<h1>JWT Authentication with Spring Boot 3.0</h1>

<img alt="" src="/media/blogs/jwt_boot.png" style="height:554px; width:985px" />

<ul>
	<li>We will see how to configure InMemory user and jwt authentication using latest spring boot 3.0.</li>
	<li>We will create one protected endpoint and try to secure endpoint using spring boot security.</li>
</ul>

<h2>Create new Spring Boot Project</h2>

<ul>
	<li>Go to spring initializer and create new project with dependencies</li>
	<li>add the following dependencies</li>
	<li>For Web</li>
</ul>

<pre>
<code class="language-java">&lt;dependency&gt;
 &lt;groupId&gt;org.springframework.boot&lt;/groupId&gt;
 &lt;artifactId&gt;spring-boot-starter-web&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>

<ul>
	<li>For security</li>
</ul>

<pre>
<code>&lt;dependency&gt;
 &lt;groupId&gt;org.springframework.boot&lt;/groupId&gt;
 &lt;artifactId&gt;spring-boot-starter-security&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>

<ul>
	<li>Lombok</li>
</ul>

<pre>
<code class="language-java">&lt;dependency&gt;
 &lt;groupId&gt;org.projectlombok&lt;/groupId&gt;
 &lt;artifactId&gt;lombok&lt;/artifactId&gt;
 &lt;optional&gt;true&lt;/optional&gt;
&lt;/dependency&gt;</code></pre>

<ul>
	<li>For JWT</li>
</ul>

<pre>
<code class="language-java"> &lt;!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api --&gt;
&lt;dependency&gt;
 &lt;groupId&gt;io.jsonwebtoken&lt;/groupId&gt;
 &lt;artifactId&gt;jjwt-api&lt;/artifactId&gt;
 &lt;version&gt;0.11.5&lt;/version&gt;
&lt;/dependency&gt;


 &lt;!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-impl --&gt;
&lt;dependency&gt;
 &lt;groupId&gt;io.jsonwebtoken&lt;/groupId&gt;
 &lt;artifactId&gt;jjwt-impl&lt;/artifactId&gt;
 &lt;version&gt;0.11.5&lt;/version&gt;
 &lt;scope&gt;runtime&lt;/scope&gt;
&lt;/dependency&gt;

&lt;dependency&gt;
 &lt;groupId&gt;io.jsonwebtoken&lt;/groupId&gt;
 &lt;artifactId&gt;jjwt-jackson&lt;/artifactId&gt; &lt;!-- or jjwt-gson if Gson is preferred --&gt;
 &lt;version&gt;0.11.5&lt;/version&gt;
 &lt;scope&gt;runtime&lt;/scope&gt;
&lt;/dependency&gt;</code></pre>

&nbsp;

<h2>Create End Point to be secured</h2>

<pre>
<code class="language-java">@RestController
public class HomeController {

 Logger logger = LoggerFactory.getLogger(HomeController.class);

 @RequestMapping("/test")
 public String test() {
 this.logger.warn("This is working message");
 return "Testing message";
 }


}</code></pre>

Use can create the same that we developed in video.

<h2>Create InMemory user with UserDetailService Bean</h2>

Create UserDetailService bean and write the InMemory user implementation

Create CustomConfig class and create bean and also create two important bean PasswordEncoder and AuthenticationManager so that we can use later.

&nbsp;

<pre>
<code class="language-java">@Configuration
class MyConfig {
 @Bean
 public UserDetailsService userDetailsService() {
 UserDetails userDetails = User.builder().
 username("DURGESH")
 .password(passwordEncoder().encode("DURGESH")).roles("ADMIN").
 build();
 return new InMemoryUserDetailsManager(userDetails);
 }

 @Bean
 public PasswordEncoder passwordEncoder() {
 return new BCryptPasswordEncoder();
 }

 @Bean
 public AuthenticationManager authenticationManager(AuthenticationConfiguration builder) throws Exception {
 return builder.getAuthenticationManager();
 }
}</code></pre>

Now we can login with given username and password by default spring security provide form login .

open browser and open

<pre>
<code>http://localhost:8080/test</code></pre>

when login form is prompted just login with username and password as given .

