Creating a Spring Security Key for Signing a JWT Token

Azure Spring Apps is a fully managed service from Microsoft (built in collaboration with VMware), focused on building and deploying Spring Boot applications on Azure Cloud without worrying about Kubernetes.

The Enterprise plan comes with some interesting features, such as commercial Spring runtime support, a 99.95% SLA and some deep discounts (up to 47%) when you are ready for production.

>> Learn more and deploy your first Spring Boot app to Azure.

And, you can participate in a very quick (1 minute) paid user research from the Java on Azure product team.

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

The Jet Profiler was built for MySQL only, so it can do things like real-time query performance, focus on most used tables or most frequent queries, quickly identify performance issues and basically help you optimize your queries.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

Accelerate Your Jakarta EE Development with Payara Server!

With best-in-class guides and documentation, Payara essentially simplifies deployment to diverse infrastructures.

Beyond that, it provides intelligent insights and actions to optimize Jakarta EE applications.

The goal is to apply an opinionated approach to get to what's essential for mission-critical applications - really solid scalability, availability, security, and long-term support:

>> Download and Explore the Guide (to learn more)

The AI Assistant to boost Boost your productivity writing unit tests - Machinet AI.

AI is all the rage these days, but for very good reason. The highly practical coding companion, you'll get the power of AI-assisted coding and automated unit test generation.
Machinet's Unit Test AI Agent utilizes your own project context to create meaningful unit tests that intelligently aligns with the behavior of the code.
And, the AI Chat crafts code and fixes errors with ease, like a helpful sidekick.

Simplify Your Coding Journey with Machinet AI:

>> Install Machinet AI in your IntelliJ

Looking for the ideal Linux distro for running modern Spring apps in the cloud?

Meet Alpaquita Linux: lightweight, secure, and powerful enough to handle heavy workloads.

This distro is specifically designed for running Java apps. It builds upon Alpine and features significant enhancements to excel in high-density container environments while meeting enterprise-grade security standards.

Specifically, the container image size is ~30% smaller than standard options, and it consumes up to 30% less RAM:

>> Try Alpaquita Containers now.

DbSchema is a super-flexible database designer, which can take you from designing the DB with your team all the way to safely deploying the schema.

The way it does all of that is by using a design model, a database-independent image of the schema, which can be shared in a team using GIT and compared or deployed on to any database.

And, of course, it can be heavily visual, allowing you to interact with the database using diagrams, visually compose queries, explore the data, generate random data, import data or build HTML5 database reports.

>> Take a look at DBSchema

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

1. Overview

JSON Web Tokens (JWT) is the de facto standard for securing a stateless application. The Spring Security framework provides methods of integrating JWT to secure REST APIs. One of the key processes of generating a token is applying a signature to guarantee authenticity.

In this tutorial, we’ll explore a stateless Spring Boot application that utilizes JWT authentication. We’ll set up the necessary components and create a cryptographic SecretKey instance to sign and verify the JWT.

2. Project Setup

To begin with, let’s bootstrap a stateless Spring Boot application with Spring Security and JWT token. Notably, we’ll not show the full setup code for simplicity and brevity.

2.1. Maven Dependencies

First, let’s add the spring-boot-starter-web, spring-boot-starter-security, spring-boot-starter-data-jpa, and h2 database dependencies to the pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>3.2.3</version> 
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId> 
    <version>3.2.3</version> 
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
    <version>3.2.3</version>  
</dependency>
<dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <version>2.2.224</version>
</dependency>

The Spring Boot Starter Web provides API to build REST APIs. Also, the Spring Boot Starter Security dependency helps provide authentication and authorization. We add an in-memory database for fast prototyping.

Next, let’s add the jjwt-api, jjwt-impl and jjwt-jackson dependencies to the pom.xml:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.12.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.12.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.12.5</version>
</dependency>

These dependencies provide an API to generate and sign a JWT and integrate it into Spring Security.

2.2. JWT Configuration

First, let’s create an authentication entry point:

@Component
class AuthEntryPointJwt implements AuthenticationEntryPoint {
    // ...
}

Here, we create a class to handle authorized access attempts in a Spring Security application using JWT authentication. It acts as a gatekeeper, ensuring only users with valid access can access protected resources.

Then, let’s create a class named AuthTokenFilter that intercepts incoming requests, validates JWT tokens, and authenticates users if a valid token is present:

class AuthTokenFilter extends OncePerRequestFilter {
    // ...
}

Finally, let’s create the JwtUtil class, which provides methods for creating and verifying tokens:

@Component
class JwtUtils {
    // ... 
}

This class contains the logic that uses the signWith() method.

2.3. Security Configuration

Finally, let’s define the SecurityConfiguration class and integrate the JWT:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
class SecurityConfiguration {
    // ...

