How to secure APIs using JWT in Spring Boot?

Hello experts, hope you are doing great. I'm making a simple RESTful Web Service using Spring Boot. CRUD APIs are already implemented, and I have to make the authentication and authorization part using Spring Security and JWT. I'd like to get a detailed implementation for this. Any documents or sample projects that use the latest version of Spring Security and JJWT will be a big help. All the best.
9 Replies
JavaBot
JavaBot3mo ago
This post has been reserved for your question.
Hey @PleaseBugMeNot | Engineer! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here. 💤 Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived. If your question was not answered yet, feel free to re-open this post or create a new one. In case your post is not getting any attention, you can try to use /help ping. Warning: abusing this will result in moderative actions taken against you.
galdino
galdino2mo ago
GitHub
GitHub - Rapter1990/rolepermissionexample: Spring Boot with Spring ...
Spring Boot with Spring Security (Role Permission) (Spring Boot, Java 21, Spring Security, Docker, Maven, JUnit Test, Integration Test, Test Container, MySql, Github Actions, Spring Open Api) - Rap...
Toerktumlare
Toerktumlare2mo ago
"and I have to make authentication and authorization part using Spring Security and JWT." This is a very general description. I'm going to first explain to you the bad way of doing things. This is the way most people that have never written security do it. They google spring boot and jwt, find some tutorial that builds a custom JWTFilter and then copy the code in the tutorial. This is not the way to write security, and when someone does this you can immediately tell that they have no idea how security works. Now I'm going to explain to you why this is bad. Spring security is a security framework. It contains pre-implemented authentication and authorization mechanisms that are based on RFCs. Basically standards. Some of the standards that spring security implements are:
- BASIC
- FORM Login
- SAML
- Certificate x509
- Oauth2

Do you see that I'm not mentioning JWT? Well that's because JWT is not an authentication standard. A JWT is a token format. It's just something that you can present to a server, like the driver's license in your pocket. The project posted above is such a project, it's implementing some home-made JWTFilter that he has taken from some tutorial on the internet. That filter he has written is not anywhere to be found in spring security. In fact spring security themselves explicitly speak against it. What he has implemented is called a password grant type, which basically means you send username and password to the server and the server responds with a token. This is bad for several reasons.
- if I steal the password I can just send it and get as many tokens as I like
- if I do phishing on the user, so I lure the user to enter their username and password and I pass it to the server, I will get the token
- there is no way to invalidate created tokens unless you invalidate all tokens handed out to all users
- you can easily DDoS the application by just flooding it with bogus tokens
- the user themselves can't log out their account or all devices
- if the user wants to for instance change their password, tokens will not be invalidated, so if a token is stolen, when you change the password nothing will happen, they are still logged in
- no way of storing tokens properly in the browser, local storage can be read by any open tab in your browser

That is why Oauth2 themselves strictly prohibit this type of authentication and it is to be removed in the next Oauth2 specification update https://oauth.net/2/grant-types/password/

If you honestly want to build security, and learn it the correct way, I would suggest the following.
- Read the spring security docs
- Implement BASIC authentication
- Then try implementing FormLogin
- Try out Spring Security Oauth2Login and implement login against github or google
- Set up your own auth server, like spring authorization server, or Keycloak
- Implement Authorization Code Flow with PKCE using the BFF pattern (Backend for frontend) using the Oauth2 tools in spring
- Implement a resource server that accepts JWTs

And for the love of god, don't use the github project that was posted previously, as that app is incredibly insecure.
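As an added example (not code from the thread or from the linked GitHub project), the last step in the list above, a resource server that accepts JWTs, looks like this in Spring Boot 3 / Spring Security 6 using only the framework's built-in bearer-token support. It assumes the `spring-boot-starter-oauth2-resource-server` dependency, an external authorization server (Keycloak or Spring Authorization Server) reachable at a placeholder issuer URI configured in `application.properties`, and a hypothetical audience value `orders-api` that the issuer puts in the token's `aud` claim. Package, class and path names are illustrative.

```java
// Added example, not from the thread: a Spring Security 6 resource server.
// Assumes application.properties contains (placeholder issuer):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.test/realms/demo
package com.example.api.security;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    // Hypothetical audience this API expects to find in the token's "aud" claim.
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // No HTTP session: each request is authenticated solely by its bearer token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection targets cookie-based sessions; a stateless bearer-token API
            // that never issues a session cookie does not need it.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/orders/**").hasAuthority("SCOPE_orders.read")
                .requestMatchers("/api/orders/**").hasAuthority("SCOPE_orders.write")
                .anyRequest().authenticated())
            // Spring's own BearerTokenAuthenticationFilter extracts and validates the JWT;
            // no hand-written JWTFilter is involved.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Public keys come from the issuer's JWK Set (found via OIDC discovery), so this
        // API holds no signing secret and key rotation at the issuer needs no redeploy.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuerUri).build();

        // Defaults: exp/nbf timestamps (with clock skew) plus an "iss" match.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuerUri);
        // Extra check: the token must have been minted for this API, not for another client.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            "aud", aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Map the space-separated "scope" claim to SCOPE_* authorities. This is Spring's
        // default mapping, made explicit so it sits next to the rules that rely on it.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthorityPrefix("SCOPE_");
        scopes.setAuthoritiesClaimName("scope");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        return converter;
    }
}
```

The API never sees a password and never mints tokens: the user authenticates at the authorization server (Authorization Code Flow with PKCE, the step before this one in the list), and the API only verifies signature, issuer, audience and expiry on whatever token it is handed. A token rejected by any of these validators yields a `401` with a `WWW-Authenticate: Bearer` header from Spring's built-in entry point, and an authenticated caller without the required scope gets a `403`.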
galdino
galdino2mo ago
Come on, bro... We should start from somewhere, right? You are over-engineering the "learning of things". They said "I'm making simple RESTful Web Service"... Simple, right? Everything you said seems like they are going to implement Google's service login. They could learn some concepts in the above project. After that, they could improve their security layer. Baby steps, dude... Baby steps.
Toerktumlare
Toerktumlare2mo ago
I listed the steps you should follow to learn security incrementally, and also to be able to identify what bad security is. It's worse if you implement bad security thinking it's "good security". I prefer people learning correctly from the start, rather than blindly just googling something. See this as a learning experience, and follow the steps I wrote above.
galdino
galdino2mo ago
I disagree, bro... The loooooong steps you wrote seem like a "specification document of something". So boring for those making "simple RESTful web services".
Toerktumlare
Toerktumlare2mo ago
Well, I'm not really here to discuss facts that the security community has already agreed upon. If you personally choose to build unsafe applications, that is your choice. But please do not teach those practices to others. I provide assistance and help to people that ask, and I'm answering this person's question. Have a nice day.