Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens 

Dan Vega

In this tutorial, you are going to learn how to secure your Spring Boot REST APIs using JSON Web Tokens (JWT) with Spring Security.
🔗Resources & Links mentioned in this video:
Blog Post: www.danvega.dev/blog/2022/09/...
WebSecurityConfigurerAdapter: • Spring Security withou...
👋🏻Connect with me:
Website: www.danvega.dev
Twitter: / therealdanvega
Github: github.com/danvega
LinkedIn: / danvega
Newsletter: www.danvega/dev/newsletter
SUBSCRIBE TO MY CHANNEL: bit.ly/2re4GH0 ❤️

Published: 8 Sep 2022

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 277
@intellopitt 1 year ago
Amazing, how simple it is when explained by experts. Thanks for the great content. Well explained, with the right level of details to understand without getting overwhelmed. I still have to review the blog post if I am not missing any details. Looking forward for the next video :)
@fabricio.entringer 1 year ago
Hello @Dan, it's amazing! Great video. Please keep producing videos regarding Spring Security, I think it's a black hole in the Spring modules. A lot of specific concepts and it deserves good videos with good explanations like yours. Congratulation and thanks for sharing the content.
@voiceofeverything 1 year ago
Great video. This is like the only one guide about this topic that is quite easy to follow and does not break your spirit (I have tried to follow like 2 different videos just to realize half way into 3 hour videos that implementation was changed/got deprecated and I wasted my time).
@bobgner 1 year ago
Thank you for making this tutorial. As you mentioned in the beginning there are so many more complicated ways of doing out there because they are not using what is built in to Spring Security. I unfortunately had used one of those more complicated ways so now I'm going to use what I learned in your tutorial to simplify my project code!
@DanVega 1 year ago
Thank you Bob. Glad I could help out.
@SD-gw5vm 1 year ago
Thanks for sharing this. I used your example to solve a problem I was working on and it worked. You are a lifesaver
@ParnianAndIlian 1 year ago
Hi Dan, This is the tutorial that was missing in 2022. Thanks a lot. I was struggling with those outdated tutorials and dependencies to make a working solution. this saved me lots of time. Looking forward to your next videos.
@kurzgefasst2816 1 year ago
Same, Docs mentioned some stuff that are new but honestly Spring Boot Docs is not for Beginner.
@franciskinyuru3459 1 year ago
Great video my start to spring security wouldn't have been great without this. A big salute.
@SchefenBaba 4 months ago
Thanks a lot for this tutorial. I have been stuck in other tutorials for hours.
@kozi-corner 1 year ago
Thank you so much..I was just working on a project and had a lot of difficulties understanding JWT, I opened youtube and I found your video. How lucky I am!
@DanVega 1 year ago
Thank you Abdelhamid. I hope this clears it up for you.
@kaatlev 1 year ago
These videos are so concise and easy to follow, appreciate you.
@DanVega 1 year ago
That makes me so happy. Thank you ☺️
@drbulltrader9107 1 year ago
I really appreciated this video. Wishes your channel get bigger n bigger.
@brethagen7776 1 year ago
Straight to the point, no fluff. Looks like a bare-minimum implementation.
@jirivrba3800 1 year ago
Thanks Dan, really educative content that's very well and clearly presented. Exactly what I was looking for!
@DanVega 1 year ago
Thank you, glad I could help out.
@mohamadsharifi2353 4 months ago
I really enjoyed this video. Thank you for providing such great content.
@Justsomeguy492 1 year ago
finally up to date spring security tutorial :) very good explanation
@luisferdev 1 year ago
thank you Dan, this video help me a lot to understand how to generate JWT in Spring. the only one site where I found the explanation with the new version of spring security and works. regards from Colombia
@DanVega 1 year ago
Thank you! I'm glad my videos are helping.
@EduardoSilva-us1jp 1 year ago
Amazing. I used to secure my small projects implementing jwt encoder/decoder with the help of libraries like jjwt directly, as well as overriding filter methods from classes/interfaces such as UsernamePasswordAuthenticationFilter, OncePerRequestFilter. But this way you showed us has simplified it a lot. One more subscriber!
@DanVega 1 year ago
Fantastic! Glad I could help out.
@alexanderkazeev3729 1 year ago
Thanks for a great tutorial. The article is very useful and helpful.
@sajisanjoris2759 1 year ago
Thank you Dan! Great work!
@arnaudpoutieu1331 1 year ago
Many thanks, Dan. Your content is quite valuable for someone like me harnessing input to get better at building Enterprise grade applications. Merci beaucoup!!!
@DanVega 1 year ago
I appreciate the kind words Arnaud.
@robertinnoelson6378 22 days ago
Awesome Dan! Thanks for the rich tutorial
@rajmohanparayil 2 months ago
Wow. Learned a lot of very relevant security implementation in a very smooth and clean fashion and in such a short time.
@DanVega 2 months ago
Glad you liked it!
@fjspitz 1 year ago
Nice tutorial Dan! Thanks a lot.
@monjurmorshed2854 1 year ago
U have a nice way to explain, great work!!!
@DanVega 1 year ago
I appreciate that Monjur. I make videos that I would enjoy watching and I’m glad others are learning from them as well.
@behzadfazelasl9581 1 year ago
Thanks Dan. it was crystal clear
@tabancosmos2235 1 year ago
I am a nodejs and Golang API. I found this tutorial very helpful for my current work using Spring-boot. One thing about Spring-boot is that, when you use Spring-Boot with higher version some errors like this show up: This error occurs in the NimbusJwtDecoder.validateJwt method of the org.springframework.security.oauth2.jwt.NimbusJwtDecoder class. The NimbusJwtDecoder class is used to decode JSON Web Tokens (JWTs) and is part of the Spring Security OAuth 2.0 framework.
@leonzer8257 1 year ago
Thank you very much! Greetings from Greece!!!
@DanVega 1 year ago
You are welcome!
@jeanaimeravomanana9545 1 year ago
Great content, really helpful thank you
@svalyavasvalyava9867 10 months ago
wonderful tutorial, thank you very much 😊
@rizkysiregar 1 month ago
Thanks for sharing dan !
@rajansonvane488 1 year ago
Wonderful. Very helpful. Thanks for sharing!!
@DanVega 1 year ago
Glad it was helpful!
@benizraadacudao3020 1 year ago
Thanks for this Dan.
@DanVega 1 year ago
You’re welcome Ben.
@toan1nguyen674 8 months ago
Thanks for asymmetric rsakeys knowledge you've shared.
@midewestmond9442 1 year ago
Nice video you just earn a subscriber I actually love the fact you don't define another class just to write another method like other youtubers do
@DanVega 1 year ago
Thanks for the sub!
@rahanimhand6895 10 months ago
Amazing !!!! Great video, Thanks 👌
@pavanramagouni6709 1 year ago
Thank you Dan. nicely explained and Really helpful.
@DanVega 1 year ago
Glad you enjoyed it!
@starterdev 1 year ago
Thanks for the video ❤
@mvlad7402 1 year ago
Excellent video! Need to test spring security with Ping Federate.
@kyriakosmandalas2121 1 year ago
Great tutorial and topic. Really clears things out. Would be great to show next how to update JWT to include user's roles and permissions. And of course looking forward for Spring Authorization server!
@DanVega 1 year ago
I actually set the authority and I believe in the repo there is an example of checking for it at the method level. If there isn’t let me know (I’m away from my computer at the moment)
@aayush481 1 year ago
Hi Dan, can you also please talk about how spring mvc works internally, like dispatcher servlet, how by default exceptions are handled in rest apis etc.
@tipswithnna6670 1 year ago
Thanks for sharing about JWT
@fahrican9719 1 year ago
great tutorial thanks!
@kasimgul 1 year ago
Thank you for this, Dan. I would love to see a follow up video for implementing "Refresh Token" on top of this :) I know people will love it.
@DanVega 1 year ago
Thank you for the suggestion, it's already on the backlog. github.com/danvega/office-hours/discussions/27
@gamires 2 months ago
Excellent! Thank you.
@bejobarokah3485 1 year ago
Thank you for the tutorial
@DanVega 1 year ago
You’re welcome 😊
@mdziakhan5950 8 months ago
Great Explanation
@user-zw4ki9tw4e 9 months ago
First, thank you for such a comprehensive explanation of the new spring security. I'm going to take minor issue with it because, as with just about every tutorial I've seen for spring boot security, the user logon and Jwt generation is in the same server as the Jwt consumer for endpoint security. This would never happen in the wild and creates confusion as to which SecurityConfig configurations are needed for each.
@menabebawy390 8 months ago
I super like your video, I have learned a lot from it
@AleksandarT10 1 year ago
Great video! Really helpful to get people started with latest Spring Security stuff and JWT! Few questions/comments though:
1. It would be good if you can extend the github repo and add a branch which shows the symmetric key approach - i guess it would be easy for the Decoder as u mentioned, but would like to see how to change the Encoder
2. Maybe to make it more realistic instead of HttpBasic - it would be good to have a UserNamePassword Authentication where the user calls an endpoint with username/password as body and the token generation happens based on that
3. Building on top of 2), it would be great if this gets connected to a database where hashing + salting is used as this can be used as a starter for real projects
4. Having roles in the example/video would be great
Looking forward to your next video Dan!
@DanVega 1 year ago
Great suggestions. Thank you Aleksander
@lukamaletic9557 1 year ago
Is there any tutorial that would build on top of this I need the DB connection for users...
@NARESHBHADKE 4 months ago
@@lukamaletic9557 You could inject UserDetailsService in SecurityConfig rather than InMemoryUserDetails

    @Bean
    public UserDetailsService userDetailsService() {
        return username -> userRepository
                .findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException("user not found"));
    }
@SigmaLearningCenter 1 year ago
Amazing, thanks a lot!
@edwardm4348 10 months ago
Great video! You make it so easy to grasp the concept. A quick question. How would you secure the APIs using JWT if the application is using (username & password) in some cases and also biometrics authentication in other cases.
@techystuffs371 1 year ago
Awesome tutorial as always. I have quick one... When using asymmetric encryption do we use the private key to encrypt the data or the public key? With the little knowledge I have on encryption, I'm pretty sure we use the public key for encryption and the private key for decryption.
@gerogsg2698 1 year ago
Very good your video!!! I have a question for you: since you said that this is the beginning with jwt and not the goal, what other functions can I do with jwt?
@dekeyserwilly 1 year ago
Thanks, very nice explained.
@DanVega 1 year ago
Thank you!
@mehlulinokwara3841 1 year ago
Very good take there.
@arlekino65 10 months ago
Thank you Dan. I meant A LOT! Would you consider to create a video for those like me with a title "How to read Spring documentation and connect things together"? Lol. Thanks again!
@mattymedia3624 1 year ago
hello dan, thanks for such a good content, this topic is complex but thanks to you I have been able to understand it better. I only have a small question, why is it necessary to disable csrf?
@m_jdm357 1 year ago
Everything works great!
@maxjustmax521 1 year ago
amazing as usual !
@DanVega 1 year ago
Thank you my friend 🙏
@neerajagrawal3211 1 month ago
Great information. I think a simple video will also be helpful which explains how to protect API using Okta or Keycloak since in most situations you don’t write authorization server yourself.
@user-qd5np7sl2z 1 year ago
First off awesome video Dan. I have seen no code/logic on the resource server side to validate token. Is this optional on resource server end or its a must.
@rarecase3666 14 days ago
You are right.... Spring Security tutorials shows that people try to understand but cannot make it working... Spring Security Team also makes it very challenging to build something with it. Thank you, Dave, for your tutorial - it really helped to make it working.
@andrean40 9 days ago
is this tutorial outdated?
@victoradepoju5510 7 days ago
No @@andrean40
@marekj3759 9 months ago
Very good video, if anybody hasn't mentioned it yet, it would be good to replace inMemory user with UserDetailsService on database. Additionally securing rest api with roles. Video would be a bit longer than 1 hour, but would cover topic from A to Z
@illyam689 1 year ago
awesome video! subscribed!
@DanVega 1 year ago
Thanks for the sub!
@szalaytamas3184 1 year ago
your outro music is so good
@sakthinivas1840 7 months ago
Hi Dan, really a good video. One functionality which could be added is adding refresh token feature, thanks
@alitariq143 9 months ago
Thanks a lot Dan!
@alitariq143 23 days ago
Guys take a look at its RFC they have a nice diagrammatic brief of these terms such as Resource Owner, Authorization Server, Resource Server, and Client
@lts8683 1 year ago
Thanks you. Can please explain also keycloak with spring.
@rbelatamas 1 year ago
thank you so much ❤
@sunhsiang6644 1 year ago
Good video It's really useful🥰🥰!
@dodgechallenger5606 1 year ago
Perfect video. Thank you, Dan! Like+Sub
@davidaskatra4140 1 year ago
You are great man
@DanVega 1 year ago
Thank you, David!
@davypaterne 1 year ago
great video very useful
@EazzyWizzi 1 year ago
Great Video, keep up the good work
@DanVega 1 year ago
Thanks, will do!
@paulo__vieira 1 year ago
For me as a complete beginner it was so easy to follow. Thanks for this tutorial, it was really helpful.
@DanVega 1 year ago
You're very welcome!
@mrkostya008 1 year ago
finally, an informative tutorial that ACTUALLY uses BUILTIN jwt tools, and not some filters and JwtUtility classes to secure an app
@pabloc1519 7 months ago
THANK YOU THANK YOU!!!!
@SD-gw5vm 1 year ago
Are you able to create another video using the other method you mentioned. Where we do not manually create the keys?
@bartomiejdziadosz8616 1 year ago
That was great! What about video about OAuth2 with Auth/Resource/Client?
@AntonioCabralNumberOne 2 months ago
Hi Dan. Since we're already on Spring Boot 3.2+ would you mind an update video on this matter? Keep up the good work!
@alexgutjahr 1 year ago
I'm guilty of rolling up my custom solution, pulling in a third party library. Thanks for this video, Dan! Gotta refactor a bit!
@DanVega 1 year ago
Thanks Alex. Hope the refactor goes smooth.
@IvanRandomDude 1 year ago
For some reason 99% of tutorials and guides on the internet use that approach instead of resource server.
@alx1024 1 year ago
Hi! Great video, like all your videos! Especially now that Spring Security 6 is mixed in with older tutorials on the web this is very helpful. A suggestion: this is now already deprecated: ".oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)" and has to be replaced with ".oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))". Also a question, how do you get this snippet-functionality at 30:00?
@rohitbhandari1873 9 months ago
can't fix it even using Customizer.withDefaults();
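The replacement discussed in the two comments above, shown in a full configuration class. This is an added example, not code from the video or its repository; it assumes Spring Security 6.1 or later with the `spring-boot-starter-oauth2-resource-server` dependency, and the class name and the in-memory key pair are illustrative choices.

```java
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.web.SecurityFilterChain;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// Illustrative class (assumption): one application both issues and validates tokens.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumption for the demo: a fresh RSA key pair per start, so tokens issued
    // before a restart stop validating. Load a persistent key in a real deployment.
    private final KeyPair keyPair = generateRsaKeyPair();

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Stateless API authenticated per request, no session cookie
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // Lambda form that replaces OAuth2ResourceServerConfigurer::jwt
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .sessionManagement(session ->
                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Basic auth is how the caller obtains the first token
                .httpBasic(Customizer.withDefaults())
                .build();
    }

    // Verifies incoming bearer tokens with the public key only
    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey((RSAPublicKey) keyPair.getPublic()).build();
    }

    // Signs new tokens with the private key
    @Bean
    JwtEncoder jwtEncoder() {
        RSAKey jwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .privateKey((RSAPrivateKey) keyPair.getPrivate())
                .build();
        JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new NimbusJwtEncoder(jwks);
    }

    private static KeyPair generateRsaKeyPair() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(2048);
            return generator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("RSA is not available in this JVM", e);
        }
    }
}
```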
@chanchhaya 1 year ago
Thank you teacher
@lilinh9631 4 months ago
Hey! Great video! But how did you do to autogenerate code just by typing jwt? Thanks a lot!
@vintage8 1 year ago
Hey, great video. I learned very valuable things from your videos. I was wondering how can I do the following: I have a 'tokenVersion' column in my users table. Every time User logs out or refreshes the token I'm going to increase it by 1. When the JWT is decoded and if it's valid I want to check if the tokenVersion in the JWT and in the DB matches. If it matches request can continue if not I want to throw 401.
@x2TruNation 1 year ago
Hey Dan, New question, obviously us as viewers are following along and just basically copying the code that you write down - but you seem to know exactly what we need and why we need it. Are there any resources you can point me to that could potentially help me understand the architecture of spring security in more detail but also how you learned this to a point where you just know what you need to use? Bit of a loaded question, but i’m keen to learn as much as possible. Right now all it feels like is that i’m copying code from you without truly understanding why we’re doing certain things. Cheers
@user-qt6kq8sh8r 1 year ago
Thank you Dan, it's a great tutorial for beginners. Can you please make a guide about refreshing jwt please.
@DanVega 1 year ago
Noted! I have this suggestion here github.com/danvega/office-hours/discussions/27
@ryanwakabayashi1758 1 year ago
I love your videos! I had a question on how you would approach deploying this application. I am trying to deploy to AWS beanstalk, but I'm having difficulties with the RSA .pem files. I have been trying to add the public and private keys as an environment property in elastic beanstalk, but am having difficulties because it is a string value and not a file. I also tried to add a key converter with @Component and @ConfigurationPropertiesBinding, but I still get a failed convert from string to RSAPublicKey. What do you think should be the approach/best practice to remedy this?
@user-en7qc9dt8p 1 year ago
I ran into the same error as well. I would like to know how it can be resolved.
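One way to turn a PEM key held as a string, such as an environment property, into RSA key objects with only the JDK. This is an added example, not code from the video or its repository; the class and method names are hypothetical, and it assumes the value arrives either with real line breaks or with line breaks flattened to a literal `\n` or to spaces.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Hypothetical helper: parses PEM text held in a String instead of a .pem file.
public final class PemKeys {

    private PemKeys() {}

    // Returns the DER bytes between the BEGIN/END lines for the given label.
    static byte[] derFromPem(String pem, String label) {
        String begin = "-----BEGIN " + label + "-----";
        String end = "-----END " + label + "-----";
        // Assumed input shape: line breaks may have been stored as a literal "\n"
        String normalized = pem.replace("\\n", "\n");
        int start = normalized.indexOf(begin);
        int stop = normalized.indexOf(end);
        if (start < 0 || stop < start) {
            throw new IllegalArgumentException("No " + label + " block found in PEM text");
        }
        String body = normalized.substring(start + begin.length(), stop)
                .replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    // X.509 SubjectPublicKeyInfo, the "BEGIN PUBLIC KEY" format
    static RSAPublicKey publicKey(String pem) throws GeneralSecurityException {
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(derFromPem(pem, "PUBLIC KEY")));
    }

    // PKCS#8, the "BEGIN PRIVATE KEY" format. A PKCS#1 "BEGIN RSA PRIVATE KEY"
    // block is rejected and has to be converted to PKCS#8 first.
    static RSAPrivateKey privateKey(String pem) throws GeneralSecurityException {
        return (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(derFromPem(pem, "PRIVATE KEY")));
    }

    static String toPem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway key pair generated for this run
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();

        String publicPem = toPem("PUBLIC KEY", pair.getPublic().getEncoded());
        String privatePem = toPem("PRIVATE KEY", pair.getPrivate().getEncoded());

        // Simulate single-line storage: literal "\n" in one value, spaces in the other
        RSAPublicKey parsedPublic = publicKey(publicPem.replace("\n", "\\n"));
        RSAPrivateKey parsedPrivate = privateKey(privatePem.replace("\n", " "));

        if (!parsedPublic.getModulus().equals(parsedPrivate.getModulus())) {
            throw new IllegalStateException("Parsed keys do not belong to the same pair");
        }
        System.out.println("Parsed " + parsedPublic.getModulus().bitLength() + "-bit RSA key pair");
    }
}
```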
@ankanghosh169 10 months ago
Hi Dan, I love ur tutorials.. my question is how can i create a separate authentication service using jwt. And then use that in a separate client service to secure endpoint? Thanks..
@MrMCchanel 1 year ago
Great video! Is there a way to use roles with the current JWT configuration in this video?
@DanVega 1 year ago
You can set the roles as part of the claim. I do have something on the backlog to create some content around this. If you want to add more to this you can. github.com/danvega/office-hours/discussions/8
@mohamedibrahim1836 1 year ago
Also to use the authorization as a micro service and export it, import it in multiple application across the company portfolio for a aligned one platform!
@amirhosseinbayat9657 25 days ago
Hey Dan, it's amazing, but is there any mechanism in order the user logged out of the system, how we can invalidate the user token?
@marouaniAymen 1 year ago
Thanks for this video, it is like a revelation for me. But I think it would be better if we used HTTPS instead of HTTP for our endpoint URLs because of the BASIC type login.
@youssouphafaye1710 1 year ago
hello great video btw can you do a video on opaque token that are stock in database
@USONOFAV 1 year ago
Great video as always! I got two questions though: Why does it needs to be annotated with @EnableWebSecurity. Is it like automatic once you added SecurityFilterChain in the app context? Can I create public and private key using keytool instead of openssl?
@DanVega 1 year ago
It isn't automatic. Spring Boot will actually add it for you if you forgot it but I like to be explicit with it. If you don't want to use OpenSSL and you're just using self-signed certs you can generate them with code. I have an example of that in the following repository. github.com/danvega/jwt-username-password
@ValentynHruzytskyi 1 year ago
Great video! Thanks! Could you explain: you have showed the project creation with the spring starter io source. But, after project was created, you show 2 pom files - problem in that the spring.starter actually created only one single pom. How to I have to understand and follow your solution? And the main issue - I have implemented all steps and this solution doesn't work: yes, I received token, but this token doesn't work for other requests - I have receiving 401 error for all following requests. Now I try to understand the difference - and the difference only in the pom files between your and my code. But you are not explained them
@DesasterUA 1 year ago
Sir, how did you automatically generate the tests? Was it the Copilot?
@samahmahdi5511 1 month ago
Thanks a lot, can you create new video for spring boot 3
@yannickmussche5068 1 year ago
Dear Dan, I followed your tutorials to set up the new Spring security. Helas, the one thing I cannot get working is that the roles get authenticated. Is it possible to make a video in which you explain the spring security setup with jwt tokens and a Hibernate database authentication with roles?
@budsyremo 1 year ago
Hi Dan , glad i found your tutorial but my problem is the spring's documentation. It is awful . How do you go about in reading the documentation. I have a question , I want to implement this as a microservice , so what should be the logic behind it ? Everytime a user hits my request he/she will be entering username and password and I will be granting a token to the client. Once the client gets that token how will i forward that token from my microservice to this authentication microservice ?