JWT Authentication and Authorization with Spring Boot and Vue.js: Complete Guide


Here's a brief explanation of the diagram's flow:

Actors:

  • User (U): Represents the end user interacting with the application.
  • LoginComponent (LC): The component in the frontend (Vue.js) where the user enters login credentials.
  • AuthService (AS): A service in the frontend responsible for handling authentication, such as calling the backend to log in and storing the JWT token and user roles in local storage.
  • LocalStorage (LS): A storage mechanism for saving the JWT token and user roles in the frontend.
  • AuthController (AC): The backend controller responsible for handling authentication requests (e.g., login).
  • JwtTokenUtil (JTU): A utility in the backend that generates and validates JWT tokens.
  • UserController (UC): A backend controller that handles user-related routes.
  • SecurityConfig (SC): A backend configuration that defines security rules and role-based access control.

Flow:

  1. User Login:

    • The User enters their credentials into the LoginComponent (LC).
    • The LoginComponent sends the credentials to the AuthService (AS).
    • AuthService calls the AuthController (AC) with the login request.
    • The AuthController uses JwtTokenUtil (JTU) to generate a JWT token and returns it to AuthService.
    • AuthService stores the JWT token and the user's roles in LocalStorage (LS).

  2. User Accessing Protected Routes:

    • The User navigates to protected routes, such as the user or admin dashboard.
    • AuthService checks if the JWT token is valid by retrieving it from LocalStorage and validating it with JwtTokenUtil.
    • If the token is valid, the User can access the routes.

  3. Admin Role Validation:

    • When accessing an AdminComponent, AuthService verifies that the user has the admin role by checking the stored roles in LocalStorage.
    • If the role is valid, access is granted; otherwise, access is denied.

  4. Backend Security:

    • The UserController checks if the user is authenticated and authorized to access routes like /user/home.
    • For routes requiring admin privileges (e.g., /admin/home), SecurityConfig ensures the user has the correct role (admin) before granting access.

Complete Solution: JWT Authentication & Authorization

1. Backend: Spring Boot 3.x (JWT Authentication & Authorization)

Step 1: Create the Spring Boot Project

Create a Spring Boot project with the necessary dependencies.

In pom.xml:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.11.5</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <scope>runtime</scope>
    </dependency>
</dependencies>

Step 2: Configure application.properties

Configure the H2 database for testing.

spring.datasource.url=jdbc:h2:mem:testdb
spring.datasource.driverClassName=org.h2.Driver
spring.datasource.username=sa
spring.datasource.password=password
spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
spring.jpa.hibernate.ddl-auto=update
spring.h2.console.enabled=true

Step 3: Create JWT Utility Class

The JwtTokenUtil class handles generating, validating, and extracting information from JWT tokens.

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.stereotype.Component;

import java.util.Date;
import java.util.List;

@Component
public class JwtTokenUtil {

    private String secretKey = "secret";  // Use a stronger key for production

    public String generateToken(String username, List<String> roles) {
        return Jwts.builder()
                .setSubject(username)
                .claim("roles", roles)  // Include roles in the token
                .setExpiration(new Date(System.currentTimeMillis() + 600000)) // 10 minutes
                .signWith(SignatureAlgorithm.HS512, secretKey)
                .compact();
    }

    public Claims extractClaims(String token) {
        return Jwts.parser()
                .setSigningKey(secretKey)
                .parseClaimsJws(token)
                .getBody();
    }

    public boolean isTokenExpired(String token) {
        return extractClaims(token).getExpiration().before(new Date());
    }

    public String getUsernameFromToken(String token) {
        return extractClaims(token).getSubject();
    }

    public List<String> getRolesFromToken(String token) {
        return (List<String>) extractClaims(token).get("roles");
    }

    public boolean validateToken(String token, String username) {
        return username.equals(getUsernameFromToken(token)) && !isTokenExpired(token);
    }
}

