Uncategories JWT Authentication in Java

JWT Authentication in Java

April 21, 2025

 

JWT Authentication in Java

Introduction to JWT Authentication

In the world of modern web applications, ensuring secure communication and user authentication is vital. One of the most widely used mechanisms for achieving secure authentication in web applications is JSON Web Token (JWT). JWT is a compact, URL-safe means of representing claims between two parties, typically a client and a server. This token format is used to securely transmit information, like user credentials, between parties.

In this post, we'll walk through the concept of JWT, how it works, and how you can implement JWT-based authentication in Java.

What is JWT?

JWT (JSON Web Token) is a token format used for securely transmitting information between parties. A JWT typically consists of three parts:

  1. Header: Contains metadata about the token, including the signing algorithm (e.g., HMAC SHA256 or RSA).

  2. Payload: Contains the claims, which are the pieces of information being transmitted. These can include user identity, expiration time, and roles.

  3. Signature: Used to verify the authenticity of the token. It’s generated using a secret key, and it ensures the data hasn't been tampered with.

A typical JWT looks like this:

<Header>.<Payload>.<Signature>

How Does JWT Authentication Work?

JWT authentication follows a simple process:

  1. User Login: The user provides their credentials (usually a username and password) to the server.

  2. JWT Creation: If the credentials are valid, the server generates a JWT with user-specific information (e.g., username, roles) in the payload. The token is signed with a secret key.

  3. Token Transmission: The server sends the JWT to the client, typically in the response header or body.

  4. Client Storage: The client stores the JWT (commonly in local storage or session storage in the browser).

  5. Authenticated Requests: For subsequent requests, the client sends the JWT back to the server in the Authorization header (using the Bearer scheme).

  6. Token Verification: The server verifies the token’s signature using the secret key to ensure the authenticity of the request and user identity.

JWT Authentication Flow in Java

Step 1: Add Dependencies

To get started with JWT authentication in Java, you'll need the following dependencies. In this case, we will use the jjwt library, which is a popular library for working with JWTs in Java.

Add the following to your pom.xml if you're using Maven:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.11.5</version>
</dependency>

If you’re using Gradle, add this to your build.gradle:

implementation 'io.jsonwebtoken:jjwt:0.11.5'

Step 2: Generate JWT Token

Next, let's look at how to create a JWT in Java. We will create a method that generates a JWT with a username and expiration date.

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

public class JWTUtil {
    private String secretKey = "mySecretKey";

    public String generateToken(String username) {
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + 600000))  // 10 minutes
                .signWith(SignatureAlgorithm.HS256, secretKey)
                .compact();
    }
}

Step 3: Validate JWT Token

To validate the JWT, we will need to parse it and check the signature to ensure its authenticity.

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.Claims;

public class JWTUtil {

    private String secretKey = "mySecretKey";

    public Claims validateToken(String token) {
        return Jwts.parser()
                .setSigningKey(secretKey)
                .parseClaimsJws(token)
                .getBody();
    }
}

Step 4: Create a Filter for JWT Authentication

In a typical web application, you would want to filter out requests that don't contain a valid JWT token. This can be done with a filter, such as the following:

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

public class JWTFilter implements Filter {
    private JWTUtil jwtUtil = new JWTUtil();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String token = ((HttpServletRequest) request).getHeader("Authorization");

        if (token != null && token.startsWith("Bearer ")) {
            try {
                String jwtToken = token.substring(7);
                Claims claims = jwtUtil.validateToken(jwtToken);
                // Set user details or roles in request
                request.setAttribute("user", claims.getSubject());
            } catch (Exception e) {
                response.getWriter().write("Invalid token.");
                return;
            }
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}

Step 5: Securing Your APIs

Once the JWT authentication mechanism is set up, you can secure your APIs by using the filter. For example, in a Spring Boot application, you would add the filter to your configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new JWTFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
            .antMatchers("/secure/**").authenticated()
            .anyRequest().permitAll();
    }
}

Step 6: Testing JWT Authentication

Now that you have set up JWT-based authentication in your application, you can test it by sending requests with the JWT token in the Authorization header:

Authorization: Bearer <JWT Token>

Benefits of Using JWT Authentication

  1. Stateless: JWTs are self-contained and do not require server-side sessions. This reduces the need for server storage.

  2. Compact: JWTs are small and can be easily transmitted in URLs, POST parameters, or headers.

  3. Scalable: Because they are stateless, JWTs are ideal for distributed and microservice architectures.

  4. Security: With proper signing and validation, JWTs ensure the integrity of the transmitted data.

Conclusion

JWT is a powerful tool for implementing authentication in Java applications. By using JWTs, developers can build secure, scalable, and stateless applications. The implementation in Java is straightforward, thanks to libraries like jjwt. With JWT authentication in place, you can ensure that only authenticated users can access certain resources in your application.

Next
« Prev Post
Previous
Next Post »
Subscribe to: Post Comments (Atom)