April 28, 2020

#JWT: Part 3 - Spring Boot project with Spring Security and JWT Example

We will develop a Spring Boot project with Spring Security and JWT from scratch.

Objectives:
1. Create an API which authenticates the user's credentials and generates a JWT.
2. Add functionality which verifies that every request carries a valid JWT.

Create a Spring Starter Project with the following details:
1. Artifact: spring-security-jwt
2. Java Version: 8
3. Maven
4. Dependencies: spring-boot-starter-web, spring-security-test

Let's create a controller class named HelloResource. This class will have only one API, hello(), which just returns the Hello World message. This API will be put behind the authentication wall: only users who are authenticated will be authorized to access it.


After this we will create SecurityConfigurer and MyUserDetailsService.


Now start the Spring Boot application and open 'http://localhost:8080/hello/' in a browser. It will ask you for user credentials; enter the user name and password configured in MyUserDetailsService (which in our case is admin, admin). Once you have entered them, you will be able to access the /hello web service.

So far we have created a simple Spring Security project, working without JWT.

Now we will add a couple of dependencies to our pom.xml. io.jsonwebtoken is for creating and validating JWTs. If you are using Java 9, you need to add javax.xml.bind as well.

Now we will create a JWTUtil class, which will contain all the methods related to JWT.
After this we need to create an authentication endpoint, which accepts a user id and password and returns a JWT as the response.

The client will store this JWT and send it with every call to the other APIs. To check this we need to expose an API which extracts the JWT from the header and validates it.

Create POJOs for the request and response:

We will now add an endpoint '/authenticate' in HelloResource which returns the JWT; the method is named createAuthenticationToken().

The problem is that we cannot call /authenticate directly, because Spring Security puts an authentication wall around all the web services. We need to tell Spring Security that anyone who tries to access /authenticate is allowed to reach it directly. For this we need to override the configure() method in SecurityConfigurer which takes an HttpSecurity.

Now restart the application, open Postman and call the authenticate service.

URL: http://localhost:8080/authenticate
Input:
{
    "username": "admin",
    "password": "admin"
}

You will notice that a JWT is generated in the output.

The client needs to store this JWT and pass it with every subsequent request.

Now we need to modify our code to intercept every incoming request. From the request we will extract the JWT from the header, validate it and set the authentication in the security context. We can do this using a filter.

Let's create a new filter named JWTRequestFilter.

We need to add the filter in SecurityConfigurer.

Restart the application, go to Postman and generate the JWT by calling /authenticate. Now access http://localhost:8080/hello, passing the JWT in the header.

GIT URL: Spring Boot project with Spring Security and JWT Example

ALSO CHECK: Posts Related To Spring Security
-K Himaanshu Shuklaa..
