JWT based authentication with Spring Security + Spring Boot

Mahesh Kumar Gutam
4 min readApr 21, 2021

--

Spring Boot JWT Security Demo

About
This is a simple demo for showcasing the usage of JWT (JSON Web Token) (https://jwt.io/) using Spring Security (https://spring.io/projects/spring-security) with Spring Boot (https://spring.io/projects/spring-boot)

Requirements
This demo is built with Spring boot 2.4.4.

Build Instructions
Just start the application with the Spring Boot maven plugin

mvn spring-boot:run

The application will be running at [Localhost](http://localhost:8080/spring-boot-jwt-security).

You can use the H2-Console for exploring the database under [H2-Console](http://localhost:8080/spring-boot-jwt-security/h2-console):

H2 console

Backend Details
There are three user accounts present to demonstrate the different levels of access to the endpoints in
the API and the different authorization exceptions:

Admin — admin:admin
User — user:user
Operator — operator:operator

This demo consists of seven endpoint(s):

POST — /oauth/token — token generation api with unrestricted access(A valid username and password should be passed in the request body for attaining JWT token with specific Authority)

POST — /api/v1/user — User adding API with unrestricted access(A valid username, password and Role should be passed in the request body)

GET — api/v1/vehicle — returns all the vehicle information for an authenticated user (a valid JWT token must be present in the request header). Any user can with authority (‘ROLE_USER’, ‘ROLE_ADMIN’, ‘ROLE_OPERATOR’) can access this API

GET — api/v1/vehicle/{vehicleId} — returns specific vehicle information with id for an authenticated user (a valid JWT token must be present in the request header). Any user can with authority (‘ROLE_USER’, ‘ROLE_ADMIN’, ‘ROLE_OPERATOR’) can access this API

POST — /api/v1/vehicle — Saves the given vehicle information to the database for an authenticated user (a valid JWT token must be present in the request header). Only Users with ‘ROLE_USER’ and ‘ROLE_ADMIN’ authorities can perform this action.

PUT — /api/v1/vehicle — Updates the given vehicle information to the database for an authenticated user (a valid JWT token must be present in the request header). Only Users with ‘ROLE_USER’ and ‘ROLE_ADMIN’ authorities can perform this action.

DELETE — /api/v1/vehicle/{vehicleID} — deletes the specific vehicle information with id from the database for an authenticated user (a valid JWT token must be present in the request header). Only Users with ‘ROLE_ADMIN’ authority can perform this action.

Token generation:

https://github.com/MaheshIare/spring-boot-jwt-security/img/token-generation.PNG?raw=true

Invalid Token scenario:

https://github.com/MaheshIare/spring-boot-jwt-security/img/invalid-token.PNG?raw=true

Expired Token scenario:

https://github.com/MaheshIare/spring-boot-jwt-security/img/expired-token.PNG?raw=true

Valid Token scenario:

### Generating password hashes for new users

I’m using [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) to encode passwords. Your can generate your hashes with this simple
tool: [Bcrypt Generator](https://www.bcrypt-generator.com)

### Database configuration

Actually, this demo is using an embedded H2 database that is automatically configured by Spring Boot. If you want to connect to another database you have to specify the connection in the *application. properties* in the resource directory. Here is the sample configuration for the demo:

### H2 Data source config ###
spring.datasource.url=jdbc:h2:mem:default
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=sa
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.datasource.initialization-mode=always
spring.jpa.hibernate.ddl-auto=none
### Enabling the H2 console ###
spring.h2.console.enabled=true

### Swagger Integration
I have integrated the application with Springfox Swagger UI [3.0.0](http://springfox.github.io/springfox/docs/current/). Once the
application is up and running we can simply go to this link [Swagger-UI](http://localhost:8080/spring-boot-jwt-security/swagger-ui/) and perform the above-mentioned operations.

Swagger UI:

https://github.com/MaheshIare/spring-boot-jwt-security/img/swagger-ui.PNG?raw=true

## Codebase: [spring-boot-jwt-security]

## Questions
If you have project-related questions please create a ticket with your question here [Create Issue](https://github.com/MaheshIare/spring-boot-jwt-security/issues)

## Author

**Mahesh Kumar Gutam**

* [Github](https://github.com/MaheshIare)

## Feedback
Please feel free to send me some feedback or questions!

--

--

Mahesh Kumar Gutam
Mahesh Kumar Gutam

Written by Mahesh Kumar Gutam

Software Engineer with more than 8 years of Experience into Java/J2EE Technologies.

No responses yet