#38 Spring Security | Validating JWT Token

00:00

so till this point we were able to

00:02

create the token the JWT token so just

00:05

to show you how it was looking so if you

00:07

go back here and if you click on login

00:09

so we are passing the details if you can

00:11

see the body we are sending the login

00:13

details which is Navina and and at the

00:15

rate 1 to3 when you click on send the

00:17

request goes to the server and then on

00:19

the server side it verifies the username

00:21

password and if the username is password

00:23

is correct in that case it generates a

00:25

token which you can see here and of

00:28

course using this token I want to do

00:30

other activities example I've done the

00:31

login once right and I got the token and

00:33

now let's say from the application if I

00:36

want to access any resource example if I

00:38

want to fetch students and I don't want

00:40

to pass the username password now so in

00:42

the earlier scenario we were sending the

00:45

username password but now we don't want

00:46

to do that we want to send a token which

00:48

is a better token and here we should be

00:51

able to paste it and we are doing that

00:53

but when you click on send this is not

00:55

working and we want to make it work so

00:57

generating token done but we have to WR

01:00

the token and give the access to the

01:02

user that's what you have to do in this

01:03

video okay u in fact this token is also

01:05

valid we have checked that on jw. we got

01:08

the details we got the claims and we got

01:10

other details so things are working out

01:12

it's just that now we have to validate

01:14

token and we have to make this work now

01:16

how we are going to do that so of course

01:17

there are multiple steps involved the

01:19

first thing you have to do is when you

01:20

send a request to the server by default

01:22

see one there's one thing uh I wanted to

01:24

point it out if you go to security

01:26

config we have mentioned that for this

01:28

two requests the register and and for

01:30

login you don't have to check for

01:32

authentication so basically they are

01:33

permitted but for the all the other

01:35

request it will be authenticated that

01:36

means when you request for the students

01:38

it will be authenticated and by default

01:41

the authentication we follow is user

01:43

password authentication so by default

01:45

that filter comes to picture now if you

01:47

remember we have talked about filters

01:48

right so in Spring Security we have

01:50

multiple filters one of the filter is

01:52

user password authentication filter this

01:54

is a filter which gets activated and

01:56

then it checks for username password now

01:58

what we are saying is hey you know I

01:59

don't don't want this filter to be

02:01

activated first before this filter I

02:03

mean I want to make this filter which is

02:06

UF as your second filter and the first

02:09

filter should be your JWT filter now

02:11

this will check for the token right now

02:13

once you verify token as a first filter

02:16

then it will send the request to the uh

02:18

UPA filter by saying hey I have verified

02:21

and this is a user already logged in so

02:23

I'm confirming that so you can just

02:25

continue with the other work so this is

02:26

what we want to do so that means we have

02:27

to add a filter before the user password

02:30

authentication filter and the way you

02:32

can do that is very simple it's not

02:33

actually you know this this video is

02:35

also very lengthy so just be with me and

02:37

there a lot of things going on and if

02:39

you watch it with me and if you write

02:41

the code with me it will make much more

02:43

sense so the first thing you do is

02:45

before you build you know I'm in the

02:47

security config and we are working with

02:49

security filter chain basically we're

02:50

working with Filter chain and before you

02:52

say build what you do is you add a

02:54

filter before the user authentication

02:56

filter right so you will say add filter

02:59

before so you can you can add filter

03:00

anytime you can add filter uh you can

03:02

add filter at particular point you can

03:04

add filter after or before so I want to

03:06

add before the user authentication

03:07

filter so I will do that uh the first

03:09

parameter is actual filter so let's say

03:11

I want to say this is a JWT filter so

03:13

that's the object we have to pass the

03:14

second one is the class the filter class

03:17

so I will say usern name password

03:20

authentication filter now this is what

03:22

we have to specify so what I'm doing is

03:24

I'm saying that hey you know before you

03:26

hit this particular filter use this

03:28

filter but what is this filter we have

03:30

to work with this so in that case you

03:32

will go up here and create the object of

03:36

private

03:37

JWT filter J filter so this is what so

03:41

we have created the object here I mean

03:43

we are doing Auto wire and then that

