Last updated: March 08, 2021
Securing a REST API with Spring Security and JWT
Spring Security is the de facto standard for securing Spring Boot applications. JSON Web Token (JWT) is a good choice for protecting a REST API - the following article will show the minimal steps to setup a Spring Boot application with JWT.
The concept of JWT
As a first step, a client must authenticates itself using a username and password, receiving a signed token (JWT) in exchange. This token is stored locally at the client and is passed to the server with every further request, typically in the header. Since the token is signed using a key that only the server knows, the token and thus the client can be validated safely.
This approach makes the whole process stateless and very suitable for REST APIs, since no data about the state of the client (e.g. a session) needs to be stored. The username and the expiration date of the token are stored in the payload.
Example Payload of a JSON Web Token
Spring Security does not provide direct support for JWT, so a number of additions to our
Spring Boot application are necessary. In our
we need to add the following two dependencies. Using the
java-jwt library, we
will later generate and validate the tokens.
Adding new dependencies
The following controller defines the first step from a client's perspective: an endpoint for authentication to obtain a valid token. To keep the code snippet short, the constructor with the field assignments is omitted.
Authentication endpoint defined in our RestController
The request is validated and then passed to the authenticationManager for authentication. If successful, the JSON web token is generated and returned. There are no further details in the response, since the token itself should contain all relevant information.
As referenced in our controller, the
JwtTokenService is responsible for
generating and validating the token. We store the secret used for these tasks in our
JwtTokenService encapsulating token handling
We also provide an implementation of the UserDetailsService that is accessed by the
AuthenticationManager - which we configure later. We access a database using
but any other source can be used here. We only assign the role
ROLE_USER by default,
although further roles and permissions could be added at this point as well.
Implementation of UserDetailsService
Authentication of the requests
To authenticate the requests going to our REST API, we need to define
JwtRequestFilter. This filter ensures that a valid token is passed in the header
and will store the
UserDetails in the
SecurityContext for the duration
of the request.
JwtRequestFilter to validate tokens
Example JWT submitted as a header
Spring Security config
This leads us to the heart of the matter, the configuration of Spring Security, which brings together all the previous components.
Spring Security Configuration
JwtUserDetailsService is to be used by the
along with a
PasswordEncoder based on BCrypt. The
exposed as a bean, so it can be used at other parts of our application as well, for example when
registering a user and creating the hash from his password.
antMatchers("/authenticate").permitAll() our authentication endpoint is
freely accessible, but because of
anyRequest().hasRole(USER) the role
required for all other request. Spring Security automatically adds the ROLE_ prefix, so only
the short form is passed here.
SessionCreationPolicy.STATELESS is used to specify that Spring Security does not create
or access a session. Also
JwtRequestFilter is added at a proper position in our filter chain,
SecurityContext can be updated before the role is actually checked.
With this minimal setup, our application is secured using Spring Security and JWT. It can be
extended according to our own requirements, for example to define the required role directly
at our endpoints with
In the professional plan of Bootify, a Spring Boot application with JWT setup can be generated using a table of the self-defined database schema. Get your runnable Spring Boot application with advanced features in minutes!