Spring Boot framework · ~20 mins

Why JWT matters for APIs in Spring Boot - Challenge Your Understanding

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the primary purpose of JWT in API security?
Consider a Spring Boot API that uses JWT for authentication. What is the main reason JWT is used in this context?
A) To store user passwords safely on the client side
B) To encrypt all API data so only the server can read it
C) To replace HTTPS for secure communication
D) To securely transmit user identity and claims between client and server without storing session state on the server
💡 Hint

Think about how JWT helps avoid server-side session storage.

Component Behavior
intermediate
How does a Spring Boot API behave when receiving an expired JWT?
In a Spring Boot API secured with JWT, what happens when a client sends a request with an expired JWT token?
A) The API rejects the request with a 401 Unauthorized error
B) The API accepts the request but logs a warning
C) The API refreshes the token automatically and processes the request
D) The API ignores the token and treats the request as anonymous
💡 Hint

Think about how JWT expiration affects authentication.

📝 Syntax
advanced
Identify the correct way to extract claims from a JWT in Spring Boot
Given the following code snippet to parse a JWT token, which option correctly extracts the 'username' claim?
Spring Boot
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
Claims claims = Jwts.parserBuilder()
    .setSigningKey(secretKey)
    .build()
    .parseClaimsJws(token)
    .getBody();
// Extract username here
A) String username = claims.get("username", String.class);
B) String username = claims.getSubject();
C) String username = claims.get("user", String.class);
D) String username = claims.getIssuer();
💡 Hint

The JWT standard defines a specific registered claim for the principal (subject) of the token.

State Output
advanced
What is the effect of missing JWT in a secured Spring Boot API request?
If a client sends a request to a Spring Boot API endpoint secured with JWT but does not include any JWT token, what will be the API's response?
A) The API processes the request as an anonymous user
B) The API responds with 403 Forbidden error
C) The API responds with 401 Unauthorized error
D) The API redirects the client to a login page
💡 Hint

Think about how Spring Security handles missing authentication tokens.

🔧 Debug
expert
Why does this Spring Boot JWT validation code fail to reject tampered tokens?
Examine this JWT validation snippet in a Spring Boot API:

String token = request.getHeader("Authorization").substring(7);
Claims claims = Jwts.parser()
    .setSigningKey(secretKey)
    .parseClaimsJws(token)
    .getBody();

Why might this code fail to reject a JWT token that has been tampered with?
A) Not catching exceptions from parseClaimsJws allows tampered tokens to pass silently
B) The substring(7) call removes part of the token, causing parseClaimsJws to skip verification
C) The secretKey is not decoded properly before use, so signature verification fails silently
D) Using Jwts.parser() instead of Jwts.parserBuilder() causes the signature not to be verified properly
💡 Hint

Consider what happens if parseClaimsJws throws an exception and it is not handled.