
I am working on a CRUD API project using the Spring Security framework and I want to implement authorization checks using JWT tokens.

Let's say I have 3 endpoints:

  1. An authentication controller where a user can sign up, or sign in if they already have an account
  2. A dummy GET that returns a string, to make sure authorization works
  3. One where I can update information about the current user

My user entity looks like this:

import jakarta.persistence.Entity;          // javax.persistence.* on Spring Boot 2.x
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;

@Entity
public class UserEntity {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String username;
    private String password;        // store only a hash (e.g. BCrypt), never the raw password
    private String favoriteAnimal;  // the field the /update endpoint changes
}

In my 3rd endpoint I would like to update the favorite animal of my user.

@PostMapping("/update")
public ResponseEntity<String> updatePet(@RequestBody UserDTO user) {
    // Delegate to the injected service; the method has to be invoked with the DTO,
    // not merely referenced.
    return new ResponseEntity<>(userService.updateUserInfo(user), HttpStatus.OK);
}

What would be the correct way to make sure that the user calling this endpoint is the one identified by the JWT token?

I have my AuthorizationFilter extending OncePerRequestFilter and implementing doFilterInternal():

@Override
protected void doFilterInternal(HttpServletRequest request,
                                HttpServletResponse response,
                                FilterChain filterChain) throws ServletException, IOException {
    // Extract the bearer token from the Authorization header
    String token = getJWTFromRequest(request);
    // Only a syntactically present and cryptographically valid token authenticates the request
    if (StringUtils.hasText(token) && tokenGenerator.validateToken(token)) {
        String username = tokenGenerator.getUsernameFromJWT(token);

        // Load the current user record so authorities reflect the database, not just the token
        UserDetails userDetails = customUserDetailsService.loadUserByUsername(username);
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
        authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
        // Downstream code (controllers, services) reads the caller from this context
        SecurityContextHolder.getContext().setAuthentication(authenticationToken);
    }
    // Requests without a valid token continue unauthenticated; the security config decides access
    filterChain.doFilter(request, response);
}

Am I right that when I call the endpoint the request will go through this filter? Is this filter correct?

Now, in my service, if I want to fetch the user by id, how can I get the id?

Do I have to create a token with an ID claim? The token is generated and given to the user when they first log in.

I am sorry if this is a bit confusing, but I have not been able to find information online.

I use the jjwt library for tokens.

  • https://github.com/Tandolf/spring-security-jwt-demo Don't write custom code for handling JWTs; use the built-in features of Spring Security. – Toerktumlare Feb 17 '23 at 19:09
  • I tried to follow your implementation but calling the /token endpoint returns a null token. – Leo El Feb 18 '23 at 08:19
  • You obviously have done something wrong, but since you have posted nothing of your code or implementation I don't understand what you think I should do about it? Guess? – Toerktumlare Feb 18 '23 at 11:16
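The question asks how the service can know which user is calling once the filter above has run. The answer is to read the caller from the SecurityContext the filter populated and look the row up by that username, never from an id sent in the request body. The following is an added example and not the asker's or any linked project's code; UserRepository, the getter/setter names on UserEntity, and the updateFavoriteAnimal method are assumptions.

```java
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical Spring Data repository; UserEntity is the asker's class and is
// assumed to expose getId() and setFavoriteAnimal(String).
interface UserRepository extends JpaRepository<UserEntity, Long> {
    Optional<UserEntity> findByUsername(String username);
}

@Service
class UserService {
    private final UserRepository users;
    UserService(UserRepository users) { this.users = users; }

    // The caller's identity comes from the SecurityContext the JWT filter filled in;
    // getName() is the username the filter resolved from the validated token.
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            throw new AccessDeniedException("no authenticated user");
        }
        return auth.getName();
    }

    // The row (and therefore its id) is looked up by the authenticated username, so
    // the token needs no id claim and the request body is never trusted to say who
    // the user is. Returns the id so the controller can use it if it needs to.
    @Transactional
    public Long updateFavoriteAnimal(String favoriteAnimal) {
        UserEntity user = users.findByUsername(currentUsername())
                .orElseThrow(() -> new UsernameNotFoundException("unknown user"));
        user.setFavoriteAnimal(favoriteAnimal);
        return user.getId();
    }
}
```

The /update controller then passes only the new value (for example `body.getFavoriteAnimal()`) to this method, and the security configuration must require authentication for that path so that unauthenticated requests are rejected before reaching it.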

1 Answer

There is a good tutorial regarding this topic:

Spring Boot JWT - How to Secure your REST APIs with Spring Security and Json Web Tokens

I also suggest checking the updates regarding WebSecurityConfigurerAdapter at the following link.