<hr />
<h3>JWT Authentication Flow</h3>

<img alt="" src="/media/blogs/jwt_flow.jpg" style="height:609px; width:863px" />

&nbsp;

<h3>Steps to implement jwt token:</h3>

1)&nbsp; Make sure&nbsp;<code>spring-boot-starter-security</code> is there in pom.xml

2)&nbsp; Create Class&nbsp;<code>JWTAthenticationEntryPoint</code>&nbsp;that implement&nbsp;<code>AuthenticationEntryPoint</code>. Method of this class is called whenever as exception is thrown due to unauthenticated user trying to access the resource that required authentication.

<pre>
<code class="language-java">@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
 @Override
 public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 PrintWriter writer = response.getWriter();
 writer.println("Access Denied !! " + authException.getMessage());
 }
}</code></pre>

3)&nbsp; Create <code>JWTHelper </code>&nbsp;class This class contains method related to perform operations with jwt token like generateToken, validateToken etc.

<pre>
<code class="language-java">@Component
public class JwtHelper {

 //requirement :
 public static final long JWT_TOKEN_VALIDITY = 5 * 60 * 60;

 // public static final long JWT_TOKEN_VALIDITY = 60;
 private String secret = "afafasfafafasfasfasfafacasdasfasxASFACASDFACASDFASFASFDAFASFASDAADSCSDFADCVSGCFVADXCcadwavfsfarvf";

 //retrieve username from jwt token
 public String getUsernameFromToken(String token) {
 return getClaimFromToken(token, Claims::getSubject);
 }

 //retrieve expiration date from jwt token
 public Date getExpirationDateFromToken(String token) {
 return getClaimFromToken(token, Claims::getExpiration);
 }

 public &lt;T&gt; T getClaimFromToken(String token, Function&lt;Claims, T&gt; claimsResolver) {
 final Claims claims = getAllClaimsFromToken(token);
 return claimsResolver.apply(claims);
 }

 //for retrieveing any information from token we will need the secret key
 private Claims getAllClaimsFromToken(String token) {
 return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
 }

 //check if the token has expired
 private Boolean isTokenExpired(String token) {
 final Date expiration = getExpirationDateFromToken(token);
 return expiration.before(new Date());
 }

 //generate token for user
 public String generateToken(UserDetails userDetails) {
 Map&lt;String, Object&gt; claims = new HashMap&lt;&gt;();
 return doGenerateToken(claims, userDetails.getUsername());
 }

 //while creating the token -
 //1. Define claims of the token, like Issuer, Expiration, Subject, and the ID
 //2. Sign the JWT using the HS512 algorithm and secret key.
 //3. According to JWS Compact Serialization(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-3.1)
 // compaction of the JWT to a URL-safe string
 private String doGenerateToken(Map&lt;String, Object&gt; claims, String subject) {

 return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
 .setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY * 1000))
 .signWith(SignatureAlgorithm.HS512, secret).compact();
 }

 //validate token
 public Boolean validateToken(String token, UserDetails userDetails) {
 final String username = getUsernameFromToken(token);
 return (username.equals(userDetails.getUsername()) &amp;&amp; !isTokenExpired(token));
 }


}</code></pre>

4)&nbsp;Create&nbsp;<code>JWTAuthenticationFilter</code>&nbsp;that extends&nbsp;<code>OncePerRequestFilter</code>&nbsp;and override method and write the logic to check the token that is comming in header. We have to write 5 important logic

<ol>
	<li style="list-style-type:none">
	<ol>
		<li>Get Token from request</li>
		<li>Validate Token</li>
		<li>GetUsername from token</li>
		<li>Load user associated with this token</li>
		<li>set authentication</li>
	</ol>
	</li>
</ol>

<pre>
<code class="language-java">@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {

 private Logger logger = LoggerFactory.getLogger(OncePerRequestFilter.class);
 @Autowired
 private JwtHelper jwtHelper;


 @Autowired
 private UserDetailsService userDetailsService;

 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

// try {
// Thread.sleep(500);
// } catch (InterruptedException e) {
// throw new RuntimeException(e);
// }
 //Authorization

