By Syed Rizwan

implementing-secure-jwt-authentication-in-a-spring-boot-application.html

Implementing Secure JWT Authentication in a Spring Boot Application

In the modern era of web applications, security is paramount. One of the most effective ways to secure your applications is through JSON Web Tokens (JWT). This article will guide you through implementing secure JWT authentication in a Spring Boot application, providing you with clear definitions, use cases, and actionable insights.

What is JWT?

JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Features of JWT

  • Compact: JWTs are small in size, making them easy to pass in URL, POST data, or HTTP headers.
  • Self-contained: They carry all the necessary information about the user, reducing the need for multiple queries to a database.
  • Stateless: The server does not need to keep a session store; all information is encoded in the token itself.

Use Cases for JWT Authentication

JWT is commonly used in scenarios such as:

  • Single Page Applications (SPAs): Where authentication is required for API access.
  • Mobile Applications: Allowing secure communication between mobile clients and servers.
  • Microservices Architecture: Where multiple services need secure and stateless communication.

Setting Up a Spring Boot Application

Step 1: Setting Up the Project

  1. Create a New Spring Boot Project: You can use Spring Initializr (https://start.spring.io/) to set up your project. Choose the following dependencies:
  2. Spring Web
  3. Spring Security
  4. Spring Data JPA
  5. H2 Database (for development/testing)

  6. Lombok (optional for reducing boilerplate code)

  7. Import the Project: Once the project is generated, import it into your favorite IDE (like IntelliJ IDEA or Eclipse).

Step 2: Project Structure

The typical structure of your project will look like this:

src/main/java/com/example/jwt
├── config
│   └── SecurityConfig.java
├── controller
│   └── AuthController.java
├── model
│   └── User.java
├── repository
│   └── UserRepository.java
├── security
│   ├── JwtRequestFilter.java
│   └── JwtUtil.java
├── service
│   └── UserService.java
└── JwtApplication.java

Step 3: User Model and Repository

Create a User model:

package com.example.jwt.model;

import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
@Data
@NoArgsConstructor
@AllArgsConstructor
public class User {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private String username;
    private String password;
}

Create a UserRepository:

package com.example.jwt.repository;

import com.example.jwt.model.User;
import org.springframework.data.jpa.repository.JpaRepository;

public interface UserRepository extends JpaRepository<User, Long> {
    User findByUsername(String username);
}

Step 4: JWT Utility Class

Next, create a utility class for generating and validating JWTs:

package com.example.jwt.security;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Component
public class JwtUtil {
    private String secretKey = "your_secret_key"; // Change this to a secure key
    private long validity = 5 * 60 * 1000; // 5 minutes

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + validity))
                .signWith(SignatureAlgorithm.HS256, secretKey)
                .compact();
    }

    public boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    private Date extractExpiration(String token) {
        return Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token).getBody().getExpiration();
    }

    public String extractUsername(String token) {
        return Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token).getBody().getSubject();
    }
}

Step 5: Security Configuration

You need to configure Spring Security to use JWT:

package com.example.jwt.config;

import com.example.jwt.security.JwtRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtRequestFilter jwtRequestFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests().antMatchers("/authenticate").permitAll()
            .anyRequest().authenticated()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

Step 6: JWT Request Filter

Implement a filter to validate the JWT for incoming requests:

package com.example.jwt.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtRequestFilter extends WebAuthenticationFilter {

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        final String authorizationHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            username = jwtUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            // Validate token and set authentication
        }
        chain.doFilter(request, response);
    }
}

Step 7: Authentication Controller

Finally, implement the authentication endpoint:

package com.example.jwt.controller;

import com.example.jwt.model.User;
import com.example.jwt.security.JwtUtil;
import com.example.jwt.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
public class AuthController {

    @Autowired
    private UserRepository userRepository;

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/authenticate")
    public String authenticate(@RequestBody User user) {
        User existingUser = userRepository.findByUsername(user.getUsername());
        if (existingUser != null && existingUser.getPassword().equals(user.getPassword())) {
            return jwtUtil.generateToken(user.getUsername());
        }
        throw new RuntimeException("Invalid credentials");
    }
}

Conclusion

Implementing JWT authentication in a Spring Boot application enhances security while ensuring scalability and flexibility. By following this guide, you’ve built a simple yet effective JWT authentication system. Remember, always store your secret keys securely and consider using more advanced features like refresh tokens for production applications.

By leveraging the power of JWT in your applications, you can create secure, stateless authentication mechanisms that are robust and scalable. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.