5

I'm working on a Java Spring Security application and I want to implement stateless authentication with JSON Web Token (JWT).

In the case of AJAX requests, there is no problem and I can send the generated token inside the request header in this format:

Authorization: Bearer jwtHeader.jwtPayload.jwtSignature

The problem is sending GET requests by clicking <a> tags. Suppose I have a /my-orders URL that is responsible for getting a normal HTML page and I want to secure it for authenticated users only. When a user clicks on a link or pastes an API GET URL directly into the browser address bar, his request always fails, because there is no JWT in the GET request.

Is there any way to send a JWT with browser GET requests?

hamed

2 Answers

1

Using XMLHttpRequest you can add an HTTP header to a GET request, but you cannot add an HTTP header to an anchor tag GET request.

ntulsi
0

Add the JWT as a query parameter in every link of your tags.

e.g. My Orders

<a href="/my-orders?jwt=eyJhbGNiJ9.eyJzdWIiOiIwIsH0.KsKmQOZM-jcy4l_7NFsrWn">My Orders</a>

and in the backend, expect the JWT in the query parameter of the GET or POST request.

Nikhil
  • Thank you for your response. But in your solution, I need to open the URL and validate the JWT **manually** and this means I ignore Spring Security rules. – hamed May 16 '19 at 09:27
  • I don't think you need to do it manually. Try to look at the implementation of the BearerTokenExtractor class and its extractToken method. There you will see it is looking for a parameter with the name "access_token". – Nikhil May 22 '19 at 04:40
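
The lookup order described in the last comment, as an added example that is not part of the original thread and not Spring's own code: a plain-Java sketch (class and method names are hypothetical) that checks the Authorization header first and falls back to the "access_token" query parameter. It also masks that parameter before a URL is logged, because a token carried in a link ends up in access logs, browser history and Referer headers.

```java
import java.util.Map;

// Added sketch with hypothetical names; it mirrors the lookup order only and is not Spring's class.
public class TokenLookupSketch {
    static final String BEARER = "Bearer";
    static final String PARAM = "access_token"; // parameter name given in the comment above

    // Header first, then the query parameter; null when neither carries a token.
    // Simplification: the header map is looked up with the exact key "Authorization".
    static String extractToken(Map<String, String> headers, Map<String, String> params) {
        String auth = headers.get("Authorization");
        if (auth != null && auth.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
            String value = auth.substring(BEARER.length()).trim();
            if (!value.isEmpty()) {
                return value;
            }
        }
        String fromQuery = params.get(PARAM);
        return (fromQuery == null || fromQuery.isEmpty()) ? null : fromQuery;
    }

    // Mask the token value so the URL can be written to logs without the credential.
    static String redactForLog(String uri) {
        return uri.replaceAll("([?&]" + PARAM + "=)[^&#]*", "$1[REDACTED]");
    }

    public static void main(String[] args) {
        String jwt = "hdr.payload.sig"; // constructed sample value, not a real token

        // AJAX request: the token travels in the header.
        System.out.println(extractToken(Map.of("Authorization", "Bearer " + jwt), Map.of()));
        // Link click: no header, token in ?access_token=...
        System.out.println(extractToken(Map.of(), Map.of(PARAM, jwt)));
        // A parameter named "jwt", as in the link above, is not consulted by this lookup.
        System.out.println(extractToken(Map.of(), Map.of("jwt", jwt)));
        // The form of the link-click URL that should reach the access log.
        System.out.println(redactForLog("/my-orders?access_token=" + jwt + "&page=2"));
    }
}
```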