By Syed Rizwan

8-using-spring-boot-to-create-secure-rest-apis-with-jwt-authentication.html

Using Spring Boot to Create Secure REST APIs with JWT Authentication

In today's digital landscape, securing REST APIs is more crucial than ever. As applications increasingly rely on APIs for data exchange, ensuring that these endpoints are protected from unauthorized access is a top priority. One effective way to achieve this is through the use of JSON Web Tokens (JWT) for authentication. This article aims to guide you through the process of creating secure REST APIs using Spring Boot and JWT authentication, complete with code examples, best practices, and troubleshooting tips.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Components of JWT

  • Header: Contains metadata about the token, including the type of token and the signing algorithm.
  • Payload: Contains the claims or the information you want to transmit. This can include user ID, roles, expiration time, etc.
  • Signature: Ensures that the token hasn't been altered. It is created by taking the encoded header, encoded payload, and a secret key.

Why Use JWT for Authentication?

JWTs offer several benefits for securing APIs:

  • Statelessness: No need to store session data on the server, which enhances scalability.
  • Interoperability: JWTs can be used across different domains and languages.
  • Compactness: Being a compact token, JWTs can be easily transmitted via HTTP headers.

Setting Up a Spring Boot Project

To start, you'll need to set up a Spring Boot project. You can easily do this using Spring Initializr.

Step 1: Create Your Spring Boot Application

  1. Visit Spring Initializr.
  2. Choose the following:
  3. Project: Maven Project
  4. Language: Java
  5. Spring Boot version: (Choose the latest stable version)
  6. Dependencies: Spring Web, Spring Security, Spring Data JPA, H2 Database (for testing)
  7. Click on "Generate" to download the project.

Step 2: Import the Project

Import the downloaded project into your preferred IDE (like IntelliJ IDEA or Eclipse).

Configuring Spring Security

To secure your REST API, you need to configure Spring Security to use JWT.

Step 3: Add Dependencies

In your pom.xml, add the following dependencies for JWT:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>

Step 4: Create Security Configuration

Now, create a security configuration class.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/api/auth/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

Step 5: Create JWT Utility Class

You need a utility class to handle JWT creation and validation.

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Component
public class JwtUtil {
    private String SECRET_KEY = "your_secret_key"; // Change this

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 hours
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public Boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private Boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    private Date extractExpiration(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getExpiration();
    }

    public String extractUsername(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getSubject();
    }
}

Implementing Authentication

Step 6: Create Authentication Controller

Now, create a controller for authentication.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/auth")
public class AuthController {

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/login")
    public String login(@RequestBody AuthRequest authRequest) {
        // Authenticate user (dummy authentication for demo purposes)
        String username = authRequest.getUsername();
        // Here you can add real user authentication

        return jwtUtil.generateToken(username);
    }
}

Step 7: Create AuthRequest Class

Create a simple DTO for authentication requests.

public class AuthRequest {
    private String username;
    private String password;

    // Getters and Setters
}

Testing the API

To test your API, you can use tools like Postman.

  1. Login: Send a POST request to /api/auth/login with JSON body containing username and password.
  2. Access secured endpoints: Use the received JWT in the Authorization header as Bearer <token>.

Conclusion

In this tutorial, we walked through the process of securing a Spring Boot REST API using JWT authentication. We covered the basics of JWT, set up a Spring Boot application, configured Spring Security, and implemented JWT creation and validation.

Key Takeaways

  • JWT is a robust solution for securing REST APIs.
  • Spring Security allows for easy integration of JWT authentication.
  • Always ensure that your secret key is stored securely.

By following these steps, you can build secure and scalable APIs that protect user data and maintain the integrity of your application. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.