In this article, we demonstrate how we can configure a Redis Cache¹ ² for a Spring Boot Application in containerized environment using Docker.

For that purpose, we will build a small REST API with Spring Boot where it sends request to another free API and it will cache the response in the Redis Cache for subsequent calls. A well-known free API which gives dummy response data is http://jsonplaceholder.typicode.com. Under the hood, the application will call this API using the Apache HTTP Client library³ for fetching the data for dummy posts.

Step 1: Gradle dependencies

Firstly, we use the Gradle with the following dependencies,

    implementation 'org.springframework.boot:spring-boot-starter-web:3.4.4'
    implementation 'org.apache.httpcomponents:httpclient:4.5.14'
    implementation 'org.hibernate:hibernate-validator:8.0.2.Final'
    implementation 'redis.clients:jedis:5.2.0'

    implementation 'org.mapstruct:mapstruct:1.6.3'
    annotationProcessor 'org.mapstruct:mapstruct-processor:1.6.3'

For the Spring Boot we use the classical starter dependency. In addition, we use MapStruct and Hibernate Validation for DTOs. Regarding Redis client we use the Jedis and HTTP client the Apache HTTP Client version 4.

Step 2: application.properties file

In application.properties file we placed all the necessary properties for configuring HTTP Client and Redis. As you can see, the properties are more or less the same because both of them make use of TCP protocol upon a client-server architecture.

spring.redis.host=${SPRING_REDIS_HOST:localhost}
spring.redis.port=${SPRING_REDIS_PORT:6379}
spring.redis.max-size=100
spring.redis.max-idle=30
spring.redis.min-idle=10
spring.redis.max-wait=2000
spring.redis.test-on-borrow=false
spring.redis.test-on-return=false
spring.redis.test-while-idle=false
spring.redis.time-between-eviction=30000
spring.redis.min-evictable-idle-time=60000
spring.redis.block-when-exhausted=true
spring.redis.expiration-in-seconds=3600

http.client.max-size=100
http.client.max-per-route=20
http.client.connect-timeout=5000
http.client.request-timeout=5000
http.client.socket-timeout=10000

api.protocol=https
api.baseUrl=jsonplaceholder.typicode.com

Step 3: Dockerfile and compose.yaml

The Spring Boot application and the Redis will be containerized. For that purpose, we want to create a Dockerfile for the Spring Boot⁴,

FROM eclipse-temurin:21-jdk

RUN groupadd -r spring && useradd -r -g spring springuser

WORKDIR /app

COPY --chown=springuser:spring build/libs/cache-service-1.0.jar app.jar

USER springuser

ENTRYPOINT ["java", "-jar", "app.jar"]

We use Java 21 for running the application, and the base image eclipse-temurin:21-jdk. The cache-service-1.0.jar is the jar file of our application and we copy it inside the filesystem of the image. Also we have created a spring group and the user springuser, as security best practice.

In the same manner, we use the base image of Redis⁵ as found in the DockerHub, without any modifications. In order to create the container for the application and for Redis, we use a compose.yaml file⁶ as shown below,

services:
  redis:
    image: redis
    container_name: redis
    ports:
      - "6379:6379"

  spring-app:
    build: .
    container_name: spring-app
    ports:
      - "8080:8080"
    environment:
      SPRING_REDIS_HOST: redis
      SPRING_REDIS_PORT: 6379

Step 4: RedisConfig and RedisService classes

In RedisConfig class we configure the connection pool and we use JedisPool object as Bean with Spring’s Dependency Injection⁷.

