Spring Boot HandBook

    Authenticating requests using JWT Part 1

    Introduction:#

    JWT (JSON Web Token) is a popular method for securely transmitting information between parties as a JSON object. It is commonly used for authenticating and authorizing requests in web applications. Here's an overview of how JWT authentication works:

    How JWT Authentication Works:#

    1. User SignUp: the user registers an account with the server.
    2. User Login: the user sends their credentials and the server verifies them.
    3. Token Generation: on a successful login the server builds a JWT containing claims about the user (for example the username as the subject and an expiry time) and signs it.
    4. Token Structure: a JWT is three base64url-encoded parts separated by dots: a header (algorithm and type), a payload (the claims) and a signature computed over the first two parts.
    5. Client-Side Storage: the client keeps the token and sends it with every later request to a protected resource.
    6. Authenticated Requests: the token travels in the Authorization header as Authorization: Bearer <JWT>.
    7. Token Validation: the server checks the signature, the expiration time and any other claims it relies on before trusting the token.
    8. Token Expiration: every token carries an expiry; once it has passed, the server rejects the token and the client must authenticate again.
    9. Security Considerations: the signing key must stay secret on the server, tokens must be stored carefully on the client and sent only over HTTPS, because anyone holding a valid token can act as the user until it expires.

    Example Workflow#

    1. User SignUp:

      1. POST /signUp
         
    2. User Login:

      1. POST /login
      2. Response: JWT
         
    3. Access Protected Resource:

      1. GET /user/profile
      2. Header: Authorization: Bearer <JWT>
         
    4. Server Validates JWT:

      1. If valid, the server processes the request and returns the requested resource.
      2. If invalid, the server responds with a 401 Unauthorized error.
         

    Using JWT For Authentication:#

    [Diagram: Using JWT For Authentication]

    Login Workflow with JWT:#

    [Diagram: Login Workflow with JWT]

    Authentication Workflow with JWT:#

    [Diagram: Authentication Workflow with JWT]

    JWTAuthFilter Control Flow:#

    [Diagram: JWTAuthFilter Control Flow]

    Implementation in Code:#

    1. How to authenticate the requests that reach the server after the user has logged in
    2. How to intercept every request that carries a token
    3. How to check whether the provided token is valid
    4. If it is valid, how to place an Authentication object in the Spring Security context holder so that it is available to all the controllers

    Let's break down each step:

    • Authenticate Future Requests with JWT

    When a user logs in, they receive a JWT. The client includes this token in the Authorization header of every subsequent request, and the server must authenticate each request from the token alone; nothing about the earlier login is kept on the server.

    • Authenticate Requests that Contain a Token

    You need to intercept every request and check whether it carries a JWT. In Spring Security this is done with a filter that runs before the request reaches the controllers. A request without a token passes through unauthenticated and the authorization rules decide whether that is acceptable; a request with a token is authenticated from it.

    • Check if the Token is Valid

    The server validates the JWT by verifying its signature with the server's key, checking that the expiration time has not passed, and checking any other claims the application relies on. A token that fails any of these checks must be rejected with 401 Unauthorized rather than ignored, otherwise a tampered or expired token would silently be treated like a missing one.

    • Pass the Authentication Object to Spring Security Context Holder

    If the token is valid, you'll create an Authentication object (the username from the subject claim as principal, the roles from the token as granted authorities) and store it in the SecurityContextHolder, which makes the authenticated user available throughout the application (e.g., in controllers).

    Conclusion#

    This article explains how to authenticate requests using JWT in web applications, including user signup, login, token generation, and validation. It highlights the process of securely storing JWT on the client side and authenticating requests through Spring Security. Implementing these steps ensures secure access to protected resources.

    Last updated on Jan 14, 2025