introduction
With the increasing popularity of microservice architectures and distributed systems, traditional session-based authentication methods face many challenges. As a token-based authentication mechanism, JSON Web Token (JWT) has become the preferred solution for modern application authentication due to its stateless, self-contained and easy to pass across services. Spring Security, as the most popular security framework in the Java ecosystem, provides comprehensive support for JWT. This article will explore in-depth how to implement JWT-based stateless authentication in Spring Security, including core links such as token generation, verification, and renewal, to help developers build a safe and efficient identity authentication system. By adopting JWT authentication, the system can better support horizontal scaling, reduce server storage burden, and simplify the complexity of cross-service authentication.
1. Basic principles and structure of JWT
JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way to safely transmit information between parties. Each JWT consists of three parts: the header, the payload and the signature. The header describes the token type and the algorithm used. The payload contains the data to be passed (such as user ID, role, etc.), and the signature ensures the integrity and authenticity of the token. The design philosophy of JWT is that the server does not store the token status, but rather determines the validity of the token by verifying the signature and checking the built-in expiration time. This method is particularly suitable for distributed systems and microservice architectures.
// JWT structure examplepublic class JwtStructure {
// Header example (Base64URL encoding will be performed when actually used) String header = "{\n" +
" \"alg\": \"HS256\",\n" + // Signature Algorithm " \"typ\": \"JWT\"\n" + // Token type "}";
// Load example (Base64URL encoding will be performed when actually used) String payload = "{\n" +
" \"sub\": \"1234567890\",\n" + // Topic (usually user ID) " \"name\": \"John Doe\",\n" + // username " \"admin\": true,\n" + // Custom statement " \"iat\": 1516239022,\n" + // Token issuance time " \"exp\": 1516242622\n" + // Token expiration time "}";
// Pseudo-code of the signature process String signatureAlgorithm = "HMACSHA256";
String signature = HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
);
// The final JWT form: String jwt = base64UrlEncode(header) + "." +
base64UrlEncode(payload) + "." +
signature;
}
2. Spring Security JWT dependency configuration
To implement JWT authentication, we need to introduce relevant dependencies first. Mainly includes Spring Security core library and libraries that handle JWT, such asjjwtorjava-jwt. In addition, you also need to add JSON processing library and Spring Boot-related dependencies. In Spring Boot projects, these dependencies can be easily managed through Maven or Gradle. After configuring the dependencies, you can further set the JWT parameters, such as keys, token validity periods, etc., which are usually defined in the application configuration file.
// Maven dependency configuration (fragment)public class Dependencies {
String mavenDependencies =
"<!-- Spring Boot Security Dependency -->\n" +
"<dependency>\n" +
" <groupId></groupId>\n" +
" <artifactId>spring-boot-starter-security</artifactId>\n" +
"</dependency>\n" +
"\n" +
"<!-- Spring Boot Web Dependency -->\n" +
"<dependency>\n" +
" <groupId></groupId>\n" +
" <artifactId>spring-boot-starter-web</artifactId>\n" +
"</dependency>\n" +
"\n" +
"<!-- JWT Dependency - JJWT -->\n" +
"<dependency>\n" +
" <groupId></groupId>\n" +
" <artifactId>jjwt-api</artifactId>\n" +
" <version>0.11.5</version>\n" +
"</dependency>\n" +
"<dependency>\n" +
" <groupId></groupId>\n" +
" <artifactId>jjwt-impl</artifactId>\n" +
" <version>0.11.5</version>\n" +
" <scope>runtime</scope>\n" +
"</dependency>\n" +
"<dependency>\n" +
" <groupId></groupId>\n" +
" <artifactId>jjwt-jackson</artifactId>\n" +
" <version>0.11.5</version>\n" +
" <scope>runtime</scope>\n" +
"</dependency>";
// Application configuration file (fragment) String applicationConfig =
"jwt:\n" +
" secret: mySecretKey123456789012345678901234567890\n" +
" expiration: 86400000 #24 hours, unit milliseconds\n" + " header: Authorization\n" +
" prefix: Bearer ";
}
3. JWT token generation and processing
The generation of JWT tokens is the core link of the authentication process. After the user has successfully passed the authentication, the system needs to create a JWT containing the user's identity and permission information and send it to the client. The token processing service is responsible for the creation, signature and verification of JWT. By reasonably encapsulating JWT operations, the security and consistency of the token can be ensured. In actual projects, JWT-related operations are usually encapsulated in a special service class, which is responsible for the generation, parsing and verification of tokens.
