DEV Community: Mattia Forlani The latest articles on DEV Community by Mattia Forlani (@mattia_forlani). https://dev.to/mattia_forlani https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3806744%2F1775ce30-5829-4616-b7a3-fb4114b5f320.jpg DEV Community: Mattia Forlani https://dev.to/mattia_forlani en How I Built a Production-Ready JWT Auth Template with Java 21 and Spring Security 6 Mattia Forlani Wed, 04 Mar 2026 23:58:52 +0000 https://dev.to/mattia_forlani/how-i-built-a-production-ready-jwt-auth-template-with-java-21-and-spring-security-6-5de2 https://dev.to/mattia_forlani/how-i-built-a-production-ready-jwt-auth-template-with-java-21-and-spring-security-6-5de2 <h1> How I Built a Production-Ready JWT Auth Template with Java 21 and Spring Security 6 </h1> <p>Every Java project needs authentication. And every time, you spend days wiring up Spring Security, configuring JWT, setting up roles, handling token refresh... before you even write a single line of business logic.</p> <p>I got tired of it. So I built a template I can reuse — and decided to share it.</p> <h2> What's Inside </h2> <ul> <li> <strong>Spring Boot 3.2</strong> + <strong>Spring Security 6</strong> stateless JWT auth</li> <li> <strong>Java 21</strong> features used throughout — Records, Sealed classes, Pattern matching</li> <li> <strong>Role-based authorization</strong> — USER, ADMIN, MODERATOR out of the box</li> <li> <strong>Access token + refresh token</strong> rotation</li> <li> <strong>React + TypeScript</strong> frontend demo with password strength indicator</li> <li> <strong>Docker + PostgreSQL</strong> — one command to run everything</li> <li> <strong>Postman collection</strong> included</li> </ul> <h2> Why Java 21 Features Matter Here </h2> <p>This isn't just a Spring Boot project with Java 21 slapped on it. The modern Java features are used where they actually improve the code.</p> <h3> Records for DTOs </h3> <p>Instead of bloated POJOs with getters, setters, constructors and <code>equals/hashCode</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="n">record</span> <span class="nf">LoginRequest</span><span class="o">(</span> <span class="nd">@NotBlank</span><span class="o">(</span><span class="n">message</span> <span class="o">=</span> <span class="s">"Username is required"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nd">@NotBlank</span><span class="o">(</span><span class="n">message</span> <span class="o">=</span> <span class="s">"Password is required"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">password</span> <span class="o">)</span> <span class="o">{}</span> </code></pre> </div> <p>Immutable, zero boilerplate, built-in <code>equals</code>, <code>hashCode</code> and <code>toString</code>. Spring validation works out of the box.</p> <h3> Sealed Classes for Exception Hierarchy </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="n">sealed</span> <span class="kd">class</span> <span class="nc">AuthException</span> <span class="kd">extends</span> <span class="nc">RuntimeException</span> <span class="n">permits</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">UserAlreadyExistsException</span><span class="o">,</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">InvalidTokenException</span><span class="o">,</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">UserNotFoundException</span><span class="o">,</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">RoleNotFoundException</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">UserAlreadyExistsException</span> <span class="kd">extends</span> <span class="nc">AuthException</span> <span class="o">{</span> <span class="o">...</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">InvalidTokenException</span> <span class="kd">extends</span> <span class="nc">AuthException</span> <span class="o">{</span> <span class="o">...</span> <span class="o">}</span> <span class="c1">// ...</span> <span class="o">}</span> </code></pre> </div> <p>The compiler knows every possible subtype. This means the switch expression in the exception handler is exhaustive — no unchecked cases.</p> <h3> Pattern Matching Switch in Exception Handler </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kt">var</span> <span class="n">status</span> <span class="o">=</span> <span class="k">switch</span> <span class="o">(</span><span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">case</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">UserAlreadyExistsException</span> <span class="n">e</span> <span class="o">-&gt;</span> <span class="nc">HttpStatus</span><span class="o">.</span><span class="na">CONFLICT</span><span class="o">;</span> <span class="k">case</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">InvalidTokenException</span> <span class="n">e</span> <span class="o">-&gt;</span> <span class="nc">HttpStatus</span><span class="o">.</span><span class="na">UNAUTHORIZED</span><span class="o">;</span> <span class="k">case</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">RoleNotFoundException</span> <span class="n">e</span> <span class="o">-&gt;</span> <span class="nc">HttpStatus</span><span class="o">.</span><span class="na">INTERNAL_SERVER_ERROR</span><span class="o">;</span> <span class="k">case</span> <span class="nc">AuthException</span><span class="o">.</span><span class="na">UserNotFoundException</span> <span class="n">e</span> <span class="o">-&gt;</span> <span class="nc">HttpStatus</span><span class="o">.</span><span class="na">NOT_FOUND</span><span class="o">;</span> <span class="k">default</span> <span class="o">-&gt;</span> <span class="nc">HttpStatus</span><span class="o">.</span><span class="na">BAD_REQUEST</span><span class="o">;</span> <span class="o">};</span> </code></pre> </div> <p>Clean, readable, type-safe. No instanceof chains.