Step 4: Security Configuration with Role-Based Access

The SecurityConfig class configures role-based authorization in Spring Security.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public HttpSecurity configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/api/auth/login", "/register").permitAll()
            .antMatchers("/admin/**").hasRole("ADMIN")  // Restrict admin endpoints
            .antMatchers("/user/**").hasRole("USER")   // Restrict user endpoints
            .anyRequest().authenticated()
            .and()
            .addFilter(new JwtAuthenticationFilter());  // Add JWT filter here
        return http;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return username -> {
            if ("admin".equals(username)) {
                return User.withUsername(username)
                        .password(passwordEncoder().encode("admin"))
                        .roles("ADMIN")
                        .build();
            } else if ("user".equals(username)) {
                return User.withUsername(username)
                        .password(passwordEncoder().encode("user"))
                        .roles("USER")
                        .build();
            } else {
                throw new UsernameNotFoundException("User not found");
            }
        };
    }
}

Step 5: Authentication Controller

The AuthController generates a JWT token after successful login, including user roles.

import com.example.demo.security.JwtTokenUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.web.bind.annotation.*;

import java.util.List;
import java.util.stream.Collectors;

@RestController
@RequestMapping("/api/auth")
public class AuthController {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @PostMapping("/login")
    public String login(@RequestBody LoginRequest loginRequest) {
        var authenticationToken = new UsernamePasswordAuthenticationToken(
                loginRequest.getUsername(), loginRequest.getPassword());
        var authentication = authenticationManager.authenticate(authenticationToken);

        // Get roles for the authenticated user
        List<String> roles = authentication.getAuthorities().stream()
                .map(authority -> authority.getAuthority())
                .collect(Collectors.toList());

        // Generate and return JWT token
        return jwtTokenUtil.generateToken(authentication.getName(), roles);
    }
}

Step 6: User Controller with Role-Based Access

Define the UserController to restrict access to endpoints based on roles.

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    @GetMapping("/user/home")
    public String userHome() {
        return "Welcome, User!";
    }

    @GetMapping("/admin/home")
    public String adminHome() {
        return "Welcome, Admin!";
    }
}

2. Frontend: Vue.js (JWT Authentication & Authorization)

Step 1: Create Vue.js Project

Start by creating a new Vue.js project using Vue CLI:

vue create jwt-auth-frontend

Install Axios and jwt-decode:

npm install axios jwt-decode

Step 2: Auth Service

Create an auth.js service to handle JWT login, logout, and storing roles.

// src/services/auth.js
import axios from 'axios';
import jwtDecode from 'jwt-decode';

const API_URL = 'http://localhost:8080/api/auth';

export default {
  login(credentials) {
    return axios.post(`${API_URL}/login`, credentials)
      .then(response => {
        const token = response.data.token;
        localStorage.setItem('jwt', token);  // Save JWT token

        // Decode the token to extract user roles
        const decodedToken = jwtDecode(token);
        localStorage.setItem('roles', JSON.stringify(decodedToken.roles));  // Store roles

        return response.data;
      });
  },

  logout() {
    localStorage.removeItem('jwt');
    localStorage.removeItem('roles');
  },

  getAuthHeader() {
    const token = localStorage.getItem('jwt');
    return token ? { Authorization: `Bearer ${token}` } : {};
  },

  isRole(role) {
    const roles = JSON.parse(localStorage.getItem('roles')) || [];
    return roles.includes(role);
  }
};

Step 3: Vue Router with Role-Based Access

Configure the Vue Router to protect routes based on roles.

