Implementing JWT Token for secure authentication

Implementing JWT (JSON Web Token) in Java typically involves creating a secure authentication mechanism for your web applications. Below is a basic guide to implement JWT using Java, Spring MVC, and jjwt (a popular Java JWT library).

The lifecycle of a JSON Web Token (JWT) typically involves several stages, from creation to expiration and validation. JWTs are widely used for securely transmitting information between parties in the form of a signed and optionally encrypted token. Here’s an overview of the typical lifecycle: Token Creation
Authentication: When a user logs in, they typically provide credentials (e.g., username and password).
Server Validation: The server validates these credentials (e.g., checks the database for the user’s password).
JWT Creation: If the credentials are correct, the server generates a JWT. The token contains:
Header: Describes the signing algorithm (e.g., HS256, RS256) and token type (JWT).
Payload: Contains the claims. Claims are pieces of information (e.g., user ID, expiration time) that are encoded in the token.
Signature: The header and payload are signed with a secret key (HMAC) or a private key (RSA or ECDSA) to ensure integrity.

 
Download Jar file: jjwt-api-0.10.5.jar

To create a A143mk.JWTAPIConfig, we first need to define a package that will be handled in the configuration.
Create classes name in the A143mk.JWTAPIConfig package. 

1. JwtRequestFilter package a143mk.JWTAPIConfig; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import java.io.IOException; @SuppressWarnings("unused") @WebFilter(urlPatterns = "/api/*") public class JwtRequestFilter extends OncePerRequestFilter { private JwtUtil jwtUtil = new JwtUtil(); @Override protected void doFilterInternal(HttpServletRequest request, javax.servlet.http.HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { final String token = request.getHeader("Authorization"); if (token != null && token.startsWith("Bearer ")) { String username = jwtUtil.extractUsername(token.substring(7)); if (username != null && jwtUtil.validateToken(token, username)) { // Set user authentication here } } filterChain.doFilter(request, response); } }
2.JwtUtil package a143mk.JWTAPIConfig; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import io.jsonwebtoken.security.Keys; import java.security.Key; import java.util.Date; public class JwtUtil { private String secretKey = "a143mkJWT3API"; // use a more secure key in production! // private Key secretKey = Keys.secretKeyFor(SignatureAlgorithm.HS256); // Generate token public String generateToken(String username) { return Jwts.builder() .setSubject(username) .setIssuedAt(new Date()) .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60)) // Token expires in 1 hour .signWith(SignatureAlgorithm.HS256, secretKey) .compact(); } // Extract username from token public String extractUsername(String token) { return extractClaims(token).getSubject(); } // Extract claims (payload) private Claims extractClaims(String token) { return Jwts.parser() .setSigningKey(secretKey) .parseClaimsJws(token) .getBody(); } // Validate token public boolean validateToken(String token, String username) { return (username.equals(extractUsername(token)) && !isTokenExpired(token)); } // Check if token is expired private boolean isTokenExpired(String token) { return extractClaims(token).getExpiration().before(new Date()); } }
3. SecurityConfig package a143mk.JWTAPIConfig; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable() // Disable CSRF .authorizeRequests() .antMatchers("/api/authenticate").permitAll() // Allow unauthenticated access to login endpoint .anyRequest().authenticated() // All other requests require authentication .and() .addFilterBefore(new JwtRequestFilter(), UsernamePasswordAuthenticationFilter.class); // Add JWT filter } }
4. AuthRequest/PayloderBeanClass package a143mk.JWTAPIConfig; public class AuthRequest { private String username; private String password; public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } public String getPassword() { return password; } public void setPassword(String password) { this.password = password; } }
Create a Controller class create a simple controller name is AuthController an endpoint is accessed.
package a143mk.JWTAPIController; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.directwebremoting.export.Data; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController; import a143mk.JWTAPIConfig.AuthRequest; import a143mk.JWTAPIConfig.JwtUtil; import a143mk.service.InterTransferOutWardService; @RestController public class AuthController { private static final Logger logger = LogManager.getLogger(AuthController.class); private JwtUtil jwtUtil = new JwtUtil(); @Autowired InterTransferOutWardService interOutward; @PostMapping("/api/authenticate") public String createToken(@RequestBody AuthRequest authRequest) { String token=jwtUtil.generateToken(authRequest.getUsername()); logger.info("DATE_Time:"+new Data()+" Token Ganrate: "+token ); interOutward.tokenSave(token); return jwtUtil.generateToken(authRequest.getUsername()); } }
Steps to Test JWT Token in Postman:
Obtain the JWT Token: First, you need to obtain the JWT token from your authentication endpoint. Typically, this is done by making a POST request to your login endpoint with the correct user credentials (username, password, etc.). 

Result :