@Service
public class JwtTokenProvider {
@Value("${}")
private String jwtSecret;
@Value("${}")
private long jwtExpiration;
@Autowired
private UserDetailsService userDetailsService;
// Generate tokens public String generateToken(Authentication authentication) {
UserDetails userDetails = (UserDetails) ();
Date now = new Date();
Date expiryDate = new Date(() + jwtExpiration);
return ()
.setSubject(())
.setIssuedAt(now)
.setExpiration(expiryDate)
// Add user role information .claim("roles", ().stream()
.map(GrantedAuthority::getAuthority)
.collect(()))
// Additional custom statements can be added .claim("additional", "custom value")
// Sign JWT using HS512 algorithm and key .signWith((()), SignatureAlgorithm.HS512)
.compact();
}
// Get username from token public String getUsernameFromToken(String token) {
Claims claims = ()
.setSigningKey((()))
.build()
.parseClaimsJws(token)
.getBody();
return ();
}
// Get all declarations in the token public Claims getAllClaimsFromToken(String token) {
return ()
.setSigningKey((()))
.build()
.parseClaimsJws(token)
.getBody();
}
// Verify token public boolean validateToken(String token) {
try {
()
.setSigningKey((()))
.build()
.parseClaimsJws(token);
return true;
} catch (MalformedJwtException | ExpiredJwtException | UnsupportedJwtException | IllegalArgumentException e) {
//Catch various JWT exceptions and record logs return false;
}
}
// parse authentication information from token public Authentication getAuthentication(String token) {
String username = getUsernameFromToken(token);
UserDetails userDetails = (username);
return new UsernamePasswordAuthenticationToken(userDetails, "", ());
}
}
4. Spring Security configuration and filter implementation
Integrating JWT certification in Spring Security requires custom security configurations and filters. First, you need to create a JWT authentication filter, intercept the request and verify the validity of the JWT. Secondly, configure security rules to define which URLs need authentication and which can be accessed anonymously. Finally, disable session management because JWT is stateless and does not require maintenance of sessions on the server side. Through these configurations, JWT authentication mechanisms can be seamlessly integrated into the Spring Security framework.
// JWT certification filter@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private JwtTokenProvider tokenProvider;
@Value("${}")
private String tokenHeader;
@Value("${}")
private String tokenPrefix;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
try {
// Extract JWT from request String jwt = getJwtFromRequest(request);
// Verify that JWT exists and is valid if ((jwt) && (jwt)) {
// Get user authentication information from JWT Authentication authentication = (jwt);
// Set authentication information to Spring Security context ().setAuthentication(authentication);
}
} catch (Exception ex) {
// Record exceptions when parsing JWT, but do not interrupt the filter chain ("Could not set user authentication in security context", ex);
}
// Continue to execute the filter chain (request, response);
}
// Extract JWT from request header private String getJwtFromRequest(HttpServletRequest request) {
String bearerToken = (tokenHeader);
if ((bearerToken) && (tokenPrefix)) {
return (());
}
return null;
}
}
// Spring Security Configuration@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
@Autowired
private JwtAuthenticationFilter jwtAuthenticationFilter;
@Autowired
private UserDetailsService userDetailsService;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// Disable CSRF protection because JWT is stateless .csrf().disable()
//Configure exception handling .exceptionHandling()
.authenticationEntryPoint((request, response, authException) -> {
(MediaType.APPLICATION_JSON_VALUE);
(HttpServletResponse.SC_UNAUTHORIZED);
().write("{\"error\":\"Unauthorized\",\"message\":\"" +
() + "\"}");
})
.and()
// Disable session management, use JWT without session .sessionManagement()
.sessionCreationPolicy()
.and()
// Configure request authorization .authorizeRequests()
// Allow everyone to access the login and registration interface .antMatchers("/api/auth/**").permitAll()
// Allow everyone to access static resources .antMatchers("/static/**").permitAll()
// All other requests require authentication .anyRequest().authenticated();
// Add JWT filter (jwtAuthenticationFilter, );
return ();
}
@Bean
public AuthenticationManager authenticationManager(
AuthenticationConfiguration authConfig) throws Exception {
return ();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
5. Authentication controller and login process implementation
In order to implement the complete JWT authentication process, it is necessary to create an authentication controller to handle the login request. The controller receives user credentials, verifies the identity and generates a JWT token and returns it to the client. In addition, it can also realize functions such as refresh tokens and logout. In front-end and back-end separate architectures, the controller usually returns a response in JSON format, containing tokens and basic user information.