 String requestHeader = request.getHeader("Authorization");
 //Bearer 2352345235sdfrsfgsdfsdf
 logger.info(" Header : {}", requestHeader);
 String username = null;
 String token = null;
 if (requestHeader != null &amp;&amp; requestHeader.startsWith("Bearer")) {
 //looking good
 token = requestHeader.substring(7);
 try {

 username = this.jwtHelper.getUsernameFromToken(token);

 } catch (IllegalArgumentException e) {
 logger.info("Illegal Argument while fetching the username !!");
 e.printStackTrace();
 } catch (ExpiredJwtException e) {
 logger.info("Given jwt token is expired !!");
 e.printStackTrace();
 } catch (MalformedJwtException e) {
 logger.info("Some changed has done in token !! Invalid Token");
 e.printStackTrace();
 } catch (Exception e) {
 e.printStackTrace();

 }


 } else {
 logger.info("Invalid Header Value !! ");
 }


 //
 if (username != null &amp;&amp; SecurityContextHolder.getContext().getAuthentication() == null) {


 //fetch user detail from username
 UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
 Boolean validateToken = this.jwtHelper.validateToken(token, userDetails);
 if (validateToken) {

 //set the authentication
 UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
 authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
 SecurityContextHolder.getContext().setAuthentication(authentication);


 } else {
 logger.info("Validation fails !!");
 }


 }

 filterChain.doFilter(request, response);


 }
}</code></pre>

5) Configure spring security in configuration file:

<pre>
<code class="language-java">@Configuration
public class SecurityConfig {


 @Autowired
 private JwtAuthenticationEntryPoint point;
 @Autowired
 private JwtAuthenticationFilter filter;

 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

 http.csrf(csrf -&gt; csrf.disable())
 .authorizeRequests().
 requestMatchers("/test").authenticated().requestMatchers("/auth/login").permitAll()
 .anyRequest()
 .authenticated()
 .and().exceptionHandling(ex -&gt; ex.authenticationEntryPoint(point))
 .sessionManagement(session -&gt; session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
 return http.build();
 }


}</code></pre>

6) Create JWTRequest and JWTResponse to receive request data and send Login success response.

7)&nbsp; Create login api to accept username and password and return token if username and password is correct.

<pre>
<code class="language-java">@RestController
@RequestMapping("/auth")
public class AuthController {

 @Autowired
 private UserDetailsService userDetailsService;

 @Autowired
 private AuthenticationManager manager;


 @Autowired
 private JwtHelper helper;

 private Logger logger = LoggerFactory.getLogger(AuthController.class);


 @PostMapping("/login")
 public ResponseEntity&lt;JwtResponse&gt; login(@RequestBody JwtRequest request) {

 this.doAuthenticate(request.getEmail(), request.getPassword());


 UserDetails userDetails = userDetailsService.loadUserByUsername(request.getEmail());
 String token = this.helper.generateToken(userDetails);

 JwtResponse response = JwtResponse.builder()
 .jwtToken(token)
 .username(userDetails.getUsername()).build();
 return new ResponseEntity&lt;&gt;(response, HttpStatus.OK);
 }

 private void doAuthenticate(String email, String password) {

 UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(email, password);
 try {
 manager.authenticate(authentication);


 } catch (BadCredentialsException e) {
 throw new BadCredentialsException(" Invalid Username or Password !!");
 }

 }

 @ExceptionHandler(BadCredentialsException.class)
 public String exceptionHandler() {
 return "Credentials Invalid !!";
 }

}
</code></pre>

8) Test Application.

&nbsp;

To watch video click here&nbsp;<a href="https://www.youtube.com/embed/q2l91Ffc_8U" target="_blank">Youtube Video</a>

&nbsp;

&nbsp;

In this blog we will learn about how to use JWT authentication with Spring Boot  3.1

LCWD

Home

Blogs

Premium Courses

Free Courses

About

Contact

LCWD

Jwt Authentication with Spring Boot 3.1

Categories

Trending Blogs

Help Others, Please Share

Learn Code With Durgesh

!! Happy Coding !!

Products

Contact

Get In Touch