Fullstack Java: Securing Your APIs with JWT Tokens in Spring Boot

Security is a fundamental requirement for any fullstack Java application, especially when APIs are exposed to the internet. One of the most effective and modern approaches to API security is using JWT (JSON Web Tokens). In this blog, we’ll walk through the concept of JWT, why it’s used, and how to implement it in a Spring Boot application to secure your backend APIs.


What is JWT?

JWT (JSON Web Token) is a compact, self-contained way to securely transmit information between parties as a JSON object. It consists of three parts:

Header – contains the signing algorithm (e.g., HS256)

Payload – includes user information and claims (e.g., username, roles)

Signature – ensures the token hasn't been tampered with

Once a user is authenticated, the server generates a JWT and sends it to the client. The client stores this token (usually in local storage or cookies) and includes it in the Authorization header for subsequent requests.


Why JWT for Spring Boot APIs?

Stateless Authentication: No need to store session data on the server

Scalability: Suitable for microservices and distributed systems

Flexibility: Can include custom claims (e.g., roles, permissions)

Security: Ensures that only authenticated users access protected APIs


Steps to Secure Spring Boot APIs with JWT

1. Add Dependencies

Use Maven or Gradle to include the necessary libraries:


xml

\

<!-- Maven -->

<dependency>

    <groupId>io.jsonwebtoken</groupId>

    <artifactId>jjwt</artifactId>

    <version>0.9.1</version>

</dependency>


2. Create a JWT Utility Class

This class will generate and validate tokens.


java


public class JwtUtil {

    private final String SECRET_KEY = "your_secret";


    public String generateToken(String username) {

        return Jwts.builder()

            .setSubject(username)

            .setIssuedAt(new Date(System.currentTimeMillis()))

            .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60)) // 1 hour

            .signWith(SignatureAlgorithm.HS256, SECRET_KEY)

            .compact();

    }


    public String extractUsername(String token) {

        return Jwts.parser().setSigningKey(SECRET_KEY)

            .parseClaimsJws(token).getBody().getSubject();

    }


    public boolean validateToken(String token, String username) {

        return extractUsername(token).equals(username) && !isTokenExpired(token);

    }


    private boolean isTokenExpired(String token) {

        return Jwts.parser().setSigningKey(SECRET_KEY)

            .parseClaimsJws(token).getBody().getExpiration().before(new Date());

    }

}


3. Configure Security Filter

Create a filter that intercepts every request and checks for JWT validity.


java


public class JwtRequestFilter extends OncePerRequestFilter {

    @Autowired

    private JwtUtil jwtUtil;


    @Override

    protected void doFilterInternal(HttpServletRequest request,

                                    HttpServletResponse response,

                                    FilterChain filterChain)

        throws ServletException, IOException {


        final String authorizationHeader = request.getHeader("Authorization");


        String username = null;

        String jwt = null;


        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {

            jwt = authorizationHeader.substring(7);

            username = jwtUtil.extractUsername(jwt);

        }


        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            if (jwtUtil.validateToken(jwt, username)) {

                UsernamePasswordAuthenticationToken authToken =

                    new UsernamePasswordAuthenticationToken(username, null, new ArrayList<>());

                SecurityContextHolder.getContext().setAuthentication(authToken);

            }

        }

        filterChain.doFilter(request, response);

    }

}


4. Secure Endpoints in Spring Security Config

java


@Override

protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable()

        .authorizeRequests()

        .antMatchers("/authenticate").permitAll()

        .anyRequest().authenticated()

        .and()

        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);


    http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);

}

Conclusion

JWT is a powerful tool for securing APIs in a Spring Boot fullstack Java application. By implementing JWT-based authentication, you ensure stateless, scalable, and secure interactions between the frontend and backend. It’s especially beneficial in RESTful and microservice architectures where session management is impractical. With the right setup, your APIs are not only functional but fortified.


Learn FullStack Java Course in Hyderabad

Read More : Fullstack Java: Using AWS S3 for File Storage in Java Applications

Read More : Fullstack Java with Docker: Containerizing Java Applications

Read More : Introduction to Fullstack Java: Combining Backend and Frontend with Spring Boot and React

Visit Our IHUB Talent Institute Hyderabad

Comments

Post a Comment

Popular posts from this blog

How to Use Tosca's Test Configuration Parameters

Tosca by Tricentis is a powerful model-based test automation tool widely used in enterprise environments for end-to-end testing. One of its most useful features is Test Configuration Parameters (TCPs), which provide flexibility and control in managing test execution. TCPs enable testers to create reusable test cases by passing dynamic values without hardcoding them. This significantly enhances test maintenance, scalability, and efficiency. In this blog, we’ll explore what Test Configuration Parameters are, how to create and use them, and the best practices to follow when working with TCPs in Tosca. What Are Test Configuration Parameters? Test Configuration Parameters are custom-defined key-value pairs that can be associated with test cases, test case folders, or execution lists in Tosca. They help manage configuration data such as environment URLs, browser types, credentials, or any other variable data that may differ across test runs. By using TCPs, you can avoid duplicating test case...
Read more

Using Hibernate ORM for Fullstack Java Data Management

In the world of fullstack Java development, managing data efficiently and seamlessly across the application is critical. One of the most powerful tools in the Java ecosystem for handling database operations is Hibernate ORM (Object-Relational Mapping). Hibernate simplifies the interaction between Java applications and relational databases, reducing boilerplate code and improving maintainability. This blog explores how Hibernate ORM works, why it’s widely used, and how it fits into the data management strategy of a fullstack Java application. What is Hibernate ORM? Hibernate ORM is an open-source Java framework that provides a powerful and flexible mechanism for mapping Java objects to database tables. It abstracts the low-level JDBC code, allowing developers to work with high-level object-oriented concepts. Instead of writing raw SQL queries, Hibernate allows developers to define database interactions using simple Java classes (also known as POJOs) and annotations or XML configurations...
Read more

Creating a Test Execution Report with Charts in Playwright

Modern test automation isn't just about running tests—it's also about presenting clear, visual feedback on test results. When working with Playwright, one of the most powerful end-to-end testing tools for modern web apps, generating detailed execution reports can help your team track progress, identify issues quickly, and make data-driven decisions. A visual report with charts brings your testing efforts to life. In this blog, we’ll walk through how to create a test execution report with charts using Playwright’s built-in capabilities along with third-party tools for enhanced visualization. Why Visual Reports Matter Plain text logs and console outputs are hard to parse at scale. A good report should answer questions like: How many tests passed or failed? What’s the overall success rate? Which tests are flaky or slow? How have test results changed over time? Visualizing this data with charts—like pie charts, bar graphs, or timelines—helps QA teams and stakeholders better underst...
Read more