Spring Boot Security Jwt

1---2name: spring-boot-security-jwt3description: Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.4allowed-tools: Read, Write, Edit, Bash, Glob, Grep5---6 7# Spring Boot JWT Security8 9JWT authentication and authorization patterns for Spring Boot 3.5.x using Spring Security 6.x and JJWT. Covers token generation, validation, refresh strategies, RBAC/ABAC, and OAuth2 integration.10 11## Overview12 13This skill provides implementation patterns for stateless JWT authentication in Spring Boot applications. It covers the complete authentication flow including token generation with JJWT 0.12.6, Bearer/cookie-based authentication, refresh token rotation, and method-level authorization with `@PreAuthorize` expressions.14 15Key capabilities:16- Access and refresh token generation with configurable expiration17- Bearer token and HttpOnly cookie authentication strategies18- Integration with Spring Data JPA and OAuth2 providers19- RBAC with role/permission-based `@PreAuthorize` rules20- Token revocation and blacklisting for logout/rotation21 22## When to Use23 24Activate when user requests involve:25- "Implement JWT authentication", "secure REST API with tokens"26- "Spring Security 6.x configuration", "SecurityFilterChain setup"27- "Role-based access control", "RBAC", `` `@PreAuthorize` ``28- "Refresh token", "token rotation", "token revocation"29- "OAuth2 integration", "social login", "Google/GitHub auth"30- "Stateless authentication", "SPA backend security"31- "JWT filter", "OncePerRequestFilter", "Bearer token"32- "Cookie-based JWT", "HttpOnly cookie"33- "Permission-based access control", "custom PermissionEvaluator"34 35## Quick Reference36 37### Dependencies (JJWT 0.12.6)38 39| Artifact | Scope |40|----------|-------|41| `spring-boot-starter-security` | compile |42| `spring-boot-starter-oauth2-resource-server` | compile |43| `io.jsonwebtoken:jjwt-api:0.12.6` | compile |44| `io.jsonwebtoken:jjwt-impl:0.12.6` | runtime |45| `io.jsonwebtoken:jjwt-jackson:0.12.6` | runtime |46| `spring-security-test` | test |47 48See [references/jwt-quick-reference.md](references/jwt-quick-reference.md) for Maven and Gradle snippets.49 50### Key Configuration Properties51 52| Property | Example Value | Notes |53|----------|--------------|-------|54| `jwt.secret` | `${JWT_SECRET}` | Min 256 bits, never hardcode |55| `jwt.access-token-expiration` | `900000` | 15 min in milliseconds |56| `jwt.refresh-token-expiration` | `604800000` | 7 days in milliseconds |57| `jwt.issuer` | `my-app` | Validated on every token |58| `jwt.cookie-name` | `jwt-token` | For cookie-based auth |59| `jwt.cookie-http-only` | `true` | Always true in production |60| `jwt.cookie-secure` | `true` | Always true with HTTPS |61 62### Authorization Annotations63 64| Annotation | Example |65|-----------|---------|66| `@PreAuthorize("hasRole('ADMIN')")` | Role check |67| `@PreAuthorize("hasAuthority('USER_READ')")` | Permission check |68| `@PreAuthorize("hasPermission(#id, 'Doc', 'READ')")` | Domain object check |69| `@PreAuthorize("@myService.canAccess(#id)")` | Spring bean check |70 71## Instructions72 73### Step 1 — Add Dependencies74 75Include `spring-boot-starter-security`, `spring-boot-starter-oauth2-resource-server`, and the three JJWT artifacts in your build file. See [references/jwt-quick-reference.md](references/jwt-quick-reference.md) for exact Maven/Gradle snippets.76 77### Step 2 — Configure application.yml78 79```yaml80jwt:81  secret: ${JWT_SECRET:change-me-min-32-chars-in-production}82  access-token-expiration: 90000083  refresh-token-expiration: 60480000084  issuer: my-app85  cookie-name: jwt-token86  cookie-http-only: true87  cookie-secure: false   # true in production88```89 90See [references/jwt-complete-configuration.md](references/jwt-complete-configuration.md) for the full properties reference.91 92### Step 3 — Implement JwtService93 94Core operations: generate access token, generate refresh token, extract username, validate token.95 96```java97@Service98public class JwtService {99 100    public String generateAccessToken(UserDetails userDetails) {101        return Jwts.builder()102            .subject(userDetails.getUsername())103            .issuer(issuer)104            .issuedAt(new Date())105            .expiration(new Date(System.currentTimeMillis() + accessTokenExpiration))106            .claim("authorities", getAuthorities(userDetails))107            .signWith(getSigningKey())108            .compact();109    }110 111    public boolean isTokenValid(String token, UserDetails userDetails) {112        try {113            String username = extractUsername(token);114            return username.equals(userDetails.getUsername()) && !isTokenExpired(token);115        } catch (JwtException e) {116            return false;117        }118    }119}120```121 122See [references/jwt-complete-configuration.md](references/jwt-complete-configuration.md) for the complete JwtService including key management and claim extraction.123 124### Step 4 — Create JwtAuthenticationFilter125 126Extend `OncePerRequestFilter` to extract a JWT from the `Authorization: Bearer` header (or HttpOnly cookie), validate it, and set the `SecurityContext`.127 128```java129@Component130public class