Spring Boot Jwt

JWT auth service using Spring Boot, Spring Security and MySQL
Alternatives To Spring Boot Jwt
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
a day ago38apache-2.0Java
mall项目是一套电商系统,包括前台商城系统及后台管理系统,基于SpringBoot+MyBatis实现,采用Docker容器化部署。 前台商城系统包含首页门户、商品推荐、商品搜索、商品展示、购物车、订单流程、会员中心、客户服务、帮助中心等模块。 后台管理系统包含商品管理、订单管理、会员管理、促销管理、运营管理、内容管理、统计报表、财务管理、权限管理、设置等模块。
a month ago4apache-2.0Java
eladmin jpa 版本:项目基于 Spring Boot 2.6.4、 Jpa、 Spring Security、Redis、Vue的前后端分离的后台管理系统,项目采用分模块开发方式, 权限控制采用 RBAC,支持数据字典与数据权限管理,支持一键生成前后端代码,支持动态路由
Spring Cloud Platform6,041
5 months ago14otherJava
🔥🔥🔥国内首个Spring Cloud微服务化RBAC的管理平台,核心采用Spring Boot 2.4、Spring Cloud 2020.0.0 & Alibaba,前端采用d2-admin中台框架。 🔝 🔝 记得上边点个star 关注更新
Lamp Cloud5,097
11 days ago3apache-2.0Java
lamp-cloud 基于Jdk11 + SpringCloud + SpringBoot 开发的微服务中后台快速开发平台,专注于多租户(SaaS架构)解决方案,亦可作为普通项目(非SaaS架构)的基础开发框架使用,目前已实现插拔式数据库隔离、SCHEMA隔离、字段隔离 等租户隔离方案。
Spring Boot In Action4,465
9 months ago25Java
Spring Boot 系列实战合集
Awesome Spring Boot4,169
4 months ago12
Spring Boot Resources
Microservices Platform4,111
4 months ago10apache-2.0Java
3 months ago8gpl-3.0Java
基于Spring Boot 2.x的一站式前后端分离快速开发平台XBoot 微信小程序+Uniapp 前端:Vue+iView Admin 后端:Spring Boot 2.x/Spring Security/JWT/JPA+Mybatis-Plus/Redis/Elasticsearch/Activiti 分布式限流/同步锁/验证码/SnowFlake雪花算法ID 动态权限 数据权限 工作流 代码生成 定时任务 社交账号 短信登录 单点登录 OAuth2开放平台 客服机器人 数据大屏 暗黑模式
7 days ago3agpl-3.0Java
商城 JAVA电商商城 多语言商城 uniapp商城 微服务商城
a year ago50apache-2.0Java
Guns基于SpringBoot 2,致力于做更简洁的后台管理系统,完美整合springmvc + shiro + mybatis-plus + beetl!Guns项目代码简洁,注释丰富,上手容易,同时Guns包含许多基础模块(用户管理,角色管理,部门管理,字典管理等10个模块),可以直接作为一个后台管理系统的脚手架!
Alternatives To Spring Boot Jwt
Select To Compare

Alternative Project Comparisons

Spring Boot JWT


Please help this repo with a ⭐️ if you find it useful! 😊

File structure

 ├── src/main/java/
 │   └── murraco
 │       ├── configuration
 │       │   └── SwaggerConfig.java
 │       │
 │       ├── controller
 │       │   └── UserController.java
 │       │
 │       ├── dto
 │       │   ├── UserDataDTO.java
 │       │   └── UserResponseDTO.java
 │       │
 │       ├── exception
 │       │   ├── CustomException.java
 │       │   └── GlobalExceptionController.java
 │       │
 │       ├── model
 │       │   ├── AppUserRole.java
 │       │   └── AppUser.java
 │       │
 │       ├── repository
 │       │   └── UserRepository.java
 │       │
 │       ├── security
 │       │   ├── JwtTokenFilter.java
 │       │   ├── JwtTokenFilterConfigurer.java
 │       │   ├── JwtTokenProvider.java
 │       │   ├── MyUserDetails.java
 │       │   └── WebSecurityConfig.java
 │       │
 │       ├── service
 │       │   └── UserService.java
 │       │
 │       └── JwtAuthServiceApp.java
 ├── src/main/resources/
 │   └── application.yml
 ├── .gitignore
 ├── mvnw/mvnw.cmd
 ├── README.md
 └── pom.xml

Introduction (https://jwt.io)

Just to throw some background in, we have a wonderful introduction, courtesy of jwt.io! Let’s take a look:

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Let's explain some concepts of this definition further.

Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.

Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.

When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

What is the JSON Web Token structure?

JSON Web Tokens consist of three parts separated by dots (.), which are:

  1. Header
  2. Payload
  3. Signature

Therefore, a JWT typically looks like the following.


Let's break down the different parts.


The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.

For example:

  "alg": "HS256",
  "typ": "JWT"

Then, this JSON is Base64Url encoded to form the first part of the JWT.


The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: reserved, public, and private claims.

  • Reserved claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

Notice that the claim names are only three characters long as JWT is meant to be compact.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom claims created to share information between parties that agree on using them.

An example of payload could be:

  "sub": "1234567890",
  "name": "John Doe",
  "admin": true

The payload is then Base64Url encoded to form the second part of the JSON Web Token.


To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

  base64UrlEncode(header) + "." +

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. Putting all together

The output is three Base64 strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret. Encoded JWT

How do JSON Web Tokens work?

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can be also used), instead of the traditional approach of creating a session in the server and returning a cookie.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <token>

This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources. As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.

This allows you to fully rely on data APIs that are stateless and even make requests to downstream services. It doesn't matter which domains are serving your APIs, so Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.

The following diagram shows this process:

JWT Authentication Summary

Token based authentication schema's became immensely popular in recent times, as they provide important benefits when compared to sessions/cookies:

  • CORS
  • No need for CSRF protection
  • Better integration with mobile
  • Reduced load on authorization server
  • No need for distributed session store

Some trade-offs have to be made with this approach:

  • More vulnerable to XSS attacks
  • Access token can contain outdated authorization claims (e.g when some of the user privileges are revoked)
  • Access tokens can grow in size in case of increased number of claims
  • File download API can be tricky to implement
  • True statelessness and revocation are mutually exclusive

JWT Authentication flow is very simple

  1. User obtains Refresh and Access tokens by providing credentials to the Authorization server
  2. User sends Access token with each request to access protected API resource
  3. Access token is signed and contains user identity (e.g. user id) and authorization claims.

It's important to note that authorization claims will be included with the Access token. Why is this important? Well, let's say that authorization claims (e.g user privileges in the database) are changed during the life time of Access token. Those changes will not become effective until new Access token is issued. In most cases this is not big issue, because Access tokens are short-lived. Otherwise go with the opaque token pattern.

Implementation Details

Let's see how can we implement the JWT token based authentication using Java and Spring, while trying to reuse the Spring security default behavior where we can. The Spring Security framework comes with plug-in classes that already deal with authorization mechanisms such as: session cookies, HTTP Basic, and HTTP Digest. Nevertheless, it lacks from native support for JWT, and we need to get our hands dirty to make it work.


This demo is currently using an H2 database called test_db so you can run it quickly and out-of-the-box without much configuration. If you want to connect to a different database you have to specify the connection in the application.yml file inside the resource directory. Note that hibernate.hbm2ddl.auto=create-drop will drop and create a clean database each time we deploy (you may want to change it if you are using this in a real project). Here's the example from the project, see how easily you can swap comments on the url and dialect properties to use your own MySQL database:

    url: jdbc:h2:mem:test_db;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
    # url: jdbc:mysql://localhost:3306/user_db
    username: root
    password: root
    max-wait: 20000
    max-active: 50
    max-idle: 20
    min-idle: 15
      ddl-auto: create-drop
        dialect: org.hibernate.dialect.H2Dialect
        # dialect: org.hibernate.dialect.MySQL8Dialect
        format_sql: true
          new_generator_mappings: false

Core Code

  1. JwtTokenFilter
  2. JwtTokenFilterConfigurer
  3. JwtTokenProvider
  4. MyUserDetails
  5. WebSecurityConfig


The JwtTokenFilter filter is applied to each API (/**) with exception of the signin token endpoint (/users/signin) and singup endpoint (/users/signup).