03:45

object would be used here okay but the

03:47

problem is and it says that uh this jwd

03:50

filter is not able to find it so it's

03:52

very simple you can just simply say

03:53

control space let's import the package

03:56

oh it says no suggestion that means in

03:58

your library of sping security we don't

04:00

have this filter by default and that's

04:02

where you get the opportunity to create

04:04

a new filter I know I'm using some

04:06

positive words here opportunity yeah we

04:08

have to get another class to make it

04:10

work so let's do it you know anyway we

04:12

are doing this only once so I will just

04:13

click here and say hey create a class

04:16

and when I want to do that maybe in the

04:17

same package config logically it should

04:19

be in a separate package called filter

04:21

package but config works for this

04:22

example I will click on okay and we got

04:25

this new class now I want this to behave

04:28

like a filter okay how do we make make

04:29

something behave like a filter what you

04:32

do is you extend those properties right

04:34

so if I want to be rich I want to get

04:35

adopted by some Bia right so here I want

04:39

to extend I want to make this a child

04:41

class of some parent class which has a

04:44

filter capability so one of the filter

04:46

we are going to use here is I mean

04:47

that's one one of the class we're going

04:48

to extend is once per request filter I

04:51

know very nice name to give to a filter

04:54

or the class this is called once per

04:56

request filter see the reason is every

04:58

time you send a request you want want a

05:00

filter to get activated and in the

05:01

filter chain you want this filter to be

05:04

executed only once so for every request

05:07

you want this filter to be executed only

05:09

once and that's why you're saying once

05:10

per request filter now it is giving you

05:12

some error I was not expecting but let's

05:15

see this once per filter is actually an

05:18

abstract class which means there might

05:19

be some abstract methods which we have

05:21

to implement and if you scroll down down

05:23

down all the methods are defined but one

05:26

method is there yeah there's always one

05:28

so one method is there which is called

05:29

called do filter internal which is

05:31

abstract method that means if you want

05:33

this to work we need to we need to we

05:35

need to we need to implement it so let's

05:37

click on Implement and okay so this is a

05:40

filter we have to work with now if you

05:41

go back to our sessions on Spring web we

05:43

have talked about HTTP subet behind the

05:46

scene everything is sub right and it

05:47

gives you two objects to work with

05:49

request object to work with the data in

05:51

the request of the user response object

05:53

if you want to add something to the

05:54

response and here I just want to work

05:56

with a request so let's use request but

05:58

what I want to do that's a big question

06:00

see it's actually very simple see on the

06:02

client side you are sending a request

06:04

right for for the students and with that

06:06

request you are sending a token as well

06:08

now this token when you receive on the

06:10

server side you will not get to the

06:11

Token as this just the token what you

06:13

will receive is can I type here no I

06:15

can't type here uh maybe I will type in

06:17

body so what I receive from this server

06:19

not a good place to type right okay so I

06:21

will just go back here and I will write

06:23

a comment so from the client side what

06:24

you will get is better that's the first

06:26

word and then you will get the token I

06:28

think token is this yeah so this is what

06:30

you get from the client side so it

06:32

starts with better and then a space and

06:34

then it starts with the actual token

06:36

this is what you get from the client

06:38

side right now what you have to do is

06:40

you have to get this token and you have

06:41

to cut that better part you just have to

06:42

focus on this part get this token and

06:45

viate it so simple right okay not that

06:47

simple I mean breaking out is simple

06:49

viting is difficult so let's be with me

06:51

so how will I get this thing the entire

06:53

stuff and actually it's a part of

06:55

request so it sends the data this better

06:58

and the token in the request object in

07:01

the headers so what I can do is I can

07:02

get the headers so I will say security I

07:04

will say or header so header will have

07:06

lot of things I don't want everything so

07:09

from the request I just want a header

07:11

which talks about authorization this is

07:13

the only header I need it will have lot

07:15

of headers but I just want authorization

07:17

and once you got this Au header this

07:19

will have this token but I want only the

07:21

last part so I will save this token

07:23

somewhere in the token and by default I

07:25

will keep it null I want the username as

07:27

well because somewhere we have to work

