By Syed Rizwan

5-securing-rest-apis-with-jwt-in-a-spring-boot-application.html

Securing REST APIs with JWT in a Spring Boot Application

In today's digital landscape, securing REST APIs is more critical than ever. As developers, we need to ensure that our applications are not only functional but also safe from unauthorized access. One of the most popular methods for achieving this is by using JSON Web Tokens (JWT). In this article, we'll explore what JWT is, how it works, and how to implement it in a Spring Boot application to secure your REST APIs.

What is JWT?

Definition of JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Structure of JWT

A JWT is composed of three parts:

  1. Header: Contains metadata about the token, including the type (JWT) and the signing algorithm (e.g., HMAC SHA256).
  2. Payload: Contains the claims, which are the statements about an entity (typically the user) and additional data.
  3. Signature: Created by combining the encoded header, encoded payload, and a secret key. This ensures the integrity of the token.

This structure looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Why Use JWT for Securing REST APIs?

  • Statelessness: JWT allows you to maintain a stateless session, which means that the server does not need to store session information. This is particularly useful for distributed systems.
  • Compact: JWTs are URL-safe and can be easily sent in HTTP headers, making them lightweight.
  • Cross-Domain Support: JWTs can be used across different domains, making them ideal for microservices.

Use Cases for JWT in Spring Boot

  • User Authentication: Secure login processes by issuing JWTs upon successful authentication.
  • Authorization: Control access to specific resources based on roles embedded within the JWT.
  • Single Sign-On (SSO): Facilitate seamless authentication across multiple applications.

Step-by-Step Implementation of JWT in Spring Boot

Step 1: Setting Up Your Spring Boot Project

  1. Create a new Spring Boot project using Spring Initializr with the following dependencies:
  2. Spring Web
  3. Spring Security
  4. Spring Data JPA
  5. H2 Database (for testing)
  6. jjwt (Java JWT library)

Step 2: Adding Dependencies

In your pom.xml, add the following dependencies:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>

Step 3: Configuring Spring Security

Create a configuration class to set up Spring Security:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/auth/**").permitAll() // Public endpoints
            .anyRequest().authenticated() // Secure all other endpoints
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

Step 4: Creating the JWT Utility Class

This class will handle token creation and validation:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Component
public class JwtUtil {

    private String SECRET_KEY = "secret"; // Change this in production
    private long EXPIRATION_TIME = 1000 * 60 * 60; // 1 hour

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public Boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private String extractUsername(String token) {
        return extractAllClaims(token).getSubject();
    }

    private Claims extractAllClaims(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
    }

    private Boolean isTokenExpired(String token) {
        return extractAllClaims(token).getExpiration().before(new Date());
    }
}

Step 5: Create Authentication Controller

This controller will handle user authentication and provide JWTs:

import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/auth")
public class AuthController {

    private final JwtUtil jwtUtil;

    public AuthController(JwtUtil jwtUtil) {
        this.jwtUtil = jwtUtil;
    }

    @PostMapping("/login")
    public String login(@RequestBody AuthRequest authRequest) {
        // Validate user credentials (pseudo-code)
        if (isValidUser(authRequest.getUsername(), authRequest.getPassword())) {
            return jwtUtil.generateToken(authRequest.getUsername());
        }
        throw new RuntimeException("Invalid Credentials");
    }
}

class AuthRequest {
    private String username;
    private String password;

    // Getters and Setters
}

Step 6: Testing Your Implementation

  1. Start your Spring Boot application.
  2. Use Postman or another API client to send a POST request to http://localhost:8080/auth/login with a JSON body containing valid credentials.
  3. If successful, you will receive a JWT token that can be used in subsequent requests to secure endpoints.

Troubleshooting Common Issues

  • Token Expiration: Ensure you handle token expiration gracefully on the client side.
  • Invalid Token: Always verify the signature and claims on the server side.
  • CORS Issues: If you're developing a frontend application, configure CORS properly in your Spring Boot application to allow cross-origin requests.

Conclusion

Securing REST APIs with JWT in a Spring Boot application is a robust solution that enhances the security of your applications. By following the steps outlined in this guide, you can effectively implement JWT authentication and authorization, providing a seamless experience for your users while safeguarding sensitive data. As you expand your application, consider exploring advanced JWT features and best practices to further enhance your security strategy. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.