By Syed Rizwan

securing-rest-apis-with-oauth2-and-jwt-in-spring-boot-applications.html

Securing REST APIs with OAuth2 and JWT in Spring Boot Applications

In today's digital landscape, securing your REST APIs is more critical than ever. As applications become more interconnected, the need for robust authentication and authorization mechanisms is paramount. One of the most effective ways to secure REST APIs is through the use of OAuth2 and JSON Web Tokens (JWT). This article will guide you through the concepts and implementation details of securing your Spring Boot applications using these technologies.

Understanding OAuth2 and JWT

What is OAuth2?

OAuth2 is an authorization framework that allows third-party applications to obtain limited access to an HTTP service on behalf of a user. It delegates user authentication to the service that hosts the user account and authorizes third-party applications to access the user's data without sharing their credentials.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure. JWTs are commonly used in authentication and information exchange scenarios.

Use Cases for OAuth2 and JWT

  • Single Sign-On (SSO): Users can log in once and gain access to multiple services.
  • API Security: Protect API endpoints from unauthorized access.
  • Microservices Architecture: Secure communication between microservices with token-based authentication.

Setting Up a Spring Boot Application

Step 1: Create a Spring Boot Project

To begin, create a new Spring Boot application using Spring Initializr (https://start.spring.io). Include the following dependencies:

  • Spring Web
  • Spring Security
  • Spring Data JPA
  • Spring Boot DevTools
  • H2 Database (for testing purposes)

Step 2: Add Required Dependencies

Open your pom.xml file and ensure you have the necessary dependencies for Spring Security and JWT:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Step 3: Configure Security

Create a security configuration class to define your security settings. Here’s a basic example:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/api/auth/**").permitAll()  // Allow access to authentication endpoints
            .anyRequest().authenticated();  // Secure all other endpoints
    }
}

Step 4: Implementing JWT Utility Class

Create a utility class for generating and validating JWT tokens:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Component
public class JwtUtil {

    private String SECRET_KEY = "your_secret_key"; // Use a secure key

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();
        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String subject) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(subject)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 hours
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public Boolean validateToken(String token, String username) {
        final String extractedUsername = extractUsername(token);
        return (extractedUsername.equals(username) && !isTokenExpired(token));
    }

    private String extractUsername(String token) {
        return extractAllClaims(token).getSubject();
    }

    private Claims extractAllClaims(String token) {
        return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
    }

    private Boolean isTokenExpired(String token) {
        return extractAllClaims(token).getExpiration().before(new Date());
    }
}

Step 5: Creating Authentication Endpoint

Create a controller to handle authentication requests:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/auth")
public class AuthController {

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/login")
    public String authenticate(@RequestBody AuthRequest request) {
        // Validate user credentials (this is just a placeholder)
        if ("user".equals(request.getUsername()) && "password".equals(request.getPassword())) {
            return jwtUtil.generateToken(request.getUsername());
        }
        throw new RuntimeException("Invalid Credentials");
    }
}

Step 6: Securing API Endpoints

To secure your endpoints, you can use a filter to validate the token in incoming requests:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtRequestFilter extends OncePerRequestFilter {

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        final String authorizationHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            username = jwtUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            // Validate the token and set authentication in context
        }

        chain.doFilter(request, response);
    }
}

Conclusion

Securing REST APIs with OAuth2 and JWT in Spring Boot applications is a powerful approach to ensure that only authorized users have access to your resources. By following the steps outlined in this article, you can implement a secure authentication mechanism that protects your APIs from unauthorized access.

As you develop your application, keep in mind:

  • Always use a strong secret key for JWT signing.
  • Regularly update your dependencies to mitigate security vulnerabilities.
  • Consider using HTTPS to encrypt data in transit.

With a solid understanding of OAuth2 and JWT, you're well on your way to building secure and scalable Spring Boot applications.

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.