Hello learners, here we are going to learn how to implement Spring Security with Spring Boot 3.0 and JWT.
JWT (JSON Web Tokens) is a standard for representing claims securely between two parties. It is a compact, URL-safe means of representing claims to be transferred between two parties. A JWT consists of three parts: a header, a payload, and a signature.
The header consists of the signing algorithm and the token type; the payload consists of claims such as subject, name and issued-at time; the signature is computed over the encoded header and payload using the secret key. The JWT is the combination of these three parts.
Spring Security can be integrated with JWT to secure web applications by generating, parsing, and validating JWTs.
The following is an overview of how JWT authentication and authorization work in Spring Boot:
User authentication: When a user logs in to the system, the server verifies the user's credentials, such as their username and password. If the credentials are correct, the server generates a JWT for the user and returns it to the client.
JWT creation: The server creates a JWT by encoding the user's identity information and other necessary data, such as expiration time, into a JSON object. The JSON object is then signed using a secret key or public/private key pair.
Token storage: The client stores the JWT locally, usually in a cookie or local storage.
Authorization: For each subsequent request, the client sends the JWT in the request header. The server verifies the JWT's signature and decodes its contents to extract the user's identity information and other details. Based on this information, the server can then authorize the user to access certain resources or perform certain actions.
Token validation: The server can also validate the JWT to ensure that it has not been tampered with and has not expired. If the token is invalid, the server can reject the request or request the user to log in again.
Steps to Implement JWT
Step 1: Add the JWT dependencies
Step 2: Create an endpoint to authenticate and generate the JWT
In the CreateToken method, we create the token by setting the claims, subject, issued-at and expiration dates, and then signing it.
Step 3: Create a filter to validate JWT
Create a filter class that extends OncePerRequestFilter, override the doFilterInternal method and read the Authorization token from the request header. Validate the token by extracting the username and expiration date from it. This filter validates the JWT on every API call.
Step 4: Add the configuration to authorize API calls
Create a configuration class and add a method to authorize requests. In the code above, the "/products/new" and "/products/authenticate" endpoints are open to all users, while the "/products/**" endpoints can only be accessed by authenticated users carrying a valid JWT.
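The token creation of Step 2 and the validation of Step 3 in one service class, as an added example that is not the article's own code. It assumes the jjwt 0.11.x library (io.jsonwebtoken) on the classpath; the secret, expiry and claim names are constructed for the demo.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;

public class JwtService {
    // Constructed demo secret (32+ bytes so jjwt accepts it for HS256); load it from configuration in a real app.
    private static final String SECRET = "demo-secret-change-me-32-bytes-minimum!!";
    private static final long EXPIRY_MS = 30 * 60 * 1000L; // 30 minutes
    private final SecretKey key = Keys.hmacShaKeyFor(SECRET.getBytes(StandardCharsets.UTF_8));

    /** Step 2: claims, subject, issuedAt and expiration, then sign with HS256. */
    public String createToken(String username, String role) {
        Map<String, Object> claims = new HashMap<>();
        claims.put("role", role); // custom claim the authorization code can read later
        Date now = new Date();
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + EXPIRY_MS))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    /** Step 3: verify signature and expiry; null means "reject the request". */
    public Claims parseAndValidate(String token) {
        try {
            // parseClaimsJws verifies the HMAC and rejects unsigned (alg=none) tokens
            return Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody();
        } catch (ExpiredJwtException e) {
            return null; // expired: the filter should answer 401 so the user logs in again
        } catch (JwtException | IllegalArgumentException e) {
            return null; // bad signature, malformed or empty token
        }
    }

    /** Used by the filter: the token is valid and belongs to the user being loaded. */
    public boolean isValid(String token, String expectedUsername) {
        Claims c = parseAndValidate(token);
        return c != null && expectedUsername.equals(c.getSubject());
    }
}
```

The filter from Step 3 calls isValid with the username from the Authorization header's token and only then populates the SecurityContext; anything that returns null here should never reach the "/products/**" handlers.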
Testing the implementation
Authenticating and Generating the token
Copy the generated token and add it to the other API calls. I'm accessing the API below with Admin credentials.
If we try to access an API that only a user can access with Admin credentials, we will get a 403 Forbidden error.