Spring Boot framework, ~30 mins

JWT validation filter in Spring Boot - Mini Project: Build & Apply

JWT Validation Filter in Spring Boot
📖 Scenario: You are building a secure Spring Boot web application. You want to check every incoming HTTP request for a valid JWT token to allow access only to authenticated users.
🎯 Goal: Create a JWT validation filter that intercepts HTTP requests, extracts the JWT token from the Authorization header, validates it, and sets the authentication in the security context.
📋 What You'll Learn
Create a filter class named JwtValidationFilter that extends OncePerRequestFilter
Add a secret key variable secretKey for JWT signature validation
Implement the doFilterInternal method to extract and validate the JWT token from the Authorization header
Set the authentication in the SecurityContextHolder if the token is valid
💡 Why This Matters
🌍 Real World
JWT validation filters are used in real web applications to secure APIs by checking tokens on every request.
💼 Career
Understanding how to implement authentication filters is essential for backend developers working with Spring Boot and security.
1
Create JwtValidationFilter class and secretKey variable
Create a public class named JwtValidationFilter that extends OncePerRequestFilter. Inside it, declare a private final String variable called secretKey and set it to "mySecretKey12345".
Hint: Extend OncePerRequestFilter and declare secretKey as a private final String with the exact value.

2
Override doFilterInternal method
Override the doFilterInternal method with parameters HttpServletRequest request, HttpServletResponse response, and FilterChain filterChain. For now, just call filterChain.doFilter(request, response) inside the method.
Hint: Override doFilterInternal with the correct parameters and call filterChain.doFilter(request, response) inside.

3
Extract and validate JWT token
Inside doFilterInternal, get the Authorization header from request into a String variable called authHeader. Check if authHeader is not null and starts with "Bearer ". If so, extract the token substring after "Bearer " into a variable token. Then validate the token by checking if it equals "validToken123" (simulate validation).
Hint: Get the Authorization header, check it starts with "Bearer ", then extract the token substring and compare it to "validToken123".

4
Set authentication in SecurityContextHolder
Inside the token validation if block, create a UsernamePasswordAuthenticationToken named authentication with a null principal, null credentials, and an empty list of authorities. Then store it in the security context by calling SecurityContextHolder.getContext().setAuthentication(authentication). Finally, call filterChain.doFilter(request, response) after the validation logic.
Hint: Create a UsernamePasswordAuthenticationToken with null principal and credentials and empty authorities, then set it in the security context.