFilterProcessesUrl</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">AUTH_LOGIN_URL</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">attemptAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"username"</span><span class="o">);</span> <span class="kt">var</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"password"</span><span class="o">);</span> <span class="kt">var</span> <span class="n">authenticationToken</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">);</span> <span class="k">return</span> <span class="n">authenticationManager</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">authenticationToken</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">successfulAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">filterChain</span><span class="o">,</span> <span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">user</span> <span class="o">=</span> <span class="o">((</span><span class="nc">User</span><span class="o">)</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">());</span> <span class="kt">var</span> <span class="n">roles</span> <span class="o">=</span> <span class="n">user</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">()</span> <span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">GrantedAuthority:</span><span class="o">:</span><span class="n">getAuthority</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="kt">var</span> <span class="n">signingKey</span> <span class="o">=</span> <span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">JWT_SECRET</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="kt">var</span> <span class="n">token</span> <span class="o">=</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">signWith</span><span class="o">(</span><span class="nc">Keys</span><span class="o">.</span><span class="na">hmacShaKeyFor</span><span class="o">(</span><span class="n">signingKey</span><span class="o">),</span> <span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">HS512</span><span class="o">)</span> <span class="o">.</span><span class="na">setHeaderParam</span><span class="o">(</span><span class="s">"typ"</span><span class="o">,</span> <span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_TYPE</span><span class="o">)</span> <span class="o">.</span><span class="na">setIssuer</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_ISSUER</span><span class="o">)</span> <span class="o">.</span><span class="na">setAudience</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_AUDIENCE</span><span class="o">)</span> <span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getUsername</span><span class="o">())</span> <span class="o">.</span><span class="na">setExpiration</span><span class="o">(</span><span class="k">new</span> <span class="nc">Date</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">currentTimeMillis</span><span class="o">()</span> <span class="o">+</span> <span class="mi">864000000</span><span class="o">))</span> <span class="o">.</span><span class="na">claim</span><span class="o">(</span><span class="s">"rol"</span><span class="o">,</span> <span class="n">roles</span><span class="o">)</span> <span class="o">.</span><span class="na">compact</span><span class="o">();</span> <span class="n">response</span><span class="o">.</span><span class="na">addHeader</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_HEADER</span><span class="o">,</span> <span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_PREFIX</span> <span class="o">+</span> <span class="n">token</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The second filter handles all HTTP requests and checks if there is an Authorization header with the correct token. For example, if the token is not expired or if the signature key is correct.</p> <p>If the token is valid then the filter will add authentication data into Spring’s security context.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtAuthorizationFilter</span> <span class="kd">extends</span> <span class="nc">BasicAuthenticationFilter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="n">log</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">JwtAuthorizationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="kd">public</span> <span class="nf">JwtAuthorizationFilter</span><span class="o">(</span><span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">doFilterInternal</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">filterChain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">authentication</span> <span class="o">=</span> <span class="n">getAuthentication</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">authentication</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">filterChain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span> <span class="n">filterChain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">UsernamePasswordAuthenticationToken</span> <span class="nf">getAuthentication</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_HEADER</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="nc">StringUtils</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">token</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="n">token</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">TOKEN_PREFIX</span><span class="o">))</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">signingKey</span> <span class="o">=</span> <span class="nc">SecurityConstants</span><span class="o">.</span><span class="na">JWT_SECRET</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="kt">var</span> <span class="n">parsedToken</span> <span class="o">=</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">parser</span><span class="o">()</span> <span class="o">.</span><span class="na">setSigningKey</span><span class="o">(</span><span class="n">signingKey</span><span class="o">)</span> <span class="o">.</span><span class="na">parseClaimsJws</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">replace</span><span class="o">(</span><span class="s">"Bearer "</span><span class="o">,</span> <span class="s">""</span><span class="o">));</span> <span class="kt">var</span> <span class="n">username</span> <span class="o">=</span> <span class="n">parsedToken</span> <span class="o">.</span><span class="na">getBody</span><span class="o">()</span> <span class="o">.</span><span class="na">getSubject</span><span class="o">();</span> <span class="kt">var</span> <span class="n">authorities</span> <span class="o">=</span> <span class="o">((</span><span class="nc">List</span><span class="o">&lt;?&gt;)</span> <span class="n">parsedToken</span><span class="o">.</span><span class="na">getBody</span><span class="o">()</span> <span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"rol"</span><span class="o">)).