Spring Boot is a powerful framework for modern web application development. In this course, we will explain step by step how to implement user authentication using JWT (Json Web Token) and how to achieve login and logout functionality. This process will also cover how to add token services to enhance security and user management features.
1. What is JWT?
JWT is an open standard based on JSON that provides a way to securely transmit information. A JWT consists of three parts: Header, Payload, Signature.
1.1 Header
The Header specifies the type of the JWT and the hashing algorithm. For example:
{
"alg": "HS256",
"typ": "JWT"
}
1.2 Payload
The Payload contains the user’s information, user ID, expiration time, etc. This part is structured in an easily readable JSON format.
1.3 Signature
The Signature is the value signed with a secret key by combining the encoded Header and Payload. This value guarantees the integrity of the token and is used by the server to validate the token.
2. Project Setup
In this tutorial, we will create a project using Spring Boot and Maven. You can set up the project using IDEs such as IntelliJ IDEA or Eclipse.
2.1 Creating a Maven Project
After creating a Maven project in Eclipse or IntelliJ IDEA, add the following dependencies to the pom.xml file.
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjsonwebtoken</artifactId>
<version>0.9.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
2.2 Spring Security Configuration
Set up basic security configurations using Spring Security. Create a SecurityConfig class and add user authentication and authorization settings.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated();
}
}
3. JWT Creation and Validation
Now we will look at how to create and validate JWTs. Create a JWTUtil class and implement the necessary methods.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@Component
public class JWTUtil {
private String secretKey = "secret";
public String generateToken(String username) {
Map<String, Object> claims = new HashMap<>();
return createToken(claims, username);
}
private String createToken(Map<String, Object> claims, String subject) {
return Jwts.builder()
.setClaims(claims)
.setSubject(subject)
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 hours
.signWith(SignatureAlgorithm.HS256, secretKey)
.compact();
}
public Boolean validateToken(String token, String username) {
final String extractedUsername = extractUsername(token);
return (extractedUsername.equals(username) && !isTokenExpired(token));
}
private String extractUsername(String token) {
return extractAllClaims(token).getSubject();
}
private Claims extractAllClaims(String token) {
return Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token).getBody();
}
private Boolean isTokenExpired(String token) {
return extractAllClaims(token).getExpiration().before(new Date());
}
}
4. Implementing User Authentication and Login API
Now it’s time to implement the user authentication and login API. Create an AuthController class and add the necessary methods.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/auth")
public class AuthController {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private JWTUtil jwtUtil;
@PostMapping("/login")
public ResponseEntity<String> login(@RequestBody AuthRequest authRequest) {
authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(authRequest.getUsername(), authRequest.getPassword())
);
final String token = jwtUtil.generateToken(authRequest.getUsername());
return ResponseEntity.ok(token);
}
}
class AuthRequest {
private String username;
private String password;
// getters and setters
}
5. Implementing Logout API
The logout API is implemented by deleting the JWT token on the client side. A separate logout API is not required, but an example can be added for this part.
6. Adding Token Service
By adding a token service, manage user information and implement functionality to manage user sessions as needed. Create a TokenService class to implement this functionality.
import org.springframework.stereotype.Service;
@Service
public class TokenService {
@Autowired
private JWTUtil jwtUtil;
public String refreshToken(String token) {
if (jwtUtil.isTokenExpired(token)) {
String username = jwtUtil.extractUsername(token);
return jwtUtil.generateToken(username);
}
return token;
}
}
7. Other Considerations and Conclusion
In this course, we explored how to implement login and logout functionality using JWT and add a token service for user authentication. In real applications, additional security measures such as enhancing JWT validation, user permission management, and token storage implementation are required.
8. Conclusion
Implementing a JWT-based authentication system using Spring Boot has become an essential element in enhancing the security of modern web applications. Through this course, you should understand the basic concepts of JWT and the fundamentals of implementing an authentication system using it. Furthermore, try to gain experience in implementing and optimizing various features required for actual projects.
I hope this course helps you with your Spring Boot backend development!