JSON Web Tokens (JWT) in Java

Link to the full version of the project on GitHub:
Github TokenJWTProject

What is JWT?
JWT is an open standard (RFC 7519) for exchanging claims between parties as a JSON object. Each token carries a digital signature (or a MAC), so the recipient can check that it was issued by the holder of the signing key and has not been altered. Note that a signature gives integrity and authenticity, not confidentiality: the header and payload are only Base64URL-encoded and can be read by anyone who obtains the token, so secrets must not be placed in a JWT.

Link to the standard documentation: RFC 7519
WIKI: JSON Web Token

The most common use case for JWT is authorization. After a user logs in, every subsequent request carries the token, and the server verifies its signature and claims before granting access to routes that only authenticated users may call.

Each token consists of three parts:

Header: contains the signing algorithm (alg) and the type of token (typ)

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload: contains the claims, i.e. arbitrary data chosen by the issuer. For example, a subject identifier (sub) together with the issue time (iat) and an expiration time (exp). An exp claim ensures that the token stops working after a while and cannot be used indefinitely; the verifying side must actually check it.

{
  "sub": "1234567890",
  "name": "Daenerys Targaryen",
  "iat": 1516239022
}

Signature: this is what makes the token trustworthy. The Base64URL-encoded header and the Base64URL-encoded payload are joined with a dot, and that string is signed with the key (for HS256, an HMAC-SHA256 over it using the secret key). The result is Base64URL-encoded and becomes the third part of the token.

The header and payload have standardized sets of field names (the registered claims such as iss, sub, aud, exp, iat). You can see the complete list here: wiki

Format of a finished token: Base64URL(header) + "." + Base64URL(payload) + "." + Base64URL(signature)

JWT signing can use the HMAC family (HS256 and friends) with a single shared secret; because the same key both signs and verifies, every service that can verify a token can also forge one. Alternatively you can use RSA (RS256) with a public/private key pair: only the holder of the private key can issue tokens, while the services that check them need nothing more than the public key. In either case the verifier should fix the algorithm it accepts rather than trust whatever the token's alg header announces.
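To make the three-part structure concrete, here is an added example (not code from the page's project) that mints and verifies an HS256 token with nothing but the JDK, following the header.payload.signature layout described above. The secret and the payload are constructed for the demo; the verifier pins the algorithm to HS256 instead of reading it from the header and compares the MAC in constant time, which is what a proper library does for you.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Hand-rolled HS256 mint/verify for illustration only; use a vetted library in production. */
public class Hs256Demo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static String b64url(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds Base64URL(header) "." Base64URL(payload) "." Base64URL(HMAC(header.payload)). */
    static String mint(String payloadJson, byte[] secret) throws Exception {
        String header = b64url("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String payload = b64url(payloadJson);
        String signingInput = header + "." + payload;
        String signature = B64.encodeToString(hmacSha256(secret, signingInput));
        return signingInput + "." + signature;
    }

    /**
     * Returns the decoded payload JSON if the token is authentic, otherwise throws.
     * The accepted algorithm is fixed here; the header is checked against it, not obeyed.
     * (A real verifier parses the header JSON instead of this string check.)
     */
    static String verify(String token, byte[] secret) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"HS256\"")) {
            throw new SecurityException("unexpected alg in header: " + header);
        }
        byte[] expected = hmacSha256(secret, parts[0] + "." + parts[1]);
        byte[] actual = B64D.decode(parts[2]);
        if (!MessageDigest.isEqual(expected, actual)) {   // constant-time comparison
            throw new SecurityException("bad signature");
        }
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; a real one is at least 256 random bits from a CSPRNG.
        byte[] secret = "replace-with-a-random-256-bit-secret".getBytes(StandardCharsets.UTF_8);
        String payload = "{\"sub\":\"1234567890\",\"name\":\"Daenerys Targaryen\",\"iat\":1516239022}";

        String token = mint(payload, secret);
        System.out.println(token);
        System.out.println("verified payload: " + verify(token, secret));

        // Flip one character of the payload segment: the MAC no longer matches and it is rejected.
        String[] p = token.split("\\.");
        String tamperedPayload = (p[1].charAt(0) == 'A' ? "B" : "A") + p[1].substring(1);
        String tampered = p[0] + "." + tamperedPayload + "." + p[2];
        try {
            verify(tampered, secret);
            System.out.println("BUG: tampered token accepted");
        } catch (SecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java Hs256Demo.java` (JDK 11+). The same secret is used to mint and to verify, which is exactly the property that makes HS256 unsuitable when verifiers should not be able to issue tokens.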

Some useful sites for working with JWT:
– Check / debug / encode / decode a JWT
https://jwt.io/
https://www.jsonwebtoken.io

– Online RSA Key Generator
https://travistidwell.com/jsencrypt/demo

Use these with test data only: never paste a production token or a private key into an online tool, and treat keys generated in a browser demo as suitable for experimentation, not for deployment.

Used:

– Spring Boot
– JSON Web Token
– REST web service
– Swagger
– JUnit 5

Steps to implement:
– Generate a key pair (public/private);
– Load the keys from a file;
– Generate the JWT token itself;
– Deploy a REST web service that exposes the public key (GET request);
– Write several JUnit tests;
– Launch the project from the console.

Create a Maven project and add the necessary dependencies to pom.xml.

The MIT-licensed auth0/java-jwt library (GitHub: auth0/java-jwt) will be used as the main library for working with JWT:

<!-- set <version> to the current release of java-jwt -->
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
</dependency>

In the example, let’s consider two options for loading keys:

  1. Loading a prepared pair from a file
  2. Generating the keys while the application is running.

For option 1 we prepare an RSA public/private pair in PEM encoding. Use 2048 bits or more; 1024-bit RSA is too weak for new deployments. I will use an online generator for the demo: Online RSA Key Generator.

The generator emits the private key in PKCS#1 form (the BEGIN RSA PRIVATE KEY block). Java’s PKCS8EncodedKeySpec expects PKCS#8, so the private key must be converted with one command in the terminal, where private_key_file is the path to the locally saved file and pkcs8_key is the resulting DER file:

openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key_file -nocrypt > pkcs8_key

The public key (BEGIN PUBLIC KEY) is already an X.509 SubjectPublicKeyInfo structure, which is what Java’s X509EncodedKeySpec expects once the PEM armour is stripped and the body is Base64-decoded (or, equivalently, written out as DER).
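Putting the key steps together, here is an added example (not the page's project code) that covers both key-loading options from the list above and the token-generation step with java-jwt: it generates a 2048-bit RSA pair, writes it to disk as PKCS#8 and X.509 DER (the same formats the openssl command above produces and Java's KeyFactory reads), reloads the two files, issues an RS256 token with the private key and verifies it using the public key only. The issuer name gotoqa-demo, the file names, the temporary directory and the 15-minute lifetime are assumptions made for the demo.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

public class Rs256KeysDemo {
    private static final String ISSUER = "gotoqa-demo"; // assumed issuer name for the demo

    /** Option 2 from the text: generate a fresh RSA pair while the application runs. */
    static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // 1024-bit RSA is no longer acceptable
        return kpg.generateKeyPair();
    }

    /** Option 1: load the PKCS#8 DER private key produced by the openssl pkcs8 command. */
    static RSAPrivateKey loadPrivate(Path pkcs8Der) throws Exception {
        byte[] der = Files.readAllBytes(pkcs8Der);
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Option 1: load an X.509 SubjectPublicKeyInfo DER public key. */
    static RSAPublicKey loadPublic(Path x509Der) throws Exception {
        byte[] der = Files.readAllBytes(x509Der);
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Issue an RS256 token; only the private key is needed here. */
    static String issue(RSAPrivateKey priv, String subject, Duration ttl) {
        Instant now = Instant.now();
        return JWT.create()
                .withIssuer(ISSUER)
                .withSubject(subject)
                .withIssuedAt(Date.from(now))
                .withExpiresAt(Date.from(now.plus(ttl)))
                .sign(Algorithm.RSA256(null, priv));
    }

    /** Verify with the public key only; the verifier pins RS256, the issuer and checks exp. */
    static DecodedJWT verify(RSAPublicKey pub, String token) {
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(pub, null))
                .withIssuer(ISSUER)
                .build();
        return verifier.verify(token); // throws JWTVerificationException on a bad signature or expiry
    }

    public static void main(String[] args) throws Exception {
        // PrivateKey.getEncoded() is PKCS#8 DER and PublicKey.getEncoded() is X.509 DER,
        // so writing them out and reading them back exercises the file-loading path.
        KeyPair kp = generate();
        Path dir = Files.createTempDirectory("jwt-keys");
        Path privPath = dir.resolve("pkcs8_key");
        Path pubPath = dir.resolve("public_key.der");
        Files.write(privPath, kp.getPrivate().getEncoded());
        Files.write(pubPath, kp.getPublic().getEncoded());

        RSAPrivateKey priv = loadPrivate(privPath);
        RSAPublicKey pub = loadPublic(pubPath);

        String token = issue(priv, "1234567890", Duration.ofMinutes(15));
        System.out.println(token);
        DecodedJWT jwt = verify(pub, token);
        System.out.println("sub=" + jwt.getSubject() + " exp=" + jwt.getExpiresAt());

        // A token signed by a different key pair must be rejected by our public key.
        KeyPair other = generate();
        String foreign = issue((RSAPrivateKey) other.getPrivate(), "1234567890", Duration.ofMinutes(15));
        try {
            verify(pub, foreign);
            System.out.println("BUG: token from a foreign key accepted");
        } catch (JWTVerificationException e) {
            System.out.println("foreign token rejected: " + e.getMessage());
        }
    }
}
```

Because verification needs only the public key, this is the key the REST service from the step list can publish over a GET endpoint; the private key stays on the issuing side and is never written anywhere a client can reach.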

The project is set up, we can move on to writing code.

Project structure:

ru.gotoqa.config – package containing the Swagger configuration classes
ru.gotoqa.models – POJO entities for JSON
ru.gotoqa.controller – implementation of the RESTful web service
ru.gotoqa.core – logic for preparing and storing responses
ru.gotoqa.util – helper methods
