JWT Authorization on Spring Boot App
Most modern web services use JSON Web Tokens (JWT) for authorization between services. JWT is carried with the "Bearer" HTTP authentication scheme (RFC 6750): whoever presents the token is authorized as its bearer, which in our scenario is another service. Because possession alone is the credential, the token must only travel over TLS and must be validated on every request. HTTP requests authorized this way carry the header
Authorization: Bearer <token>
In this article we will see how and where the JWT is validated in your Spring Boot application.
Spring Security is a framework that focuses on authentication and authorization, so we add it as a dependency of the Spring Boot application (when the project inherits from spring-boot-starter-parent the version is managed for you and the <version> element can be omitted):
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${version}</version>
</dependency>
A Servlet Filter is an interface used to intercept HTTP requests and responses.
- Filters are used to inspect, manipulate or pre-process requests before they reach a servlet, and to reject them before any servlet code runs.
- Multiple filters can be chained to execute in a chosen order, each performing a different task.
- Filters can be applied to all servlet URLs or to specific URL patterns only.
As you might have guessed, this is where we want to validate the JWT, because the request has to be authorized before it reaches the servlet. Rather than implementing Filter directly, you extend one of Spring's abstract base classes: GenericFilterBean, or OncePerRequestFilter, which additionally guarantees that the filter runs only once per request even when the container dispatches the request more than once (the usual choice for authentication). ResourceUrlEncodingFilter is another GenericFilterBean subclass, used for static resource URLs rather than security.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.GenericFilterBean;

public class JwtAuthorizationFilter extends GenericFilterBean {
    private static final String BEARER_PREFIX = "Bearer ";

    @Override
    public void doFilter(final ServletRequest request,
                         final ServletResponse response,
                         final FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Checking for the Authorization header. It must be present and use the
        // Bearer scheme: a bare substring(7) would silently accept "Basic ..."
        // or throw on a value shorter than seven characters.
        final String authorizationHeader = req.getHeader("Authorization");
        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER_PREFIX)) {
            // A missing or malformed bearer token is answered with 401 and a
            // WWW-Authenticate challenge (RFC 6750). An exception thrown here is
            // only translated into a status code if it reaches
            // ExceptionTranslationFilter, which sits later in the chain, so it
            // would otherwise surface as a 500.
            res.setHeader("WWW-Authenticate", "Bearer");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "JWT Authorization Header not found");
            return;
        }
        // Extracting the token from the header (everything after "Bearer ").
        final String token = authorizationHeader.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            res.setHeader("WWW-Authenticate", "Bearer error=\"invalid_request\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Empty bearer token");
            return;
        }
        // Based on the JWT algorithm, verify the token (signature, exp, iss, aud)
        // with a JWTVerifier, set the resulting principal on SecurityContextHolder,
        // and on failure respond 401 and return instead of continuing.
        // Pass on to the next filter in the chain only after verification.
        filterChain.doFilter(request, response);
    }
}
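The verification step that the skeleton above leaves as a comment, written out as an added example (this is not the article's own code) using the Auth0 java-jwt library (com.auth0:java-jwt), which provides the JWTVerifier class the comment names. It extends OncePerRequestFilter so the check runs exactly once per request, pins the signing algorithm, issuer and audience at construction time, maps a roles claim to Spring authorities, and places the authenticated principal in the SecurityContext so that authorizeRequests() rules can act on it. The HMAC secret, the issuer URL "https://issuer.example", the audience "orders-service", the "roles" claim name and the /actuator/health exemption are assumptions made for this example.

```java
// Added example, not the original article's code. Assumes com.auth0:java-jwt on the classpath.
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class VerifiedJwtAuthorizationFilter extends OncePerRequestFilter {
    private static final String BEARER_PREFIX = "Bearer ";
    private final JWTVerifier verifier;

    public VerifiedJwtAuthorizationFilter(byte[] hmacSecret) {
        // Pinning algorithm, issuer and audience here means a token whose header
        // claims a different alg (including "none"), or one minted by another
        // issuer or for another service, fails verification outright.
        this.verifier = JWT.require(Algorithm.HMAC256(hmacSecret))
                .withIssuer("https://issuer.example")   // assumption: your token issuer
                .withAudience("orders-service")         // assumption: this service's audience
                .acceptLeeway(30)                       // seconds of clock skew allowed for exp/nbf/iat
                .build();
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Assumption: the health endpoint is deliberately unauthenticated.
        return request.getServletPath().startsWith("/actuator/health");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            reject(response, "Bearer", "missing bearer token");
            return;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        try {
            // verify() checks the signature and the exp/nbf/iat/iss/aud claims configured above.
            DecodedJWT jwt = verifier.verify(token);
            List<String> roles = jwt.getClaim("roles").asList(String.class);
            if (roles == null) {
                roles = Collections.emptyList();
            }
            List<GrantedAuthority> authorities = roles.stream()
                    .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                    .collect(Collectors.toList());
            // The three-argument constructor marks the token as authenticated.
            UsernamePasswordAuthenticationToken auth =
                    new UsernamePasswordAuthenticationToken(jwt.getSubject(), null, authorities);
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (JWTVerificationException e) {
            // Covers bad signature, algorithm mismatch, expiry and claim mismatches.
            reject(response, "Bearer error=\"invalid_token\"", "invalid token");
            return;
        }
        try {
            chain.doFilter(request, response);
        } finally {
            // Do not let a principal leak into the next request handled by this thread.
            SecurityContextHolder.clearContext();
        }
    }

    private static void reject(HttpServletResponse response, String challenge, String reason)
            throws IOException {
        // RFC 6750: a missing or invalid bearer token gets a 401 with a WWW-Authenticate challenge.
        response.setHeader("WWW-Authenticate", challenge);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, reason);
    }
}
```

Load the secret from configuration rather than hardcoding it. For service-to-service calls where a separate issuer signs the tokens, prefer an asymmetric algorithm (for example Algorithm.RSA256(publicKey, null) with only the issuer's public key) so that the verifying service holds no signing capability and a compromise of it cannot mint tokens.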
Now that we know where the JWT is validated, we will see how and where the filter is injected into the Spring Boot application. WebSecurityConfigurerAdapter is where we customize web security, and where we chain our filters in the required order; the same mechanism accommodates filters for authentication, request/response logging, filtering specific transactions, etc. Two details matter here. First, a custom filter class has no registered position in Spring Security's filter chain, so it must be placed with addFilterBefore or addFilterAfter relative to a known filter; plain addFilter rejects unknown filter types at startup. Second, Spring Boot registers every Filter bean with the servlet container as well, so a filter that is both a bean and part of the security chain runs twice per request unless that container registration is disabled. The configuration below keeps Spring Security's defaults, disables CSRF (a bearer-token API has no cookie session to protect), declares the session stateless, requires authentication for every request, and positions the JWT filter before UsernamePasswordAuthenticationFilter. Note that WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0 in favour of a SecurityFilterChain bean; the same http.addFilterBefore(...) call applies there.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Instantiated here rather than declared as a bean: Spring Boot registers every
    // Filter bean with the servlet container too, so it would run twice per request.
    private final JwtAuthorizationFilter jwtAuthorizationFilter = new JwtAuthorizationFilter();

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable() // bearer tokens are not attached by the browser, so there is no CSRF surface
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            // A custom filter has no registered order in the security chain, so it
            // must be positioned explicitly; plain addFilter() rejects it at startup.
            .addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
This is a simple example of how and where JWT bearer tokens are validated for your endpoints, and of the central role Spring Security plays in customizing web security for your applications. For production services, Spring Security's built-in resource-server support (spring-boot-starter-oauth2-resource-server with http.oauth2ResourceServer().jwt()) performs the same validation, including fetching signing keys from the issuer's JWKS endpoint, without a hand-written filter.