Spring Boot is a framework that helps you easily develop Java-based web applications. With the recent surge in demand for web applications, understanding security and authentication has become crucial. In this course, we will learn how to implement login and logout functionality using JSON Web Token (JWT) and how to validate JWT tokens through filters. Throughout this course, you will learn how to harness various features of Spring Boot to build a more secure and efficient backend application.<\/p>\n
JSON Web Token (JWT) is a JSON-based object used to securely transmit information between two entities. JWT has established itself as a standard not only for user authentication but also for claim-based information transmission. JWT consists of three components:<\/p>\n
To start a Spring Boot project, you need to begin with basic settings. You can use Spring Initializr for these settings. The choices to be made when creating the project are as follows:<\/p>\n
Once the project is created, you can open it in your IDE and add the necessary dependencies.<\/p>\n
First, we need to define the User entity. A simple User entity is a class that stores user information. This will allow us to interact with the database.<\/p>\n
package com.example.demo.entity;\n\nimport javax.persistence.Entity;\nimport javax.persistence.GeneratedValue;\nimport javax.persistence.GenerationType;\nimport javax.persistence.Id;\n\n@Entity\npublic class User {\n @Id\n @GeneratedValue(strategy = GenerationType.IDENTITY)\n private Long id;\n private String username;\n private String password;\n \n \/\/ Getters and Setters\n}\n<\/code><\/pre>\nRepositories are needed to perform CRUD operations between entities and the database.<\/p>\n
package com.example.demo.repository;\n\nimport com.example.demo.entity.User;\nimport org.springframework.data.jpa.repository.JpaRepository;\n\npublic interface UserRepository extends JpaRepository<User, Long> {\n User findByUsername(String username);\n}\n<\/code><\/pre>\n5. Creating Service Class<\/h2>\n
A service class is needed to handle business logic. This class implements functionalities such as user registration and login.<\/p>\n
package com.example.demo.service;\n\nimport com.example.demo.entity.User;\nimport com.example.demo.repository.UserRepository;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.stereotype.Service;\n\n@Service\npublic class UserService {\n @Autowired\n private UserRepository userRepository;\n\n @Autowired\n private BCryptPasswordEncoder passwordEncoder;\n \n public User register(User user) {\n user.setPassword(passwordEncoder.encode(user.getPassword()));\n return userRepository.save(user);\n }\n \n public User findUserByUsername(String username) {\n return userRepository.findByUsername(username);\n }\n}\n<\/code><\/pre>\n6. Security Configuration and JWT Creation<\/h2>\n
You can enhance the application’s security using Spring Security. To do this, you need to create a SecurityConfig class and add a class to generate JWT tokens.<\/p>\n
package com.example.demo.config;\n\nimport com.example.demo.security.JwtAuthenticationFilter;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.authentication.AuthenticationManager;\nimport org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\nimport org.springframework.security.config.annotation.web.configuration.EnableGlobalMethodSecurity;\nimport org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nimport org.springframework.security.crypto.password.PasswordEncoder;\nimport org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;\n\n@Configuration\n@EnableWebSecurity\n@EnableGlobalMethodSecurity(prePostEnabled = true)\npublic class SecurityConfig extends WebSecurityConfigurerAdapter {\n \n @Autowired\n private JwtAuthenticationFilter jwtAuthenticationFilter;\n\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http.csrf().disable()\n .authorizeRequests()\n .antMatchers(\"\/api\/auth\/**\").permitAll()\n .anyRequest().authenticated()\n .and()\n .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);\n }\n\n @Bean\n public PasswordEncoder passwordEncoder() {\n return new BCryptPasswordEncoder();\n }\n}\n<\/code><\/pre>\n7. Implementing JWT Creation and Verification<\/h2>\n
Upon logging in, a JWT is generated based on the user’s information and sent to the client. To accomplish this, we create a JWT utility class to handle token generation and verification tasks.<\/p>\n