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
          .cors(AbstractHttpConfigurer::disable)
          .authorizeHttpRequests(req -> req.requestMatchers(WHITE_LIST_URL)
            .permitAll()
            .anyRequest()
            .authenticated())
          .exceptionHandling(ex -> ex.authenticationEntryPoint(unauthorizedHandler))
          .sessionManagement(session -> session.sessionCreationPolicy(STATELESS))
          .authenticationProvider(authenticationProvider())
          .addFilterBefore(
              authenticationJwtTokenFilter(), 
              UsernamePasswordAuthenticationFilter.class
           );

        return http.build();
    }

    // ...
}

In the code above, we integrate the JWT entry point and filter to activate JWT authentication.

3. The signWith() Method

The JJWT library provides a signWith() method to help sign a JWT with a specific cryptographic algorithm and a secret key. This signing process is essential for ensuring the integrity and authenticity of the JWT.

The signWith() method accepts the Key or SecretKey instances and signature algorithm as arguments. The Hash-based Message Authentication Code (HMAC) algorithm is among the most commonly used signing algorithms.

Importantly, the method requires a secret key, typically a byte array, for the signing process. We can use the Key or SecretKey instance to convert a secret string to a secret key.

Notably, we can pass an ordinary string as a secret key. However, this lacks the security guarantees and randomness of cryptographic Key or SecretKey instances.

Using the SecretKey instance ensures the integrity and authenticity of JWT.

4. Signing JWT

We can create a strong secret key to sign JWT using the Key and SecretKey instance.

4.1. Using Key Instance

Essentially, we can convert a secret string to a Key instance to further encrypt it before using it to sign JWT.

First, let’s ensure the secret string is Base64 encoded:

private String jwtSecret = "4261656C64756E67";

Next, let’s create a Key object:

private Key getSigningKey() {
    byte[] keyBytes = Decoders.BASE64.decode(this.jwtSecret);
    return Keys.hmacShaKeyFor(keyBytes);
}

In the code above, we decode the jwtSecret into a byte array. Next, we invoke the hmacShaKeyFor() which accepts keyBytes as a parameter on the Keys instance. This generates a secret key based on the HMAC algorithm.

In the case where the secret key is not Base64 encoded, we can invoke the getByte() method on the plain string:

private Key getSigningKey() {
    byte[] keyBytes = this.jwtSecret.getBytes(StandardCharsets.UTF_8);
    return Keys.hmacShaKeyFor(keyBytes);
}

However, this is not recommended because the secret may be poorly formed, and the string may contain non-UTF-8 characters. Hence, we must ensure the key string is Base64 encoded before generating a secret key from it.

4.2. Using SecretKey Instance

Also, we can form a strong secret key using the HMAC-SHA Algorithm to create a SecretKey instance. Let’s create a SecretKey instance that returns a secret key:

SecretKey getSigningKey() {
    return Jwts.SIG.HS256.key().build();
}

Here, we directly use the HMAC-SHA algorithm without using a byte array. This forms a strong signature key. Next, we can update the signWith() method by passing the getSigningKey() as an argument.

Alternatively, we can create a SecretKey instance from a Base16 encoded string:

SecretKey getSigningKey() {
    byte[] keyBytes = Decoders.BASE64.decode(jwtSecret);
    return Keys.hmacShaKeyFor(keyBytes);
}

This generates a strong SecretKey type to sign and verify JWT.

Notably, using the SecretKey instance over the Key instance is advisable because the new method named verifyWith() to verify the token accepts the SecretKey type as a parameter.

4.3. Applying the Key

Now, let’s apply the secret key to sign the JWT of our application:

String generateJwtToken(Authentication authentication) {
    UserDetailsImpl userPrincipal = (UserDetailsImpl) authentication.getPrincipal();

    return Jwts.builder()
      .subject((userPrincipal.getUsername()))
      .issuedAt(new Date())
      .expiration(new Date((new Date()).getTime() + jwtExpirationMs))
      .signWith(key)
      .compact();
}

The signWith() method takes the SecretKey instance as a parameter to append a unique signature to the token.

5. Conclusion

In this article, we learned how to create a secret key using the Java Key and SecretKey instance. Also, we saw a stateless Spring Boot application that utilizes a JWT token for token integrity and applies a Key or SecretKey instance to sign and verify it. Using a plain string is no longer advisable.

As always, the full source code for the example code is available over on GitHub.

REST with Spring

Learn Spring Security ▼▲

Learn Spring Security Core

Learn Spring Security OAuth

Learn Spring

Learn Spring Data JPA

Persistence

REST

Security

Full Archive

Baeldung Ebooks

About Baeldung

Write for Baeldung