JWT Authentication in Spring Boot

JWT Authentication in Spring Boot

When building secure APIs with Spring Boot, you often need to authenticate users. One popular and modern method is using JWT (JSON Web Tokens).

In this guide, we’ll explain how JWT authentication works in Spring Boot—and how to implement it step by step.

What is JWT?

JWT (JSON Web Token) is a compact, secure way to represent information between two parties.

It’s used to verify users without needing to store session data on the server.

A JWT contains three parts:

HEADER.PAYLOAD.SIGNATURE

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJ1c2VyMSIsImlhdCI6MTY3Njg0.
qwerty-signature-example

๐Ÿ” Why Use JWT in Spring Boot?

  • Stateless: No need to store sessions

  • Scalable: Works well in distributed systems (e.g., microservices)

  • Fast: No database call needed for every request

  • Secure: Signed with a secret key

⚙️ How JWT Authentication Works

  1. User Logs In with username and password

  2. Server authenticates and generates a JWT

  3. Client stores JWT (usually in localStorage or cookies)

  4. Client sends JWT in the Authorization header with each request

  5. Server verifies the JWT and grants access

๐Ÿ› ️ Step-by-Step: Implementing JWT in Spring Boot

๐Ÿ”ธ 1. Add Required Dependencies

In your pom.xml (Maven):

<dependency>
  <groupId>io.jsonwebtoken</groupId>
  <artifactId>jjwt</artifactId>
  <version>0.9.1</version>
</dependency>

Spring Boot also needs:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

๐Ÿ”ธ 2. Create a JWT Utility Class

@Component
public class JwtUtil {
    private final String SECRET_KEY = "mysecret";

    public String generateToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60)) // 1 hour
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                .compact();
    }

    public String extractUsername(String token) {
        return Jwts.parser()
                   .setSigningKey(SECRET_KEY)
                   .parseClaimsJws(token)
                   .getBody()
                   .getSubject();
    }

    public boolean validateToken(String token, UserDetails userDetails) {
        String username = extractUsername(token);
        return (username.equals(userDetails.getUsername()));
    }
}

๐Ÿ”ธ 3. Create Authentication Controller

@RestController
public class AuthController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtUtil jwtUtil;

    @Autowired
    private UserDetailsService userDetailsService;

    @PostMapping("/authenticate")
    public ResponseEntity<?> createToken(@RequestBody AuthRequest authRequest) throws Exception {
        try {
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            authRequest.getUsername(), authRequest.getPassword())
            );
        } catch (BadCredentialsException e) {
            throw new Exception("Invalid credentials", e);
        }

        final UserDetails userDetails = userDetailsService
                .loadUserByUsername(authRequest.getUsername());

        final String jwt = jwtUtil.generateToken(userDetails.getUsername());

        return ResponseEntity.ok(new AuthResponse(jwt));
    }
}

๐Ÿ”ธ 4. Create Request and Response Models

@Data
public class AuthRequest {
    private String username;
    private String password;
}

@Data
@AllArgsConstructor
public class AuthResponse {
    private String jwt;
}

๐Ÿ”ธ 5. JWT Filter (To Check Token in Every Request)

@Component
public class JwtFilter extends OncePerRequestFilter {

    @Autowired
    private JwtUtil jwtUtil;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {

        final String authHeader = request.getHeader("Authorization");

        String username = null;
        String jwt = null;

        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            jwt = authHeader.substring(7);
            username = jwtUtil.extractUsername(jwt);
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            if (jwtUtil.validateToken(jwt, userDetails)) {
                UsernamePasswordAuthenticationToken authToken =
                        new UsernamePasswordAuthenticationToken(
                                userDetails, null, userDetails.getAuthorities());

                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }

        filterChain.doFilter(request, response);
    }
}

๐Ÿ”ธ 6. Spring Security Configuration

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtFilter jwtFilter;

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests().antMatchers("/authenticate").permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}

๐Ÿงช How to Use

  1. Call POST /authenticate with username and password

  2. Get the JWT token in the response

  3. Use this token in the Authorization header of all future API calls:

Authorization: Bearer your.jwt.token

๐Ÿ“Œ Benefits of JWT in Spring Boot

FeatureBenefit
Stateless AuthNo need to manage sessions
LightweightJWT is a small, compact token
ScalableWorks well in microservices
SecureCan be signed and encrypted

Final Thoughts

JWT is a powerful way to secure your Spring Boot APIs.
With just one token, you can authorize users across multiple endpoints—without sessions or cookies.

It’s fast, clean, and ideal for modern REST APIs and mobile apps. 


Read More 

Comments

Post a Comment

Popular posts from this blog

What is WebDriver in Selenium? Explained with Java

What is WebDriver in Selenium? Explained with Java Selenium is one of the most popular tools for automating web applications . At the heart of Selenium lies something called WebDriver —but what is it, and how does it work? In this blog, we’ll explain: What Selenium WebDriver is Why it's important How it works And how to use it in Java , step by step ✅ What Is Selenium WebDriver? Selenium WebDriver is an open-source tool used to automate browser actions , just like a real user. With WebDriver, you can write code to: Open a browser Click buttons Fill out forms Check page content Navigate between pages Test if your web app works correctly It controls the browser directly , making it faster and more reliable than older Selenium versions (like Selenium RC). ๐ŸŒ Supported Browsers Selenium WebDriver can automate: Chrome Firefox Safari Edge Opera Headless browsers (no UI) ๐Ÿง  How WebDriver Works WebDriver works by using a b...
Read more

Tosca System Requirements and Installation Guide (Step-by-Step)

Tosca System Requirements and Installation Guide (Step-by-Step) Tricentis Tosca is a powerful test automation tool. Before installing it, you need to make sure your system meets certain requirements. This guide will walk you through: System Requirements Prerequisites Step-by-Step Installation Activation and First Launch ✅ 1. System Requirements for Tosca (as of 2025) ๐Ÿ–ฅ️ Operating System Windows 10 (64-bit) Windows 11 (64-bit) Windows Server 2016 / 2019 / 2022 ❗ Tosca does not support Mac OS or Linux natively. ๐Ÿ“ฆ Software Requirements .NET Framework 4.8 or later Microsoft Visual C++ Redistributables (2015–2022) Microsoft Office (for Excel integration, optional) Admin rights for installation ๐Ÿงช Browser Support (for testing web apps) Google Chrome (latest) Microsoft Edge (Chromium-based) Mozilla Firefox (limited support) Tosca also supports browser automation through TBox and XScan engines. ๐Ÿ› ️ 2. Prerequisites Before...
Read more

Why Choose Python for Full-Stack Web Development

Why Choose Python for Full-Stack Web Development? In today’s digital era, full-stack development is one of the most in-demand skills. Full-stack developers handle both the front-end and back-end of web applications, and choosing the right programming language plays a crucial role in efficiency, speed, and scalability. Python has emerged as a favorite among full-stack developers—and for good reason. Let’s dive into why Python is a top choice for full-stack web development. 1. Easy to Learn and Use Python’s syntax is simple and readable, making it easy for beginners to pick up and start building. It feels more like writing English than coding. This simplicity reduces development time and allows developers to focus more on solving problems than worrying about language complexities. Example: print ( "Hello, world!" ) This is all it takes to print a message in Python! 2. Strong Framework Support Python offers powerful web frameworks like: Django – A high-level frame...
Read more