// src/router/index.js
import { createRouter, createWebHistory } from 'vue-router';
import Home from '../views/Home.vue';
import Login from '../views/Login.vue';
import auth from '../services/auth';

const routes = [
  { path: '/', component: Home, meta: { requiresAuth: true, requiredRole: 'USER' } },
  { path: '/admin', component: () => import('../views/Admin.vue'), meta: { requiresAuth: true, requiredRole: 'ADMIN' } },
  { path: '/login', component: Login },
];

const router = createRouter({
  history: createWebHistory(),
  routes,
});

router.beforeEach((to, from, next) => {
  if (to.meta.requiresAuth) {
    if (!localStorage.getItem('jwt')) {
      next('/login');
    } else if (to.meta.requiredRole && !auth.isRole(to.meta.requiredRole)) {
      next('/login');
    } else {
      next();
    }
  } else {
    next();
  }
});

export default router;

Step 4: Login Component

Create a login form in Login.vue.

<template>
  <div>
    <h1>Login</h1>
    <form @submit.prevent="handleLogin">
      <input v-model="username" type="text" placeholder="Username" required />
      <input v-model="password" type="password" placeholder="Password" required />
      <button type="submit">Login</button>
    </form>
  </div>
</template>

<script>
import auth from '../services/auth';

export default {
  data() {
    return {
      username: '',
      password: ''
    };
  },
  methods: {
    async handleLogin() {
      try {
        await auth.login({ username: this.username, password: this.password });
        this.$router.push('/');
      } catch (error) {
        alert('Login failed');
      }
    }
  }
};
</script>

Step 5: Admin and User Components

Create the protected pages for Admin and User.

Admin.vue:

<template>
  <div>
    <h1>Admin Dashboard</h1>
    <p>Welcome, Admin!</p>
  </div>
</template>

Home.vue (User Dashboard):

<template>
  <div>
    <h1>User Dashboard</h1>
    <p>Welcome, User!</p>
  </div>
</template>

Final Notes

This is a fully functional, end-to-end JWT Authentication and Authorization solution with Spring Boot and Vue.js:

  • Backend:
    • JWT Authentication is implemented, and the token contains user roles.
    • Role-based authorization restricts access to specific endpoints.
  • Frontend:
    • After logging in, the JWT is stored and decoded to access roles.
    • Vue.js routes are protected based on user roles.

This example can be expanded to include database-backed user authentication, custom error handling, and better security practices (e.g., refresh tokens).

Popular posts from this blog

Learn Java 8 streams with an example - print odd/even numbers from Array and List

Image
Example 1: Java 8 program to print odd numbers from a List   import java.util.Arrays; import java.util.List; import java.util.stream.Collectors; /*Java 8 Program to find Odd Numbers from a List*/ public class DriverClass { public static void main( String [] args) { List < Integer > numbers = Arrays. asList( 1 , 4 , 8 , 40 , 11 , 22 , 33 , 99 ); List < Integer > oddNumbers = numbers.stream(). filter(o -> o % 2 != 0 ). collect(Collectors.toList()); System.out.println(oddNumbers); } } 1. Initialize List using Arrays.asList() method. Java's built-in Arrays.asList() method converts an array into a list. This method takes an array as an argument and returns a List object. 2.  Java List interface provides stream() method which returns a sequential Stream with list of Integer as its source. 3. The Java stream filter(...
Read more

Java Stream API - How to convert List of objects to another List of objects using Java streams?

Image
In this section, we will show you how to convert a List of objects to another List of objects in Java using the Java streams map(). The ‘map’ method maps each element to its corresponding result. Java Stream API   The Java Stream API provides a functional programming approach over the object oriented capabilities of Java. It is used for processing collections of objects. The Stream in Java can be defined as a sequence of elements from a source List, Set or Array. Most of the stream operations return a Stream. This avails engender a chain of stream operations(stream pipe-lining). The streams withal support the aggregate or terminal operations on the elements. for example, finding the sum or maximum element or finding the average etc...Stream operations can either be executed sequentially or parallel. when performed parallelly, it is called a parallel stream.   Stream map() Method   The Java 8 Stream map() is an intermediate operation. It converts Stream<obj1> to Str...
Read more