package com.example.demo.security;\n\nimport io.jsonwebtoken.Claims;\nimport io.jsonwebtoken.Jwts;\nimport io.jsonwebtoken.SignatureAlgorithm;\nimport org.springframework.stereotype.Component;\n\nimport java.util.Date;\nimport java.util.HashMap;\nimport java.util.Map;\n\n@Component\npublic class JwtUtil {\n \n private final String SECRET_KEY = \"secret_key\";\n private final long EXPIRATION_TIME = 86400000; \/\/ 1 day\n\n public String generateToken(String username) {\n Map<String, Object> claims = new HashMap<>();\n return createToken(claims, username);\n }\n\n private String createToken(Map<String, Object> claims, String subject) {\n return Jwts.builder()\n .setClaims(claims)\n .setSubject(subject)\n .setIssuedAt(new Date(System.currentTimeMillis()))\n .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))\n .signWith(SignatureAlgorithm.HS256, SECRET_KEY)\n .compact();\n }\n\n public boolean validateToken(String token, String username) {\n final String extractedUsername = extractUsername(token);\n return (extractedUsername.equals(username) && !isTokenExpired(token));\n }\n\n private boolean isTokenExpired(String token) {\n return extractExpiration(token).before(new Date());\n }\n\n private Date extractExpiration(String token) {\n return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getExpiration();\n }\n\n public String extractUsername(String token) {\n return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getSubject();\n }\n}\n<\/code><\/pre>\n8. Implementing Login and Logout Functionality<\/h2>\n
Now, when a user logs in, they receive a JWT, and during logout, the client deletes the token. Below is an example of the login API.<\/p>\n
package com.example.demo.controller;\n\nimport com.example.demo.entity.User;\nimport com.example.demo.security.JwtUtil;\nimport com.example.demo.service.UserService;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.http.ResponseEntity;\nimport org.springframework.web.bind.annotation.*;\n\n@RestController\n@RequestMapping(\"\/api\/auth\")\npublic class AuthController {\n\n @Autowired\n private UserService userService;\n\n @Autowired\n private JwtUtil jwtUtil;\n\n @PostMapping(\"\/login\")\n public ResponseEntity<String> login(@RequestBody User user) {\n User foundUser = userService.findUserByUsername(user.getUsername());\n if (foundUser != null && passwordEncoder.matches(user.getPassword(), foundUser.getPassword())) {\n return ResponseEntity.ok(jwtUtil.generateToken(foundUser.getUsername()));\n }\n return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(\"Invalid credentials\");\n }\n\n @PostMapping(\"\/logout\")\n public ResponseEntity<String> logout() {\n \/\/ The logout functionality is to be implemented on the client-side.\n return ResponseEntity.ok(\"Successfully logged out.\");\n }\n}\n<\/code><\/pre>\n9. Implementing JWT Filter<\/h2>\n
It is necessary to implement a JWT filter to validate JWT on all requests and handle authentication. To do this, we create the JwtAuthenticationFilter class.<\/p>\n
package com.example.demo.security;\n\nimport io.jsonwebtoken.ExpiredJwtException;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.security.authentication.UsernamePasswordAuthenticationToken;\nimport org.springframework.security.core.Authentication;\nimport org.springframework.security.core.context.SecurityContextHolder;\nimport org.springframework.web.filter.OncePerRequestFilter;\n\nimport javax.servlet.FilterChain;\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\n\npublic class JwtAuthenticationFilter extends OncePerRequestFilter {\n\n @Autowired\n private JwtUtil jwtUtil;\n\n @Autowired\n private UserDetailsService userDetailsService;\n\n @Override\n protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)\n throws ServletException, IOException {\n\n String authorizationHeader = request.getHeader(\"Authorization\");\n\n String username = null;\n String jwt = null;\n\n if (authorizationHeader != null && authorizationHeader.startsWith(\"Bearer \")) {\n jwt = authorizationHeader.substring(7);\n try {\n username = jwtUtil.extractUsername(jwt);\n } catch (ExpiredJwtException e) {\n System.out.println(\"JWT is expired\");\n }\n\n if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {\n UserDetails userDetails = userDetailsService.loadUserByUsername(username);\n if (jwtUtil.validateToken(jwt, userDetails.getUsername())) {\n UsernamePasswordAuthenticationToken authenticationToken = \n new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());\n SecurityContextHolder.getContext().setAuthentication(authenticationToken);\n }\n }\n }\n filterChain.doFilter(request, response);\n }\n}\n<\/code><\/pre>\n10. Conclusion<\/h2>\n
In this lecture, we learned how to implement login and logout functionality using JWT with Spring Boot. We also explored how to generate and verify JWT tokens and how to enhance application security using Spring Security. Through this course, you will have a foundation for handling authentication and authorization in backend applications more securely. Additionally, you will be able to leverage various features of Spring Boot to develop efficient and secure web applications.<\/p>\n
11. References<\/h2>\n