07:28

with the username because because you

07:29

will generate a token you will verify

07:30

the token with the help of username and

07:32

now let's get started so first thing I

07:34

want to check is do we have any

07:36

authorization header so let's check that

07:37

so if there is a o header which is not

07:40

equal to null in that case you have to

07:42

continue so that's the first thing you

07:43

want to check you you want to make sure

07:44

that this is not null and you have to

07:46

also verify do we have a better token so

07:49

again I will check Au header so it

07:52

starts with it should start with better

07:54

so you can even say B but to be on safe

07:56

side I will say it should start with

07:57

better in case if it is starting with

07:59

that I will set the token and I want to

08:01

fetch the token now and fetching token

08:03

is very easy you will say Au header dot

08:06

uh you want you don't want the entire

08:07

string right you just want this

08:09

particular token here so I want to skip

08:10

these letters now what are this letters

08:12

so I will start with index of zero so

08:14

this is b is0 1 2 3 4 5 and then six the

08:20

space is also there right so I want to

08:22

start from seven so it should start the

08:25

substring from Seven index number seven

08:27

and I want to get the username from the

08:29

token so I will say username equal to

08:31

now how will you get the uh username

08:33

from the token because token is encoded

08:35

right so you can see this you have to

08:37

find usern from this as a human also you

08:38

can't do that so we have to do something

08:40

for the program to work but I will make

08:42

sure that I do that in the service so I

08:44

will use Service uh object and we don't

08:46

have the service auto autowired here so

08:49

I will say autowired private JWT service

08:53

service okay so I will use this and in

08:57

this I will make sure that I have an

08:58

object I have I have a method called

09:00

extract username maybe it will have

09:02

username so for where exactly it will

09:04

extract the to extract the username from

09:06

the token and you can see there's a red

09:07

here because we don't have this method

09:08

in the service yet so what I will do is

09:10

I will say okay uh create this method of

09:12

uh extract token and at this point I

09:14

will just return empty we'll code it

09:16

later so this is empty so so that we

09:18

will not get any error and you can see

09:19

there's no error here now once you got

09:21

this two now we have to verify so once

09:22

you got the details you got the token

09:24

now you got username so I will check if

09:26

so the username should not be equal to

09:28

null that's the first thing I to check

09:29

and I also want to make sure that

09:31

there's no it's not already

09:32

authenticated so if the object is

09:34

already authenticated why you have to

09:35

verify all those things so I will say

09:37

security context holder dot get

09:41

context. get authentication and this

09:44

should be null so if it is not null then

09:46

I don't want to continue because it's

09:47

already auth authenticated so I will

09:49

just continue with this so this should

09:50

be null if these two are matching see

09:52

ultimately what you have to do is we

09:54

have to validate token see we into

09:55

filter now right so see if this filter

09:57

is Success then we'll forward it to the

09:59

user pass authentication filter right

10:01

now how do you specify that is this is

10:02

Success the first thing you have to do

10:03

is you have to validate the token if the

10:05

token is valid valid in that case you

10:07

will create the authentication object

10:09

and that's what you have to do here so

10:11

to do that I want to verify right so I

10:13

will say JWT service dot in this

10:15

particular class I want a method which

10:17

will validate the token because all the

10:19

things we are doing in the JW service

10:21

right so let's do that so there should

10:22

be a method called validate token and

10:24

you have to pass the token now when

10:25

you're validating you have to check two

10:27

things one in the token the token should

10:29

be valid and second the username which

10:31

is it is mentioning it should be part of

10:33

a database right and to refer to

10:35

database I will pass the object of user

10:37

details and we have to create this

10:39

object somewhere now where should I

10:40

create the object I can do that here so

10:42

I can say user details we have to import

10:45

the package use it details and then I

10:49

can actually Auto if you keep it on top

10:51

but I think it will create a cyclic

10:52

redundancy so what you can do is you can

10:54

get the hold on the application context

10:56

object so I will say autowire and applic

10:59

context context remember when we were

11:02

running about spring framework we have

11:04

used this application context to get the

11:06

bean so here also I will say context.

