Bird
Raised Fist0
Spring Bootframework~30 mins

JWT validation filter in Spring Boot - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
JWT Validation Filter in Spring Boot
📖 Scenario: You are building a secure Spring Boot web application. You want to check every incoming HTTP request for a valid JWT token to allow access only to authenticated users.
🎯 Goal: Create a JWT validation filter that intercepts HTTP requests, extracts the JWT token from the Authorization header, validates it, and sets the authentication in the security context.
📋 What You'll Learn
Create a filter class named JwtValidationFilter that extends OncePerRequestFilter
Add a secret key variable secretKey for JWT signature validation
Implement the doFilterInternal method to extract and validate the JWT token from the Authorization header
Set the authentication in the SecurityContextHolder if the token is valid
💡 Why This Matters
🌍 Real World
JWT validation filters are used in real web applications to secure APIs by checking tokens on every request.
💼 Career
Understanding how to implement authentication filters is essential for backend developers working with Spring Boot and security.
Progress0 / 4 steps
1
Create JwtValidationFilter class and secretKey variable
Create a public class named JwtValidationFilter that extends OncePerRequestFilter. Inside it, declare a private final String variable called secretKey and set it to "mySecretKey12345".
Spring Boot
Hint

Extend OncePerRequestFilter and declare secretKey as a private final String with the exact value.

2
Override doFilterInternal method
Override the doFilterInternal method with parameters HttpServletRequest request, HttpServletResponse response, and FilterChain filterChain. For now, just call filterChain.doFilter(request, response) inside the method.
Spring Boot
Hint

Override doFilterInternal with the correct parameters and call filterChain.doFilter(request, response) inside.

3
Extract and validate JWT token
Inside doFilterInternal, get the Authorization header from request into a String variable called authHeader. Check if authHeader is not null and starts with "Bearer ". If so, extract the token substring after "Bearer " into a variable token. Then validate the token by checking if it equals "validToken123" (simulate validation).
Spring Boot
Hint

Get the Authorization header, check it starts with "Bearer ", then extract the token substring and compare it to "validToken123".

4
Set authentication in SecurityContextHolder
Inside the token validation if block, create a UsernamePasswordAuthenticationToken named authentication with principal as null, credentials as null, and an empty list of authorities. Then set this authentication in SecurityContextHolder.getContext().setAuthentication(authentication). Finally, call filterChain.doFilter(request, response) after the validation logic.
Spring Boot
Hint

Create a UsernamePasswordAuthenticationToken with null principal and credentials and empty authorities, then set it in the security context.

Practice

(1/5)
1. What is the main purpose of a JWT validation filter in a Spring Boot application?
easy
A. To generate new JWT tokens for users
B. To check and verify JWT tokens on incoming HTTP requests
C. To log all incoming requests without validation
D. To encrypt the response data before sending

Solution

  1. Step 1: Understand JWT validation filter role

    A JWT validation filter is designed to intercept incoming requests and check the validity of JWT tokens.

  2. Step 2: Identify the correct purpose

    It does not generate tokens or encrypt data; its main job is to verify tokens to allow or deny access.

  3. Final Answer:

    To check and verify JWT tokens on incoming HTTP requests -> Option B

  4. Quick Check:

    JWT validation filter = Verify tokens [OK]
Hint: JWT filter checks tokens on requests, not generating or logging [OK]
Common Mistakes:
  • Confusing validation with token generation
  • Thinking filter encrypts data
  • Assuming it only logs requests
2. Which method in a Spring Boot filter is typically overridden to implement JWT validation logic?
easy
A. doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
B. init(FilterConfig filterConfig)
C. destroy()
D. handleRequest(HttpRequest request)

Solution

  1. Step 1: Identify filter method for request processing

    In Spring Boot, filters extend OncePerRequestFilter and override doFilterInternal to process requests.

  2. Step 2: Match method to JWT validation

    doFilterInternal is where JWT token extraction and validation happen before continuing the chain.

  3. Final Answer:

    doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) -> Option A

  4. Quick Check:

    JWT validation code goes in doFilterInternal [OK]
Hint: JWT validation logic goes in doFilterInternal method [OK]
Common Mistakes:
  • Using init() which is for filter setup only
  • Confusing destroy() with request handling
  • Inventing non-existent handleRequest() method
3. Given this snippet inside a JWT validation filter, what happens if the token is invalid? 
String token = request.getHeader("Authorization");
if (token == null || !jwtUtil.validateToken(token)) {
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    return;
}
chain.doFilter(request, response);
medium
A. The server throws a NullPointerException
B. The request proceeds without validation
C. The request is blocked with 401 Unauthorized status
D. The token is refreshed automatically

Solution

  1. Step 1: Analyze token check condition

    If token is missing or invalid, the code sets response status to 401 and returns immediately.

  2. Step 2: Understand filter chain behavior

    Because it returns before calling chain.doFilter, the request does not proceed further.

  3. Final Answer:

    The request is blocked with 401 Unauthorized status -> Option C

  4. Quick Check:

    Invalid token = 401 block [OK]
Hint: Invalid token triggers 401 and stops request chain [OK]
Common Mistakes:
  • Assuming request proceeds despite invalid token
  • Expecting automatic token refresh
  • Thinking NullPointerException occurs here
4. Identify the error in this JWT validation filter snippet: 
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    String token = request.getHeader("Authorization");
    if (token != null && jwtUtil.validateToken(token)) {
        SecurityContextHolder.getContext().setAuthentication(jwtUtil.getAuthentication(token));
    }
    chain.doFilter(request, response);
}
medium
A. It does not handle the case when token is missing or invalid by blocking the request
B. It incorrectly sets authentication before validation
C. It calls chain.doFilter twice causing errors
D. It throws IOException without handling

Solution

  1. Step 1: Review token validation logic

    The code sets authentication only if token is valid, but does not block invalid or missing tokens.

  2. Step 2: Check filter chain continuation

    It always calls chain.doFilter, so invalid requests proceed without rejection.

  3. Final Answer:

    It does not handle the case when token is missing or invalid by blocking the request -> Option A

  4. Quick Check:

    Missing block on invalid token = security hole [OK]
Hint: Always block requests with missing or invalid tokens [OK]
Common Mistakes:
  • Allowing requests without token validation
  • Calling chain.doFilter twice (not here though)
  • Misunderstanding exception handling in filters
5. You want to create a JWT validation filter that extracts the token from the Authorization header, validates it, and sets the user authentication in the security context only if valid. Which sequence of actions is correct inside doFilterInternal?
hard
A. Continue filter chain -> Extract token -> Validate token -> Set authentication -> Else respond 401
B. Validate token -> Extract token -> Set authentication -> Continue filter chain -> Else respond 401
C. Set authentication -> Extract token -> Validate token -> Continue filter chain -> Else respond 401
D. Extract token -> Validate token -> Set authentication -> Continue filter chain -> Else respond 401

Solution

  1. Step 1: Determine correct order of JWT processing

    First, extract the token from the Authorization header, then validate it to ensure it's correct.

  2. Step 2: Set authentication and control flow

    If valid, set user authentication in the security context, then continue the filter chain; otherwise, respond with 401 Unauthorized.

  3. Final Answer:

    Extract token -> Validate token -> Set authentication -> Continue filter chain -> Else respond 401 -> Option D

  4. Quick Check:

    Correct JWT filter flow = Extract token -> Validate token -> Set authentication -> Continue filter chain -> Else respond 401 [OK]
Hint: Extract first, then validate, set auth, continue or block [OK]
Common Mistakes:
  • Validating before extracting token
  • Setting authentication before validation
  • Continuing filter chain before validation