
👉 Unlocking JWT Security: A Deep Dive into Token Validation in Spring Boot

Hi 👋, I’m Anandharaj.


Today’s Learnings: JWT Token Validation in Spring Security

🔹 Spring Security has always confused me.
So I’m sharing my learnings on how a JWT token is validated when a request comes in.



๐ŸŒ What happens when a request comes in?

1️⃣ Incoming request with a token
When a request hits your API, Spring Security’s filter chain intercepts it and extracts the token from the Authorization header (usually in the format: Bearer <token>).

2️⃣ Check token type
The filter checks if it’s a Bearer token and then hands it over to a configured JWT decoder.


🔎 JWT Structure

A JWT has three parts, separated by dots (.):

  • Header 👉 contains metadata (e.g., the signing algorithm: HS256, RS256)

  • Payload 👉 contains claims (user info, expiry time, issuer, audience, etc.)

  • Signature 👉 ensures integrity and authenticity

👉 Header and Payload are Base64URL-encoded, not encrypted: anyone holding the token can read them.
👉 Signature is computed over the header and payload with the signing key; it cannot be reverse-engineered, and it cannot be forged without that key.
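To make the three parts concrete, here is an added example (not code from the original post) that uses only the JDK: it builds a small HS256 token from a constructed secret and constructed claims, decodes the two readable parts, and verifies the third part the way a verifier does, by recomputing the HMAC with the trusted key and comparing in constant time. The secret, claims and issuer URL are all made up for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the original post. Shows the three dot-separated
// parts of a JWT, decodes the two readable parts, and checks an HS256 signature
// the way a verifier does. Secret, claims and token are constructed for the demo.
public class JwtPartsDemo {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DECODER = Base64.getUrlDecoder();

    // HS256 = HMAC-SHA256 over the ASCII string "<header>.<payload>".
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    static String encodePart(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Builds a demo token so the verifier below has something to check.
    static String createToken(byte[] key, String headerJson, String payloadJson) throws Exception {
        String signingInput = encodePart(headerJson) + "." + encodePart(payloadJson);
        return signingInput + "." + B64URL.encodeToString(hmacSha256(key, signingInput));
    }

    // Splits the token, prints the two readable parts and verifies the third.
    // The algorithm is fixed by the verifier's own configuration (HS256 here),
    // never taken from the token's "alg" header.
    static boolean verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("a compact JWS token has exactly three parts");
        }
        System.out.println("header  : " + new String(B64URL_DECODER.decode(parts[0]), StandardCharsets.UTF_8));
        System.out.println("payload : " + new String(B64URL_DECODER.decode(parts[1]), StandardCharsets.UTF_8));

        // The signature is not "decoded" into anything readable; the verifier
        // recomputes the MAC with the trusted key and compares in constant time.
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        byte[] presented = B64URL_DECODER.decode(parts[2]);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; real keys come from your identity provider.
        byte[] secret = "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"https://issuer.example\",\"sub\":\"anand\",\"aud\":\"my-api\",\"exp\":4102444800}";

        String token = createToken(secret, header, payload);
        System.out.println("token   : " + token);
        System.out.println("valid   : " + verify(token, secret));

        // Edit the payload but keep the original signature: both readable parts
        // still decode, yet the signature check fails and the token is rejected.
        String[] parts = token.split("\\.");
        String tampered = parts[0] + "."
                + encodePart(payload.replace("\"sub\":\"anand\"", "\"sub\":\"admin\"")) + "."
                + parts[2];
        System.out.println("tampered: " + verify(tampered, secret));

        // A different key also fails: the signature binds the token to the issuer's key.
        System.out.println("wrongkey: " + verify(token, "another-secret".getBytes(StandardCharsets.UTF_8)));
    }
}
```

Run it with `java JwtPartsDemo.java` on JDK 11 or later. Note that `verify` never consults the `alg` field of the decoded header; which algorithm and key to use is a decision the verifier makes from its own configuration, which is exactly what the `JwtDecoder` setup in Spring Security does for you.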




🛠 How Spring validates a JWT

✔️ Step 1: Decoder setup
When your Spring Boot app starts, it uses a configured JwtDecoder.

For example:


http.oauth2ResourceServer(oauth2 -> oauth2
        .jwt(jwt -> jwt.decoder(jwtDecoder)));
  • The JwtDecoder is initialized with trusted details (like public keys or JWK Set URIs) from your identity provider.

  • These details are usually cached by Spring for performance.


✔️ Step 2: Validation process

When a token arrives:

  • Header & Payload validation:
    The decoder checks claims like exp (expiry), iss (issuer), aud (audience) against the trusted configuration.

  • Signature validation:
    Using the public key (fetched from the trusted issuer during app startup), Spring verifies the signature part of the token against the header and payload; a token whose signature does not match the trusted key is rejected.

✅ If everything matches, the token is valid.


❌ If not, access is denied.
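Step 1 and Step 2 wired together, as an added example rather than code from the post: a resource-server configuration that builds the `JwtDecoder` from the issuer's JWK set and makes the claim checks explicit. It assumes Spring Security 6 with the `spring-boot-starter-oauth2-resource-server` dependency on the classpath; the issuer URL, JWK set URI and audience name are placeholders to be replaced with your identity provider's values.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not the post's own code: a resource-server configuration that
// wires the JwtDecoder from Step 1 and spells out the Step 2 claim checks.
@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Placeholders: replace with your identity provider's values.
    private static final String ISSUER = "https://issuer.example/";
    private static final String JWK_SET_URI = ISSUER + ".well-known/jwks.json";
    private static final String AUDIENCE = "my-api";

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature validation: public keys come from the issuer's JWK set,
        // which NimbusJwtDecoder fetches and caches. Pinning RS256 means a
        // token whose header names any other algorithm is rejected up front.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // Claim validation: exp/nbf and iss are covered by the default
        // validator; aud is NOT checked by default, so it is added here so a
        // token minted for a different API is refused.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        // The bearer-token filter extracts "Authorization: Bearer <token>" and
        // hands it to this decoder; any failed check ends in a 401 response.
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }
}
```

The audience validator is the piece most often missing: the default validator verifies the timestamps and the issuer, so without it any valid token from the same issuer, including one issued for another application, would be accepted by this API.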



💡 Key Takeaways

✅ Always configure a JwtDecoder that matches the way your tokens are generated (e.g., RS256 → use a JWK set URI from your identity provider).


✅ Remember the three parts of a JWT – only header and payload are human-readable; the signature is cryptographically protected.


✅ Spring Security handles this flow through its filter chain and caching, so you rarely need to manually decode tokens.



🖥 Bonus Tip

If you want to inspect a token manually, try https://jwt.io.
Paste your token, and you’ll see the header, payload, and whether the signature is verified (see my screenshot above).


✍️ This was a quick note from my daily learnings.


If you’ve struggled with JWT validation, I hope this helps you understand the flow better! 🚀