JwtAuthenticationFilter extends OncePerRequestFilter {131 132    @Override133    protected void doFilterInternal(HttpServletRequest request,134            HttpServletResponse response, FilterChain chain)135            throws ServletException, IOException {136        String authHeader = request.getHeader("Authorization");137        if (authHeader == null || !authHeader.startsWith("Bearer ")) {138            chain.doFilter(request, response);139            return;140        }141        String jwt = authHeader.substring(7);142        String username = jwtService.extractUsername(jwt);143        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {144            UserDetails userDetails = userDetailsService.loadUserByUsername(username);145            if (jwtService.isTokenValid(jwt, userDetails)) {146                UsernamePasswordAuthenticationToken authToken =147                    new UsernamePasswordAuthenticationToken(148                        userDetails, null, userDetails.getAuthorities());149                authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));150                SecurityContextHolder.getContext().setAuthentication(authToken);151            }152        }153        chain.doFilter(request, response);154    }155}156```157 158See [references/configuration.md](references/configuration.md) for the cookie-based variant.159 160### Step 5 — Configure SecurityFilterChain161 162```java163@Configuration164@EnableWebSecurity165@EnableMethodSecurity166public class SecurityConfig {167 168    @Bean169    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {170        return http171            .csrf(AbstractHttpConfigurer::disable)172            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))173            .authorizeHttpRequests(auth -> auth174                .requestMatchers("/api/auth/**", "/swagger-ui/**").permitAll()175                .anyRequest().authenticated()176            )177            .authenticationProvider(authenticationProvider)178            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)179            .build();180    }181}182```183 184See [references/jwt-complete-configuration.md](references/jwt-complete-configuration.md) for CORS, logout handler, and OAuth2 login integration.185 186### Step 6 — Create Authentication Endpoints187 188Expose `/register`, `/authenticate`, `/refresh`, and `/logout` via `@RestController`. Return `accessToken` + `refreshToken` in the response body (and optionally set an HttpOnly cookie).189 190See [references/examples.md](references/examples.md) for the complete `AuthenticationController` and `AuthenticationService`.191 192### Step 7 — Implement Refresh Token Strategy193 194Store refresh tokens in the database with `user_id`, `expiry_date`, `revoked`, and `expired` columns. On `/refresh`, verify the stored token, revoke it, and issue a new pair (token rotation).195 196See [references/token-management.md](references/token-management.md) for `RefreshToken` entity, rotation logic, and Redis-based blacklisting.197 198### Step 8 — Add Authorization Rules199 200Use `@EnableMethodSecurity` and `@PreAuthorize` annotations for fine-grained control:201 202```java203@PreAuthorize("hasRole('ADMIN')")204public Page<UserResponse> getAllUsers(Pageable pageable) { ... }205 206@PreAuthorize("hasPermission(#documentId, 'Document', 'READ')")207public Document getDocument(Long documentId) { ... }208```209 210See [references/authorization-patterns.md](references/authorization-patterns.md) for RBAC entity model, `PermissionEvaluator`, and ABAC patterns.211 212### Step 9 — Write Security Tests213 214```java215@SpringBootTest216@AutoConfigureMockMvc217class AuthControllerTest {218 219    @Test220    void shouldDenyAccessWithoutToken() throws Exception {221        mockMvc.perform(get("/api/orders"))222            .andExpect(status().isUnauthorized());223    }224 225    @Test226    @WithMockUser(roles = "ADMIN")227    void shouldAllowAdminAccess() throws Exception {228        mockMvc.perform(get("/api/admin/users"))229            .andExpect(status().isOk());230    }231}232```233 234See [references/testing.md](references/testing.md) and [references/jwt-testing-guide.md](references/jwt-testing-guide.md) for full test suites, Testcontainers setup, and a security test checklist.235 236## Best Practices237 238### Token Security239- Use minimum 256-bit secret keys — load from environment variables, never hardcode240- Set short access token lifetimes (15 min); use refresh tokens for longer sessions241- Implement token rotation: revoke old refresh token when issuing a new one242- Use `jti` (JWT ID) claim for blacklisting on logout243 244### Cookie vs Bearer Header245- Prefer HttpOnly cookies for browser clients (XSS-safe)246- Use `Authorization: Bearer` header for mobile/API clients247- Set `Secure`, `SameSite=Lax` or `Strict` on cookies in production248 249### Spring Security 6.x250- Use `SecurityFilterChain` bean — never extend `WebSecurityConfigurerAdapter`251- Disable CSRF only for stateless APIs; keep it enabled for session-based flows252- Use `@EnableMethodSecurity` instead of deprecated `@EnableGlobalMethodSecurity`253- Validate `iss` and `aud` claims; reject tokens from untrusted issuers254 255### Performance256- Cache `UserDetails` with `@Cacheable` to avoid DB lookup on every request257- Cache signing key derivation (avoid re-computing HMAC key per request)258- Use Redis for refresh token storage at scale259 260### What NOT to Do261- Do not store sensitive data (passwords, PII) in JWT claims — claims are only signed, not encrypted262- Do not issue tokens with infinite lifetime263- Do not accept tokens without validating signature and expiration264- Do not share signing keys across environments265 266## Examples267 268### Basic Authentication Flow269 270```java271@RestController272@RequestMapping("/api/auth")273@RequiredArgsConstructor274public class AuthController {275 276    private final AuthService authService;277 278    @PostMapping("/authenticate")279    public ResponseEntity<AuthResponse> authenticate(280            @RequestBody LoginRequest request) {281        return ResponseEntity.ok(authService.authenticate(request));282    }283 284    @PostMapping("/refresh")285    public ResponseEntity<AuthResponse> refresh(@RequestBody RefreshRequest request) {286        return ResponseEntity.ok(authService.refreshToken(request.refreshToken()));287    }288 289    @PostMapping("/logout")290    public ResponseEntity<Void> logout() {291        authService.logout();292        return ResponseEntity.ok().build();293    }294}295```296 297### JWT Authorization on Controller Method298 299```java300@RestController301@RequestMapping("/api/admin")302@PreAuthorize("hasRole('ADMIN')")303public class AdminController {304 305    @GetMapping("/users")306    public ResponseEntity<List<UserResponse>> getAllUsers() {307        return ResponseEntity.ok(adminService.getAllUsers());308    }309}310```311 312See [references/examples.md](references/examples.md) for complete entity models and service implementations.313 314## References315 316| File | Content |317|------|---------|318| [references/jwt-quick-reference.md](references/jwt-quick-reference.md) | Dependencies, minimal service, common patterns |319| [references/jwt-complete-configuration.md](references/jwt-complete-configuration.md) | Full config: properties, SecurityFilterChain, JwtService, OAuth2 RS |320| [references/configuration.md](references/configuration.md) | JWT config beans, CORS, CSRF, error handling, session options |321| [references/examples.md](references/examples.md) | Complete application setup: controllers, services, entities |322| [references/authorization-patterns.md](references/authorization-patterns.md) | RBAC/ABAC entity model, PermissionEvaluator, SpEL expressions |323| [references/token-management.md](references/token-management.md) | Refresh token entity, rotation, blacklisting with Redis |324| [references/testing.md](references/testing.md) | Unit and MockMvc tests, test utilities |325| [references/jwt-testing-guide.md](references/jwt-testing-guide.md) | Testcontainers, load testing, security test checklist |326| [references/security-hardening.md](references/security-hardening.md) | Security headers, HSTS, rate limiting, audit logging |327| [references/performance-optimization.md](references/performance-optimization.md) | Caffeine cache config, async validation, connection pooling |328| [references/oauth2-integration.md](references/oauth2-integration.md) | Google/GitHub OAuth2 login, OAuth2UserService |329| [references/microservices-security.md](references/microservices-security.md) | Inter-service JWT propagation, resource server config |330| [references/migration-spring-security-6x.md](references/migration-spring-security-6x.md) | Migration from Spring Security 5.x |331| [references/troubleshooting.md](references/troubleshooting.md) | Common errors, debugging tips |332 333## Constraints and Warnings334 335### Security Constraints336- JWT tokens are signed but not encrypted — do not include sensitive data in claims337- Always validate `exp`, `iss`, and `aud` claims before trusting the token338- Signing keys must be at least 256 bits; never use weak keys in production339- Load secrets from environment variables or secure vaults, never from config files340- SameSite cookie attribute is essential for CSRF protection in cookie-based flows341 342### Spring Security 6.x Constraints343- `WebSecurityConfigurerAdapter` is removed — use `SecurityFilterChain` beans only344- `@EnableGlobalMethodSecurity` is deprecated — use `@EnableMethodSecurity`345- Lambda DSL is required for `HttpSecurity` configuration (no method chaining)346- `WebSecurityConfigurerAdapter.order()` replaced by `@Order` on `@Configuration` classes347 348### Token Constraints349- Access tokens should expire in 5-15 minutes for security350- Refresh tokens should be stored server-side (DB or Redis), never in localStorage351- Implement token blacklisting for immediate revocation on logout352- `jti` claim is required for token blacklisting to work correctly353 354## Related Skills355 356- `spring-boot-dependency-injection` — Constructor injection patterns used throughout357- `spring-boot-rest-api-standards` — REST API security patterns and error handling358- `unit-test-security-authorization` — Testing Spring Security configurations359- `spring-data-jpa` — User entity and repository patterns360- `spring-boot-actuator` — Security monitoring and health endpoints