JSON WEB TOKENS
+
SPRING SECURITY
Why should we use JWT and how
Bruno H. Rother
What is JSON Web Token?
- JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact
  and self-contained way for transmitting claims between parties as a JSON
  object.
- The information can be verified and trusted because it is digitally signed
  (or MACed). A signature gives integrity and authenticity, not confidentiality:
  the header and payload are only Base64Url encoded, and anyone holding the
  token can read them.
- JWTs can be signed using a shared secret (with the HMAC algorithm) or a
  public/private key pair (RSA or ECDSA).
What is JSON Web Token?
- Compact: because of their small size, JWTs can be sent through a URL, a POST
  parameter, or inside an HTTP header, and transmission is fast. Prefer the
  header: a bearer token placed in a URL ends up in server logs and Referer
  headers.
  Ex:
  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
- Self-contained: the payload carries all the required information about the
  user, so the server does not need to query the database on every request.
  The flip side is that a token stays valid until it expires, so keep exp short
  if you need to revoke access quickly.
When should you use JSON Web Tokens?
- Authentication: this is the most common scenario for using JWT. Once the user
  is logged in, each subsequent request includes the JWT, allowing the user to
  access the routes, services and resources permitted by that token. Single
  Sign On widely uses JWT nowadays because of its small overhead and because it
  is easily used across different domains.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting
  information between parties. Because JWTs can be signed, for example with a
  public/private key pair, the receiver can verify that the sender is who it
  claims to be. With a shared HMAC secret this only holds if every holder of the
  secret is trusted, since any of them can produce a valid token.
What is the JSON Web Token structure?
- JSON Web Tokens consist of three parts separated by dots (.):
  - Header
  - Payload
  - Signature
  Therefore, a JWT typically looks like the following:
  xxxxx.yyyyy.zzzzz
Header
The header typically consists of two parts: the type of the token, which is JWT,
and the signing algorithm being used, such as HMAC SHA256 (HS256) or RSA
(RS256).
- For example, decoding the first segment of the token shown earlier gives:
  {"alg":"HS256","typ":"JWT"}
- This JSON is Base64Url encoded to form the first part of the JWT.
Payload
The second part of the token is the payload, which contains the claims.
Claims are statements about an entity (typically, the user) and additional
metadata. There are three types of claims:
- registered (older documentation calls them "reserved")
- public
- private
- Registered claims
  These are a set of predefined claims which are not mandatory but recommended,
  to provide a set of useful, interoperable claims. Some of them are: iss
  (issuer), exp (expiration time), sub (subject), aud (audience), and others.
  Notice that the claim names are only three characters long as JWT is meant to
  be compact. A verifier should check exp (and nbf when present) and that aud
  names itself; otherwise a token minted for one service can be replayed
  against another.
- Public claims
  These can be defined at will by those using JWTs. But to avoid collisions they
  should be defined in the IANA JSON Web Token Registry or be defined as a URI
  that contains a collision-resistant namespace.
- Private claims
  These are the custom claims created to share information between parties that
  agree on using them.
- Example
  Decoding the second segment of the token shown earlier gives:
  {"sub":"1234567890","name":"John Doe","admin":true}
  The payload is then Base64Url encoded to form the second part of the JSON Web
  Token. Encoding is not encryption: never put passwords or other secrets in
  the payload of a signed-only JWT.
Signature
To create the signature part you take the encoded header, the encoded payload,
a secret (or private key) and the algorithm specified in the header, and sign
that.
- The signature is used to verify that the sender of the JWT is who it says it
  is and to ensure that the message wasn't changed along the way.
- For example, if you want to use the HMAC SHA256 algorithm, the signature is
  created in the following way:
  HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- The verifier must pin the algorithm and key it expects in its own
  configuration. Trusting the alg field of an incoming token lets an attacker
  pick "none" or swap RS256 for HS256 with the public key as the secret.
Putting all together
The output is three Base64Url strings separated by dots that can be easily
passed in HTML and HTTP environments, while being more compact than XML-based
standards such as SAML.
The example token shown earlier is exactly this: the header and payload above,
encoded and signed with a secret using HS256.
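As an added example (not code from the slides or from the demo repository), the following plain-JDK class builds the HS256 signature exactly as described above, verifies it with a pinned algorithm and a constant-time comparison, rejects a tampered payload, and decodes the sample token from the earlier slide. The key, the claims and the tampered payload are constructed for the example; the sample token is only decoded, not verified, because its secret is not on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256Jwt {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // signature = HMACSHA256(base64url(header) + "." + base64url(payload), key)
    static String sign(String payloadJson, byte[] key) throws Exception {
        String signingInput = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + b64(payloadJson);
        return signingInput + "." + B64.encodeToString(hmacSha256(key, signingInput));
    }

    // Returns the payload JSON, or throws if the token is not a valid, unexpired HS256 token for this key.
    static String verify(String token, byte[] key, long nowSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // The algorithm is fixed by the verifier, never chosen by the token: an incoming
        // "alg":"none" or "alg":"RS256" header is rejected before any crypto runs.
        if (!header.replace(" ", "").contains("\"alg\":\"HS256\"")) throw new SecurityException("unexpected alg");
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        byte[] actual = B64D.decode(parts[2]);
        // Constant-time comparison, so a forger learns nothing from response timing.
        if (!MessageDigest.isEqual(expected, actual)) throw new SecurityException("bad signature");
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload); // a real implementation parses the JSON properly
        if (m.find() && Long.parseLong(m.group(1)) <= nowSeconds) throw new SecurityException("token expired");
        return payload;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key: HS256 needs at least 256 bits of real randomness (RFC 7518, section 3.2).
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        long now = System.currentTimeMillis() / 1000;

        String token = sign("{\"sub\":\"alice\",\"admin\":false,\"exp\":" + (now + 600) + "}", key);
        System.out.println("token:   " + token);
        System.out.println("payload: " + verify(token, key, now));

        // Tampering: swap the payload segment for admin:true but keep the original signature.
        String[] parts = token.split("\\.");
        String forged = parts[0] + "." + b64("{\"sub\":\"alice\",\"admin\":true,\"exp\":" + (now + 600) + "}")
                + "." + parts[2];
        try {
            verify(forged, key, now);
        } catch (SecurityException e) {
            System.out.println("forged:  rejected (" + e.getMessage() + ")");
        }

        // The sample token from the slides: header and payload are plain Base64Url, readable by anyone.
        String sample = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
                + "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
        String[] sampleParts = sample.split("\\.");
        System.out.println("sample header:  " + new String(B64D.decode(sampleParts[0]), StandardCharsets.UTF_8));
        System.out.println("sample payload: " + new String(B64D.decode(sampleParts[1]), StandardCharsets.UTF_8));
    }
}
```

Compile and run with `javac Hs256Jwt.java && java Hs256Jwt`. The design point is in verify(): it decides the algorithm and the key itself and only then looks at the token, so the header can neither downgrade the check nor choose which key is used.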
How to test and see my JWT?
- jwt.io
  It is a web page where you can learn more about JWT and debug a token. You
  can also verify the signature, and download libraries for different
  languages: Java, JS, Node.js, Python, .NET, etc. Treat a real token as the
  credential it is and paste only test tokens into such tools.
How do JSON Web Tokens work?
- In authentication, when the user successfully logs in using their
  credentials, a JSON Web Token is returned and must be stored on the client
  (typically in local storage, but cookies can also be used). Local storage is
  readable by any script running on the page, so an XSS bug leaks the token; an
  HttpOnly cookie is not, but a cookie is sent automatically and the request
  then needs CSRF protection again.
- Whenever the user wants to access a protected route or resource, the user
  agent should send the JWT, typically in the Authorization header using the
  Bearer scheme. The header looks like the following:
  Authorization: Bearer <token>
- This is a stateless authentication mechanism as the user state is never saved
  in server memory. The server's protected routes check for a valid JWT in the
  Authorization header, and if it is present and verifies, the user is allowed
  to access protected resources. As JWTs are self-contained, all the necessary
  information is there, reducing the need to query the database multiple times.
- This allows you to rely on data APIs that are stateless and even make
  requests to downstream services. It doesn't matter which domains serve your
  APIs: because no cookie is involved, there is no ambient credential for CSRF
  to abuse. The browser still applies Cross-Origin Resource Sharing (CORS) to a
  cross-origin call carrying an Authorization header, so the API must answer
  the preflight request.
JWT Signature and Encryption
- A JWT is usually complemented with a signature or encryption. These are
  handled in their own specs as JSON Web Signature (JWS) and JSON Web
  Encryption (JWE).
- A signature allows a JWT to be validated against modifications. Encryption,
  on the other hand, makes sure the content of the JWT is only readable by
  certain parties.
Common JWT Signing Algorithms
- Most JWTs in the wild are just signed. The most common algorithms are:
  - HMAC + SHA256 (HS256)
  - RSASSA-PKCS1-v1_5 + SHA256 (RS256)
  - ECDSA + P-256 + SHA256 (ES256)
  The spec defines many more algorithms for signing. You can find them all in
  RFC 7518 (JSON Web Algorithms). It also defines "none", meaning unsigned,
  which a verifier must refuse.
HMAC algorithms
This is probably the most common algorithm for signed JWTs.
- Hash-Based Message Authentication Codes (HMACs) are a family of algorithms
  that authenticate messages by means of a shared key. In the case of HMACs, a
  cryptographic hash function is used (for instance SHA256). Strictly speaking
  an HMAC is a MAC, not a signature: the same key both creates and checks it.
- The strength (i.e. how hard it is to forge an HMAC) depends on the hash
  function and on the key. RFC 7518 requires an HS256 key of at least 256 bits;
  a short, guessable secret can be recovered offline from a single captured
  token.
- The main objective in the design of the algorithm was to allow the
  combination of a key with a message while providing strong guarantees against
  tampering.
- HMACs are used with JWTs when you want a simple way for all parties to create
  and validate JWTs. Any party knowing the key can create new JWTs. In other
  words, with shared keys it is possible for one party to impersonate another:
  HMAC JWTs do not provide guarantees with regard to the creator of the JWT.
  Anyone knowing the key can create one.
- For certain use cases this is too permissive. This is where asymmetric
  algorithms come into play.
RSA and ECDSA algorithms
- RSA is an asymmetric algorithm usable for both encryption and digital
  signatures; ECDSA is a digital signature algorithm only. For JWTs, both are
  used for signing.
- What asymmetric algorithms bring to the table is the possibility of
  verifying a signature (or decrypting a message) without being able to create
  a new one.
- This is key for certain use cases.
- Example: picture a big company where data generated by the sales team needs
  to be verified by the accounting team.
- If an HMAC were used to sign the data, both the sales team and the accounting
  team would need to know the same key.
- This would allow the sales team to sign data and make it pass as if it were
  from the accounting team.
- Although this might seem unlikely, especially in the context of a
  corporation, there are times when the ability to verify the creator of a
  signature is essential. In the JWT world the typical case is a token issuer
  whose public key is published (for example as a JWK set) to many resource
  servers, none of which can mint tokens.
- The main difference between RSA and ECDSA lies in speed and key size.
- ECDSA requires smaller keys to achieve the same level of security as RSA.
  This makes it a great choice for small JWTs, since key and signature
  generation are faster and the signature itself is shorter.
- RSA, however, is usually faster than ECDSA for signature verification.
- As usual, pick the one that best aligns with your requirements.
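An added example, not code from the slides, of the sales/accounting scenario above in plain-JDK Java with RS256: the accounting team signs with its private key, anyone with the public key can verify, and a token signed by the sales team's key is rejected even though sales can verify accounting's tokens. The key pairs, claims and team names are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class Rs256Jwt {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Only the holder of the private key can produce this.
    static String sign(String payloadJson, PrivateKey privateKey) throws Exception {
        String signingInput = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA"); // RSASSA-PKCS1-v1_5 with SHA-256
        sig.initSign(privateKey);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    // Any party holding the public key can check a token but cannot mint one.
    static boolean verify(String token, PublicKey publicKey) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: a token whose header says HS256 must never be checked with
        // the public key bytes as an HMAC secret (the classic key-confusion attack).
        if (!header.replace(" ", "").contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair accounting = gen.generateKeyPair(); // accounting team's key pair (constructed)
        KeyPair sales = gen.generateKeyPair();      // sales team's key pair (constructed)

        String token = sign("{\"iss\":\"accounting\",\"invoice\":42}", accounting.getPrivate());
        System.out.println("accounting token verifies with accounting public key: "
                + verify(token, accounting.getPublic()));

        // Sales can verify accounting's tokens but, unlike with a shared HMAC key,
        // cannot produce one that passes as accounting's.
        String forged = sign("{\"iss\":\"accounting\",\"invoice\":43}", sales.getPrivate());
        System.out.println("sales-signed token accepted as accounting's: "
                + verify(forged, accounting.getPublic()));
    }
}
```

Compile and run with `javac Rs256Jwt.java && java Rs256Jwt`; the first line prints true and the second false. Note that for ES256 the JDK's `SHA256withECDSA` emits a DER-encoded signature, whereas JWS expects the raw R||S concatenation, so an ECDSA version needs a conversion step that RS256 does not.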
Conclusion
JWTs are a convenient way of representing authentication and authorization
claims for your application.
- They are easy to parse, human readable and compact. But the killer features
  are in the JWS and JWE specs.
- With JWS and JWE all claims can be conveniently signed and encrypted, while
  remaining compact enough to be part of every API call.
- Solutions such as session-ids and server-side tokens seem old and cumbersome
  when compared to the power of JWTs.
Spring Security
What is Spring Security?
- Spring Security is a framework that focuses on providing both authentication
  and authorization to Java applications.
- Like all Spring projects, the real power of Spring Security is found in how
  easily it can be extended to meet custom requirements.
- Features:
  - Comprehensive and extensible support for both authentication and
    authorization
  - Protection against attacks like session fixation, clickjacking, cross-site
    request forgery, etc.
  - Servlet API integration
  - Optional integration with Spring Web MVC
  - Much more...
Fundamentals
- Principal: the user (or system) that performs the action
- Authentication: confirming the truth of the credentials
- Authorization: defining the access policy for a principal
- GrantedAuthority: an application-wide permission granted to a principal
- SecurityContext: holds the Authentication and other security information
- SecurityContextHolder: provides access to the SecurityContext
SecurityContextHolder
- Provides access to the SecurityContext
- Strategies
  - MODE_THREADLOCAL (the default): the context is only read/written in the
    same thread
  - MODE_INHERITABLETHREADLOCAL: child threads inherit the context
  - MODE_GLOBAL: one context shared by the whole JVM, only sensible for a
    standalone application
Use Case
Basic filters
Authentication
- Variants
  - Credential-based
  - Two-factor or 2FA
  - Hardware
- Mechanisms
  - Basic
  - Form
- Storage
  - RDBMS (relational database management system)
  - LDAP
  - Custom storage
Core Authentication service
- AuthenticationManager: handles authentication requests
- AuthenticationProvider: performs authentication
- UserDetailsService: responsible for returning a UserDetails object
- UserDetails: provides the core user information
How to configure Spring Security?
- The first step is to secure some routes of our application.
- For this demo we will expose the routes:
  - / and /login -> to everyone
  - /users -> to people who can provide a valid JWT token.
- Once we have updated the pom.xml file and imported the new dependencies, we
  are ready to start securing our routes. (Ex: Maven configuration)
- First of all, we want to avoid exposing /users to everyone, so we will create
  a configuration that restricts its access.
- We will accomplish this by adding a new class called WebSecurityConfig that
  extends the WebSecurityConfigurerAdapter class from Spring Security.
  (WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 in
  favour of a SecurityFilterChain bean, but the configuration it holds is the
  same.)
- Here, we are specifying that / and /login are permitAll().
- All other requests are authenticated and:
  - the JWT filter is registered before the username/password login filter
  - any other endpoint checks the presence (and validity) of the JWT token
- We also configure from WHERE we are getting the users, where there are 2
  options:
  - inMemoryAuthentication(): username and password pre-defined (good for
    tests).
  - userDetailsService(): you can declare a Service class to
    authenticate/authorize. It needs to implement the UserDetailsService
    interface.
Custom UserService
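An added example of the configuration described on these slides, written for Spring Security 5.x (the WebSecurityConfigurerAdapter era the deck uses); it is not the code from the demo repository. The JWT filter and the REST entry point are assumed to exist as beans elsewhere in the application, the user "alice" with password "change-me" is constructed sample data, and the in-memory map in CustomUserService stands in for the RDBMS or LDAP lookup.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed application beans: a OncePerRequestFilter that validates "Authorization: Bearer <jwt>"
    // and an AuthenticationEntryPoint that answers 401 without redirecting.
    private final OncePerRequestFilter jwtFilter;
    private final AuthenticationEntryPoint restEntryPoint;
    private final UserDetailsService userService;
    private final PasswordEncoder passwordEncoder;

    public WebSecurityConfig(OncePerRequestFilter jwtFilter, AuthenticationEntryPoint restEntryPoint,
                             UserDetailsService userService, PasswordEncoder passwordEncoder) {
        this.jwtFilter = jwtFilter;
        this.restEntryPoint = restEntryPoint;
        this.userService = userService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The token travels in the Authorization header, never in a cookie, so the browser
            // cannot attach it on its own and CSRF protection adds nothing for this API.
            .csrf().disable()
            // Stateless: no HttpSession is created, all state lives in the JWT.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Unauthenticated access gets a 401 instead of a redirect to a login page.
            .exceptionHandling().authenticationEntryPoint(restEntryPoint)
            .and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/users").authenticated()
                .anyRequest().authenticated()
            .and()
            // Check the bearer token before the username/password filter would run.
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Option 1, fixed users for tests:
        //   auth.inMemoryAuthentication().withUser("alice")
        //       .password(passwordEncoder.encode("change-me")).roles("USER");
        // Option 2, our own store behind the UserDetailsService interface:
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
    }

    // Exposed so a /login handler can check username/password before issuing a JWT.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

// Separate configuration so CustomUserService can inject the encoder without a bean cycle.
@Configuration
class PasswordEncoderConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

@Service
class CustomUserService implements UserDetailsService {
    private final Map<String, String> passwordHashes; // constructed sample data, not a real table

    CustomUserService(PasswordEncoder encoder) {
        this.passwordHashes = Map.of("alice", encoder.encode("change-me"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String hash = passwordHashes.get(username);
        if (hash == null) throw new UsernameNotFoundException("bad credentials"); // same message for unknown user
        return User.withUsername(username).password(hash).roles("USER").build();
    }
}
```

Two choices worth noting: the session policy is STATELESS so a stolen JSESSIONID cannot become a second credential, and the hash is always stored encoded, so the password never reaches the DaoAuthenticationProvider in clear text.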
What about securing REST applications?
- The previous examples were for web applications, where you redirect pages,
  log in using a page, etc. In REST, we don't have:
  - a login page
  - a page to redirect to after login
  - a page to redirect to on failure or unauthorized access
- Solution:
  - Override AuthenticationFailureHandler to return 401
  - Override AuthenticationSuccessHandler to return the JSON object / token
  - Override AuthenticationEntryPoint to always return 401
  - Override LogoutSuccessHandler to return 200
Overriding the AuthenticationEntryPoint
- The class implements org.springframework.security.web.AuthenticationEntryPoint,
  which has only one method (commence); it sends an error response with 401
  status code in case of an unauthorized attempt.
Overriding the AuthenticationSuccessHandler
- The AuthenticationSuccessHandler is responsible for what to do after a
  successful authentication. By default it redirects to a URL, but in our case
  we want it to send an HTTP response with data.
Overriding the AuthenticationFailureHandler
- The AuthenticationFailureHandler is responsible for what to do after a failed
  authentication. By default it redirects to the login page URL, but in our case
  we just want it to send an HTTP response with the 401 UNAUTHORIZED code.
Spring Security + JWT
What do we need?
- Filter to intercept the calls, read the token and authenticate.
- Authentication Provider responsible for returning the user.
- Handlers for
  - AuthenticationFailure
  - AuthenticationSuccess
  - EntryPoint
DEMO
https://github.com/BHRother/spring-boot-security-jwt
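An added example, not the demo repository's code, of the pieces listed above for Spring Security 5.x with javax.servlet: the bearer-token filter, the 401 entry point and the two login handlers. TokenVerifier and TokenIssuer are assumed application interfaces (the JWT library of your choice goes behind them), and all classes are shown package-private in one file for brevity.

```java
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed application interfaces, not Spring Security API: whatever JWT library you use sits behind them.
interface TokenVerifier { Optional<String> subjectOf(String token); } // empty if invalid, expired or wrong alg
interface TokenIssuer { String issue(String subject); }

// 1. The filter: reads "Authorization: Bearer <jwt>" and, if it verifies, authenticates the request.
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private static final String PREFIX = "Bearer ";
    private final TokenVerifier verifier;

    JwtAuthenticationFilter(TokenVerifier verifier) { this.verifier = verifier; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith(PREFIX)) {
            Optional<String> subject = verifier.subjectOf(header.substring(PREFIX.length()).trim());
            if (subject.isPresent()) {
                // The three-argument constructor marks the Authentication as authenticated.
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        subject.get(), null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // A bad token leaves the context empty: the entry point then answers 401 for
            // protected routes, while permitAll() routes keep working.
        }
        chain.doFilter(req, res);
    }
}

// 2. Entry point: no login page to redirect to, just 401 plus the challenge header.
class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex)
            throws IOException {
        res.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}

// 3. Success handler for /login: respond with the token as JSON instead of redirecting.
class JwtAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    private final TokenIssuer issuer;

    JwtAuthenticationSuccessHandler(TokenIssuer issuer) { this.issuer = issuer; }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws IOException {
        String token = issuer.issue(auth.getName());
        res.setStatus(HttpServletResponse.SC_OK);
        res.setContentType(MediaType.APPLICATION_JSON_VALUE);
        // Safe to splice in: a compact JWS uses only [A-Za-z0-9_.-], no quotes or backslashes.
        res.getWriter().write("{\"token\":\"" + token + "\"}");
        res.getWriter().flush();
    }
}

// 4. Failure handler: 401 with no hint about which part of the credentials was wrong.
class RestAuthenticationFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse res,
                                        AuthenticationException ex) throws IOException {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
    }
}
```

Wire them in the HttpSecurity configuration with `addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class)`, `exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint())` and `formLogin().loginProcessingUrl("/login").successHandler(...).failureHandler(...)`; for the logout-returns-200 item on the previous slide, Spring Security already ships `HttpStatusReturningLogoutSuccessHandler`, which answers 200 by default.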
How JWT can help?
- Some challenges:
  - Using an asymmetric signature.
  - Managing the keys (generation, storage, rotation).
  - If the token contains personal information, encrypt it before generating
    the token (or use JWE): the payload of a signed-only JWT is readable by
    anyone who holds it.
About Me
Thank You !

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

Introduction to JWT and How to integrate with Spring Security

  • 1. JSON WEB TOKENS + SPRING SECURITY: Why should we use JWT and how. Bruno H. Rother
  • 2. What is JSON Web Token?
  • 3. What is JSON Web Token?
    - JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
    - This information can be verified and trusted because it is digitally signed.
    - JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
  • 4. What is JSON Web Token?
    - Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast. Ex: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    - Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
  • 5. When should you use JSON Web Tokens?
    - Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
    - Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are.
  • 6. What is the JSON Web Token structure?
    - JSON Web Tokens consist of three parts separated by dots (.), which are: Header, Payload, Signature.
    - Therefore, a JWT typically looks like the following: xxxxx.yyyyy.zzzzz
  • 7. What is the JSON Web Token structure? Header
    - The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
    - For example:
    - Then, this JSON is Base64Url encoded to form the first part of the JWT.
  • 8. What is the JSON Web Token structure? Payload
    - The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata.
    - There are three types of claims: reserved, public, private.
  • 9. What is the JSON Web Token structure? Payload
    - Reserved claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others. Notice that the claim names are only three characters long, as JWT is meant to be compact.
  • 10. What is the JSON Web Token structure? Payload
    - Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.
  • 11. What is the JSON Web Token structure? Payload
    - Private claims: These are the custom claims created to share information between parties that agree on using them.
  • 12. What is the JSON Web Token structure? Payload
    - Example
    - The payload is then Base64Url encoded to form the second part of the JSON Web Token.
  • 13. What is the JSON Web Token structure? Signature
    - To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
    - The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
    - For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
  • 14. What is the JSON Web Token structure? Putting it all together
    - The output is three Base64 strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.
    - The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.
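The construction described on slides 6 to 14, as an added example that is not code from the slides: the header and payload JSON are Base64Url-encoded, joined with a dot, and the HMAC-SHA256 over that string becomes the third part; verification recomputes the HMAC and compares it in constant time, after checking that the header's alg is the one the verifier expects. The secret and the class name are assumptions; the header and payload strings are the ones behind the example token on slide 4.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the slides: builds and verifies an HS256 JWT by hand.
public class Hs256JwtDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Base64Url(header) + "." + Base64Url(payload) + "." + Base64Url(HMAC-SHA256(secret, first two parts))
    static String sign(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String signingInput = b64(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + b64(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64(hmac(secret, signingInput));
    }

    // Recomputes the HMAC over the first two parts and compares it with the third part.
    // The alg is checked against what this verifier expects instead of being trusted from
    // the header, so a token whose header claims "none" or another algorithm is rejected.
    static boolean verify(String token, byte[] secret) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        try {
            String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
            if (!header.contains("\"alg\":\"HS256\"")) return false; // a real verifier parses the JSON
            byte[] expected = hmac(secret, parts[0] + "." + parts[1]);
            // constant-time comparison: does not leak how many signature bytes matched
            return MessageDigest.isEqual(expected, DEC.decode(parts[2]));
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }

    private static byte[] hmac(byte[] secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] raw) { return ENC.encodeToString(raw); }

    public static void main(String[] args) throws Exception {
        // constructed placeholder secret; use a random key of at least 256 bits in practice
        byte[] secret = "placeholder-secret-replace-me".getBytes(StandardCharsets.UTF_8);
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"1234567890\",\"name\":\"John Doe\",\"admin\":true}";
        String token = sign(header, payload, secret);
        System.out.println(token + "\nvalid: " + verify(token, secret));
        // Replace the payload with a modified one but keep the old signature: verification fails
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + b64(payload.replace("John", "Jane").getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("tampered valid: " + verify(tampered, secret));
    }
}
```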
  • 15. How to test and see my JWT?
    - Jwt.io: a web page where you can learn more about JWT and debug a token. You can also verify the signature, and download the libraries for different languages such as Java, JS, Node.js, Python, .NET, etc.
  • 16. How do JSON Web Tokens work?
    - In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local storage, but cookies can also be used).
    - Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
    - This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources. As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.
  • 17. How do JSON Web Tokens work?
    - This allows you to fully rely on data APIs that are stateless and even make requests to downstream services. It doesn't matter which domains are serving your APIs, so Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.
  • 18. JWT Signature and Encryption
    - A JWT is usually complemented with a signature or encryption. These are handled in their own specs as JSON Web Signature (JWS) and JSON Web Encryption (JWE).
    - A signature allows a JWT to be validated against modifications. Encryption, on the other hand, makes sure the content of the JWT is only readable by certain parties.
  • 19. Common JWT Signing Algorithms
    - Most JWTs in the wild are just signed. The most common algorithms are: HMAC + SHA256; RSASSA-PKCS1-v1_5 + SHA256; ECDSA + P-256 + SHA256.
    - The specs define many more algorithms for signing. You can find them all in RFC 7518.
  • 20. Common JWT Signing Algorithms: HMAC algorithms
    - This is probably the most common algorithm for signed JWTs.
    - Hash-Based Message Authentication Codes (HMACs) are a group of algorithms that provide a way of signing messages by means of a shared key. In the case of HMACs, a cryptographic hash function is used (for instance SHA256).
    - The strength (i.e. how hard it is to forge an HMAC) depends on the hashing algorithm being used.
    - The main objective in the design of the algorithm was to allow the combination of a key with a message while providing strong guarantees against tampering.
  • 21. Common JWT Signing Algorithms: HMAC algorithms
    - HMACs are used with JWTs when you want a simple way for all parties to create and validate JWTs. Any party knowing the key can create new JWTs. In other words, with shared keys, it is possible for one party to impersonate another: HMAC JWTs do not provide guarantees with regard to the creator of the JWT. Anyone knowing the key can create one.
    - For certain use cases, this is too permissive. This is where asymmetric algorithms come into play.
  • 22. Common JWT Signing Algorithms: RSA and ECDSA algorithms
    - Both RSA and ECDSA are asymmetric encryption and digital signature algorithms.
    - What asymmetric algorithms bring to the table is the possibility of verifying or decrypting a message without being able to create a new one.
    - This is key for certain use cases.
  • 23. Common JWT Signing Algorithms: RSA and ECDSA algorithms
    - Example: Picture a big company where data generated by the sales team needs to be verified by the accounting team.
    - If an HMAC were to be used to sign the data, then both the sales team and the accounting team would need to know the same key.
    - This would allow the sales team to sign data and make it pass as if it were from the accounting team.
    - Although this might seem unlikely, especially in the context of a corporation, there are times when the ability to verify the creator of a signature is essential.
  • 24. Common JWT Signing Algorithms: RSA and ECDSA algorithms
    - The main difference between RSA and ECDSA lies in speed and key size.
    - ECDSA requires smaller keys to achieve the same level of security as RSA. This makes it a great choice for small JWTs, since generating keys and signatures is faster.
    - RSA, however, is usually faster than ECDSA for signature verification.
    - As usual, pick the one that best aligns with your requirements.
  • 25. Conclusion
    - JWTs are a convenient way of representing authentication and authorization claims for your application.
    - They are easy to parse, human readable and compact. But the killer features are in the JWS and JWE specs.
    - With JWS and JWE all claims can be conveniently signed and encrypted, while remaining compact enough to be part of every API call.
    - Solutions such as session IDs and server-side tokens seem old and cumbersome when compared to the power of JWTs.
  • 27. What is Spring Security?
    - Spring Security is a framework that focuses on providing both authentication and authorization to Java applications.
    - Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.
    - Features: comprehensive and extensible support for both Authentication and Authorization; protection against attacks like session fixation, clickjacking, cross-site request forgery, etc.; Servlet API integration; optional integration with Spring Web MVC; much more…
  • 28. Fundamentals
    - Principal: the user that performs the action
    - Authentication: confirming the truth of credentials
    - Authorization: defining the access policy for a principal
    - GrantedAuthority: application-wide permissions granted to a principal
    - SecurityContext: holds the Authentication and other security information
    - SecurityContextHolder: provides access to the SecurityContext
  • 29. SecurityContextHolder
    - Provides access to the SecurityContext
    - Strategies: ThreadLocal (only read/write in the same thread); Global
  • 32. Authentication
    - Variants: credential-based; two-factor or 2FA; hardware
    - Mechanisms: Basic; Form
    - Storage: RDBMS (relational database management system); LDAP; custom storage
  • 33. Core Authentication service
    - AuthenticationManager: handles authentication requests
    - AuthenticationProvider: performs authentication
    - UserDetailsService: responsible for returning a UserDetails object
    - UserDetails: provides the core user information
  • 38. How to configure Spring Security?
    - The first step is to secure some routes of our application.
    - For this demo we will expose the routes: / and /login -> to everyone; /users -> to people who can provide a valid JWT token.
    - Ex: Maven configuration
    - Once we have updated the pom.xml file and imported the new dependencies, we are ready to start securing our routes.
  • 39. How to configure Spring Security?
    - First of all, we want to avoid exposing /users to everyone, so we will create a configuration that restricts its access.
    - We will accomplish this by adding a new class called WebSecurityConfig that extends the WebSecurityConfigurerAdapter class from Spring Security.
  • 40. How to configure Spring Security?
    - Here, we are specifying that / and /login are permitAll().
    - All other requests are authenticated and: we add the login filter before the users filter; for any other endpoint, we check for the presence of the JWT token.
  • 41. How to configure Spring Security?
    - We also configure from WHERE we are getting the users; there are 2 options:
    - inMemoryAuthentication(): username and password pre-defined (good for tests).
    - userDetailsService(): you can declare a Service class to authenticate/authorize. It needs to implement the UserDetailsService interface.
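The WebSecurityConfig described on slides 38 to 41, written out as an added example (not the deck's own code): / and /login are permitAll(), everything else must be authenticated, sessions are never created, and the users come from inMemoryAuthentication(). JwtAuthenticationFilter is a hypothetical filter assumed to read the Authorization: Bearer header, validate the token and populate the SecurityContext; the user name and password are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Added example, not the deck's own code. JwtAuthenticationFilter is a hypothetical
// filter that validates the bearer token and sets the SecurityContext on each request.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final JwtAuthenticationFilter jwtFilter;

    public WebSecurityConfig(JwtAuthenticationFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The token travels in a header the browser never adds on its own, so CSRF
            // protection is not needed here; it would be if the JWT lived in a cookie.
            .csrf().disable()
            // Never create an HTTP session: the JWT carries the user state on every call
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()   // open to everyone
                .anyRequest().authenticated()            // /users and the rest need a valid JWT
            .and()
            // Check the token before the form-login filter would run
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }

    // Where the users come from: in-memory for tests. For a real store, replace this with
    // auth.userDetailsService(myService), where myService implements UserDetailsService.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("demo-user")                                        // constructed placeholder
            .password(passwordEncoder().encode("demo-password-placeholder"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

If the filter is itself a Spring bean, Spring Boot also registers it with the servlet container, so it runs a second time outside the security chain; a FilterRegistrationBean for it with setEnabled(false) prevents that.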
  • 43. What about securing REST applications?
    - The previous examples were typically for web applications, where you redirect pages, log in using a page, etc. In REST, we don't have: a login page; a page to redirect to after login; a page to redirect to on failure or unauthorized access.
    - Solution: override AuthenticationFailureHandler to return 401; override AuthenticationSuccessHandler to return the JSON object / token; override AuthenticationEntryPoint to always return 401; override LogoutSuccessHandler to return 200.
  • 44. Overriding the AuthenticationEntryPoint
    - A class that implements org.springframework.security.web.AuthenticationEntryPoint and overrides only one method, which sends a response error (with 401 status code) in case of an unauthorized attempt.
  • 45. Overriding the AuthenticationSuccessHandler
    - The AuthenticationSuccessHandler is responsible for what to do after a successful authentication. By default it will redirect to a URL, but in our case we want it to send an HTTP response with data.
  • 46. Overriding the AuthenticationFailureHandler
    - The AuthenticationFailureHandler is responsible for what to do after a failed authentication. By default it will redirect to the login page URL, but in our case we just want it to send an HTTP response with the 401 UNAUTHORIZED code.
  • 48. What do we need?
    - Filter to intercept the calls, read the token and authenticate.
    - Authentication Provider responsible for returning the user.
    - Handlers for: AuthenticationFailure; AuthenticationSuccess; EntryPoint.
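The filter from slide 48 together with the entry point from slide 44, as an added example that is not the deck's code: the filter reads the Authorization header described on slide 16, hands the bearer token to a verifier, and on success places an authenticated principal in the SecurityContextHolder; when no valid token is present the context stays empty and the entry point answers 401 instead of redirecting to a login page. JwtVerifier is a hypothetical collaborator assumed to return the subject only for a token whose signature, algorithm and expiry checked out, and the ROLE_USER authority is a constructed placeholder.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical collaborator (assumption, not from the slides): returns the token's subject
// only if signature, expected algorithm and expiry all checked out, otherwise null.
interface JwtVerifier {
    String verifiedSubject(String token);
}

// Added example: the filter that intercepts every call, reads the token and authenticates.
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtVerifier verifier;

    public JwtAuthenticationFilter(JwtVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader(HttpHeaders.AUTHORIZATION);   // "Authorization: Bearer <token>"
        if (header != null && header.startsWith("Bearer ")) {
            String subject = verifier.verifiedSubject(header.substring("Bearer ".length()).trim());
            if (subject != null) {
                // Three-argument constructor marks the token as authenticated; the role is a placeholder
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        subject, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Missing or invalid token: the context stays empty and authenticated() routes hit the entry point
        chain.doFilter(req, res);
    }
}

// Slide 44: an entry point that sends 401 instead of redirecting to a login page
class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException ex)
            throws IOException {
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}
```

The entry point is wired in with http.exceptionHandling().authenticationEntryPoint(new RestAuthenticationEntryPoint()) inside the WebSecurityConfig's configure(HttpSecurity) method.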
  • 50. How can JWT help?
    - Some challenges: using an asymmetric signature; managing the keys; if the token contains personal information, encrypt it before generating the token.