</p> <h3> Optional Chain in JWT Filter </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="n">parseJwt</span><span class="o">(</span><span class="n">request</span><span class="o">)</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">jwt</span> <span class="o">-&gt;</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">getAuthentication</span><span class="o">()</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">.</span><span class="na">ifPresent</span><span class="o">(</span><span class="n">jwt</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">jwtTokenProvider</span><span class="o">.</span><span class="na">extractUsername</span><span class="o">(</span><span class="n">jwt</span><span class="o">);</span> <span class="nc">UserDetails</span> <span class="n">userDetails</span> <span class="o">=</span> <span class="n">userDetailsService</span><span class="o">.</span><span class="na">loadUserByUsername</span><span class="o">(</span><span class="n">username</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">jwtTokenProvider</span><span class="o">.</span><span class="na">isTokenValid</span><span class="o">(</span><span class="n">jwt</span><span class="o">,</span> <span class="n">userDetails</span><span class="o">))</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">authToken</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span> <span class="n">userDetails</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">()</span> <span class="o">);</span> <span class="n">authToken</span><span class="o">.</span><span class="na">setDetails</span><span class="o">(</span><span class="k">new</span> <span class="nc">WebAuthenticationDetailsSource</span><span class="o">().</span><span class="na">buildDetails</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authToken</span><span class="o">);</span> <span class="o">}</span> <span class="o">});</span> </code></pre> </div> <p>No nested null checks, no if/else chains.</p> <h2> Security Configuration </h2> <p>Spring Security 6 dropped <code>WebSecurityConfigurerAdapter</code>. The new approach uses beans directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">(</span><span class="n">s</span> <span class="o">-&gt;</span> <span class="n">s</span><span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">))</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="no">PUBLIC_ENDPOINTS</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/admin/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/api/mod/**"</span><span class="o">).</span><span class="na">hasAnyRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">,</span> <span class="s">"MODERATOR"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">addFilterBefore</span><span class="o">(</span><span class="n">jwtAuthFilter</span><span class="o">,</span> <span class="nc">UsernamePasswordAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Stateless, no sessions, JWT filter injected before Spring's default auth filter.</p> <h2> Password Validation </h2> <p>Both backend and frontend enforce strong passwords.</p> <p><strong>Backend</strong> — <code>@Pattern</code> on the DTO rejects weak passwords even if someone bypasses the UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Pattern</span><span class="o">(</span> <span class="n">regexp</span> <span class="o">=</span> <span class="s">"^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&amp;_\\-#])[A-Za-z\\d@$!%*?&amp;_\\-#]{8,}$"</span><span class="o">,</span> <span class="n">message</span> <span class="o">=</span> <span class="s">"Password must contain uppercase, lowercase, number and special character"</span> <span class="o">)</span> <span class="nc">String</span> <span class="n">password</span> </code></pre> </div> <p><strong>Frontend</strong> — real-time strength indicator with 5-segment bar and checklist that checks off rules as you type.</p> <h2> Docker Setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">authdb</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">authuser</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">authpass</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">authuser</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">authdb"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <p>The <code>healthcheck</code> on PostgreSQL ensures the app container only starts after the database is actually ready — not just running.</p> <h2> API Endpoints </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Endpoint</th> <th>Auth</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>POST</td> <td>/api/auth/register</td> <td>Public</td> <td>Register new user</td> </tr> <tr> <td>POST</td> <td>/api/auth/login</td> <td>Public</td> <td>Login, get tokens</td> </tr> <tr> <td>POST</td> <td>/api/auth/refresh</td> <td>Public</td> <td>Refresh access token</td> </tr> <tr> <td>POST</td> <td>/api/auth/logout</td> <td>Bearer</td> <td>Invalidate token</td> </tr> <tr> <td>GET</td> <td>/api/me</td> <td>USER</td> <td>Current user info</td> </tr> <tr> <td>GET</td> <td>/api/user/profile</td> <td>USER</td> <td>User profile</td> </tr> <tr> <td>GET</td> <td>/api/mod/dashboard</td> <td>MOD+</td> <td>Moderator area</td> </tr> <tr> <td>GET</td> <td>/api/admin/users</td> <td>ADMIN</td> <td>Admin area</td> </tr> </tbody> </table></div> <h2> Get the Template </h2> <p>The full template with React frontend, Docker setup and Postman collection is available here:</p> <p>👉 <a href="https://forlani6.gumroad.com/" rel="noopener noreferrer">Spring Boot JWT Auth Template on Gumroad</a></p> <p>Includes everything you need to clone it, run <code>docker-compose up --build</code>, and have a working auth system in minutes.</p> <h2> Tags </h2> <p><code>#java</code> <code>#springboot</code> <code>#webdev</code> <code>#security</code> <code>#jwt</code></p> java springboot webdev security