
Link to the full version of the project on GitHub:
Github TokenJWTProject
What is JWT?
JWT is an open standard (RFC 7519) for the secure exchange of information in the form of a JSON object. Because each token is digitally signed, the receiver can verify that its contents were not altered and who issued it; note that signing alone does not encrypt the payload, which stays readable to anyone who holds the token.
Link to the standard documentation: RFC 7519
WIKI: JSON Web Token
The most common use case for JWT is authorization. After a user logs in, each subsequent request will include a token. This token allows the user to access routes and make requests that are only allowed to authenticated users.
Each token consists of three parts:
Header: contains the signing algorithm and the token type
{ "alg": "HS256", "typ": "JWT" }
Payload: contains arbitrary claims, for example a user identifier together with the token's expiration time. The expiration ensures that the token becomes invalid after a while and cannot be used indefinitely.
{ "sub": "1234567890", "name": "Daenerys Targaryen", "iat": 1516239022 }
Signature: this is what makes the token trustworthy. It is computed over the Base64URL-encoded header and payload (joined with a dot) using the secret key, so anyone holding the key can recompute it and detect tampering.
JWT parts have standardized sets of fields. You can see a complete list here: wiki
Example of a finished token: Base64URL(header) + "." + Base64URL(payload) + "." + Base64URL(signature)
JWT can be signed with HMAC (a single shared secret) or, alternatively, with RSA using a public/private key pair, where the private key signs and the public key verifies.
I suggest some useful sites for your convenience in working with JWT:
– Check / debug / encode / decode JWT
https://jwt.io/
https://www.jsonwebtoken.io
– Online RSA Key Generator
https://travistidwell.com/jsencrypt/demo
Technologies used:
Spring Boot | JSON Web Token | REST web service | Swagger | JUnit 5
Steps to implement:
– Generate a key pair (public/private);
– Load the keys from a file;
– Generate the JWT token itself;
– Deploy a REST web service that serves the public key (GET request);
– Write several JUnit tests;
– Launch the project from the console.
Create a Maven project and add the necessary dependencies to pom.xml.
The MIT-licensed auth0/java-jwt library will be used as the main library for working with JWT; see its repository on GitHub: auth0/java-jwt
Maven coordinates: groupId com.auth0, artifactId java-jwt
In the example, let's consider two options for loading keys:
- Loading a prepared pair from a file
- Generating the keys while the application is running.
For the first option we will prepare an RSA public/private key pair (1024 or 2048 bits) in PEM encoding; the private key must end up in PKCS8 format. I will use an online generator: Online RSA Key Generator.
The generator outputs keys in PKCS1 (RSA Cryptography Standard) format, so the private key must be converted to PKCS8 with one command in the terminal, where private_key_file is the path to the locally saved file (-nocrypt writes the key unencrypted, so restrict the output file's permissions):
openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key_file -nocrypt > pkcs8_key
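As an added example (not code from the TokenJWTProject repository), here are both key-loading options and the issue/verify steps from the list above in Java with auth0/java-jwt: the private key is read from the DER/PKCS8 file produced by the openssl command, the public key from a PEM file, and the verifying side needs only the public key. Assumed names: the class JwtRsaExample, the issuer "gotoqa", and a "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) PEM for the public key; main() uses runtime-generated keys so it runs without any files.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.nio.file.*;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.Base64;
import java.util.Date;

public class JwtRsaExample {
    // Option 2: generate the pair while the application runs (2048-bit RSA).
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }
    // Option 1a: private key from the DER/PKCS8 file written by "openssl pkcs8 -topk8 ... -outform DER".
    static RSAPrivateKey loadPkcs8Der(Path file) throws Exception {
        byte[] der = Files.readAllBytes(file);
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }
    // Option 1b: public key from PEM; assumes a "-----BEGIN PUBLIC KEY-----" (SubjectPublicKeyInfo) block.
    static RSAPublicKey loadPemPublic(Path file) throws Exception {
        String body = new String(Files.readAllBytes(file)).replaceAll("-----[A-Z ]+-----", "");
        byte[] der = Base64.getMimeDecoder().decode(body); // MIME decoder skips the PEM line breaks
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
    // Issuing side: signing needs the private key only; "exp" bounds the token's lifetime.
    static String issue(RSAPrivateKey priv, String subject, long ttlSeconds) {
        Date now = new Date();
        return JWT.create().withIssuer("gotoqa").withSubject(subject).withIssuedAt(now)
                .withExpiresAt(new Date(now.getTime() + ttlSeconds * 1000))
                .sign(Algorithm.RSA256(null, priv));
    }
    // Verifying side (e.g. a consumer of the public-key endpoint) needs the public key only; requiring RSA256 pins the algorithm.
    static DecodedJWT verify(RSAPublicKey pub, String token) throws JWTVerificationException {
        return JWT.require(Algorithm.RSA256(pub, null)).withIssuer("gotoqa").build().verify(token);
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair(); // swap in loadPkcs8Der/loadPemPublic to use the files instead
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        System.out.println("sub=" + verify(pub, issue(priv, "1234567890", 300)).getSubject());
        try { // an already-expired token fails verification (TokenExpiredException)
            verify(pub, issue(priv, "1234567890", -60));
        } catch (JWTVerificationException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```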
The project is set up, so we can move on to writing code.
Project structure:
ru.gotoqa.config – Swagger configuration classes
ru.gotoqa.models – POJO entities for JSON
ru.gotoqa.controller – Implementation of the RESTful web service
ru.gotoqa.core – Logic for preparing and storing responses
ru.gotoqa.util – Helper methods