@Data
@Configuration
@ConfigurationProperties(prefix = "spring.redis")
public class RedisConfig {

    private String host;
    private int port;
    private int maxSize;
    private int maxIdle;
    private int minIdle;
    private int maxWait;
    private boolean testOnBorrow;
    private boolean testOnReturn;
    private boolean testWhileIdle;
    private int timeBetweenEviction;
    private int minEvictableIdleTime;
    private boolean blockWhenExhausted;

    @Bean
    public JedisPool jedisPool() {
        
        JedisPoolConfig jedisPoolConfig = new JedisPoolConfig();

        // Configure pool size
        jedisPoolConfig.setMaxTotal(maxSize);
        jedisPoolConfig.setMaxIdle(maxIdle);
        jedisPoolConfig.setMinIdle(minIdle);
        // Set eviction settings for the connections
        jedisPoolConfig.setMaxWait(Duration.ofMillis(maxWait));
        jedisPoolConfig.setTestOnBorrow(testOnBorrow);
        jedisPoolConfig.setTestOnReturn(testOnReturn);
        jedisPoolConfig.setTestWhileIdle(testWhileIdle);
        jedisPoolConfig.setTimeBetweenEvictionRuns(Duration.ofMillis(timeBetweenEviction));
        jedisPoolConfig.setMinEvictableIdleDuration(Duration.ofMillis(minEvictableIdleTime));
        jedisPoolConfig.setBlockWhenExhausted(blockWhenExhausted);

        return new JedisPool(jedisPoolConfig, host, port);
    }
}

We use @ConfigurationProperties(prefix = “spring.redis”) to get the values of the variables from the application.properties file. As it is shown, we can configure many properties for the Redis Server, the most common are pool size. This is a simple example for non production applications. In production environment a tuning of connection pool is needed for better performance.

In the RedisService class we declare the method to get, set and delete a key-value pair,

@Data
@Service
@ConfigurationProperties(prefix = "spring.redis")
public class RedisService {

    private int expirationInSeconds;

    private final JedisPool jedisPool;

    public RedisService(JedisPool jedisPool) {

        this.jedisPool = jedisPool;
    }

    public void setData(String key, String value) {

        try (Jedis jedis = jedisPool.getResource()) {
            jedis.set(key, value);
        }
    }

    public void setDataWithExpiration(String key, String value, long requestedExpiration) {

        long expirationToBeSet = requestedExpiration == 0 ? expirationInSeconds : requestedExpiration;

        try (Jedis jedis = jedisPool.getResource()) {
            jedis.setex(key, expirationToBeSet, value);
        }
    }

    public String getData(String key) {

        try (Jedis jedis = jedisPool.getResource()) {
            return jedis.get(key);
        }
    }

    public long deleteData(String key) {

        try (Jedis jedis = jedisPool.getResource()) {
            return jedis.del(key);
        }
    }

    @PostConstruct
    public void checkConnection() {

        try (Jedis jedis = jedisPool.getResource()) {
            String response = jedis.ping();
            System.out.println("Redis connection OK: " + response);
        } catch (Exception e) {
            System.out.println("Redis connection failed: " + e.getMessage());
        }
    }
}

The setData() sets a key-value without expiration time, default behavior and setDataWithExpiration() method sets a key with expiration time that we can set from a controller, as we will see. In the same manner, we have the getData() method, where we retrieve the value based on the key and the deleteData() method where we delete a key-value pair. The checkConnection() method is a helper method to see if the Redis Server is running after the RedisService is initialized.

Step 5: HttpConfig, HttpService, ApiService and ApiProperties

In the same way, we have created the relative classes for sending HTTP requests. The HttpConfig provides a CloseableHttpClient object for sending requests in the http://jsonplaceholder.typicode.com/. In this example, we send GET and PUT requests for the posts API (http://jsonplaceholder.typicode.com/posts/1).

The ApiService and ApiProperties are helper method to construct the URLs for the different endpoints. As we can see the above API has many endpoints. The code for those classes can be found in the GitHub Repository.

Step 6: Data Transfer Objects

In this simple application we have the DTOs for Post, UpdatePost and HttpCallResponse.

@Data
@JsonIgnoreProperties(ignoreUnknown = true)
@AllArgsConstructor
@NoArgsConstructor
public class Post {

    private long userId;
    private long id;
    private String title;
    private String body;
}

@Data
@JsonIgnoreProperties(ignoreUnknown = true)
@AllArgsConstructor
@NoArgsConstructor
public class UpdatePost {

    @NotBlank
    private long userId;
    @NotBlank
    private long id;
    private String title;
    private String body;
}

The HttpCallResponse is a custom response object we use for the response entity.