11:09

get bean of type user

11:13

details. class but the problem is it

11:15

will give you a empty object I don't

11:17

want empty object what I want is I want

11:20

the object of user details which will

11:21

have the user data now if you go back to

11:23

my Detail Service in this you have this

11:25

method called load user by username and

11:28

this will give you the object of us

11:29

details that means if I ask for the

11:32

object of my user details service dot

11:36

class and from this object if I can get

11:38

load by username and if I pass the

11:40

username here it will file database and

11:43

it will get me the username right and

11:45

not just username it will give me the

11:46

entire user D object okay so that's what

11:48

we are doing here but if you can see in

11:50

JW service we don't have this method so

11:52

I will just create one so the method

11:54

name is Ved token and at this point I

11:55

will return true okay let's go back to

11:57

the filter now if the token is valid it

11:59

in that case remember we have the next

12:01

filter we have to make it work so the

12:03

next filter is next next filter will

12:05

work with the username password

12:06

authentication filter but I want to pass

12:08

a token there so I will create a token

12:10

and I will say new username password

12:12

authentication token now this token asks

12:14

you for three things one is a principal

12:17

next is a credentials and third is

12:19

authorities so user principles we

12:20

already have which is the object of user

12:22

details which will have all the details

12:23

about the user credentials I don't want

12:25

to mention so I will keep it null

12:26

authorities I have is so will get it

12:29

from user details. getet authorities

12:32

okay that is that that is what it was

12:34

asking and we are getting is it a

12:36

warning variable token is already

12:38

defined in the scope where exactly I'm

12:40

using token okay so I will use something

12:43

else okay toen token we already have it

12:45

here right so this should be Au token if

12:48

it makes it happy now o token knows

12:51

about the user but or token has no idea

12:53

about the request object right so this

12:55

request object will have lot of data and

12:56

we are just creating this object and we

12:58

are passing it so this object should

12:59

also know about the uh request object so

13:03

you will say set details and to specify

13:05

that you have to use web authentication

13:07

details Source sometime you have to just

13:09

remember the class names and stuff it

13:11

becomes very complex you just get get

13:13

into it and with this object you will

13:15

say build details and you will pass the

13:17

request object and now once you have

13:19

this OD token ready is just you have to

13:21

set this in the context so this

13:23

particular thing which is authentication

13:24

should not be there by default and

13:25

that's what we are taking for null now

13:27

once it is verified you have to set the

13:28

Authentication so you will say secur the

13:30

context holder dot now instead of saying

13:32

get authentication you will say set

13:34

authentication and you will pass the a

13:36

token object so by doing this you are

13:38

adding the token in the chain and once

13:40

it is ready you will simply pass the

13:42

request or the filter so now you will

13:44

say filter chain. do filter so continue

13:46

the filter because this is one filter go

13:48

for the next filter once it is done and

13:50

by doing this you'll pass to objects

13:51

request and response and done so filter

13:54

work is done so the JWT filter it will

13:57

valid the token it will uh create the

13:59

authentication object it will pass it

14:00

next so now it will we not we don't have

14:03

to pass the username password now if

14:04

you're thinking this is done uh not

14:06

exactly what is missing now is this if

14:10

you go back to your jbu service we do

14:12

have two methods which are empty you

14:14

need to make sure that this is completed

14:16

now of course we can type the entire

14:18

code here but then when you want when

14:20

you got a token and when you want to

14:22

extract the usern name it's not a simple

14:24

process we have to decode it we have to

14:25

fetch the claims from that we have to

14:27

fetch the username for valid token we

14:30

have to do M lot of steps you have to

14:31

check for the expiration time uh you

14:33

have to check if the account is not I

14:35

mean lot of things are involved right so

14:37

we can do that here but I what I want to

14:39

do is I just want to copy paste so that

14:41

we can save some time so basically this

14:43

is the thing we do so I will explain the

14:44

code to you don't worry okay so this is

14:46

the code which you have to work with so

14:48

if you can see if you go up this is what

14:50

we have done before but now we are

14:52

saying that you have to extract the

14:53

username now to extract the username

14:55

it's not just extracting a username

14:56

right first you have to get the claims

14:57

because username is is a part of the

14:59

claim and that's what you can see here

15:01

so we we creting a method called extract

15:03

claims in which you are passing the

15:05

claims and you're passing the token now

15:07

in this extract claim basically it will

15:09

fetch the claim it will extract all the

15:11

claim and that's what we are doing here

15:13

extracting the claim with the help of

15:15

signing key because you have to also use

15:16

the key to do that and we are fetching

15:20

it here in the claims and that's what

15:22

you are returning it here so from that

15:24

you will get the username so you can see

15:26

from the claim we getting the subject

15:27

and if you go down we are also we also

15:29

have a meod called validating but for

15:31

validity of course you have to check if

15:32

the token is expired or not and that's

15:34

what we are doing here so it's checking

15:35

if the expiration time is before this

15:38

then it will give you false otherwise it

15:39

will give you true and uh I mean of

15:42

course it will return true if it is

15:43

expired then we have to check it should

15:45

not be expired and this is how you're

15:47

extracting the expiration time so

15:49

basically what you're doing is you are

15:50

