Integrating JWT with Spring Security – Part 1

Introduction

I’m a big fan of the Spring framework. It makes my life easier and makes coding fun. A very cool part of the Spring framework is Spring Security: an extensible and customizable access control and authentication framework for Spring based applications. Especially for web applications, it is essential to use a well maintained and mature security framework, since it is frequently audited by the community (or by its maintainers) for security flaws and is designed to prevent well-known attacks.

Spring Security provides easy-to-use mechanisms to restrict access to specific resources, built-in authentication providers that check credentials against different sources (an SQL database, LDAP, JAAS and so on), login and logout handlers and much more. If you are interested, have a look at the Spring Security reference documentation for more detail.

JWT, on the other hand, is a relatively new standard for compact, signed JSON tokens that carry claims between parties, which makes it a natural building block for a single sign-on (SSO) mechanism.

“JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.” – https://jwt.io/

I first came across JWT about a year ago and found it very cool, since it is simple to use, simple to understand and quite effective. Have a look at jwt.io to see what JWT is capable of.

Motivation

In our new projects we wanted to use a microservice architecture, or at least apply some of the microservice patterns. My wish was to use both the Spring framework and JWT to enable single sign-on across distributed microservices with a single authentication provider service. The Spring ecosystem already provides a wide variety of tools and libraries for microservice implementation and orchestration. Unfortunately, what I missed was a JWT integration in Spring Security: something that creates JWT tokens after a successful login and verifies JWT tokens attached to incoming requests, so that users are authenticated automatically.
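To make concrete what such an integration has to do on both ends, here is an added example that is not code from this page or from the author’s (Java/Spring) project: it mints an HS256 JWT after a successful login and verifies a token attached to a request, in Python using only the standard library. The secret, the claim names (`sub`, `roles`, `iat`, `exp`) and all function names are assumptions for illustration. It also builds two tokens a verifier must reject, a payload rewritten without re-signing and an `alg: none` token, to show why the verifier pins the algorithm, compares the MAC in constant time and checks `exp`.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption for illustration); a real service loads it from configuration.
SECRET = b"demo-hmac-key-do-not-use-in-production"


class InvalidToken(Exception):
    """Raised when a token must not be trusted."""


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(subject: str, roles, ttl_seconds: int = 900, now=None, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT after a successful login: b64url(header).b64url(claims).b64url(signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "roles": list(roles), "iat": now, "exp": now + ttl_seconds}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now=None, key: bytes = SECRET) -> dict:
    """Verify a token taken from a request and return its claims; raise InvalidToken otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("undecodable header")
    # Pin the algorithm on the verifier side: the token must never choose it.
    # This rejects "alg": "none" and HMAC/RSA confusion tokens before any signature work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("undecodable signature")
    # Constant-time comparison, so a forger cannot time their way to a valid MAC
    if not hmac.compare_digest(expected, presented):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("undecodable payload")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidToken("expired or missing exp")
    return claims


def is_valid(token: str, now=None, key: bytes = SECRET) -> bool:
    """Convenience wrapper for a request filter that only needs a yes/no answer."""
    try:
        verify_token(token, now=now, key=key)
        return True
    except InvalidToken:
        return False


def forge_roles(token: str, roles) -> str:
    """Attacker's attempt: rewrite the claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["roles"] = list(roles)
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def unsigned_token(claims: dict) -> str:
    """Attacker's attempt: an 'alg: none' token with an empty signature segment."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = issue_token("alice", ["USER"], now=issued_at)
    print(verify_token(token, now=issued_at + 10))
    print(is_valid(forge_roles(token, ["ADMIN"]), now=issued_at + 10))  # False
    print(is_valid(unsigned_token({"sub": "alice", "roles": ["ADMIN"], "exp": issued_at + 900}), now=issued_at + 10))  # False
```

In a Spring Security integration the `issue_token` side lives in the success handler of the login flow and the `verify_token` side in a filter that runs before the authorization checks; the three verifier rules shown here (algorithm fixed by the server, constant-time MAC comparison, mandatory expiry) are the ones that most often go missing when the token check is hand-rolled.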


So I decided to implement my own JWT integration for Spring Security and make it free and open source.

You can fork the code on GitHub. I’m open to any suggestion and also to contributions. Please don’t hesitate to contact me via this form or to open a ticket here.

In the second part of this article I will describe the initial steps of the development, what I’ve learned from my research about JWT and security, and some of the key design decisions I’ve made.

3 Comments

    • Selim Ok

      Actually, I saw this project during my first research, but it seemed too complicated to me. I think it’s part of the spring-oauth project and cannot be used without OAuth providers.

      I expected a JWT integration which is easy to configure and customize, like the HTTP basic authentication support of Spring, with login and logout handlers, a common authentication filter which checks JWT tokens and so on.

      In the second part of this article I will try to explain my expectations of a JWT integration.

      Thanks for your feedback.