@Data
@Builder
@AllArgsConstructor
@NoArgsConstructor
public class HttpCallResponse {

    private int statusCode;
    private String body;
}

Step 7: PostServiceImpl class

The PostServiceImpl class implements PostService interface and it has three methods,

public interface PostService {

    Post getPost(long postId);
    Post getPostWithExpirationInRedis(long postId, long expirationInSeconds);
    Post updatePostAndRemoveFromCache(UpdatePost updatePost);
}

In the getPost() method, first we check if the id of the Post is saved as key in Redis. If indeed we have such a key, we retrieve the value. This value is basically a JSON representation of the object saved as string. Retrieving this value from Redis we construct the Post object using Jackson-Databind library⁸ and return a response without sending any request to the public API.

If we do not have the key, we send a GET request to the public API and save the response body in Redis. The key is a string of Post’s id and the value is a string of the whole response body, e.g.

{
    "userId": 1,
    "id": 1,
    "title": "sunt aut facere repellat provident occaecati excepturi optio reprehenderit",
    "body": "quia et suscipit\nsuscipit recusandae consequuntur expedita et cum\nreprehenderit molestiae ut ut quas totam\nnostrum rerum est autem sunt rem eveniet architecto"
}

@Service
@AllArgsConstructor
public class PostServiceImpl implements PostService {

    private final ApiService apiService;
    private final RedisService redisService;
    private final HttpService httpService;

    public Post getPost(long postId) {

        String result = redisService.getData(Long.toString(postId));
        ObjectMapper mapper = new ObjectMapper();

        if (Objects.nonNull(result)) {

            System.out.println("You hit Redis cache");
            try {
                return mapper.readValue(result, Post.class);
            } catch (JsonProcessingException e) {
                System.out.println(e.getMessage());
            }
        }

        // Send HTTP GET Request to the API for fetching the Post
        String url = apiService.constructGetPostByIdEndpoint(postId);

        try {
            HttpCallResponse response = httpService.getRequest(url);

            if (response.getStatusCode() == 200) {
                String body = response.getBody();
                redisService.setData(Long.toString(postId), response.getBody());

                // Use Jackson to convert JSON to Java object
                return mapper.readValue(body, Post.class);
            }
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

        return null;
    }

    public Post getPostWithExpirationInRedis(long postId, long expirationInSeconds) {

        String result = redisService.getData(Long.toString(postId));
        ObjectMapper mapper = new ObjectMapper();

        if (Objects.nonNull(result)) {

            System.out.println("You hit Redis cache");
            try {
                return mapper.readValue(result, Post.class);
            } catch (JsonProcessingException e) {
                System.out.println(e.getMessage());
            }
        }

        // Send HTTP GET Request to the API for fetching the Post
        String url = apiService.constructGetPostByIdEndpoint(postId);

        try {
            HttpCallResponse response = httpService.getRequest(url);

            if (response.getStatusCode() == 200) {
                String body = response.getBody();
                redisService.setDataWithExpiration(Long.toString(postId), response.getBody(), expirationInSeconds);

                // Use Jackson to convert JSON to Java object
                return mapper.readValue(body, Post.class);
            }
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

        return null;
    }

    public Post updatePostAndRemoveFromCache(UpdatePost updatePost) {

        ObjectMapper mapper = new ObjectMapper();
        // Send HTTP GET Request to the API for fetching the Post
        String url = apiService.constructPutPostByIdEndpoint(updatePost.getId());

        try {
            String jsonPayload = mapper.writeValueAsString(updatePost);

            HttpCallResponse response = httpService.putRequest(url, jsonPayload);

            if (response.getStatusCode() == 200) {
                String body = response.getBody();

                // Use Jackson to convert JSON to Java object
                Post post = mapper.readValue(body, Post.class);

                //Invalidate from the Redis Cache
                long deletedKey = redisService.deleteData(Long.toString(post.getId()));
                System.out.println("Deleted key: " + deletedKey);

                return post;
            }
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

        return null;
    }
}

Step 8: PostController

Our application has the following endpoints that are declared in the PostController class.

