
spring-boot-spring-security-jwt-authentication's Issues

Role is not found

com.bezkoder.springjwt.controllers.AuthController.lambda$1(AuthController.java:99)

WebSecurityConfig.java AuthTokenFilter bug

Hi sir, on the WebSecurityConfig java file, the AuthTokenFilter constructor is missing two parameters, jwt utils and user details service.

Can you please assign this issue to me so that I can resolve it.

Thank you.

Signup post generates 401

When trying to create users following the example in the docs I get 401 on posting to /api/auth/signup

The web application [ROOT] appears to have started a thread named [HikariPool-1 housekeeper] but has failed to stop it. This is very likely to create a memory leak.

2023-06-13T15:35:30.978+05:30 INFO 27060 --- [on(5)-127.0.0.1] inMXBeanRegistrar$SpringApplicationAdmin : Application shutdown requested.
2023-06-13T15:35:31.139+05:30 INFO 27060 --- [on(5)-127.0.0.1] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2023-06-13T15:35:31.152+05:30 WARN 27060 --- [on(5)-127.0.0.1] o.a.c.loader.WebappClassLoaderBase : The web application [ROOT] appears to have started a thread named [HikariPool-1 housekeeper] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
[email protected]/jdk.internal.misc.Unsafe.park(Native Method)
[email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:252)
[email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:1672)
[email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
[email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
[email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1062)
[email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1122)
[email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
[email protected]/java.lang.Thread.run(Thread.java:833)
2023-06-13T15:35:31.171+05:30 INFO 27060 --- [on(5)-127.0.0.1] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2023-06-13T15:35:31.176+05:30 INFO 27060 --- [on(5)-127.0.0.1] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown initiated...
2023-06-13T15:35:31.199+05:30 INFO 27060 --- [on(5)-127.0.0.1] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown completed.

SecurityContextHolder

Hi, may I ask what is the use of

SecurityContextHolder.getContext().setAuthentication(authentication);

in the AuthController?

I thought JWT was session-less and stateless. Thank you

getting org.springframework.security.authentication.InsufficientAuthenticationException error If I pass unknown api url or method

Hi, after implementing Spring Security with a JWT token it is working as expected with known API URLs, but when I hit an unknown URL I get a 401 authorized error, and if any exception is raised at runtime I also get 401 authorized because of the below exception in the console.
getting org.springframework.security.authentication.InsufficientAuthenticationException

Do I need to add any filter in AuthEntryPointJwt under the commence? I just wanted to ignore the authentication filter if any unknown API hit comes to the application, and it should throw the NoHandlerFoundException custom exception error with the below handler. How can I do that?

@ExceptionHandler(NoHandlerFoundException.class)
public ResponseEntity handle(NoHandlerFoundException ex) {
    return new ResponseEntity<>(
            APIError.createInstance(HttpStatus.NOT_FOUND.toString(),
                    List.of(new ErrorDetails(ex.getMessage(), null))),
            null, HttpStatus.NOT_FOUND);
}

This entire JWT implementation is bad practice

Spring security has had full JWT-support since 2017.

Writing a custom security solution with some sort of custom security filter is bad practice. That's why there are security standards, to avoid writing custom security solutions.

The spring security documentation has clear instructions on how to handle JWTs and this is not it.

https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-architecture
