Authorisation is a crucial requirement for any web application. Several mechanisms are used for this purpose, each with its own pros and cons, and there are many open-source and commercial libraries and frameworks that implement them. JWT-based authentication and authorisation is a relatively new and popular approach used by many modern applications.
1. What is JWT?
https://jwt.io says, JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object. This information is verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
2. How does it work?
Initially the client authenticates with the server using a method such as a username and password.
When authentication succeeds, the server generates a JWT. The token is digitally signed and carries claims about the logged-in user, such as the username and role (the authorisation information). Note that signing protects the claims from tampering but does not hide them: the payload is only base64url-encoded, so anyone holding the token can read it.
This token is sent back to the client in the response.
In subsequent requests the client sends the JWT along. The usual place is the Authorization header, using the Bearer scheme.
The server verifies the token's signature, decodes the claims, and authorises the user based on them.
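To make the flow above concrete before any Spring code is written, here is an added example (not part of the original article, and not the Spring application built later) that walks through the same steps in plain Python using only the standard library: the server signs claims into an HS256 JWT after login, the client presents it in the Authorization header with the Bearer scheme, and the server verifies the signature and expiry before reading the role claim. The secret, usernames and roles are constructed values for the demonstration; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment loads the key from configuration,
# never from source code.
SECRET = b"demo-secret-change-me"


def _b64url(data: bytes) -> str:
    """base64url without padding, as the JWS compact serialisation requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, role: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Server side (step 2): after a successful login, sign the claims into a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "role": role, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    # HMAC-SHA256 over "header.payload" is the signature; the token is the three parts joined by dots.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def authorization_header(token: str) -> dict:
    """Client side (step 4): the token travels in the Authorization header with the Bearer scheme."""
    return {"Authorization": "Bearer " + token}


def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Server side (step 5): check signature and expiry before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The server decides the algorithm; the token must not be allowed to choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def handle_request(headers: dict, secret: bytes, now: int, required_role: str) -> int:
    """Role-based authorisation of one request. Returns an HTTP-style status code:
    200 if the token is valid and the role matches, 401 if the token is missing or
    invalid, 403 if the token is valid but the role is insufficient."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    try:
        claims = verify_token(auth[len("Bearer "):], secret, now)
    except ValueError:
        return 401
    return 200 if claims.get("role") == required_role else 403


def peek_payload(token: str) -> dict:
    """Anyone holding the token can read its claims: the payload is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value so the run is reproducible
    token = issue_token("alice", "ADMIN", SECRET, now)
    print("token:", token)
    print("readable payload:", peek_payload(token))
    print("ADMIN endpoint:", handle_request(authorization_header(token), SECRET, now + 10, "ADMIN"))
    print("USER-only endpoint:", handle_request(authorization_header(token), SECRET, now + 10, "USER"))
    print("after expiry:", handle_request(authorization_header(token), SECRET, now + 3600, "ADMIN"))
```

The order of checks in `verify_token` is the part worth carrying over to any library-based implementation: the algorithm is pinned by the server, the signature is verified before the payload is parsed or trusted, and expiry is enforced; `peek_payload` shows why a JWT must never carry secrets in its claims.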
3. What will we build?
Here we’ll develop a simple Spring Boot application with users having different roles. Depending on those roles, users will be allowed to access different APIs.
4. Create a Spring Boot application
Using your favorite IDE (IntelliJ IDEA is used here), create a new application with Spring Initializr.