Bird
Raised Fist0
Spring Bootframework~30 mins

Why JWT matters for APIs in Spring Boot - See It in Action

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Why JWT matters for APIs
📖 Scenario: You are building a simple API for a book store. You want to make sure only authorized users can access certain API endpoints. To do this, you will use JWT (JSON Web Tokens) to securely identify users.
🎯 Goal: Build a Spring Boot API that uses JWT to protect an endpoint. You will create the data structure for a user, configure a secret key, implement JWT token creation, and secure an API endpoint using the JWT.
📋 What You'll Learn
Create a user data structure with username and password
Add a secret key configuration for signing JWT tokens
Implement JWT token creation logic
Secure an API endpoint to require a valid JWT token
💡 Why This Matters
🌍 Real World
APIs often need to verify who is calling them. JWT tokens let APIs check identity securely without storing session data.
💼 Career
Understanding JWT is essential for backend developers building secure APIs in Spring Boot or other frameworks.
Progress0 / 4 steps
1
Create User Data Structure
Create a record called User with two fields: username of type String and password of type String.
Spring Boot
Hint

Use the record keyword in Java 17+ to create a simple data class.

2
Add Secret Key Configuration
Create a String variable called secretKey and set it to the exact value "mysecretkey12345".
Spring Boot
Hint

This key will be used to sign the JWT tokens.

3
Implement JWT Token Creation
Write a method called createToken that takes a User parameter and returns a String. Inside, return a dummy token string "token-for-" + user.username().
Spring Boot
Hint

This simulates creating a JWT token for the user.

4
Secure API Endpoint with JWT
Create a Spring Boot @RestController class called BookController with a @GetMapping("/books") method called getBooks that takes a @RequestHeader("Authorization") String token parameter. Inside, return a List<String> with one book title "Spring Boot Guide" only if token.equals("token-for-admin"), else return an empty list.
Spring Boot
Hint

This endpoint only returns the book list if the JWT token matches the admin token.

Practice

(1/5)
1. Why is JWT important for APIs in Spring Boot?
easy
A. It replaces the need for HTTPS in API communication.
B. It stores user passwords in the token for quick access.
C. It securely identifies users without storing session data on the server.
D. It automatically encrypts all API responses.

Solution

  1. Step 1: Understand JWT's role in user identification

    JWT carries user identity information inside the token, so the server does not need to keep session data.

  2. Step 2: Recognize security benefits

    This stateless approach improves security and scalability by avoiding server-side session storage.

  3. Final Answer:

    It securely identifies users without storing session data on the server. -> Option C

  4. Quick Check:

    JWT = stateless secure user ID [OK]
Hint: JWT carries user info, no server session needed [OK]
Common Mistakes:
  • Thinking JWT stores passwords inside the token
  • Believing JWT replaces HTTPS
  • Assuming JWT encrypts API responses automatically
2. Which of the following is the correct way to include a JWT in an HTTP request header?
easy
A. Auth-Token: <token>
B. Authorization: Bearer <token>
C. Token: JWT <token>
D. JWT-Authorization: Bearer <token>

Solution

  1. Step 1: Recall standard JWT header format

    The standard way to send JWTs is in the Authorization header with the Bearer scheme.

  2. Step 2: Match the correct syntax

    "Authorization: Bearer <token>" is the correct and widely accepted format.

  3. Final Answer:

    Authorization: Bearer <token> -> Option B

  4. Quick Check:

    JWT header = Authorization: Bearer [OK]
Hint: JWT goes in Authorization header with Bearer prefix [OK]
Common Mistakes:
  • Using non-standard header names like Token or Auth-Token
  • Omitting the Bearer prefix
  • Adding extra words like JWT-Authorization
3. Given this Spring Boot controller method snippet, what will happen if the JWT is missing or invalid?
@GetMapping("/profile")
public ResponseEntity<String> getProfile(@RequestHeader("Authorization") String authHeader) {
    if (authHeader == null || !authHeader.startsWith("Bearer ")) {
        return ResponseEntity.status(401).body("Unauthorized");
    }
    String token = authHeader.substring(7);
    // Assume validateToken returns false if token invalid
    if (!jwtService.validateToken(token)) {
        return ResponseEntity.status(401).body("Unauthorized");
    }
    return ResponseEntity.ok("User profile data");
}
medium
A. Returns 500 Internal Server Error on invalid JWT.
B. Returns 200 OK with user profile regardless of JWT.
C. Throws a NullPointerException if JWT is missing.
D. Returns 401 Unauthorized if JWT is missing or invalid.

Solution

  1. Step 1: Check handling of missing or malformed Authorization header

    The code returns 401 Unauthorized if the header is missing or does not start with "Bearer ".

  2. Step 2: Check token validation logic

    If the token is invalid, the method also returns 401 Unauthorized.

  3. Final Answer:

    Returns 401 Unauthorized if JWT is missing or invalid. -> Option D

  4. Quick Check:

    Missing/invalid JWT = 401 Unauthorized [OK]
Hint: Missing or bad JWT triggers 401 Unauthorized [OK]
Common Mistakes:
  • Assuming it returns 200 OK without JWT
  • Expecting exceptions instead of 401 response
  • Thinking it returns 500 error on invalid token
4. Identify the bug in this Spring Boot JWT filter snippet:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    String authHeader = req.getHeader("Authorization");
    if (authHeader != null && authHeader.startsWith("Bearer ")) {
        String token = authHeader.substring(7);
        if (jwtService.validateToken(token)) {
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }
    chain.doFilter(request, response);
}
medium
A. It sets authentication to null instead of a valid Authentication object.
B. It does not check if authHeader is null before substring.
C. It calls chain.doFilter before validating the token.
D. It uses the wrong header name for JWT.

Solution

  1. Step 1: Analyze authentication setting logic

    The code sets authentication to null even when the token is valid, which means no user is authenticated.

  2. Step 2: Understand correct behavior

    It should set a valid Authentication object to represent the logged-in user, not null.

  3. Final Answer:

    It sets authentication to null instead of a valid Authentication object. -> Option A

  4. Quick Check:

    Valid token must set Authentication, not null [OK]
Hint: Valid token must set Authentication object, not null [OK]
Common Mistakes:
  • Ignoring that authentication is set to null
  • Thinking substring without null check causes error here
  • Assuming chain.doFilter order is wrong
  • Believing header name is incorrect
5. You want your Spring Boot API to allow users to stay logged in without server sessions, using JWT. Which approach best achieves this while keeping the API stateless and secure?
hard
A. Generate a JWT after login containing user info, send it to client, and require it in Authorization header for each request.
B. Store user sessions in a database and send session IDs in cookies to clients.
C. Send user credentials with every API request and validate each time on the server.
D. Use JWT only for login, then switch to server sessions for other requests.

Solution

  1. Step 1: Understand stateless authentication with JWT

    JWT tokens carry user info and are sent by clients with each request, so the server does not store session data.

  2. Step 2: Compare with other methods

    Storing sessions or sending credentials every time breaks statelessness or security best practices.

  3. Final Answer:

    Generate a JWT after login containing user info, send it to client, and require it in Authorization header for each request. -> Option A

  4. Quick Check:

    JWT = stateless secure token per request [OK]
Hint: JWT tokens keep API stateless and secure per request [OK]
Common Mistakes:
  • Using server sessions instead of JWT for statelessness
  • Sending credentials on every request
  • Switching between JWT and sessions inconsistently