Spring Boot framework, ~30 mins

Stateless authentication mental model in Spring Boot - Mini Project: Build & Apply

Stateless Authentication Mental Model with Spring Boot
📖 Scenario: You are building a simple web service that uses stateless authentication to verify users without storing session data on the server. This is common in modern web apps where each request carries its own authentication token.
🎯 Goal: Create a Spring Boot project that demonstrates the stateless authentication mental model by setting up a user data structure, configuring a secret key, implementing token validation logic, and completing the security filter to check tokens on incoming requests.
📋 What You'll Learn
Create a user data structure with fixed username and password
Add a secret key configuration for token signing
Implement a method to validate tokens against the secret key
Complete a security filter that checks the token on each request
💡 Why This Matters
🌍 Real World
Stateless authentication is used in modern web apps and APIs to avoid storing session data on the server, improving scalability and security.
💼 Career
Understanding stateless authentication is essential for backend developers working with REST APIs and microservices, especially using Spring Boot.
Step 1: Create User Data Structure
Create a Map<String, String> called users with one entry: key "user1" and value "password123".
Hint: Use a HashMap to store username and password pairs.

Step 2: Add Secret Key Configuration
Add a String variable called SECRET_KEY with the value "mySecretKey123" inside the AuthData class.
Hint: This key will be used to sign and verify tokens.

Step 3: Implement Token Validation Method
Inside a class called TokenUtil, write a static method boolean validateToken(String token) that returns true if the token equals AuthData.SECRET_KEY, otherwise false.
Hint: This simple check simulates token validation by comparing with the secret key.

Step 4: Complete Security Filter to Check Token
In a class AuthFilter that extends OncePerRequestFilter, override doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain). Extract the Authorization header, validate it using TokenUtil.validateToken, and if valid, call filterChain.doFilter(request, response) to continue the request.
Hint: This filter checks the token on every request and blocks unauthorized access.
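
Steps 2 to 4 assembled into one file, as an added example that is not part of the original exercise. It goes beyond the exercise's equality check: the secret key signs the token with HMAC-SHA256 rather than serving as the token itself, and the filter answers 401 when validation fails. The issueToken helper, the username.signature token format and the jakarta.servlet imports (Spring Boot 3) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.*;          // assumption: Spring Boot 3; Boot 2 uses javax.servlet
import jakarta.servlet.http.*;
import org.springframework.web.filter.OncePerRequestFilter;

class AuthData {
    static final String SECRET_KEY = "mySecretKey123"; // exercise value, stays on the server
}

class TokenUtil {
    // Hypothetical token format: username + "." + Base64url(HMAC-SHA256(key, username))
    static String issueToken(String username) { return username + "." + sign(username); }
    static boolean validateToken(String token) {
        int dot = (token == null) ? -1 : token.lastIndexOf('.');
        if (dot <= 0) return false; // missing header, or no username/signature part
        byte[] expected = sign(token.substring(0, dot)).getBytes(StandardCharsets.UTF_8);
        byte[] actual = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }
    private static String sign(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            byte[] key = AuthData.SECRET_KEY.getBytes(StandardCharsets.UTF_8);
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] sig = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 signing failed", e);
        }
    }
}

class AuthFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        String token = request.getHeader("Authorization"); // raw token, as in the exercise
        if (TokenUtil.validateToken(token)) {
            filterChain.doFilter(request, response); // valid: continue the request
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // invalid: stop with 401
        }
    }
}
```

The token here carries no expiry, so it stays valid for as long as the key is unchanged.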