Recall & Review
beginner
What is the main purpose of a JWT validation filter in a Spring Boot application?
A JWT validation filter checks the JSON Web Token in incoming requests to verify the user's identity and permissions before allowing access to protected resources.
beginner
Where in the request lifecycle does a JWT validation filter typically operate?
It operates before the request reaches the controller, intercepting the request to validate the token and set the security context if valid.
intermediate
Which Spring Boot class is commonly extended to create a JWT validation filter?
OncePerRequestFilter is commonly extended to create a JWT validation filter that runs once per request.
beginner
What happens if the JWT token is missing or invalid in the JWT validation filter?
The filter usually rejects the request by sending an unauthorized error response, preventing access to protected endpoints.
intermediate
How does the JWT validation filter set the user details for the rest of the application after validating the token?
It creates an Authentication object with user details and sets it in the SecurityContextHolder, so Spring Security knows the user is authenticated.
What does a JWT validation filter check in an HTTP request?
A. The request body content
B. The request URL path
C. The HTTP method type
D. The JSON Web Token in the Authorization header
The JWT validation filter looks for the JWT token in the Authorization header to verify the user's identity.
Which method is overridden in a Spring Boot JWT validation filter extending OncePerRequestFilter?
A. doFilterInternal
B. doFilter
C. init
D. destroy
doFilterInternal is the method to override for custom filtering logic in OncePerRequestFilter.
What happens if the JWT token is expired when validated by the filter?
A. The filter refreshes the token automatically
B. The filter ignores the token and allows access
C. The filter rejects the request with an unauthorized error
D. The filter redirects to the login page
Expired tokens are invalid, so the filter rejects the request to protect resources.
After validating the JWT, how does the filter inform Spring Security about the authenticated user?
A. By setting an Authentication object in SecurityContextHolder
B. By modifying the HTTP response headers
C. By calling the controller directly
D. By storing user info in a cookie
Setting the Authentication object in SecurityContextHolder tells Spring Security the user is authenticated.
Which header usually carries the JWT token in HTTP requests?
A. Content-Type
B. Authorization
C. Accept
D. User-Agent
The Authorization header typically carries the JWT token prefixed with 'Bearer '.
Explain how a JWT validation filter works in a Spring Boot application from receiving a request to setting authentication.
Think about the steps the filter takes to check the token and tell Spring Security about the user.
Describe why using a JWT validation filter improves security in a web application.
Consider how the filter controls who can use the app resources.
Practice
1. What is the main purpose of a JWT validation filter in a Spring Boot application?
easy
A. To generate new JWT tokens for users
B. To check and verify JWT tokens on incoming HTTP requests
C. To log all incoming requests without validation
D. To encrypt the response data before sending
Solution
Step 1: Understand JWT validation filter role
A JWT validation filter is designed to intercept incoming requests and check the validity of JWT tokens.
Step 2: Identify the correct purpose
It does not generate tokens or encrypt data; its main job is to verify tokens to allow or deny access.
Final Answer:
To check and verify JWT tokens on incoming HTTP requests -> Option B
Quick Check:
JWT validation filter = Verify tokens [OK]
Hint: JWT filter checks tokens on requests, not generating or logging [OK]
Common Mistakes:
Confusing validation with token generation
Thinking filter encrypts data
Assuming it only logs requests
2. Which method in a Spring Boot filter is typically overridden to implement JWT validation logic?
easy
A. doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
B. init(FilterConfig filterConfig)
C. destroy()
D. handleRequest(HttpRequest request)
Solution
Step 1: Identify filter method for request processing
In Spring Boot, filters extend OncePerRequestFilter and override doFilterInternal to process requests.
Step 2: Match method to JWT validation
doFilterInternal is where JWT token extraction and validation happen before continuing the chain.
Final Answer:
doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) -> Option A
Quick Check:
JWT validation code goes in doFilterInternal [OK]
Hint: JWT validation logic goes in doFilterInternal method [OK]
Common Mistakes:
Using init() which is for filter setup only
Confusing destroy() with request handling
Inventing non-existent handleRequest() method
3. Given this snippet inside a JWT validation filter, what happens if the token is invalid?
A. It does not handle the case when token is missing or invalid by blocking the request
B. It incorrectly sets authentication before validation
C. It calls chain.doFilter twice causing errors
D. It throws IOException without handling
Solution
Step 1: Review token validation logic
The code sets authentication only if the token is valid, but it does not block requests whose token is missing or invalid.
Step 2: Check filter chain continuation
It always calls chain.doFilter, so invalid requests proceed without rejection.
Final Answer:
It does not handle the case when token is missing or invalid by blocking the request -> Option A
Quick Check:
Missing block on invalid token = security hole [OK]
Hint: Always block requests with missing or invalid tokens [OK]
Common Mistakes:
Allowing requests without token validation
Calling chain.doFilter twice (not here though)
Misunderstanding exception handling in filters
5. You want to create a JWT validation filter that extracts the token from the Authorization header, validates it, and sets the user authentication in the security context only if valid. Which sequence of actions is correct inside doFilterInternal?
hard
A. Continue filter chain -> Extract token -> Validate token -> Set authentication -> Else respond 401
B. Validate token -> Extract token -> Set authentication -> Continue filter chain -> Else respond 401
C. Set authentication -> Extract token -> Validate token -> Continue filter chain -> Else respond 401
D. Extract token -> Validate token -> Set authentication -> Continue filter chain -> Else respond 401
Solution
Step 1: Determine correct order of JWT processing
First, extract the token from the Authorization header, then validate it to ensure it's correct.
Step 2: Set authentication and control flow
If valid, set user authentication in the security context, then continue the filter chain; otherwise, respond with 401 Unauthorized.
Final Answer:
Extract token -> Validate token -> Set authentication -> Continue filter chain -> Else respond 401 -> Option D