RS256 JWT flow between two microservices, then how Spring actually validates it internally.
how Spring Security internally validates that JWT step by step.
Here's what the actual code looks like in the Inventory Service (spring-boot-starter-oauth2-resource-server):
application.yml — tell Spring where to fetch the public key:
spring:
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: http://auth-service/oauth2/jwks
SecurityConfig.java — configure the filter chain:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/inventory/reserve").hasRole("ORDER_SVC")
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter()))
);
return http.build();
}
@Bean
public JwtAuthenticationConverter jwtAuthConverter() {
JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
converter.setAuthoritiesClaimName("roles"); // map "roles" claim → GrantedAuthority
converter.setAuthorityPrefix("ROLE_");
JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
jwtConverter.setJwtGrantedAuthoritiesConverter(converter);
return jwtConverter;
}
}
InventoryController.java — the endpoint is now protected:
@RestController
@RequestMapping("/api/inventory")
public class InventoryController {
@PostMapping("/reserve")
@PreAuthorize("hasRole('ORDER_SVC')")
public ResponseEntity<String> reserveStock(
@RequestBody ReserveRequest req,
@AuthenticationPrincipal Jwt jwt) { // inject the parsed JWT
String callerService = jwt.getSubject(); // "order-service"
// proceed with reservation...
return ResponseEntity.ok("Reserved for " + callerService);
}
}
What does BearerTokenAuthenticationFilter do exactly in Spring Security?
What BearerTokenAuthenticationFilter does
It is a OncePerRequestFilter — guaranteed to run exactly once per request, sitting early in Spring Security's filter chain. Its entire job is to bridge the raw HTTP world (a string in a header) to Spring Security's authentication world (a typed Authentication object in the SecurityContext).
Step 1 — Token extraction via DefaultBearerTokenResolver
It reads the Authorization header and strips Bearer from the front. It also optionally checks request parameters (access_token=...) if you configure allowFormEncodedBodyParameter or allowUriQueryParameter. If no token is found at all, it just calls chain.doFilter() — the request passes through unauthenticated, and a later filter or your controller will enforce access.
Step 2 — Wraps the raw token in BearerTokenAuthenticationToken
This is a lightweight container that holds the raw JWT string and is marked as not yet authenticated (isAuthenticated() = false). Think of it as the question — "here's a token, can you validate it?"
Step 3 — Hands off to AuthenticationManager
The filter calls authenticationManager.authenticate(token). The manager routes this to JwtAuthenticationProvider, which calls NimbusJwtDecoder to do the actual RS256 verification, expiry check, issuer check, etc.
Step 4a — On success: populates SecurityContextHolder
If authentication succeeds, the provider returns a fully populated JwtAuthenticationToken (which is authenticated, carries the parsed claims, and has GrantedAuthority objects derived from your roles). The filter stores this in SecurityContextHolder.getContext().setAuthentication(...), then calls chain.doFilter() — the request proceeds to your controller, where @PreAuthorize and @AuthenticationPrincipal work because the context is populated.
Step 4b — On failure: delegates to AuthenticationEntryPoint
If the provider throws JwtValidationException (bad signature, expired, wrong issuer), the filter catches it, clears the SecurityContext (important — prevents stale auth from leaking), and calls authenticationEntryPoint.commence(...), which writes a 401 Unauthorized response with a WWW-Authenticate: Bearer error="invalid_token" header.
Key things it does NOT do
It does not do authorization — that's AuthorizationFilter further down the chain.
It doesn't decode the JWT itself — that's NimbusJwtDecoder.
It doesn't map claims to roles — that's JwtAuthenticationConverter.
The filter's job is purely: extract → wrap → delegate → store or reject.
Top comments (0)