fetching the claims I pasted this code

15:52

because it's more redundant code and

15:54

you'll be doing it only once that's why

15:56

you pasted it important point to observe

15:58

there are few changes from the last time

16:00

I did this so first of all let me just

16:01

import claims that's one and import this

16:04

function type and one more change they

16:06

have done some changes in the new

16:07

version so the code is for the older

16:10

version uh for the new version they have

16:12

made some changes the first thing they

16:13

did is if you go to pass a builder

16:14

there's no passer Builder so jws has a

16:17

it's a class and it has a method called

16:19

passer and then this passer has a method

16:22

so if you can see earlier we used to use

16:24

set signin key but now we have to use

16:26

something called it's verify with so in

16:28

of signing key we have to say verify

16:31

with uh but it takes the type of secret

16:33

key not the key because get key gives

16:35

you key so what I can do is I can just

16:37

change the type of it and this should

16:38

work so I will use secret key here so

16:40

that it will not give issue here so

16:42

remember this we have to make one change

16:44

uh in the get key you have to return

16:45

secret key now depend upon which version

16:47

you're using so if you're using the uh

16:49

version which I'm using then you have to

16:50

make this changes so anything before

16:52

this works perfectly for the earlier

16:53

code but since I'm using 0.12 and

16:56

anything after that you have to make

16:57

these changes so go back here to the JW

17:01

service okay there's also change in the

17:03

past claim so I will first of all do

17:06

enter here so in of past claim they they

17:08

made some good changes so now it is

17:11

signed claims because it makes sense

17:13

because it is already signed instead of

17:15

body they now call it as a payload and

17:17

how will you know all these things if

17:18

you go to the method documentation you

17:19

will see what they have replaced it with

17:22

again that code will work it's just that

17:24

it's good to go for the new versions a

17:26

new code don't go for dicated methods

17:28

and that's it that should work and where

17:31

you will find this code you will you can

17:32

check the description uh you will find

17:33

the link for the GitHub repository if

17:35

not there let us know we'll put it there

17:37

and now after making these changes I

17:39

hope this will work and if it it works I

17:41

will tell you the entire flow what we

17:43

are doing I hope nothing is null nowhere

17:46

okay cool so this got restarted and we

17:49

got an error it says okay I

17:53

think no filter we are using Auto but

17:57

this itself is not a component

17:59

component that's what it says Okay so

18:02

let's make this component just restart

18:04

and there's no error let's go back to

18:05

postman first of all let's do the login

18:07

so I will click on this and okay we got

18:10

the token though there's no problem with

18:11

the token I will just copy this and now

18:14

when you are sending a request for the

18:15

students you don't have to pass of

18:17

course the body is not import body is

18:19

important maybe you're getting the

18:21

you're getting it right so we don't I

18:22

have to pass the data uh in the

18:24

authorization we have to pass the token

18:26

we are not passing username password now

18:28

click on send it worked you can see it

18:30

says okay so what is happening behind

18:33

the scene let's go with the flow again

18:34

the first thing you're doing is you are

18:36

generating a token now who is

18:37

responsible to generate token if you go

18:39

back to your security config we are

18:41

saying that the authentication manager

18:43

now this time we have a hold on it and

18:46

we are creating something called login

18:47

form so if you see user controller we

18:48

got something a login and inside this

18:50

login we are doing verify and in verify

18:52

we are using this filter to achieve that

18:54

so once we got this we are generating a

18:57

token so once it is verified the user

18:58

ified we are generating a token right

19:00

now in this token generation what we are

19:02

doing is we are doing all those step

19:03

building a token with the help of claims

19:05

we are signing it where it's here we are

19:07

signing it we have subject issue date

19:09

expiration after doing all those things

19:11

what you get is the token right now next

19:13

time when you send a request you are

19:15

sending a token now since we are sending

19:17

a next new request and in that request

19:19

you are not passing username password in

19:22

that case you have to mention hey you

19:23

know don't go for username password go

19:26

with the jwd filter now what we doing in

19:27

filter is in the filter basically we are

19:30

saying that uh first of all get the

19:32

token from the user or the request check

19:35

if the token is not empty or token

19:37

starts with the better if it is there

19:39

get the username get the token get the

19:42

data from the database based on what

19:44

username is you are passing and verify

19:46

if the it is matching or not if it is

19:48

matching of course you have to write a

19:49

token if it is matching you have to

19:51

create a new authentication object and

19:53

you have to set that in the context once

19:55

it is done you through because in for

19:58

the next filter you have specified that

19:59

I do have the authentication but there's

20:01

one problem in the validate token we

20:02

have to actually validate token and to

20:04

do that you have to extract the username

20:05

to extract the usern we have to extract

20:08

the claims and to extract the claims lot

20:10

of steps are involved right so yeah

20:12

that's what we have done in the entire

20:13

flow and by doing this uh all this thing

20:16

have been done now you know what is

20:18

sping security now you know how to

20:20

generate a token how do you verify the

20:21

token now you can make your application

20:23

secure so I hope uh this all these

20:26

things make sense uh we'll try to

20:28

implement this in our project which we

20:30

are building and maybe it will take some

20:32

time see you in the next video till that

20:34

point keep learning bye-bye