</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="n">authority</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">((</span><span class="nc">String</span><span class="o">)</span> <span class="n">authority</span><span class="o">))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="nc">StringUtils</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">username</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="n">authorities</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">ExpiredJwtException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Request to parse expired JWT : {} failed : {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">UnsupportedJwtException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Request to parse unsupported JWT : {} failed : {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">MalformedJwtException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Request to parse invalid JWT : {} failed : {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">SignatureException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Request to parse JWT with invalid signature : {} failed : {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">IllegalArgumentException</span> <span class="n">exception</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Request to parse empty or null JWT : {} failed : {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">exception</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Security configuration </h2> <p>The last part we need to configure is Spring Security itself. The configuration is simple, we need to set just a few details:</p> <ul> <li>Password encoder – in our case bcrypt</li> <li> <a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="noopener noreferrer">CORS</a> configuration</li> <li>Authentication manager – in our case simple in-memory authentication but in real life, you’ll need something like <a href="https://www.baeldung.com/spring-security-authentication-with-a-database" rel="noopener noreferrer">UserDetailsService</a> </li> <li>Set which endpoints are secure and which are publicly available</li> <li>Add our 2 filters into the security context</li> <li>Disable session management – we don’t need sessions so this will prevent the creation of session cookies </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableGlobalMethodSecurity</span><span class="o">(</span><span class="n">securedEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfiguration</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span><span class="o">.</span><span class="na">cors</span><span class="o">().</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/public"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">addFilter</span><span class="o">(</span><span class="k">new</span> <span class="nc">JwtAuthenticationFilter</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">()))</span> <span class="o">.</span><span class="na">addFilter</span><span class="o">(</span><span class="k">new</span> <span class="nc">JwtAuthorizationFilter</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">()))</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">()</span> <span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">auth</span><span class="o">.</span><span class="na">inMemoryAuthentication</span><span class="o">()</span> <span class="o">.</span><span class="na">withUser</span><span class="o">(</span><span class="s">"user"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">().</span><span class="na">encode</span><span class="o">(</span><span class="s">"password"</span><span class="o">))</span> <span class="o">.</span><span class="na">authorities</span><span class="o">(</span><span class="s">"ROLE_USER"</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">CorsConfigurationSource</span> <span class="nf">corsConfigurationSource</span><span class="o">()</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">UrlBasedCorsConfigurationSource</span> <span class="n">source</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UrlBasedCorsConfigurationSource</span><span class="o">();</span> <span class="n">source</span><span class="o">.</span><span class="na">registerCorsConfiguration</span><span class="o">(</span><span class="s">"/**"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">CorsConfiguration</span><span class="o">().</span><span class="na">applyPermitDefaultValues</span><span class="o">());</span> <span class="k">return</span> <span class="n">source</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Test </h2> <h4> Request to public API </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>GET http://localhost:8080/api/public </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1<span class="p">;</span> <span class="nv">mode</span><span class="o">=</span>block Cache-Control: no-cache, no-store, max-age<span class="o">=</span>0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>UTF-8 Content-Length: 32 Date: Sun, 13 Jan 2019 12:22:14 GMT Hello from public API controller Response code: 200<span class="p">;</span> Time: 18ms<span class="p">;</span> Content length: 32 bytes </code></pre> </div> <h4> Authenticate user </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>POST http://localhost:8080/api/authenticate?username<span class="o">=</span>user&amp;password<span class="o">=</span>password </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 200 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJzZWN1cmUtYXBpIiwiYXVkIjoic2VjdXJlLWFwcCIsInN1YiI6InVzZXIiLCJleHAiOjE1NDgyNDYwNzUsInJvbCI6WyJST0xFX1VTRVIiXX0.yhskhWyi-PgIluYY21rL0saAG92TfTVVVgVT1afWd_NnmOMg__2kK5lcna3lXzYI4-0qi9uGpI6Ul33-b9KTnA X-Content-Type-Options: nosniff X-XSS-Protection: 1<span class="p">;</span> <span class="nv">mode</span><span class="o">=</span>block Cache-Control: no-cache, no-store, max-age<span class="o">=</span>0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Length: 0 Date: Sun, 13 Jan 2019 12:21:15 GMT &lt;Response body is empty&gt; Response code: 200<span class="p">;</span> Time: 167ms<span class="p">;</span> Content length: 0 bytes </code></pre> </div> <h4> Request to private API with token </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>GET http://localhost:8080/api/private Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJzZWN1cmUtYXBpIiwiYXVkIjoic2VjdXJlLWFwcCIsInN1YiI6InVzZXIiLCJleHAiOjE1NDgyNDI1ODksInJvbCI6WyJST0xFX1VTRVIiXX0.GzUPUWStRofrWI9Ctfv2h-XofGZwcOog9swtuqg1vSkA8kDWLcY3InVgmct7rq4ZU3lxI6CGupNgSazypHoFOA </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 200 X-Content-Type-Options: nosniff X-XSS-Protection: 1<span class="p">;</span> <span class="nv">mode</span><span class="o">=</span>block Cache-Control: no-cache, no-store, max-age<span class="o">=</span>0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>UTF-8 Content-Length: 33 Date: Sun, 13 Jan 2019 12:22:48 GMT Hello from private API controller Response code: 200<span class="p">;</span> Time: 12ms<span class="p">;</span> Content length: 33 bytes </code></pre> </div> <h4> Request to private API without token </h4> <p>You’ll get HTTP 403 message when you call secured endpoint without a valid JWT.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>GET http://localhost:8080/api/private </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>HTTP/1.1 403 X-Content-Type-Options: nosniff X-XSS-Protection: 1<span class="p">;</span> <span class="nv">mode</span><span class="o">=</span>block Cache-Control: no-cache, no-store, max-age<span class="o">=</span>0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: application/json<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>UTF-8 Transfer-Encoding: chunked Date: Sun, 13 Jan 2019 12:27:25 GMT <span class="o">{</span> <span class="s2">"timestamp"</span>: <span class="s2">"2019-01-13T12:27:25.020+0000"</span>, <span class="s2">"status"</span>: 403, <span class="s2">"error"</span>: <span class="s2">"Forbidden"</span>, <span class="s2">"message"</span>: <span class="s2">"Access Denied"</span>, <span class="s2">"path"</span>: <span class="s2">"/api/private"</span> <span class="o">}</span> Response code: 403<span class="p">;</span> Time: 28ms<span class="p">;</span> Content length: 125 bytes </code></pre> </div> <h2> Conclusion </h2> <p>The goal of this article is not to show the one correct way how to use JWTs in Spring Security. It’s an example of how you can do it in your real-life application. Also, I did not want to go too deep into the topic so few things like token refreshing, invalidation, etc. are missing but I’ll cover these topics probably in the future.</p> <p><strong>tl;dr</strong> You can find the full source code of this example API in my <a href="https://github.com/kubadlo/jwt-security" rel="noopener noreferrer">GitHub repository</a>.</p> java spring security jwt