JWT to Secure REST API with Spring Boot

jwt flow
JWT Working Flow

 To Secure your Rest services and the way to handle users Authentication/Authorization, First Approach is sending basic HTTP auth headers (username/password) for every request, but that would require to keep those credentials in memory and the service would have to check those credentials .So this’s not the best way.
This is why REST services typically use a token system. A standard token system returns a 'token' (just a long unique string of random characters, for example a GUID) on successful login. The client in turn then sends this token in every request’s Authorization header. The service, on every request, 'rehydrates' its context by looking up the context on the server side. This context can be stored in a DB, retrieved from a Redis cache or simply stored in memory in a hash table. The downside of this approach is that for every REST method you will need to do this lookup in the database or cache.
And then comes JSON Web Tokens, or JWT in short. JSON Web Tokens are tokens that are not only unique to a user but also contain whatever information you need for that user, the so called claims. The most basic claim is the 'subject' (basically a unique user ID) but the tokens can be extended to include any information you want. Examples would be api access rights or user roles; you can simply add a 'roles' array with the 'user' and 'admin' rights to the claims when a user logs in. These claims can then be retrieved from the JWT whenever the client sends the JWT to the server.
Obviously this token is not just plain text; that would make it trivial for a client to add an 'admin' claim to it’s set. JWT’s are either encrypted with a secure key (only known to the server) or signed. The most common approach when you use JWTs is by signing them. This 'signed' bit of the JWT is called the JWS, JSON Web Signature. You use this approach when there is only information in the token that you want the client to be able to read. The base-64 encoded content is signed but not encrypted.
Another approach is by using JWE, JSON Web Encryption. With JSON Web Encryption you use an industry standard encryption method to encrypt the contents of your token. Only the server can create and decrypt the token so this means the client can’t read or alter the contents since it doesn’t know the secret.
When a user logs in with a correct password, he receives a token that looks like:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzaGFua2FyLnVtYTM1QGdtYWlsLmNvbSIsInJvbGVzIjoidXNlciIsImlhdCI6MTUwOTEwMTUxNX0.dKL8ZTOyrbFDM0uqpbgR2-fTRcL-2bIgrd4CsmyumYI
This 'token' is then used on subsequent API calls from the client to the server. The standard approach here is to send an Authorization header with a "Bearer" token. The header would thus be: 

authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzaGFua2FyLnVtYTM1QGdtYWlsLmNvbSIsInJvbGVzIjoidXNlciIsImlhdCI6MTUwOTEwMTUxNX0.dKL8ZTOyrbFDM0uqpbgR2-fTRcL-2bIgrd4CsmyumYI


Folder Structure:


UserController.java




SecureController.java



JwtFilter.java




Find the complete Project on github JWT using Spring.


Comments

Post a Comment

Popular posts from this blog

JIT Compiler

Image
The Just-In-Time (JIT) compiler is a component of the Java Runtime Environment that improves the performance of Java applications at run time. Java programs consists of classes, which contain platform neutral bytecode that can be interpreted by a JVM on many different computer architectures. At run time, the JVM loads the class files, determines the semantics of each individual bytecode, and performs the appropriate computation. The additional processor and memory usage during interpretation means that a Java application performs more slowly than a native application. The JIT compiler helps improve the performance of Java programs by compiling bytecode into native machine code at run time.  Nothing in the JVM affects performance more than the compiler, and choosing a compiler is one of the first decisions made when running a Java application whether you are a Java developer or an end-user. The JIT compiler is enabled by default, and is activated when a Java method is c
Read more

Authentication using One Time Password (OTP)

Image
The point of two-factor authentication is to prevent attackers from getting access to your account. Two-factor authentication requires that two tokens be provided for proof of ownership of the account. The first token is something that we're all familiar with- a username and a password. The second token is a bit more elusive, however. It should be something you have, and only you. No one else should be able to come into possession with the same token. The same should be true for usernames and passwords, but we've seen how easily broken a single-factor authentication system is.  The traditional way of just memorizing the password to validate one’s identity is not enough and web sites and applications are now expecting one to possess email Id or a smartphone to communicate with another short-lived randomized password, One Time Password (OTP) , as one more factor to the authentication. The first approach in the implementation of the two factor authenticati
Read more