
I have this filter to read the token from the HTTP header and set the security context:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.ExpiredJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuthorizationFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(AuthorizationFilter.class);
    private static final String BEARER_PREFIX = "Bearer ";

    // TokenService is the application's own JWT helper (type name assumed from the calls below).
    private final TokenService tokenService;
    private final UserDetailsService userDetailsService;

    public AuthorizationFilter(TokenService tokenService, UserDetailsService userDetailsService) {
        this.tokenService = tokenService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        final String requestTokenHeader = request.getHeader("Authorization");
        String username = null;
        String jwtToken = null;

        // Only accept "Bearer <token>"; an unconditional substring(7) throws on shorter header values.
        if (requestTokenHeader != null && requestTokenHeader.startsWith(BEARER_PREFIX)) {
            jwtToken = requestTokenHeader.substring(BEARER_PREFIX.length());
            try {
                username = tokenService.getUsernameFromToken(jwtToken);
            } catch (IllegalArgumentException e) {
                log.error("Unable to get JWT Token");
            } catch (ExpiredJwtException e) {
                log.error("JWT Token has expired");
            }
        }

        // Populate the context once per request, and only if the token verifies against the loaded user.
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);

            boolean isTokenValid = tokenService.validateToken(jwtToken, userDetails);

            if (isTokenValid) {
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken
                        .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        chain.doFilter(request, response);
    }
}

Is there any default implementation that I can just configure and use in Spring Boot Security that reads the Authorization header, checks the token expiry date and then fills the needed info like user and roles into the SecurityContext based on the token claims? Since it seems like a very common functionality for user authorization, I thought maybe I didn't have to implement this part myself!

  • https://thomasandolf.medium.com/spring-security-jwts-getting-started-ebdb4e4f1dd1 – Toerktumlare Sep 07 '22 at 11:28
  • take a look at [official spring-boot spring-security sample](https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/jwt/login). idea is to use default filter, expose encoder and decoder as beans. token creation example is [here](https://github.com/spring-projects/spring-security-samples/blob/main/servlet/spring-boot/java/jwt/login/src/main/java/example/web/TokenController.java) – Andrei Titov Sep 07 '22 at 14:13
  • also think about storing roles (or scopes/permissions) in JWT itself as it's a self-contained security token. then when using Spring's JWT support you'll only need to provide a `JwtAuthenticationConverter` with a claim name where you store roles – Andrei Titov Sep 07 '22 at 14:19
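The approach the comments describe (built-in filter, decoder exposed as a bean, roles taken from a claim via `JwtAuthenticationConverter`), written out as an added example that is not from the question or the linked samples. It assumes Spring Boot 2.7 / Spring Security 5.7 with `spring-boot-starter-oauth2-resource-server` on the classpath, an HS256 secret of at least 32 bytes in the `jwt.secret` property, a `/auth/login` endpoint that issues tokens, and roles stored in a `roles` claim; all of these names are assumptions.

```java
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

// Added example (assumed property/claim/endpoint names): replaces the hand-written filter.
@Configuration
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/auth/login").permitAll()
                .anyRequest().authenticated())
            // BearerTokenAuthenticationFilter reads the Authorization header, answers 401 for
            // missing/invalid/expired tokens, and fills the SecurityContext from the claims.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder(@Value("${jwt.secret}") String secret) {
        // The Nimbus decoder verifies the HMAC signature and the exp/nbf claims on every request.
        SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        return NimbusJwtDecoder.withSecretKey(key).build();
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Map the "roles" claim to ROLE_* authorities so hasRole("ADMIN") style checks work.
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}
```

With this in place the token only needs to carry `sub` and a `roles` array; the `UserDetailsService` lookup on every request goes away because the claims are trusted once the signature and expiry have been verified.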

0 Answers