Sat. Dec 7th, 2019


Spring Boot + Spring Security + JWT from scratch – Java Brains


In this tutorial, we’ll be creating a brand new Spring Boot and Spring Security project and implement JWT based authentication and authorization. We’ll create an endpoint that can authenticate and return a JWT. And then we’ll wire in some code to check incoming requests for JWT in the Authorization header and authorize requests with valid JWT.

Java Brains website: https://javabrains.io

#JavaBrains #BrainBytes #HowTo #SpringSecurity #Spring #SpringBoot #JWT #Java #Tutorial

37 thoughts on “Spring Boot + Spring Security + JWT from scratch – Java Brains”

  1. Important note: In the video, I provide the JWT secret as a constant variable in the Java class. As you might imagine, please don't do that in a real application!

    It's not a good idea to check in passwords / secret keys in your code. You should get that from a setting / property file that's in a more secure location and not in your source code repository.
    (Thanks to Olivier for pointing this out in the comments)

  2. Thanks sir, it's really worth watching the complete video. Thanks for helping us over the years and years. Please keep posting such outstanding videos for us.

  3. Awesome, this tutorial was super helpful, could you please create a new one with JWT + LDAP?
    I've been trying to find good resources about that combination but there isn't anything with the quality your videos have.
    Thanks!

  4. Awesome video on JWT. Can you point me to the bitbucket/repo for this app? I tried but am getting this: "{"timestamp":"2019-10-29T02:22:41.617+0000","status":500,"error":"Internal Server Error","message":"Base64-encoded key bytes may only be specified for HMAC signatures. If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.","path":"/authenticate"}"

  5. Hi Kaushik,

    Great post once again.
    A design question:

    As long as the JWT is valid, the JWT could deliver all the data relevant for a valid authentication: username and the set of authorities.

    To be GDPR compliant, the UserDetailsService could be used only when an email is required, for retrieving that specific detail.
    In Spring Boot 2.2 only the username and granted authorities are needed as a minimum.
    In your solution, for every JWT the user details are requested and overrule the claims; for example, when a user is locked during the validity of the JWT, the request will fail because the user is locked.
    In the JWT RFC nothing is mentioned on this topic.
    What were your thoughts on this when you wrote the code?

  6. signWith() is deprecated

    import io.jsonwebtoken.SignatureAlgorithm;
    import io.jsonwebtoken.security.Keys;
    import java.security.Key;

    // old: signWith(SignatureAlgorithm, String) with a plain string secret will not work
    private static final String SECURITY_KEY = "security";

    // signWith(key) will work: generate a key of the right size for HS256
    private Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    this will work

  7. Please, for those who watch this, you must make sure not to hard code any sensitive information (like passwords or private keys) in your code. This is a very dangerous practice and a vulnerability, even more so if you use Git and commit code (even if you erase hard-coded info, it is always possible to go back and find it with Git). The use of environment variables is one of the solutions to this problem.
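The following is an added example, not code from the video or from Java Brains, showing the approach the note in comment 1 and comments 6 and 7 describe: the HMAC secret is injected from configuration (backed by an environment variable) rather than declared as a constant, tokens are signed with the key-based signWith(key), and the request filter from the tutorial's outline checks the Authorization header and, as comment 5 discusses, re-loads the user so that an account locked after the token was issued is still rejected. It assumes jjwt 0.11.x, Spring Boot 2.x with Spring Security, and a property named app.jwt.secret holding a base64-encoded key of at least 32 bytes; the package, class and property names are hypothetical.

```java
// Added example (not the tutorial's code). Assumptions: jjwt 0.11.x, Spring Boot 2.x,
// property app.jwt.secret (e.g. app.jwt.secret=${JWT_SECRET} in application.properties)
// set to a base64-encoded random key of at least 32 bytes.
package com.example.jwtdemo; // hypothetical package name

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;
import java.util.Optional;

@Component
public class JwtService {
    private static final long TTL_MILLIS = 60 * 60 * 1000L; // one hour validity
    private final SecretKey key;

    // The secret arrives through Spring's property resolution, so it never appears in
    // source control; the env var JWT_SECRET (hypothetical name) is one way to supply it.
    public JwtService(@Value("${app.jwt.secret}") String base64Secret) {
        // hmacShaKeyFor throws WeakKeyException for keys shorter than 256 bits.
        this.key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Secret));
    }

    // Issue a signed token for an already-authenticated username.
    public String issue(String username) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TTL_MILLIS))
                .signWith(key) // algorithm (HS256 for a 256-bit key) is derived from the key
                .compact();
    }

    // Returns the subject only when the signature verifies and the token is unexpired.
    public Optional<String> subjectOf(String token) {
        try {
            Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody();
            return Optional.ofNullable(claims.getSubject());
        } catch (JwtException | IllegalArgumentException e) {
            return Optional.empty(); // bad signature, malformed, wrong type, or expired
        }
    }
}

@Component
class JwtRequestFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    JwtRequestFilter(JwtService jwtService, UserDetailsService userDetailsService) {
        this.jwtService = jwtService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            jwtService.subjectOf(header.substring("Bearer ".length())).ifPresent(username -> {
                try {
                    // Re-loading the user each request lets a lock or disable applied
                    // after the token was issued take effect before the token expires.
                    UserDetails user = userDetailsService.loadUserByUsername(username);
                    if (user.isAccountNonLocked() && user.isEnabled()) {
                        UsernamePasswordAuthenticationToken auth =
                                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException e) {
                    // user removed since issuance: leave the request unauthenticated
                }
            });
        }
        chain.doFilter(request, response); // downstream rules decide what an anonymous request may do
    }
}
```

The filter still has to be registered in the security configuration (for example with addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)) and the /authenticate endpoint left open, as the tutorial outlines. Generating the key with Keys.secretKeyFor, as comment 6 shows, produces a fresh random key on every start, so tokens stop verifying after a restart and cannot be shared across instances; injecting a stored key as above avoids that while keeping the secret out of the repository.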

  8. Really nice video, I am just confused about something; what's the point of implementing the JWT since Spring Security already handles the authorization mechanism? Anybody have an idea here?