This filter has the following responsibilities:

  1. Check for access token in Authorization header. If Access token is found in the header, delegate authentication to JwtTokenProvider otherwise throw authentication exception
  2. Invokes success or failure strategies based on the outcome of authentication process performed by JwtTokenProvider

Please ensure that chain.doFilter(request, response) is invoked upon successful authentication. You want processing of the request to advance to the next filter, because very last one filter FilterSecurityInterceptor#doFilter is responsible to actually invoke method in your controller that is handling requested API resource.

String token = jwtTokenProvider.resolveToken((HttpServletRequest) req);
if (token != null && jwtTokenProvider.validateToken(token)) {
  Authentication auth = jwtTokenProvider.getAuthentication(token);
filterChain.doFilter(req, res);


Adds the JwtTokenFilter to the DefaultSecurityFilterChain of spring boot security.

JwtTokenFilter customFilter = new JwtTokenFilter(jwtTokenProvider);
http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);


The JwtTokenProvider has the following responsibilities:

  1. Verify the access token's signature
  2. Extract identity and authorization claims from Access token and use them to create UserContext
  3. If Access token is malformed, expired or simply if token is not signed with the appropriate signing key Authentication exception will be thrown


Implements UserDetailsService in order to define our own custom loadUserbyUsername function. The UserDetailsService interface is used to retrieve user-related data. It has one method named loadUserByUsername which finds a user entity based on the username and can be overridden to customize the process of finding the user.

It is used by the DaoAuthenticationProvider to load details about the user during authentication.


The WebSecurityConfig class extends WebSecurityConfigurerAdapter to provide custom security configuration.

Following beans are configured and instantiated in this class:

  1. JwtTokenFilter
  2. PasswordEncoder

Also, inside WebSecurityConfig#configure(HttpSecurity http) method we'll configure patterns to define protected/unprotected API endpoints. Please note that we have disabled CSRF protection because we are not using Cookies.

// Disable CSRF (cross site request forgery)

// No session will be created or used by spring security

// Entry points
  // Disallow everything else..

// If a user try to access a resource without having enough permissions

// Apply JWT
http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));

// Optional, if you want to test the API from a browser
// http.httpBasic();

How to use this code?

  1. Make sure you have Java 8 and Maven installed

  2. Fork this repository and clone it

$ git clone https://github.com/<your-user>/spring-boot-jwt
  1. Navigate into the folder
$ cd spring-boot-jwt
  1. Install dependencies
$ mvn install
  1. Run the project
$ mvn spring-boot:run
  1. Navigate to http://localhost:8080/swagger-ui.html in your browser to check everything is working correctly. You can change the default port in the application.yml file
  port: 8080
  1. Make a GET request to /users/me to check you're not authenticated. You should receive a response with a 403 with an Access Denied message since you haven't set your valid JWT token yet
$ curl -X GET http://localhost:8080/users/me
  1. Make a POST request to /users/signin with the default admin user we programatically created to get a valid JWT token
$ curl -X POST 'http://localhost:8080/users/signin?username=admin&password=admin'
  1. Add the JWT token as a Header parameter and make the initial GET request to /users/me again
$ curl -X GET http://localhost:8080/users/me -H 'Authorization: Bearer <JWT_TOKEN>'
  1. And that's it, congrats! You should get a similar response to this one, meaning that you're now authenticated
  "id": 1,
  "username": "admin",
  "email": "[email protected]",
  "roles": [


  • Report issues
  • Open pull request with improvements
  • Spread the word
  • Reach out to me directly at [email protected]
Popular Jwt Projects
Popular Spring Boot Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Spring Boot
Jwt Authentication
Spring Security