@AllArgsConstructor
@RestController
public class PostController {

    private final PostService postService;

    @GetMapping("/posts/{id}")
    public ResponseEntity<Post> getPost(@PathVariable("id") long postId) {

        Long startTime = System.currentTimeMillis();
        Post post = postService.getPost(postId);
        Long endTime = System.currentTimeMillis();

        System.out.println("Elapsed time: " + (endTime - startTime) + "ms");
        return new ResponseEntity<>(post, HttpStatus.OK);
    }

    @GetMapping("/posts/{id}/set")
    public ResponseEntity<Post> getPostWithExpirationTime(@PathVariable("id") long postId,
                                                          @RequestParam long expirationInSeconds) {

        Long startTime = System.currentTimeMillis();
        Post post = postService.getPostWithExpirationInRedis(postId, expirationInSeconds);
        Long endTime = System.currentTimeMillis();

        System.out.println("Elapsed time: " + (endTime - startTime) + "ms");
        return new ResponseEntity<>(post, HttpStatus.OK);
    }

    @PutMapping("/posts/{id}")
    public ResponseEntity<?> updatePost(@PathVariable("id") long id,
                                        @Valid @RequestBody UpdatePost updatePost,
                                        BindingResult bindingResult) {

        if (bindingResult.hasErrors()) {
            return ResponseEntity.badRequest().body(bindingResult.getAllErrors());
        }

        Post updatedPost = postService.updatePostAndRemoveFromCache(updatePost);

        return new ResponseEntity<>(updatedPost, HttpStatus.OK);
    }
}

The /posts/{id} endpoint handles HTTP GET method. In the beginning, Redis does not contain any Post, e.g. id = 1. The application sends a GET request to the http://jsonplaceholder.typicode.com/posts/1 and sets the value in the Redis⁹. In order to understand better how fast we get the response from Redis Cache, in the controller is calculating the elapsed time and outputs the value in the console log. Sending a HTTP request it takes some time, e.g. some hundreds ms. Although, for Redis this operation is executed under 3ms, because it retrieves the data from the RAM.

The /posts/{id} PUT method updates Post title and body and removes the key-value pair from the Redis Server, if it is found. The method RedisService#deleteData() returns 0 if no pair were deleted otherwise a positive value.

The /posts/{id}/set?expirationInSeconds=3600 endpoint handles also HTTP GET method but it use the setex() method of Jedis which accepts an argument for the expiration time of the key in seconds¹⁰, in our example we use an hour for expiration time.

Step 9: CacheServiceApplication

This class is the typical starter class of a Spring Boot application. We have also added @ConfigurationPropertiesScan to scan the project’s classes and inject the values from the application.properties file.

@SpringBootApplication
@ConfigurationPropertiesScan
public class CacheServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(CacheServiceApplication.class, args);
    }
}

Running the application

In order to run the application in Docker, we have to build the jar file, create the images and start the containers. For that purpose we use,

./gradlew clean build

docker compose build // (or docker compose down)

docker compose up

The application is running in http://localhost:8080. For retrieving the first post with can send a request http://localhost:8080/posts/1 using Postman.

You can find all the code in the GitHub repository.

References

[1] https://redis.io/ Redis Official Site.

[2] https://redis.io/nosql/key-value-databases/ Key-value databases article.

[3] https://hc.apache.org/httpcomponents-client-4.5.x/index.html Apache HTTP Client documentation.

[4] https://spring.io/guides/gs/spring-boot-docker Tutorial for creating Spring Boot Container in Docker.

[5] https://hub.docker.com/_/redis Docker Image for Redis Cache.

[6] https://docs.docker.com/compose/intro/compose-application-model/ Docker Compose Guide.

[7] https://docs.spring.io/spring-framework/reference/core/beans/dependencies/factory-collaborators.html Spring DI tutorial.

