

Java Authentication and Authorization with JWT

Jul 29, 2025 am 12:07 AM

JWT is an open standard for the secure transmission of information. In Java, authentication and authorization can be implemented with the JJWT library: 1. add the JJWT API, Impl and Jackson dependencies; 2. create a JwtUtil class that generates, parses and verifies tokens; 3. write a JwtFilter that intercepts requests and verifies the Bearer token in the Authorization header; 4. register the filter in Spring Boot so that it protects the chosen paths; 5. provide a login endpoint that returns a JWT once the user has been verified; 6. let protected endpoints read the user's identity and role from the parsed token and apply access control. The result is a stateless, extensible security mechanism that suits distributed systems. Follow the security advice on key storage, token expiry and HTTPS transport.


In modern web application development, implementing user authentication and authorization in Java is a common requirement. JWT (JSON Web Token) has become one of the mainstream ways to do this because it is stateless, scales well and works across domains. The following describes how to use JWT for authentication and authorization in a Java application.


What is JWT?

JWT is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It is commonly used for authentication and for exchanging information. A JWT consists of three parts:

  • Header : the token type and the signature algorithm (for example HMAC SHA256)
  • Payload : the claims, such as user ID, role and expiration time
  • Signature : a signature over the first two parts, so that any tampering with them is detected

The format is: xxxxx.yyyyy.zzzzz


Basic Process

  1. The user logs in, submitting a username and password
  2. The server verifies the credentials, generates a JWT and returns it to the client
  3. The client sends the JWT with subsequent requests (usually in the Authorization header)
  4. The server verifies the JWT and, based on the claims it carries, decides whether to grant access to the resource

Use Java JWT to implement authentication and authorization

1. Add dependencies (taking Maven as an example)

Use the JJWT library to handle JWT:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.5</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.11.5</version>
    <scope>runtime</scope>
</dependency>

Note: JJWT 0.11 is split into modules, so the API, implementation and Jackson modules all have to be declared.


2. Create JWT tool class

import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.util.Date;

public class JwtUtil {
    // Note: secretKeyFor() generates a fresh random key on every JVM start, so tokens
    // do not survive a restart and cannot be verified by other instances; load the key
    // from configuration in a real deployment (see "Safety advice" below).
    private static final SecretKey SECRET_KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    private static final long EXPIRATION_TIME = 86400000; // 24 hours in milliseconds

    // Generate JWT
    public static String generateToken(String username, String role) {
        return Jwts.builder()
                .setSubject(username)
                .claim("role", role)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .signWith(SECRET_KEY)
                .compact();
    }

    // Parse and verify JWT; returns null if the token is expired or invalid
    public static Claims parseToken(String token) {
        try {
            return Jwts.parserBuilder()
                    .setSigningKey(SECRET_KEY)
                    .build()
                    .parseClaimsJws(token)
                    .getBody();
        } catch (ExpiredJwtException e) {
            System.out.println("Token expired");
            return null;
        } catch (MalformedJwtException | SignatureException e) {
            System.out.println("Invalid Token");
            return null;
        } catch (JwtException | IllegalArgumentException e) {
            // Any other parser failure, e.g. an unsupported token type or an empty token string
            System.out.println("Invalid Token");
            return null;
        }
    }

    // Get the username (the subject claim)
    public static String getUsernameFromToken(String token) {
        Claims claims = parseToken(token);
        return claims != null ? claims.getSubject() : null;
    }

    // Get the role claim; null if the token could not be parsed
    public static String getRoleFromToken(String token) {
        Claims claims = parseToken(token);
        return claims != null ? claims.get("role", String.class) : null;
    }

    // Verify that the token is valid and was issued for the given user
    // (a non-null username already implies the signature and expiry checks passed)
    public static boolean isTokenValid(String token, String username) {
        String tokenUsername = getUsernameFromToken(token);
        return tokenUsername != null && tokenUsername.equals(username);
    }
}

3. Intercept requests: Implement filters (Filters)

Create a JwtFilter that intercepts requests and verifies the JWT.

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class JwtFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String token = httpRequest.getHeader("Authorization");

        if (token != null && token.startsWith("Bearer ")) {
            token = token.substring(7); // Remove the "Bearer " prefix
            String username = JwtUtil.getUsernameFromToken(token);

            if (username != null && JwtUtil.isTokenValid(token, username)) {
                // User information can be stored in the request attribute or Security Context
                httpRequest.setAttribute("currentUser", username);
                httpRequest.setAttribute("role", JwtUtil.getRoleFromToken(token));
                chain.doFilter(request, response);
            } else {
                httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                httpResponse.getWriter().write("Invalid or expired Token");
            }
        } else {
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            httpResponse.getWriter().write("Missing Token");
        }
    }
}
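The filter above parses the same token several times (once in getUsernameFromToken, again in isTokenValid and again in getRoleFromToken) and answers 401 with a bare text body. The following is an added example, not code from the article, of a filter that parses the token exactly once, accepts the Bearer scheme case-insensitively (HTTP authentication schemes are case-insensitive, and RFC 6750 requires a WWW-Authenticate challenge on a 401 for bearer tokens), and passes the parsed claims on as request attributes. The key is assumed to be injected through the constructor rather than generated in a static field; the class name SingleParseJwtFilter and the JSON error shape are my own choices.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

import javax.crypto.SecretKey;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;

// Added example (not the article's code): parse once, challenge properly on failure.
public class SingleParseJwtFilter implements Filter {
    private final SecretKey key; // assumed to be supplied from configuration

    public SingleParseJwtFilter(SecretKey key) {
        this.key = key;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        String token = extractBearerToken(req.getHeader("Authorization"));
        if (token == null) {
            reject(res, "invalid_request", "Missing bearer token");
            return;
        }

        Claims claims;
        try {
            // One parse covers signature, structure and expiry checks.
            claims = Jwts.parserBuilder()
                    .setSigningKey(key)
                    .build()
                    .parseClaimsJws(token)
                    .getBody();
        } catch (JwtException | IllegalArgumentException e) {
            // Expired, malformed, unsupported or badly signed token: all end here.
            reject(res, "invalid_token", "Invalid or expired token");
            return;
        }

        req.setAttribute("currentUser", claims.getSubject());
        req.setAttribute("role", claims.get("role", String.class));
        chain.doFilter(request, response);
    }

    // Returns the token part of "Bearer <token>"; null if the header is absent,
    // uses another scheme, or carries no token.
    static String extractBearerToken(String header) {
        if (header == null) {
            return null;
        }
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !"bearer".equals(parts[0].toLowerCase(Locale.ROOT))) {
            return null;
        }
        return parts[1].isEmpty() ? null : parts[1];
    }

    // 401 with the WWW-Authenticate challenge RFC 6750 expects, plus a small JSON body.
    private static void reject(HttpServletResponse res, String error, String description)
            throws IOException {
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.setHeader("WWW-Authenticate",
                "Bearer error=\"" + error + "\", error_description=\"" + description + "\"");
        res.setContentType("application/json");
        res.getWriter().write("{\"error\":\"" + error + "\"}");
    }
}
```

Registering it works exactly as in the next section, except that the filter instance is created with the configured key (new SingleParseJwtFilter(key)) instead of with a no-argument constructor.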

4. Configure Filter (taking Spring Boot as an example)

If you are using Spring Boot, register the filter in a configuration class:

@Bean
public FilterRegistrationBean<JwtFilter> jwtFilter() {
    FilterRegistrationBean<JwtFilter> registrationBean = new FilterRegistrationBean<>();
    registrationBean.setFilter(new JwtFilter());
    // Protected path pattern; it must match the controller mapping
    // (section 6 below maps "/secure/data", so adjust one side to agree)
    registrationBean.addUrlPatterns("/api/secure/*");
    return registrationBean;
}

5. Login interface example

@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody UserLoginRequest request) {
    // Simplified: a real implementation looks the user up in the database
    // and verifies the password against its stored hash
    if ("admin".equals(request.getUsername()) && "password".equals(request.getPassword())) {
        String token = JwtUtil.generateToken(request.getUsername(), "ADMIN");
        return ResponseEntity.ok().body(Map.of("token", token));
    }
    return ResponseEntity.status(401).body("Invalid username or password");
}
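The comment in the login handler says the real check must be against a hashed database password. As an added example (not the article's code, and using only the JDK), here is what that check looks like with salted PBKDF2 and a constant-time comparison; on success it returns the user's role so the caller can issue the token with JwtUtil.generateToken(username, role) exactly as above. The stored record format "iterations:base64salt:base64hash", the in-memory user map and the class name PasswordLogin are assumptions standing in for a database table.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not the article's code): salted PBKDF2 password verification for the login step.
public class PasswordLogin {
    // OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256; tune to your hardware.
    private static final int ITERATIONS = 600_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    // Hashed once at startup; used for unknown users so the response time does not
    // reveal whether a username exists.
    private static final String DUMMY_HASH = hashPassword("dummy".toCharArray());

    // What the store holds per user: the password hash record and the role the token will carry.
    public static final class UserRecord {
        final String passwordHash;
        final String role;

        UserRecord(String passwordHash, String role) {
            this.passwordHash = passwordHash;
            this.role = role;
        }
    }

    // Computed at registration and stored; the random salt makes equal passwords hash differently.
    public static String hashPassword(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + ":" + Base64.getEncoder().encodeToString(salt)
                + ":" + Base64.getEncoder().encodeToString(hash);
    }

    // Recomputes the hash with the stored salt and iteration count, compares in constant time.
    public static boolean verifyPassword(char[] password, String stored) {
        String[] parts = stored.split(":");
        if (parts.length != 3) {
            return false;
        }
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(expected, actual); // no early exit on the first differing byte
    }

    // Login step: the role on success (for JwtUtil.generateToken), empty on any failure.
    public static Optional<String> authenticate(Map<String, UserRecord> users, String username,
                                                char[] password) {
        try {
            UserRecord user = users.get(username);
            String stored = user != null ? user.passwordHash : DUMMY_HASH;
            boolean ok = verifyPassword(password, stored);
            return (ok && user != null) ? Optional.of(user.role) : Optional.empty();
        } finally {
            Arrays.fill(password, '\0'); // do not keep the plaintext in memory longer than needed
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 is unavailable", e);
        }
    }

    // Constructed demo: register one user, then try a correct password, a wrong one and an unknown user.
    public static void main(String[] args) {
        Map<String, UserRecord> users = new HashMap<>();
        users.put("admin", new UserRecord(hashPassword("correct horse".toCharArray()), "ADMIN"));

        System.out.println(authenticate(users, "admin", "correct horse".toCharArray())); // Optional[ADMIN]
        System.out.println(authenticate(users, "admin", "wrong".toCharArray()));         // Optional.empty
        System.out.println(authenticate(users, "nobody", "anything".toCharArray()));     // Optional.empty
    }
}
```

In the controller, the plaintext comparison becomes a call to authenticate(...) and the returned role is what goes into the token; the "Invalid username or password" response is returned for both the wrong-password and the unknown-user case so the two cannot be told apart.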

6. Protected interface example

@GetMapping("/secure/data")
public ResponseEntity<?> getSecureData(HttpServletRequest request) {
    // Both attributes were set by JwtFilter after the token was verified
    String user = (String) request.getAttribute("currentUser");
    String role = (String) request.getAttribute("role");

    if ("ADMIN".equals(role)) {
        return ResponseEntity.ok("Hello " + user + ", you have admin access!");
    } else {
        return ResponseEntity.status(403).body("Insufficient permission");
    }
}

Safety advice

  • Key management : do not hard-code keys in source; load them from environment variables or a configuration centre
  • Token expiration : choose the lifetime carefully, and use short-lived tokens for sensitive operations
  • Refresh tokens : a refresh-token mechanism keeps access tokens short-lived without hurting the user experience
  • HTTPS : protect the transport layer so that tokens cannot be intercepted in transit
  • Avoid sensitive information : never put secrets such as passwords in the JWT payload, which is only Base64-encoded, not encrypted
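The JwtUtil in section 2 generates a random key with Keys.secretKeyFor on every start, which is the opposite of the first item above and also breaks the "distributed systems" claim: each instance would have its own key and would reject the others' tokens. As an added example (not the article's code), the class below loads a Base64-encoded key from an environment variable, issues short-lived tokens, and on parsing additionally requires the issuer and audience it expects and tolerates a little clock skew between nodes. The environment variable name JWT_SECRET_B64, the issuer "auth-service", the audience "api", the 15-minute lifetime and the class name ConfiguredJwtUtil are assumptions. The main method is a self-check that needs no environment variable: it confirms that a token verifies under its own key, is rejected under a different key, and is rejected once its payload has been altered (the property the Signature part exists to guarantee).

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Optional;

// Added example (not the article's code): key from configuration, strict parsing.
public class ConfiguredJwtUtil {
    private static final String ISSUER = "auth-service";     // assumed issuer name
    private static final String AUDIENCE = "api";            // assumed audience name
    private static final long TTL_MILLIS = 15L * 60 * 1000;  // 15 minutes: short-lived access token

    private final SecretKey key;

    public ConfiguredJwtUtil(SecretKey key) {
        this.key = key;
    }

    // Reads a Base64-encoded key from the environment. Keys.hmacShaKeyFor rejects keys
    // shorter than 256 bits for HS256 with a WeakKeyException, so a weak key fails at startup.
    public static ConfiguredJwtUtil fromEnvironment(String variableName) {
        String b64 = System.getenv(variableName);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(variableName + " is not set");
        }
        return new ConfiguredJwtUtil(Keys.hmacShaKeyFor(Decoders.BASE64.decode(b64)));
    }

    public String generateToken(String username, String role) {
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .setSubject(username)
                .claim("role", role)
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + TTL_MILLIS))
                .signWith(key)
                .compact();
    }

    // Claims are returned only if signature, issuer, audience and expiry all check out.
    public Optional<Claims> parseToken(String token) {
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(key)
                    .requireIssuer(ISSUER)
                    .requireAudience(AUDIENCE)
                    .setAllowedClockSkewSeconds(30) // tolerate small clock drift between nodes
                    .build()
                    .parseClaimsJws(token)
                    .getBody();
            return Optional.of(claims);
        } catch (JwtException | IllegalArgumentException e) {
            return Optional.empty(); // expired, wrong issuer/audience, bad signature, malformed
        }
    }

    // Self-check with freshly generated keys (no environment variable needed).
    public static void main(String[] args) {
        ConfiguredJwtUtil a = new ConfiguredJwtUtil(Keys.secretKeyFor(SignatureAlgorithm.HS256));
        ConfiguredJwtUtil b = new ConfiguredJwtUtil(Keys.secretKeyFor(SignatureAlgorithm.HS256));
        String token = a.generateToken("alice", "USER");

        System.out.println("own key verifies:    " + a.parseToken(token).isPresent()); // true
        System.out.println("other key verifies:  " + b.parseToken(token).isPresent()); // false

        // Change the role claim in the payload without re-signing: the signature check must fail.
        String[] parts = token.split("\\.");
        String payload = new String(Decoders.BASE64URL.decode(parts[1]), StandardCharsets.UTF_8)
                .replace("\"USER\"", "\"ADMIN\"");
        String altered = parts[0] + "."
                + Encoders.BASE64URL.encode(payload.getBytes(StandardCharsets.UTF_8)) + "."
                + parts[2];
        System.out.println("altered verifies:    " + a.parseToken(altered).isPresent()); // false
    }
}
```

A suitable value for the environment variable is 32 or more random bytes, Base64-encoded; generate it once with a CSPRNG and distribute it to every instance that must verify tokens, so that all nodes share one key and a restart does not invalidate outstanding tokens.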

Summarize

Using JWT for authentication and authorization in Java is not complicated; the core steps are:

  • Generate a token after a successful login
  • The client sends the token with each request
  • The server verifies the token in a filter and extracts the user information
  • Authorization decisions are made according to the role

This mechanism suits distributed and microservice architectures because the server does not have to store sessions.

That is essentially all there is to it: not complicated, but details such as exception handling and key security are easy to overlook.