@RestController
@RequestMapping("/api/auth")
public class AuthController {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private JwtTokenProvider tokenProvider;
@PostMapping("/login")
public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
try {
// Verify user credentials Authentication authentication = (
new UsernamePasswordAuthenticationToken(
(),
()
)
);
// Set authentication information to security context ().setAuthentication(authentication);
// Generate JWT token String jwt = (authentication);
// Get user details UserDetails userDetails = (UserDetails) ();
List<String> roles = ().stream()
.map(GrantedAuthority::getAuthority)
.collect(());
// Build and return the response JwtAuthResponse response = new JwtAuthResponse();
(jwt);
(());
(roles);
return (response);
} catch (BadCredentialsException e) {
return ()
.body(new ErrorResponse("Invalid username or password"));
}
}
// Endpoint used to refresh the token @PostMapping("/refresh")
public ResponseEntity<?> refreshToken(@RequestBody TokenRefreshRequest request) {
// Verify the refresh token (a special refresh token should be used in the actual project) String requestRefreshToken = ();
try {
// Verify the validity of the refresh token (simplified example) if (!(requestRefreshToken)) {
return ()
.body(new ErrorResponse("Invalid refresh token"));
}
// Get user information from refresh token String username = (requestRefreshToken);
// Create a new authentication object UserDetails userDetails = (username);
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
userDetails, null, ());
// Generate a new access token String newAccessToken = (authentication);
return (new JwtAuthResponse(newAccessToken, username, null));
} catch (Exception e) {
return (HttpStatus.INTERNAL_SERVER_ERROR)
.body(new ErrorResponse("Could not refresh token"));
}
}
}
// Login request DTOclass LoginRequest {
private String username;
private String password;
// getters and setters
}
// JWT authentication response DTOclass JwtAuthResponse {
private String token;
private String type = "Bearer";
private String username;
private List<String> roles;
// constructors, getters and setters
}
Summarize
Stateless authentication based on JWT provides an efficient and flexible security mechanism for modern applications. Through the combination of Spring Security and JWT, a certification system that is both compliant with standards and is easy to maintain can be implemented. The stateless nature of JWT makes it particularly suitable for microservices and distributed environments, without storing session state on the server side, greatly reducing the burden on the server, and supporting horizontal system expansion. During the implementation process, the key links include the generation and verification of JWT tokens, the configuration of security filters, the design of authentication processes, etc. Through the implementation method introduced in this article, developers can build a safe and reliable JWT authentication system to meet the authentication needs of modern applications. It should be noted that although JWT provides many advantages, there are some limitations, such as difficulty in token revocation, token size limitation, etc. In actual projects, appropriate certification mechanisms should be selected according to specific needs, and security best practices should be followed to ensure the safety and reliability of the system. With the continuous evolution of application architecture, token-based stateless authentication will continue to play an important role and become the basis for building a secure distributed system.
This is the end of this article about SpringSecurity JWT token-based stateless authentication implementation. For more relevant SpringSecurity JWT token stateless authentication content, please search for my previous articles or continue browsing the related articles below. I hope everyone will support me in the future!