[8] https://github.com/FasterXML/jackson-databind JSON serialize, de-serialize library.

[9] https://redis.io/docs/latest/commands/set/ Set command documentation.

[10] https://redis.io/docs/latest/commands/setex/ Setex command documentation.

Introduction

Nowadays, Web Services using REST architecture, are built in many small and large-scale systems. A key component of theses services is security. In this article, we will demonstrate the basic architectural design of authentication using JWT Bearer token in Spring Security¹.

To begin with, the JWT (JSON Web Token) is a token format² that it is used both in OAuth2 security framework and standalone. In the latter situation, the information of a user is encoding in a token (JWT) and it is passed in each request in the header Authorization as shown below,

Authorization: Bearer eyJhbGciQiJIUzC1NiJ9.eyJzdWIiOiJ0ZXN0vnVzZXIiKCJpYXQiOjE3MTc2MDI1ODIsImV4cCI6MTcxNzYwNDM4Mn0.6y6WSTtcQ8Bf2eV4f4TcVrftS4HHJJPEYWRhSnLSu_w

The main difference from the classical approach (session and cookies) is that each request has the information for the user and each time the server process this request. This comes in accordance with the stateless concept of REST.

In Spring Security the request is passing from different filters that transform the request or even send a response. In the bottom of the filter chain is a servlet (DispatcherServlet instance) and it works as front controller. Regarding authentication, is performed in the security chain. This is a separated from the main FilterChain instance using a dedicated FilterChainProxy instance where security filters are registered¹.

Application Setup

We will make a simple application, named jwt-application, with a table in MySQL database to persist user data and some endpoints. The application is built upon Java 17, Spring 6, Spring Boot 3.3.0 and Spring Security 6.3.0. The packages for this application (using Maven) are shown,

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.11.5</version>
</dependency>
<dependency>
    <groupId>com.mysql</groupId>
    <artifactId>mysql-connector-j</artifactId>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-test</artifactId>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>

In order to connect with the database we need to make a database schema in MySQL and an user with the role of owner. After that, we put the configuration for the JDBC in the application.properties file,

spring.application.name=jwt-application
spring.main.allow-circular-references=true
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url = jdbc:mysql://localhost:3306/${JWT_APP_DB}
spring.datasource.username = ${JWT_APP_USERNAME}
spring.datasource.password = ${JWT_APP_PASSWORD}
spring.jpa.hibernate.ddl-auto = create
spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQLDialect
spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl

jwt.secret.key = ${JWT_KEY}

The Spring Boot scans environment variables and takes the values. For example, we have put JWT_APP_DB environment variable and Spring Boot reads it from the system with the annotation ${JWT_APP_DB}.

The property jwt.secret.key is needed for signing the JWT. It is a long alphanumerical string with symbols².

Entity User

First we create the entity User in the package hierarchy jwtapplication > entity > User.java. Hibernate will make the table for us. Lombok is using for brevity and it provides for us the getters, setters, constructors and builders.

@Entity
@Data
@AllArgsConstructor
@NoArgsConstructor
@Builder
public class UserInfo {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private int id;
    private String username;
    private String email;
    private String password;
    private String roles;
}

User Repository

Using the repository pattern, we make a repository interface jwtapplication > repository > UserRepository.java

@Repository
public interface UserRepository extends JpaRepository<User, Integer> {
    Optional<User> getUserInfoByUsername(String username);
}

Main controller

We create a simple controller in a package hierarchy jwtapplication > controller > UserController.java with base routing /api/v1 and it has a public endpoint (/welcome)and a private one (/user/profile).

@RestController
@RequestMapping("/api/v1")
public class UserController {

    @GetMapping("/welcome")
    public String welcome() {
        return "Welcome page";
    }

    @GetMapping("/user/profile")
    @PreAuthorize("hasAuthority('ROLE_USER')")
    public String userProfile() {
        return "User profile is shown here.";
    }
}

JWT Service class

In addition, we create a JWT service class jwtapplication > authentication > JwtService.java. This class provides the necessary methods for creating the token, validating the token etc. For this purpose we use the jjwt library.

