Menu

JWT in Spring Security and it’s Advantage

JWT in Spring Security and it’s Advantage

JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. In the context of Spring Security, JWT is commonly used for securing APIs by transmitting information about the authenticated user or other claims as a JSON object. This token is digitally signed, ensuring its integrity and authenticity.

Spring Security

How JWT Works in Spring Security

1. Authentication

When a user logs in, Spring Security validates the credentials and generates a JWT, which is then sent back to the client.

2. Token-Based Authentication

On subsequent requests, the client includes the JWT in the Authorization header. Spring Security checks this token to authenticate and authorize the request.

3. Statelessness

JWT allows the server to remain stateless, as the token itself contains all the necessary information. The server does not need to maintain session state.

Advantages of JWT

1. Stateless

JWT tokens are self-contained, meaning they carry all the necessary information about the user and claims. This eliminates the need to store session information on the server, making it easier to scale the application.

2. Compact

JWT tokens are small in size, typically in the form of a Base64-encoded string, which makes them easy to transmit in HTTP headers.

3. Secure:

JWT can be signed using a secret or a public/private key pair, ensuring that the token has not been tampered with.

4. Interoperability

Since JWT is a standard format, it can be used across different platforms and programming languages, making it highly interoperable.

Java Example

Example
Here’s an example of how JWT can be implemented in a Spring Boot application using Spring Security.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;

public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    private final AuthenticationManager authenticationManager;
    private final String secretKey;

    public JwtAuthenticationFilter(AuthenticationManager authenticationManager, String secretKey) {
        this.authenticationManager = authenticationManager;
        this.secretKey = secretKey;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        // Extract username and password from request
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);

        return authenticationManager.authenticate(authenticationToken);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException {
        String token = Jwts.builder()
                .setSubject(authResult.getName())
                .setExpiration(new Date(System.currentTimeMillis() + 864_000_000)) // Token validity 10 days
                .signWith(SignatureAlgorithm.HS512, secretKey)
                .compact();

        response.addHeader("Authorization", "Bearer " + token);
    }
}
```

Explanation of the Code

  1. JwtAuthenticationFilter: This filter extends UsernamePasswordAuthenticationFilter and handles the process of authentication and JWT generation.
  2. attemptAuthentication: This method extracts the username and password from the request, creates an Authentication object, and passes it to the AuthenticationManager for validation.
  3. successfulAuthentication: Upon successful authentication, this method generates a JWT using the Jwts.builder() and signs it with a secret key. The token is then added to the Authorization header in the response.
  4. Token Expiration: The token has an expiration time, after which it becomes invalid.

Homepage

Readmore