Use Spring Security and JWT to implement secure, stateless authentication and authorization for a REST API in Java, suited to scalable architectures such as microservices, mobile applications and single-page applications. 1. Add the Spring Boot Web, Spring Security and JJWT dependencies to pom.xml; 2. Create User and LoginRequest model classes for user information and login requests; 3. Write a JwtUtil class to generate, parse and verify JWTs, loading the signing key from configuration rather than hard-coding it; 4. Configure a SecurityConfig class that disables CSRF, sets a stateless session policy, permits the authentication endpoint and registers the JWT filter; 5. Implement a JwtRequestFilter that extracts and verifies the JWT from the Authorization header and populates the security context when it is valid; 6. Create an AuthController exposing an /authenticate endpoint that returns a JWT after verifying the credentials; 7. Define protected endpoints such as /secured, reachable only with a valid Bearer token; 8. Best practices include using HTTPS, storing tokens securely, setting short expirations combined with refresh tokens, preferring RS256, validating token claims, and rate-limiting the login endpoint against brute-force attacks. With proper key management and these controls, the API stays stateless, secure and horizontally scalable.
Securing REST APIs in Java using Spring Security and JWT is a common requirement for modern web applications, especially when building stateless, scalable backends. Here's a practical guide to implementing secure authentication and authorization with Spring Security and JSON Web Tokens (JWT).

Why Use Spring Security with JWT?
Spring Security provides a powerful and customizable framework for handling authentication and authorization in Java applications. When combined with JWT, it enables stateless authentication, meaning the server doesn't need to store session data. Instead, each request carries a signed token that proves the user's identity, and the server only has to verify the signature and the claims.
This is ideal for:

- Microservices architectures
- Mobile and single-page applications (SPAs)
- APIs that need to scale horizontally
Step 1: Set Up Dependencies
Add the required dependencies to your pom.xml (for Maven):
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-api</artifactId>
        <version>0.11.5</version>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-impl</artifactId>
        <version>0.11.5</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.11.5</version>
        <scope>runtime</scope>
    </dependency>
</dependencies>
Step 2: Create User Model and Authentication Request
Define a simple user model and login DTO:

public class User {
    private String username;
    private String password;
    // constructors, getters, setters
}

public class LoginRequest {
    private String username;
    private String password;
    // getters and setters
}
Step 3: Generate and Validate JWT
Create a utility class to generate and parse tokens:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Date;

@Component
public class JwtUtil {

    // Loaded from configuration (jwt.secret), never hard-coded.
    // Keys.hmacShaKeyFor rejects secrets shorter than 256 bits for HS256.
    private final SecretKey key;

    public JwtUtil(@Value("${jwt.secret}") String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public String generateToken(UserDetails userDetails) {
        return Jwts.builder()
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10)) // 10 hours
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    public boolean validateToken(String token, UserDetails userDetails) {
        final String username = extractUsername(token);
        return username.equals(userDetails.getUsername()) && !isTokenExpired(token);
    }

    public String extractUsername(String token) {
        return parseClaims(token).getSubject();
    }

    private boolean isTokenExpired(String token) {
        return parseClaims(token).getExpiration().before(new Date());
    }

    // Verifies the signature before returning any claim; throws JwtException
    // (ExpiredJwtException for an expired token) so callers never see unverified data
    private Claims parseClaims(String token) {
        return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
    }
}
Security Tip: Never hardcode the secret key. Inject it with @Value("${jwt.secret}") from an environment variable or a secrets manager, and generate it randomly with at least 256 bits (32 bytes); JJWT refuses shorter HS256 keys. Anyone holding this secret can mint tokens for any user, so treat it like a root credential.
Step 4: Configure Spring Security
Create a security configuration class:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private JwtRequestFilter jwtRequestFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // AuthenticationConfiguration builds the manager from the UserDetailsService and
    // PasswordEncoder beans in the context. This guide does not show the UserDetailsService
    // bean; supply one backed by your user store.
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is only safe because the token travels in the Authorization header,
            // which the browser never attaches automatically. If you later move it into a cookie,
            // turn CSRF protection back on.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/authenticate").permitAll()
                .anyRequest().authenticated())
            // No HttpSession: every request must present its own token
            .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
Step 5: Implement JWT Filter
Create a filter to intercept incoming requests and validate the JWT:
import io.jsonwebtoken.JwtException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;

@Component
public class JwtRequestFilter extends OncePerRequestFilter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtUtil jwtUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        final String authorizationHeader = request.getHeader("Authorization");
        String username = null;
        String jwt = null;

        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
            jwt = authorizationHeader.substring(7);
            try {
                username = jwtUtil.extractUsername(jwt);   // verifies signature and expiry as a side effect
            } catch (JwtException | IllegalArgumentException e) {
                // Malformed, expired or wrongly signed token: leave the request unauthenticated so
                // Spring Security's exception handling rejects it (configure an AuthenticationEntryPoint
                // to answer 401 instead of the default 403) rather than surfacing a 500
                logger.debug("Rejected JWT: " + e.getMessage());
            }
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
            if (jwtUtil.validateToken(jwt, userDetails)) {
                // Credentials are null: the token already proved identity, so none are stored
                UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }
        chain.doFilter(request, response);
    }
}
Step 6: Create Authentication Endpoint
Expose an endpoint to generate a token upon login:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtUtil jwtUtil;

    @PostMapping("/authenticate")
    public ResponseEntity<?> createAuthenticationToken(@RequestBody LoginRequest loginRequest) {
        final Authentication authentication;
        try {
            authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
        } catch (AuthenticationException e) {
            // Covers bad credentials as well as locked or disabled accounts. One generic message
            // for every failure so the endpoint does not reveal which usernames exist.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Incorrect username or password");
        }
        // The principal is the UserDetails loaded during authentication; no second lookup is needed
        final UserDetails userDetails = (UserDetails) authentication.getPrincipal();
        final String jwt = jwtUtil.generateToken(userDetails);
        return ResponseEntity.ok(new JwtResponse(jwt));
    }
}
And the response DTO:
public class JwtResponse {
    private String token;

    public JwtResponse(String token) {
        this.token = token;
    }

    public String getToken() {
        return token;
    }
}
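The best-practice list at the end of this guide calls for rate-limiting the login endpoint. Below is one way to do that, written for this article as an added example rather than code from the original; it assumes Spring Boot 3 (jakarta.servlet), a single application instance (counters live in process memory) and that request.getRemoteAddr() is the real client address. Behind a reverse proxy you would key on the proxy-supplied client address instead, and in a cluster you would move the counters to a shared store such as Redis.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Fixed-window limiter for POST /authenticate: at most MAX_ATTEMPTS per client address per window.
// Added example; assumes a single instance and a trustworthy getRemoteAddr().
@Component
public class LoginRateLimitFilter extends OncePerRequestFilter {

    private static final int MAX_ATTEMPTS = 10;                             // assumed policy
    private static final long WINDOW_MILLIS = Duration.ofMinutes(1).toMillis();

    private static final class Window {
        final long startedAt;
        final AtomicInteger count = new AtomicInteger();
        Window(long startedAt) { this.startedAt = startedAt; }
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Only the credential-submitting endpoint is throttled; token-bearing requests pass untouched
        return !("POST".equals(request.getMethod()) && "/authenticate".equals(request.getRequestURI()));
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        long now = System.currentTimeMillis();
        // Start a fresh window when none exists or the old one has expired; otherwise keep counting
        Window window = windows.compute(request.getRemoteAddr(), (ip, old) ->
                old == null || now - old.startedAt >= WINDOW_MILLIS ? new Window(now) : old);

        if (window.count.incrementAndGet() > MAX_ATTEMPTS) {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
            return;   // the request never reaches AuthController, so no password check is spent on it
        }
        chain.doFilter(request, response);
    }
}
```

Register it in SecurityConfig alongside the JWT filter, for example with http.addFilterBefore(loginRateLimitFilter, UsernamePasswordAuthenticationFilter.class). Because it only touches its own counters, its order relative to JwtRequestFilter does not matter. A per-username counter on top of the per-address one stops an attacker who spreads attempts across many addresses, at the cost of letting that attacker lock a victim out; the usual compromise is to slow down rather than block per-username.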
Step 7: Test the Secured API
Now, any endpoint other than /authenticate requires a valid JWT:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {
    @GetMapping("/secured")
    public String securedEndpoint() {
        return "Hello, you're authenticated!";
    }
}
To access /secured, include the header:
Authorization: Bearer <your-jwt-token>
Best Practices & Security Tips
- Use HTTPS in production: a bearer token is password-equivalent, and anyone who can read it on the wire can replay it
- Store JWTs securely on the client (avoid localStorage if possible, since any injected script can read it; prefer httpOnly cookies for web apps). A cookie is sent by the browser automatically, so if you move the token into a cookie you must re-enable the CSRF protection that the configuration above disables
- Set short expiration times and implement refresh tokens
- Use strong secrets or RSA keys (RS256 instead of HS256 for better key separation: only the issuer holds the private key, and resource servers that verify with the public key cannot mint tokens)
- Validate issuer, audience and expiry claims in production, not just the signature
- Rate-limit authentication endpoints to prevent brute force attacks
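The following class puts the RS256, short-expiry-plus-refresh and claim-validation advice above into one piece of working code. It is an added example written for this guide, not code from the original article or from Spring or JJWT; the issuer name, audience name and lifetimes are assumed values, and the key pair is generated in memory only so the demo runs stand-alone (in production the private key is loaded from a keystore or KMS and only the public key is given to verifiers).

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.IncorrectClaimException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.UUID;

// Issuer and verifier side of an RS256 token scheme. Every check is pinned on the parser
// once, so no call site can forget issuer, audience, expiry or clock-skew validation.
public class HardenedJwtService {

    static final String ISSUER = "https://auth.example.com";   // assumed issuer identifier
    static final String AUDIENCE = "orders-api";                 // assumed identifier of this API
    static final Duration ACCESS_TTL = Duration.ofMinutes(15);   // short-lived access token
    static final Duration REFRESH_TTL = Duration.ofDays(7);      // exchanged for new access tokens

    private final PrivateKey signingKey;   // held by the issuer only
    private final JwtParser parser;        // needs only the public key

    public HardenedJwtService(PrivateKey signingKey, PublicKey verificationKey) {
        this.signingKey = signingKey;
        this.parser = Jwts.parserBuilder()
                .setSigningKey(verificationKey)
                .requireIssuer(ISSUER)
                .requireAudience(AUDIENCE)
                .setAllowedClockSkewSeconds(30)
                .build();
    }

    public String issueAccessToken(String username, List<String> roles) {
        return issue(username, ACCESS_TTL, "access", roles);
    }

    public String issueRefreshToken(String username) {
        return issue(username, REFRESH_TTL, "refresh", List.of());
    }

    private String issue(String username, Duration ttl, String type, List<String> roles) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())   // jti: lets one token be revoked or audited
                .setSubject(username)
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(ttl)))
                .claim("typ", type)                    // keeps refresh tokens out of access checks
                .claim("roles", roles)
                .signWith(signingKey, SignatureAlgorithm.RS256)
                .compact();
    }

    // Returns the verified claims of an access token; throws JwtException on any failed check
    public Claims verifyAccessToken(String token) {
        Claims claims = parser.parseClaimsJws(token).getBody();   // signature, exp, iss, aud checked here
        if (!"access".equals(claims.get("typ", String.class))) {
            throw new JwtException("refresh token presented as access token");
        }
        return claims;
    }

    public static void main(String[] args) {
        KeyPair pair = Keys.keyPairFor(SignatureAlgorithm.RS256);   // demo only, see lead-in
        HardenedJwtService svc = new HardenedJwtService(pair.getPrivate(), pair.getPublic());

        String access = svc.issueAccessToken("alice", List.of("ROLE_USER"));
        System.out.println("accepted, subject=" + svc.verifyAccessToken(access).getSubject());

        // Valid signature, but a refresh token must not open protected endpoints
        try { svc.verifyAccessToken(svc.issueRefreshToken("alice")); }
        catch (JwtException e) { System.out.println("rejected: " + e.getMessage()); }

        // Same key, minted for another API: requireAudience rejects it
        String otherApi = Jwts.builder().setSubject("alice").setIssuer(ISSUER).setAudience("billing-api")
                .setExpiration(Date.from(Instant.now().plus(ACCESS_TTL)))
                .signWith(pair.getPrivate(), SignatureAlgorithm.RS256).compact();
        try { svc.verifyAccessToken(otherApi); }
        catch (IncorrectClaimException e) { System.out.println("rejected: " + e.getMessage()); }

        // Correct claims, wrong private key: signature verification fails before any claim is read
        PrivateKey rogue = Keys.keyPairFor(SignatureAlgorithm.RS256).getPrivate();
        String forged = Jwts.builder().setSubject("admin").setIssuer(ISSUER).setAudience(AUDIENCE)
                .claim("typ", "access").setExpiration(Date.from(Instant.now().plus(ACCESS_TTL)))
                .signWith(rogue, SignatureAlgorithm.RS256).compact();
        try { svc.verifyAccessToken(forged); }
        catch (SignatureException e) { System.out.println("rejected: signature does not verify"); }
    }
}
```

To drop this into the guide above, JwtUtil would hold the private key (issuer) while JwtRequestFilter calls verifyAccessToken with only the public key, and the refresh token would be accepted solely by a dedicated /refresh endpoint that issues a new access token. Rotating the key pair is then a matter of publishing the new public key to the verifiers before the issuer switches to the new private key.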
Conclusion
Spring Security with JWT gives you a robust foundation for securing REST APIs in Java. While the setup involves several components—filters, token generation, and configuration—the pattern is reusable and fits well with modern application architectures.
With proper key management and token handling, this approach keeps your APIs secure, stateless, and scalable.
Basically just wire up the filter, protect your endpoints, and validate tokens on each request — and you're good to go.
The above is the detailed content of Securing REST APIs in Java with Spring Security and JWT. For more information, please follow other related articles on the PHP Chinese website!
