By Syed Rizwan

2-how-to-create-a-secure-rest-api-using-spring-boot-and-jwt-authentication.html

How to Create a Secure REST API Using Spring Boot and JWT Authentication

In today’s digital landscape, securing your applications is more critical than ever. REST APIs serve as the backbone for many web and mobile applications, allowing different software systems to communicate effectively. However, without proper security measures, your API can become vulnerable to a range of attacks. In this article, we will explore how to create a secure REST API using Spring Boot and JSON Web Tokens (JWT) for authentication. We'll cover definitions, use cases, and provide you with actionable coding insights.

What is a REST API?

REST (Representational State Transfer) is an architectural style that defines a set of constraints for creating web services. REST APIs use standard HTTP requests for communication, making them easy to use and widely adopted. They are stateless, meaning each request from a client must contain all the information the server needs to fulfill that request.

Use Cases for REST APIs

  • Web and Mobile Applications: REST APIs are commonly used to connect front-end applications with back-end services.
  • Microservices Architecture: They enable the development of microservices that can communicate with one another.
  • Third-party Integrations: REST APIs allow external services to interact with your application seamlessly.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling you to securely transmit information between parties.

Why Use JWT for Authentication?

  • Stateless: JWTs do not require session storage, making them scalable.
  • Compact: They are small in size, reducing the overhead on your server.
  • Self-contained: JWTs can carry all the necessary information about the user to eliminate the need for additional database queries.

Getting Started with Spring Boot

Prerequisites

Before we dive into coding, ensure you have the following installed:

  • Java Development Kit (JDK) 11 or higher
  • Maven
  • An IDE (like IntelliJ IDEA or Eclipse)

Step 1: Create a Spring Boot Project

Create a new Spring Boot project using Spring Initializr (https://start.spring.io/). Select the following dependencies:

  • Spring Web
  • Spring Security
  • Spring Data JPA
  • H2 Database (for testing)

Step 2: Project Structure

Your project structure should look like this:

src
└── main
    ├── java
    │   └── com
    │       └── example
    │           ├── demo
    │           │   ├── DemoApplication.java
    │           │   ├── controller
    │           │   ├── model
    │           │   ├── repository
    │           │   └── security
    │           └── config
    └── resources
        └── application.properties

Step 3: Configure JWT Authentication

3.1. Create the JWT Utility Class

Create a utility class to handle JWT creation and validation.

package com.example.demo.security;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Component
public class JwtUtil {

    private String SECRET_KEY = "mysecretkey"; // Use a strong secret in production

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 hours expiration
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public Boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private Boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    private Date extractExpiration(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getExpiration();
    }

    private String extractUsername(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getSubject();
    }
}

3.2. Create the Authentication Controller

Create a controller to manage user authentication and token generation.

package com.example.demo.controller;

import com.example.demo.security.JwtUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/auth")
public class AuthController {

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/login")
    public String login(@RequestParam String username) {
        // Here you would normally validate the user credentials
        return jwtUtil.generateToken(username);
    }
}

Step 4: Configure Spring Security

Create a security configuration class to secure your API endpoints.

package com.example.demo.config;

import com.example.demo.security.JwtFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtFilter jwtFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Configure your authentication manager
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/auth/login").permitAll()
            .anyRequest().authenticated()
            .and().addFilter(jwtFilter);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

Step 5: Create a JWT Filter

Implement a filter to validate the JWT token for secured routes.

package com.example.demo.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtFilter extends WebAuthenticationFilter {

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        final String authorizationHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            username = jwtUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            // Validate the token and set the authentication in the context
        }

        chain.doFilter(request, response);
    }
}

Step 6: Testing Your API

Run your Spring Boot application and test the endpoints using Postman or another API client.

  1. Login: Send a POST request to /auth/login with a username, and receive a JWT in response.
  2. Access Protected Resource: Use the JWT as a Bearer token in the Authorization header to access secured endpoints.

Conclusion

In this article, we've walked through the steps to build a secure REST API using Spring Boot and JWT authentication. By following these guidelines, you can ensure that your API is well-protected against unauthorized access while maintaining a smooth user experience.

As you continue to develop your API, consider implementing additional security measures such as rate limiting, input validation, and logging. These practices will further enhance the security and reliability of your application. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.