How to use JWT token in Java Spring Boot?

Jay 121 Published: 11/04/2024

How to use JWT token in Java Spring Boot?

I'm happy to help!

In a Java Spring Boot application, you can use the JSON Web Token (JWT) to authenticate and authorize requests. Here's a step-by-step guide on how to use JWT tokens:

Step 1: Choose a Library

You'll need a library to handle JWT generation, verification, and token parsing. Popular options include:

jwt-simple (SimpleJSON) jjwt (Java JSON Web Token)

For this example, we'll use jjwt.

Step 2: Configure Dependencies

In your pom.xml file (if you're using Maven) or build.gradle file (if you're using Gradle), add the required dependencies:


com.auth0

jjwt

0.9.1

dependencies {

implementation 'com.auth0:jjwt:0.9.1'

}

Step 3: Create a JWT Token

To generate a JWT token, you'll need to create a TokenService class:

@Service

public class TokenService {

private static final String SECRET_KEY = "your-secret-key";

private static final String ISSUER = "your-issuer";

public String generateToken(User user) {

// Create a claims object with the user's information

Claims claims = Jwts.claims().setSubject(user.getUsername())

.setExpiration(Date.from(Instant.now().plus(Duration.ofDays(7))));

// Sign the token with the secret key

String token = Jwts.builder().setClaims(claims).setIssuedAt(new Date()).setExpiration(new Date())

.signWith(SignatureAlgorithm.HS256, SECRET_KEY)

.compact();

return token;

}

}

In this example, we're creating a User object and extracting the username. We're then generating a JWT token with the user's information, expiration date (7 days), and signing it with the secret key using HMAC SHA-256.

Step 4: Verify the JWT Token

To verify the JWT token, create another service class:

@Service

public class TokenVerificationService {

public boolean verifyToken(String token) {

try {

Jws claim = Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token);

return true;

} catch (Exception e) {

return false;

}

}

}

This service attempts to parse and verify the JWT token using the same secret key. If the token is valid, it returns true; otherwise, it returns false.

Step 5: Integrate with Spring Security

To integrate your JWT token generation and verification with Spring Security, you'll need to create a custom Authentication Provider:

@Configuration

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired

private TokenService tokenService;

@Autowired

private TokenVerificationService tokenVerificationService;

@Override

protected void configure(HttpSecurity http) throws Exception {

// Custom authentication provider for JWT tokens

http.oauth2Login()

.and()

.oauth2AuthorizedGrantTypes("jwt")

.oauth2AuthenticationProvider(new JwtAuthenticationProvider(tokenService, tokenVerificationService));

}

}

In this example, we're creating a custom JwtAuthenticationProvider that uses our TokenService and TokenVerificationService to authenticate and authorize requests.

Step 6: Use JWT Tokens in Your Controllers

Finally, you can use the JWT tokens in your controllers to secure your endpoints:

@RestController

public class MyController {

@Autowired

private TokenVerificationService tokenVerificationService;

@GetMapping("/protected-endpoint")

public String protectedEndpoint(@RequestHeader("Authorization") String token) {

if (!tokenVerificationService.verifyToken(token)) {

return "Unauthorized";

}

// Authorized, proceed with your logic

}

}

In this example, we're using the @RequestHeader annotation to retrieve the JWT token from the Authorization header. We then verify the token using our custom TokenVerificationService. If the token is valid, we authorize the request and proceed with our logic.

That's it! You've successfully implemented JWT tokens in your Java Spring Boot application.

Remember to handle errors properly, log exceptions, and consider implementing rate limiting or IP blocking to prevent abuse.

jjwt vs java-jwt

I'll respond in English for now.

jjwt and Java-JWT are two popular libraries used for JSON Web Tokens (JWT) authentication and validation in Java. While they share similar goals, there are key differences between the two.

JJWT (Java JWT)

JJWT is a lightweight, open-source library specifically designed to work with Java 8 and later versions. It provides an easy-to-use API for generating, verifying, and decoding JWTs. JJWT supports various encryption algorithms, including HS256, RS256, ES256, and none (for no encryption).

One of the notable features of JJWT is its focus on performance and scalability. The library uses Java 8's Nashorn JavaScript engine to speed up JSON processing, making it suitable for high-traffic applications.

Java-JWT

Java-JWT is another popular library for working with JWTs in Java. It provides a more comprehensive set of features compared to JJWT, including support for multiple encryption algorithms (HS256, RS256, ES256), token validation, and caching.

One of the main advantages of Java-JWT is its flexibility. The library allows developers to customize many aspects of the JWT generation and verification process, such as setting custom claims, using different encryption algorithms, and configuring token expiration times.

Key differences

Performance: JJWT is designed with performance in mind and uses Nashorn JavaScript engine for JSON processing, making it faster than Java-JWT. Features: Java-JWT offers more advanced features like token validation, caching, and customization options compared to JJWT's simpler, lightweight approach. Support: Both libraries support multiple encryption algorithms, but Java-JWT has a wider range of supported algorithms.

Choosing the right library

When deciding between jjwt and Java-JWT, consider your specific requirements:

If you need a lightweight, high-performance library for simple JWT generation and verification, jjwt might be the better choice. If you require more advanced features like token validation, caching, or customization options, Java-JWT could be the more suitable option.

Ultimately, both libraries are well-maintained and can help you implement reliable JSON Web Token authentication in your Java applications.