Skip to main content

๐Ÿ‘‰ Unlocking JWT Security: A Deep Dive into Token Validation in Spring Boot

Hi ๐Ÿ‘‹, I’m Anandharaj.


Today’s Learnings : JWT Token Validation in Spring Security

๐Ÿ”น Always Spring Security gives confusion to me.
So I’m sharing my learnings on how a JWT token is validated when a request comes in.



๐ŸŒ What happens when a request comes in?

1️⃣ Incoming request with a token
When a request hits your API, Spring Security’s filter chain intercepts it and extracts the token from the Authorization header (usually in the format: Bearer <token>).

2️⃣ Check token type
The filter checks if it’s a Bearer token and then hands it over to a configured JWT decoder.


๐Ÿ”Ž JWT Structure

A JWT has three parts, separated by dots (.):

  • Header ๐Ÿ‘‰ contains metadata (e.g., algorithm: HS256, RS256)

  • Payload ๐Ÿ‘‰ contains claims (user info, expiry time, issuer, audience, etc.)

  • Signature ๐Ÿ‘‰ ensures integrity and authenticity

๐Ÿ‘‰ Header and Payload are Base64URL‑encoded and readable.
๐Ÿ‘‰ Signature is cryptographically generated and cannot be reverse‑engineered.




๐Ÿ›  How Spring validates a JWT

✔️ Step 1: Decoder setup
When your Spring Boot app starts, it uses a configured JwtDecoder.

For example:


.oauth2ResourceServer(oauth2 -> { oauth2.jwt(jwt -> { jwt.decoder(jwtDecoder); }); });
  • The JwtDecoder is initialized with trusted details (like public keys or JWK Set URIs) from your identity provider.

  • These details are usually cached by Spring for performance.


✔️ Step 2: Validation process

When a token arrives:

  • Header & Payload validation:
    The decoder checks claims like exp (expiry), iss (issuer), aud (audience) against the trusted configuration.

  • Signature validation:
    Using the public key (fetched from the trusted issuer during app startup), Spring recalculates the signature from the header and payload and compares it with the signature part of the token.

✅ If everything matches, the token is valid.


❌ If not, access is denied.



๐Ÿ’ก Key Takeaways

✅ Always configure a JwtDecoder that matches the way your tokens are generated (e.g., RS256 → use a JWK set URI from your identity provider).


✅ Remember the three parts of a JWT – only header and payload are human-readable; the signature is cryptographically protected.


✅ Spring Security handles this flow through its filter chain and caching, so you rarely need to manually decode tokens.



๐Ÿ–ฅ Bonus Tip

If you want to inspect a token manually, try https://jwt.io.
Paste your token, and you’ll see the header, payload, and whether the signature is verified (see my screenshot above).


✍️ This was a quick note from my daily learnings.


If you’ve struggled with JWT validation, hope this helps you understand the flow better! ๐Ÿš€


Comments

Popular posts from this blog

๐Ÿ” Is final Really Final in Java? The Truth May Surprise You ๐Ÿ˜ฒ

๐Ÿ’ฌ “When I was exploring what to do and what not to do in Java, one small keyword caught my eye — final . I thought it meant: locked, sealed, frozen — like my fridge when I forget to defrost it.”   But guess what? Java has its own meaning of final… and it’s not always what you expect! ๐Ÿ˜… Let’s break it down together — with code, questions, confusion, jokes, and everything in between. ๐ŸŽฏ The Confusing Case: You Said It's Final... Then It Changed?! ๐Ÿซ  final List<String> names = new ArrayList <>(); names.add( "Anand" ); names.add( "Rahul" ); System.out.println(names); // [Anand, Rahul] ๐Ÿคฏ Hold on... that’s final , right?! So how on earth is it still changing ? Time to dive deeper... ๐Ÿง  Why Is It Designed Like This? Here’s the key secret: In Java, final applies to the reference , not the object it points to . Let’s decode this like a spy mission ๐Ÿ•ต️‍♂️: Imagine This: final List<String> names = new ArrayList <>(); Be...

๐ŸŽข Java Loops: Fun, Fear, and ForEach() Fails

๐ŸŒ€ Oops, I Looped It Again! — The Ultimate Java Loop Guide You Won't Forget “I remember this question from one of my early interviews — I was just 2 years into Java and the interviewer asked, ‘Which loop do you prefer and why?’” At first, I thought, “Duh! for-each is cleaner.” But then he grilled me with cases where it fails. ๐Ÿ˜ต That led me to explore all loop types, their powers, and their pitfalls. Let’s deep-dive into every major Java loop with examples &  real-world guidance so you'll never forget again. ๐Ÿ” Loop Type #1: Classic For Loop — “The Old Reliable” ✅ When to Use: You need an index You want to iterate in reverse You want full control over loop mechanics ✅ Good Example: List<String> names = List.of("A", "B", "C"); for (int i = 0; i < names.size(); i++) { System.out.println(i + ": " + names.get(i)); } ๐Ÿ”ฅ Reverse + Removal Example: List<String> item...

๐Ÿงต Virtual Threads in Java — The Ultimate Guide with Diagrams, Code & Interview Qs!

๐Ÿš€ “How are Virtual Threads different from Thread Pools?” ๐Ÿ˜ต “Are they OS threads or JVM threads?” ๐Ÿ™ƒ “Should I still use CompletableFuture?” ๐Ÿคฏ “How do I even use them in real-time microservices?” ๐Ÿง  What are Virtual Threads? Virtual Threads (introduced in Java 21 as stable ๐ŸŽ‰) are lightweight threads managed by the JVM instead of the OS kernel. ๐Ÿ‘‰ They look like normal threads, but don’t hog OS resources like traditional threads. ๐Ÿง  What is the OS Kernel? ๐Ÿ›️ OS Kernel = The Brain of the Operating System It’s the core part of your OS (Windows, Linux, Mac) that: Manages memory ๐Ÿง  Schedules threads ๐Ÿ•’ Talks to hardware ๐Ÿ’ป Handles I/O operations ๐Ÿ“จ When you create a traditional thread in Java, the JVM asks the OS Kernel to create a real OS-level thread. ๐Ÿ–ผ️ Imagine This... ┌───────────────────────────┐ │ Your Java Application │ └────────────┬──────────────┘ │ ...