@Component
public class JwtService {

    @Value("${jwt.secret.key}")
    public String SECRET;

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>();

        return createToken(claims, username);
    }

    private String createToken(Map<String, Object> claims, String username) {
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(username)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 30))
                .signWith(getSignKey(), SignatureAlgorithm.HS256).compact();
    }

    private Key getSignKey() {
        byte[] keyBytes= Decoders.BASE64.decode(SECRET);
        return Keys.hmacShaKeyFor(keyBytes);
    }
    public String extractUsername(String token) {
        return extractClaim(token, Claims::getSubject);
    }

    public Date extractExpiration(String token) {
        return extractClaim(token, Claims::getExpiration);
    }

    public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = extractAllClaims(token);
        return claimsResolver.apply(claims);
    }
    private Claims extractAllClaims(String token) {
        return Jwts
                .parserBuilder()
                .setSigningKey(getSignKey())
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    private Boolean isTokenExpired(String token) {
        return extractExpiration(token).before(new Date());
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = extractUsername(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }
}

Authentication controller

We continue to write the authentication controller. Basically, this controller handles login and authentication operations. In the package jwtapplication > authentication > AuthController.java we have,

@RestController
@RequestMapping("/api/v1/auth")
public class AuthController {
    private final AuthService authService;

    public AuthController(AuthService authService) {
        this.authService = authService;
    }

    @PostMapping("/register")
    public ResponseEntity<AuthResponse> register(@RequestBody RegisterDTO dto) {
        return ResponseEntity.ok(authService.register(dto));
    }

    @PostMapping("/authenticate")
    public ResponseEntity<AuthResponse> authenticate(
            @RequestBody AuthRequest authRequest) {
        System.out.println("It is called");
        return ResponseEntity.ok(authService.authenticate(authRequest));
    }
}

Data Transfer Object for Register

RegisterDTO.java is the Data Transfer Object, for example data from the form where the user has filled in. For simplicity we put this class in the same package,

@Data
@AllArgsConstructor
@NoArgsConstructor
public class RegisterDTO {
    private String username;
    private String password;
    private String email;
    private String roles;
}

Data Transfer Objects for authentication’s request and response

AuthRequest.java is an object that contains the login information, username and password. AuthResponse.java is an object that contains the JSON Web Token (JWT) and it is returned from the server.

@Data
@AllArgsConstructor
@NoArgsConstructor
public class AuthRequest {
    private String username;
    private String password;
}

@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class AuthResponse {
    private String token;
}

In real world application, as described in the beginning of this article the token is placed in the HTTP Authorization request header, where security filters process this information for each request where authentication and endpoint authorization is performed.

Authentication services

We make a service class with two methods for register and authenticate. The register method persist the user’s data in the database and return a token. In real world applications, we would perform validation in the controller for user’s data. In addition, the authenticate method calls the Authentication Manager for authenticating the user. In this situation, a UsernamePasswordAuthenticationToken⁴ is created with all information about the user. The key point here is that Authentication Manager communicates with a provider, in our situation DaoAuthenticationProvider as we will see below. The provider has the responsibility to communicate with the database and authenticate the user if exists. However, DaoAuthenticationProvider has special objects that perform this work and they are returned back to the filter chain. The class is shown below,

@Service
public class AuthService {
    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;
    private final JwtService jwtService;
    private final AuthenticationManager authenticationManager;

    public AuthService(UserRepository userRepository, PasswordEncoder passwordEncoder, JwtService jwtService, AuthenticationManager authenticationManager) {
        this.userRepository = userRepository;
        this.passwordEncoder = passwordEncoder;
        this.jwtService = jwtService;
        this.authenticationManager = authenticationManager;
    }

    public AuthResponse register(RegisterDTO dto) {
        var user = User.builder()
                .username(dto.getUsername())
                .password(passwordEncoder.encode(dto.getPassword()))
                .email(dto.getEmail())
                .roles(dto.getRoles())
                .build();

        userRepository.save(user);
        var jwtToken = jwtService.generateToken(user.getUsername());
        return AuthResponse.builder()
                .token(jwtToken)
                .build();
    }

    public AuthResponse authenticate(AuthRequest request) {
        authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(
                        request.getUsername(),
                        request.getPassword()
                )
        );
        var user = userRepository.getUserInfoByUsername(request.getUsername()).orElseThrow();
        var jwtToken = jwtService.generateToken(user.getUsername());
        return AuthResponse.builder()
                .token(jwtToken)
                .build();
    }
}

