
JWT validation filter in Spring Boot

Introduction

A JWT validation filter checks whether a user's token is valid before a request reaches the protected parts of a web app. It keeps the app safe by making sure only authorized users get through to those endpoints.

When you want to protect API endpoints so only logged-in users can access them.
When you need to check the user's identity on every request automatically.
When you want to reject requests with expired or tampered tokens.
When building a REST API that uses JWT for user authentication.
When you want to add security without changing your controller code.
Syntax
Spring Boot
public class JwtValidationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        String token = extractToken(request);
        if (token != null && validateToken(token)) {
            // Set authentication in security context
            filterChain.doFilter(request, response);
        } else {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
    }

    private String extractToken(HttpServletRequest request) {
        String bearer = request.getHeader("Authorization");
        if (bearer != null && bearer.startsWith("Bearer ")) {
            return bearer.substring(7);
        }
        return null;
    }

    private boolean validateToken(String token) {
        // Logic to check token signature and expiry
        return true; // or false
    }
}

The filter extends OncePerRequestFilter so that it runs exactly once per request, even when the request is forwarded or included internally.

Extract the token from the Authorization header, usually starting with "Bearer ".

Examples
Basic check to allow or deny access based on token validity.
Spring Boot
String token = extractToken(request);
if (token != null && validateToken(token)) {
    // Allow access
} else {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return;
}
Extracts the JWT token from the Authorization header if it starts with "Bearer ".
Spring Boot
private String extractToken(HttpServletRequest request) {
    String bearer = request.getHeader("Authorization");
    if (bearer != null && bearer.startsWith("Bearer ")) {
        return bearer.substring(7);
    }
    return null;
}
Placeholder for token validation logic using a JWT library.
Spring Boot
private boolean validateToken(String token) {
    // Use JWT library to check signature and expiry
    return true; // or false
}
Sample Program

This filter reads the JWT from the Authorization header. If the token equals "valid-token", it lets the request continue down the filter chain. Otherwise, it sends a 401 Unauthorized response with a short message in the body.

Spring Boot
package com.example.security;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;

public class JwtValidationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        String token = extractToken(request);
        if (token != null && validateToken(token)) {
            // Token is valid, continue processing
            filterChain.doFilter(request, response);
        } else {
            // Token missing or invalid, reject request
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.getWriter().write("Unauthorized: Invalid or missing token");
        }
    }

    private String extractToken(HttpServletRequest request) {
        String bearer = request.getHeader("Authorization");
        if (bearer != null && bearer.startsWith("Bearer ")) {
            return bearer.substring(7);
        }
        return null;
    }

    private boolean validateToken(String token) {
        // Simple dummy validation: token must equal "valid-token" for demo
        return "valid-token".equals(token);
    }
}
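The dummy string comparison above stands in for real verification. As an added example that is not part of the original page, the class below shows what the validateToken placeholder has to do for an HS256-signed token using only the JDK plus Jackson (already on the classpath with spring-boot-starter-web): pin the algorithm, verify the signature with a constant-time comparison, and reject a missing or past exp claim. HmacJwtVerifier and the byte[] secret passed to it are assumed names; in production you would normally delegate this to jjwt or java-jwt as the notes recommend.

```java
package com.example.security;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: verifies an HS256-signed JWT's signature and expiry with the JDK only. */
public final class HmacJwtVerifier {

    private static final ObjectMapper JSON = new ObjectMapper();
    private final byte[] secret; // shared HMAC key, assumed to be injected from configuration

    public HmacJwtVerifier(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Returns true only if the token is well-formed, signed with our key using HS256, and not expired. */
    public boolean validateToken(String token) {
        try {
            String[] parts = token.split("\\.", -1);
            if (parts.length != 3) {
                return false;                       // JWS compact form has exactly three segments
            }
            Base64.Decoder b64 = Base64.getUrlDecoder(); // accepts unpadded base64url
            JsonNode header = JSON.readTree(b64.decode(parts[0]));
            if (!"HS256".equals(header.path("alg").asText())) {
                return false;                       // pin the algorithm; never accept "none" or another alg
            }
            byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal(signingInput);
            if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) {
                return false;                       // constant-time comparison of the signatures
            }
            JsonNode exp = JSON.readTree(b64.decode(parts[1])).path("exp");
            if (!exp.isNumber() || exp.asLong() <= Instant.now().getEpochSecond()) {
                return false;                       // a missing or past "exp" claim rejects the token
            }
            return true;
        } catch (Exception e) {
            return false;                           // malformed Base64/JSON or crypto errors all mean "invalid"
        }
    }
}
```

Wire it into the filter by replacing the dummy validateToken body with a call to this verifier; only a token that passes every check lets filterChain.doFilter run.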
Important Notes

Always register the JWT validation filter so that it runs before requests reach your controllers; if it sits later in the filter chain, unauthenticated requests can get through.

Use a real JWT library such as jjwt or java-jwt to verify the token's signature and expiry instead of the dummy string comparison shown in the sample program.

Make sure to catch exceptions thrown during validation and send a clear error status and message, so that failures are easy to debug.

Summary

A JWT validation filter checks tokens on incoming requests to protect your app.

It extracts the token from the Authorization header and verifies it.

If the token is valid, the request proceeds; if not, it returns 401 Unauthorized.