9/12/25, 11:46 AM OneNote
SpringBoot Security - Part5 (JWT Authentication)
Tuesday, 1 April 2025 12:41 PM
JWT(Json Web Token) Authentication
• It’s a stateless authentication method.
○ Stateless authentication means the server does not maintain the user's authentication state (aka
Session); every request carries the token that proves who the user is.
• As mentioned in the previous video, JWT has 3 parts:
○ [Link]
• Header: Metadata about the token, including the signing algorithm used (HMAC, RSA etc.)
• Payload: Contains claims (user details like userId, role, expiry time)
• Signature: Ensures token integrity (prevents tampering).
Any change in the payload, like changing role from "user" to "admin", means the recalculated signature will
not match the original one, so the token is rejected.
Sample token (truncated):
eyJhbGciOiJSUzI1NiIsInR5cCI6Ik.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9l.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_a …
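To make the "any change in the payload breaks the signature" point concrete, here is an added example (not from the notes, and not a library the notes use) that signs and verifies an HS256 JWT with nothing but the JDK. The secret, header and payload are constructed sample values; the class name JwtSignatureDemo is mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT signer/verifier using only the JDK (added illustration, not a production library). */
public class JwtSignatureDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    /** signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload)) */
    static String hmac(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
    }

    /** Builds header.payload.signature exactly as the three-part token on the page. */
    static String sign(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String signingInput = b64(headerJson) + "." + b64(payloadJson);
        return signingInput + "." + hmac(signingInput, secret);
    }

    /** Recomputes the signature over the received header+payload and compares it in constant time. */
    static boolean verify(String token, byte[] secret) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        String expected = hmac(parts[0] + "." + parts[1], secret);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     parts[2].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; HS256 keys should be at least 256 bits (32 bytes) long.
        byte[] secret = "constructed-demo-secret-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"role\":\"user\"}";

        String token = sign(header, payload, secret);
        System.out.println("freshly signed token verifies: " + verify(token, secret));

        // Change only the payload (role user -> admin) and keep the original signature.
        String[] parts = token.split("\\.");
        String tamperedPayload = b64(payload.replace("\"role\":\"user\"", "\"role\":\"admin\""));
        String tampered = parts[0] + "." + tamperedPayload + "." + parts[2];
        System.out.println("tampered token verifies:       " + verify(tampered, secret));
    }
}
```

verify() returns true for the token it just signed and false for the copy whose role claim was edited, because the HMAC is computed over the encoded header and payload together; note the constant-time comparison via MessageDigest.isEqual, which avoids leaking how many signature bytes matched.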
Steps we will follow:
1. User Creation ("/api/user-register" API): We have to create the user (with username, password and role).
2. Token Generation ("/generate-token" API): The user passes their username and password. If the details match, we generate a JWT token and return it.
3. Token Validation: When the user tries to access any resource, they pass the JWT and we validate the token. If the JWT is valid, we authenticate the user and let them access the resource.
4. Refresh Token ("/refresh-token" API): We need to provide the functionality for the user to refresh their JWT token.
JWT Authentication implementation in Spring boot:
1st: User Creation (dynamically)
We have already seen its implementation in
2nd: Token Generation
• Spring Boot does not provide any default implementation for JWT authentication.
• Because different applications can have different requirements regarding:
• Payload (some need to put only the username, some need to put the Id etc.)
• Signing Algorithm (some want RSA, some want HMAC etc.)
• Token Refreshing Strategy (some might need it, some don't)
Now the onus is on the engineer to implement the JWT functionality; that’s why there is no
single solution for it. Different engineers implement it in different ways.
But we will try to stick to the Security Framework only to implement the JWT
functionality.
Quick recap of the Architecture (diagram; only the labels recoverable from the notes are kept):
1. The request enters the Security Filter Chain (Security Filter 1 … Security Filter N).
2. A SecurityFilter creates an "Authentication" object from the request.
3. It passes the "Authentication" request to the AuthenticationManager (<<Interface>>; default implementation: ProviderManager).
4. ProviderManager delegates to an AuthenticationProvider (<<Interface>>; DaoAuthenticationProvider handles username/password, Authentication Provider N handles other types).
DaoAuthenticationProvider uses the UserDetailsService (<<Interface>>; default implementations: InMemoryUserDetailsManager, which manages username/password in memory, and JdbcUserDetailsManager, which manages username/password in the DB) and the PasswordEncoder (the raw password is hashed during registration, and during validation the raw password is hashed first and then compared).
5. The provider returns the fully populated "Authentication" response.
6. The AuthenticationManager returns the fully populated "Authentication" response to the filter.
7. The filter stores the fully populated "Authentication" object in the SecurityContextHolder.
Notice one behavior in the above flow:
• The Security filter creates the "Authentication" object with data coming from the request, like
username/password or Session-ID or Token etc. But it does not know which Authentication
Provider can handle it.
• The Authentication Manager has a list of Authentication Providers. It calls the supports method of each
AuthenticationProvider, passing the "Authentication" object, and checks whether that provider can handle the
request.
[Link] (framework code)
[Link] (framework code)
Iterating over the list of Authentication Providers:
it calls the "supports" method and checks whether the given Authentication Provider
can handle the incoming Authentication request.
Only if yes does it call that provider's "authenticate" method.
We just need to enhance this functionality for the JWT implementation (diagram; only the labels recoverable from the notes are kept):
1. A Custom SecurityFilter is added to the Security Filter Chain.
2. The Custom SecurityFilter creates a "Custom Authentication" object.
3. It passes the "Authentication" request to the AuthenticationManager (ProviderManager).
4. ProviderManager's List<AuthenticationProvider> is updated to contain our Custom Authentication Provider alongside DaoAuthenticationProvider (which still uses UserDetailsService, with InMemoryUserDetailsManager / JdbcUserDetailsManager, and the PasswordEncoder as before); it delegates to the provider that supports the request.
5. The provider returns the fully populated "Authentication" response.
6. The AuthenticationManager returns the fully populated "Authentication" response to the filter.
7. The filter stores the fully populated "Authentication" object in the SecurityContextHolder.
It will iterate over the list of Authentication Providers
and call the supports method on each, to see which Provider it
needs to invoke.
1. Add our Custom Filter.
2. This Custom Filter creates an instance of our Custom Authentication object.
3. Create a new Custom Authentication Provider and also update the Authentication Manager's "AuthenticationProvider"
list by adding our Custom Authentication Provider to it.
4. Now, when the Authentication Manager gets the custom Authentication object, it checks all the providers to see which one can
handle it. Only our CustomAuthenticationProvider returns true from supports, so the Authentication Manager passes the
request to our provider.
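The four steps above, written out as an added example (my own code, not the notes' screenshots): a custom Authentication object, the custom filter that creates it from the Authorization header, and the custom AuthenticationProvider whose supports() makes ProviderManager pick it. It assumes Spring Boot 3 / Spring Security 6 with the jjwt 0.11.x library (io.jsonwebtoken), and the class names JwtAuthenticationToken, JwtAuthenticationFilter and JwtAuthenticationProvider as well as the "role" and "type" claim names are my own conventions. Registering the provider in the AuthenticationManager's list is shown separately in the configuration example further down.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.crypto.SecretKey;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Step 2: the custom Authentication object the filter creates from the Bearer token (my class name). */
class JwtAuthenticationToken extends AbstractAuthenticationToken {
    private final String token;      // credentials: the raw JWT, present only before validation
    private final String principal;  // username, filled in by the provider after validation

    JwtAuthenticationToken(String token) {                      // unauthenticated request object
        super(null);
        this.token = token;
        this.principal = null;
        setAuthenticated(false);
    }

    JwtAuthenticationToken(String username, List<SimpleGrantedAuthority> authorities) { // fully authenticated
        super(authorities);
        this.token = null;
        this.principal = username;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return principal; }
}

/** Step 1: custom filter; reads "Authorization: Bearer <jwt>" and hands the request to the AuthenticationManager. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;

    JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication result = authenticationManager.authenticate(
                        new JwtAuthenticationToken(header.substring("Bearer ".length())));
                SecurityContextHolder.getContext().setAuthentication(result);   // step 7: store in the context
            } catch (AuthenticationException ex) {
                SecurityContextHolder.clearContext();   // invalid token: stay unauthenticated, AuthorizationFilter rejects later
            }
        }
        chain.doFilter(request, response);
    }
}

/** Step 3: custom provider; supports() is what ProviderManager calls before authenticate(). */
class JwtAuthenticationProvider implements AuthenticationProvider {
    private final SecretKey key;

    JwtAuthenticationProvider(String secret) {              // secret must be at least 32 bytes for HS256
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String token = (String) authentication.getCredentials();
        try {
            Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody();                // verifies signature and expiry, throws otherwise
            if (!"access".equals(claims.get("type", String.class))) {   // my convention: refresh tokens are not access tokens
                throw new BadCredentialsException("Not an access token");
            }
            String role = claims.get("role", String.class);          // my convention: single "role" claim, e.g. "USER"
            return new JwtAuthenticationToken(claims.getSubject(), List.of(new SimpleGrantedAuthority("ROLE_" + role)));
        } catch (JwtException | IllegalArgumentException ex) {
            throw new BadCredentialsException("Invalid JWT", ex);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return JwtAuthenticationToken.class.isAssignableFrom(authentication);   // only our custom object, step 4
    }
}
```

Because supports() returns true only for JwtAuthenticationToken, DaoAuthenticationProvider keeps handling UsernamePasswordAuthenticationToken for "/generate-token" while this provider handles Bearer requests; the filter is constructed with `new` inside the security configuration rather than annotated as a @Component, so Spring Boot does not also register it as a plain servlet filter outside the security chain.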
Let's code the Token Generation
part.
• First, we need to add the JWT dependencies.
• In the Token Generation part, the user passes username/password in the request and we have to match it against the
stored username and password.
• This functionality is the same as what DaoAuthenticationProvider does, so we will reuse it.
• And if the username/password match, we have to generate the token.
[Link]
I am specifically using this Authentication object (UsernamePasswordAuthenticationToken), so that DaoAuthenticationProvider can handle it.
3rd: Token Validation
• Now, if the user tries to access any restricted resource, they need to pass the token in the Authorization header
like below:
When an invalid token is sent:
4th: Refresh Token
• Generally, access tokens are short-lived.
• Once the access token expires, the refresh token (generally long-lived) is used to obtain a
new access token without requiring the user to log in again.
In the response header, the new access token is set after the API call
succeeds.
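Token generation and refresh together, as an added example (my own code, not the notes' screenshots): "/generate-token" sends a UsernamePasswordAuthenticationToken through the AuthenticationManager so that DaoAuthenticationProvider checks the credentials, then issues a short-lived access token and a long-lived refresh token; "/refresh-token" validates the refresh token and returns a new access token in the response header. It assumes Spring Boot 3 with jjwt 0.11.x, a `jwt.secret` property of at least 32 bytes, a single role per user, and my own LoginRequest record, "Refresh-Token" request header name and "role"/"type" claim names.

```java
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Map;
import javax.crypto.SecretKey;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

record LoginRequest(String username, String password) {}   // my request body shape (assumption)

@RestController
public class TokenController {
    private static final long ACCESS_TTL_MS  = 15 * 60 * 1000L;            // short-lived access token
    private static final long REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000L;   // long-lived refresh token

    private final AuthenticationManager authenticationManager;
    private final SecretKey key;

    TokenController(AuthenticationManager authenticationManager, @Value("${jwt.secret}") String secret) {
        this.authenticationManager = authenticationManager;
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));   // hypothetical property
    }

    /** Token generation: the UsernamePasswordAuthenticationToken is what DaoAuthenticationProvider supports(). */
    @PostMapping("/generate-token")
    public ResponseEntity<Map<String, String>> generateToken(@RequestBody LoginRequest login) {
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(login.username(), login.password()));
        } catch (AuthenticationException ex) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();   // wrong username/password
        }
        // Single-role assumption: "ROLE_USER" -> "USER" is stored in the token's role claim.
        String role = auth.getAuthorities().iterator().next().getAuthority().replace("ROLE_", "");
        return ResponseEntity.ok(Map.of(
                "accessToken",  build(auth.getName(), role, "access",  ACCESS_TTL_MS),
                "refreshToken", build(auth.getName(), role, "refresh", REFRESH_TTL_MS)));
    }

    /** Refresh: validate the long-lived refresh token and return a new access token in the response header. */
    @PostMapping("/refresh-token")
    public ResponseEntity<Void> refreshToken(@RequestHeader("Refresh-Token") String refreshToken) {
        Claims claims;
        try {
            claims = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(refreshToken).getBody();
        } catch (JwtException | IllegalArgumentException ex) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();   // bad signature or expired refresh token
        }
        if (!"refresh".equals(claims.get("type", String.class))) {          // an access token must not be used to refresh
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        String newAccess = build(claims.getSubject(), claims.get("role", String.class), "access", ACCESS_TTL_MS);
        return ResponseEntity.ok().header(HttpHeaders.AUTHORIZATION, "Bearer " + newAccess).build();
    }

    /** Signs an HS256 token with subject, role, type and expiry claims. */
    private String build(String username, String role, String type, long ttlMs) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .claim("role", role)
                .claim("type", type)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMs))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }
}
```

The "type" claim is what keeps the two token kinds apart: the refresh endpoint refuses an access token, and a validating provider that checks for type "access" refuses a refresh token, so a leaked long-lived refresh token cannot be used directly as a bearer credential.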
Authorization:
• Works exactly the same as form and basic authentication.
• AuthorizationFilter gets invoked, which matches the ROLE required for the API against the role present
for the user.
As the "/api/users" API needs ROLE_USER but the user has ROLE_ADMIN, a mismatch
happens and the request is rejected.
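The configuration that ties the pieces together, as an added example (my own code, not the notes'): the AuthenticationManager is built as a ProviderManager whose provider list holds DaoAuthenticationProvider and the custom JWT provider side by side (step 3 above), the custom filter is added to the chain (step 1), sessions are disabled because JWT is stateless, and the "/api/users" rule requires ROLE_USER so that a ROLE_ADMIN-only token is rejected by AuthorizationFilter as described. It assumes Spring Boot 3 / Spring Security 6, a UserDetailsService and PasswordEncoder bean from the user-creation part, a `jwt.secret` property, and the JwtAuthenticationFilter and JwtAuthenticationProvider class names from my earlier example.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SecurityConfig {

    /** Step 3: ProviderManager's list gets DaoAuthenticationProvider (username/password) and our JWT provider. */
    @Bean
    AuthenticationManager authenticationManager(UserDetailsService userDetailsService,
                                                PasswordEncoder passwordEncoder,
                                                @Value("${jwt.secret}") String secret) {   // hypothetical property
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(userDetailsService);   // hashes the raw password and compares, as in the recap
        dao.setPasswordEncoder(passwordEncoder);
        List<AuthenticationProvider> providers = List.of(dao, new JwtAuthenticationProvider(secret));
        return new ProviderManager(providers);           // iterates providers, calling supports() on each
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationManager authenticationManager)
            throws Exception {
        return http
                .csrf(AbstractHttpConfigurer::disable)   // stateless token API: no session cookie to protect
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authenticationManager(authenticationManager)
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/api/user-register", "/generate-token", "/refresh-token").permitAll()
                        .requestMatchers("/api/users").hasRole("USER")   // ROLE_ADMIN alone is a mismatch here
                        .anyRequest().authenticated())
                // Step 1: our custom filter runs before the username/password form filter.
                .addFilterBefore(new JwtAuthenticationFilter(authenticationManager),
                                 UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}
```

With this chain a request to "/api/users" carrying a valid token whose role claim is "ADMIN" is authenticated by the JWT provider but then fails the hasRole("USER") check in AuthorizationFilter, which is the mismatch shown in the notes; a request with no or an invalid token never reaches the controller because anyRequest().authenticated() rejects it first.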