Security Filter for JWT Authentication

A custom security filter (JwtAuthFilter.java) for validating JWT could be the following one in the package jwtapplication > config

@Component
public class JwtAuthFilter extends OncePerRequestFilter {

    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    public JwtAuthFilter(JwtService jwtService, UserDetailsService userDetailsService) {
        this.jwtService = jwtService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(
            @NonNull HttpServletRequest request,
            @NonNull HttpServletResponse response,
            @NonNull FilterChain filterChain) throws ServletException, IOException {
        String authHeader = request.getHeader("Authorization");

        final String token;
        String username;

        if (authHeader == null || !authHeader.startsWith("Bearer")) {
            filterChain.doFilter(request, response);
            return;
        }

        token = authHeader.substring(7);
        username = jwtService.extractUsername(token);

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);

            if (jwtService.validateToken(token, userDetails)) {
                UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authToken);
            }
        }

        filterChain.doFilter(request, response);
    }
}

DaoAuthenticationProvider specific interfaces

In Spring Security UserDetails and UserDetailsService interfaces place an important role in the authentication using username and password. As AuthenticationProvider we have used the DaoAuthenticationProvider. For UserDetails and UserDetailsService we could keep the default implementation provided by Spring Security. Although, we have created our custom implementations as example in order to understand better how beans are declared for security configuration.

In the package jwtapplication > service we create CustomUserDetails.java and CustomUserDetailsService.java, as shown below.

public class CustomUserDetails implements UserDetails {

    private final String name;
    private final String password;
    private final List<GrantedAuthority> authorities;

    public CustomUserDetails(User user) {
        name = user.getUsername();
        password = user.getPassword();
        authorities = Arrays.stream(user.getRoles().split(","))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return name;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

@Service
public class CustomUserDetailsService implements UserDetailsService {

    private final UserRepository userRepository;

    public CustomUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) 
            throws UsernameNotFoundException {
        Optional<User> user = userRepository.getUserInfoByUsername(username);

        // Converting user to UserDetails
        return user.map(CustomUserDetails::new)
                .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
    }
}

CustomUserDetails in not annotated with @ Service. Basically, we implement the UserDetails interface for application’s needs.

Configure Security Filter Chain

Lastly, we configure the security filter chain with authentication manager and for authentication provider to use DaoAuthenticationProvider³.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private final JwtAuthFilter authFilter;
    private final CustomUserDetailsService customUserDetailsService;

    public SecurityConfig(
            JwtAuthFilter authFilter,
            CustomUserDetailsService customUserDetailsService) {
        this.authFilter = authFilter;
        this.customUserDetailsService = customUserDetailsService;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers(
                            "/api/v1/welcome",
                            "/api/v1/auth/authenticate",
                            "/api/v1/auth/register"
                            ).permitAll();
                }).authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/api/v1/user/**").authenticated();
                }).authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/api/v1/admin/**").authenticated();
                })
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
                .authenticationProvider(authenticationProvider());

        return http.build();
    }

    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(customUserDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}

Testing with Postman

To conclude with, you can find the whole code in my repository. In addition, I highly suggest to read the repository for a similar approach.

References

[1] Servlet Authentication Architecture, https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html

[2] JSON Web Tokens, https://jwt.io/

[3] DaoAuthenticationProvider, https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/dao-authentication-provider.html

[4] Form Login, https://docs.spring.io/spring-security/reference/servlet/authentication/passwords/form.html#servlet-authentication-form