Recall & Review
beginner
What is a JWT token in the context of authentication?
A JWT (JSON Web Token) is a compact, URL-safe token used to securely transmit information between parties. It contains claims and is digitally signed to verify authenticity, often used to prove user identity after login.
beginner
What are the three parts of a JWT token?
A JWT token has three parts separated by dots: Header (specifies token type and signing algorithm), Payload (contains claims like user info), and Signature (verifies token integrity).
intermediate
How does Spring Boot typically verify a JWT token in a request?
Spring Boot extracts the JWT from the Authorization header, verifies its signature and expiration, then loads user details from the token claims to authenticate the user for the request.
intermediate
Why is it important to keep the JWT secret key safe?
The secret key signs the JWT token. If exposed, attackers can create fake tokens and impersonate users, breaking security. Keeping it secret ensures token trustworthiness.
beginner
What is the role of the 'Authorization' header in JWT authentication?
The 'Authorization' header carries the JWT token in the format 'Bearer <token>'. It is sent with each request to prove the user's identity to the server.
Which part of the JWT contains the user's identity information?
A. Header
B. Secret key
C. Signature
D. Payload
Answer: D. The Payload part contains claims, including user identity details.
In Spring Boot, where is the JWT token usually found in an HTTP request?
A. In a cookie
B. In the Authorization header
C. In the request body
D. In the URL query parameters
Answer: B. JWT tokens are typically sent in the Authorization header as 'Bearer <token>'.
What does the signature part of a JWT ensure?
A. That the token has not been tampered with
B. That the token is encrypted
C. That the token is expired
D. That the token contains user roles
Answer: A. The signature verifies the token's integrity and authenticity.
Why should the JWT secret key never be exposed publicly?
A. Because it can be used to generate fake tokens
B. Because it is stored in the database
C. Because it slows down the server
D. Because it contains user passwords
Answer: A. Exposing the secret key allows attackers to create valid fake tokens.
What happens if a JWT token is expired when received by the server?
A. The server accepts it anyway
B. The server refreshes the token automatically
C. The server rejects the request and asks for re-authentication
D. The server ignores the expiration
Answer: C. Expired tokens are rejected to maintain security; users must log in again.
Explain how JWT authentication works in a Spring Boot application from login to accessing a protected resource.
Think about the steps from user login to token verification on requests.
Describe the structure of a JWT token and the purpose of each part.
Remember the token has three dot-separated parts.
Practice
1. What is the main purpose of using a JWT token in Spring Boot authentication?
easy
A. To store user passwords in the database
B. To securely transmit user identity without sending passwords every time
C. To encrypt the entire application data
D. To replace the need for HTTPS
Solution
Step 1: Understand JWT token role
JWT tokens are used to prove user identity securely without resending passwords.
Step 2: Compare options with JWT purpose
Only "To securely transmit user identity without sending passwords every time" (Option B) correctly describes this purpose; the other options are unrelated or incorrect.
Final Answer:
To securely transmit user identity without sending passwords every time -> Option B
Quick Check:
JWT token purpose = secure identity proof [OK]
Hint: JWT tokens prove identity without passwords [OK]
Common Mistakes:
Thinking JWT stores passwords
Confusing JWT with data encryption
Assuming JWT replaces HTTPS
2. Which of the following is the correct way to extract the JWT token from an HTTP request header in Spring Boot?
easy
A. String token = request.getParameter("Authorization");
B. String token = request.getCookie("jwt");
C. String token = request.getBody();
D. String token = request.getHeader("Authorization").substring(7);
Solution
Step 1: Identify JWT token location in HTTP request
JWT tokens are usually sent in the Authorization header with prefix "Bearer ".
Step 2: Extract token correctly
String token = request.getHeader("Authorization").substring(7); reads the header and drops the 7-character "Bearer " prefix, which is correct. In real code, first check that the header is non-null and starts with "Bearer ", otherwise a request without the header throws a NullPointerException.
Final Answer:
String token = request.getHeader("Authorization").substring(7); -> Option D
Quick Check:
Extract JWT from Authorization header [OK]
Hint: JWT is in Authorization header with 'Bearer ' prefix [OK]
Common Mistakes:
Using request parameters instead of headers
Trying to get token from request body
Assuming token is in cookies by default
3. Given this Spring Boot JWT validation snippet, what will be the output if the token is expired?
A. Incorrect method to set signing key in new jjwt versions
B. Missing call to build() before compact()
C. Username should not be set as subject
D. Missing token expiration setting
Solution
Step 1: Check jjwt signing method usage
In recent jjwt versions, signWith requires a java.security.Key object rather than a SignatureAlgorithm plus a String key.
Step 2: Identify correct signing method
signWith(SignatureAlgorithm, String) is deprecated and fails on newer jjwt versions; use signWith(Key) instead.
Final Answer:
Incorrect method to set signing key in new jjwt versions -> Option A
Quick Check:
Use Key object with signWith in jjwt [OK]
Hint: Use Key object, not algorithm + string, in signWith [OK]
Common Mistakes:
Ignoring jjwt version changes
Assuming string key is accepted directly
Confusing expiration with signing errors
5. You want to implement JWT authentication in Spring Boot that automatically rejects tokens older than 15 minutes and refreshes tokens on each valid request. Which approach correctly combines expiration and refresh logic?
hard
A. Set token expiration to 15 minutes and issue a new token with updated expiration on each valid request
B. Set token expiration to 15 minutes and never refresh tokens; force user to login again after expiry
C. Set token expiration to 1 hour and refresh tokens only when user logs out
D. Do not set expiration and refresh tokens every time to keep user logged in indefinitely
Solution
Step 1: Understand token expiration and refresh needs
To reject tokens older than 15 minutes, set expiration to 15 minutes.
Step 2: Implement refresh on each valid request
Issuing a new token with an updated expiration on each valid request keeps the user's session active while still limiting the lifetime of any single token to 15 minutes.
Final Answer:
Set token expiration to 15 minutes and issue a new token with updated expiration on each valid request -> Option A
Quick Check:
Short expiration + refresh token = secure session [OK]
Hint: Short expiration plus refresh token on requests [OK]