Registration and Login with Spring Boot + Spring Security + Thymeleaf

Image
In this section, we will learn how to create user registration and login using Spring boot, Spring security, Thymeleaf, JPA, and H2DB. The GitHub repository link is provided at the end of this tutorial. You can download the source code. Technologies used: Spring Boot 2.5.5  Spring Data JPA  Spring Security  Thymeleaf  Maven 3+  Java 17  H2 Database   User Interface User Registration Authentication Failed Authentication success Sign out Final Project Structure: Complete pom.xml: <? xml version ="1.0" encoding ="UTF-8" ?> < project xmlns ="http://maven.apache.org/POM/4.0.0" xmlns: xsi ="http://www.w3.org/2001/XMLSchema-instance" xsi :schemaLocation ="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" > < modelVersion >4.0.0</ modelVersion > < parent > < groupId >org.springframework.boot</ groupId > < artifactId >spring-boot-starter-pare...
Read more

Java, Spring Boot Mini Project - Library Management System - Download

Image
Hello everyone, Hope you are doing well. Here, we provide a Library Management System mini-project for beginners, it's free for download. Maybe you can build more on top of this project and create your own product, that's all about you. The source code download link is provided at the end of this post. 1. Benefit of this project You could cover the following technologies and features by learning and debugging this mini project. Java 17 Java Stream Java Lamda Expressions Java Records Functional programming Object-oriented programming var Keyword in Java Generics in Java Java Switch Spring boot 2.6.4 Spring Security Thymeleaf template engine OpenCSV Spring Data JPA Server Side Pagination H2 Database  Bootstrap HTML CSS and more... 2. Objective Of Spring Boot On Library Management System The main objective of this project is to manage the details of the books, author, category, and publisher. Only Admin/Librarian will manage all these activities. Also, they can export the data in ...
Read more

ReactJS, Spring Boot JWT Authentication Example

Image
In this tutorial, we’ll create a user registration & login example using ReactJS, Spring Boot, Spring Security, and JWT authentication. You could download the source code from our Github repository, the download link is provided at the end of this tutorial. Technologies used Backend Technologies: Java 17 Spring Boot 2.7.0 Spring Security Spring Data JPA JWT H2 Database Frontend Technologies: React 17.0.1 Axios 0.27.2 Redux 4.0.5 Bootstrap 4.5.2 ReactJS - SpringBoot - JWT - Flow Backend Project Directory: Frontend Project Directory: Following is the screenshot of our application - User Registration: User Signin: Profile View: Access Resource: We will build two projects:  1. Backend:   spring-boot-security-jwt 2. Frontend: react-redux-jwt Project 1: spring-boot-security-jwt Pom.xml <?xml version = "1.0" encoding = "UTF-8" ?> <project xmlns = "http://maven.apache.org/POM/4.0.0" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"...
Read more

Top 5 Java ORM tools - 2024

Image
  The term ORM refers to object-relational mapping, which uses objects to adapt programming languages to database systems while allowing them to function with SQL and object-oriented programming ideas. Any kind of database management system that can accomplish object mapping to the table in the virtual system is suitable for the implementation of ORM. Java has a wide variety of ORM tools, some of which are mentioned below: 1. Hibernate Hibernate is a lightweight, open-source, non-invasive Java ORM (Object-Relational Mapping) framework that allows developers to create objects that function independently of database software and create persistence logic in any Java or JavaEE application. It offers an abstraction layer, so developers don't have to bother about implementations; Hibernate handles these tasks internally, such as connecting to databases and creating queries to carry out CRUD operations, among other things. Persistence logic development is done with it. Persistence logic r...
Read more

Java - Blowfish Encryption and decryption Example

Image
Blowfish is an encryption method developed by Bruce Schneier in 1993 as an alternative to the DES encryption method. It is significantly faster than DES and provides good encryption speed, although no effective cryptanalysis technique has been found to date. It is one of the first secure block ciphers that is not protected by any patents and is therefore freely available for anyone to use. This is a symmetric block cipher algorithm. Block size: 64 bits Key size: variable size from 32 to 448 bits number of subsections: 18 [P-array] number of rounds: 16 number of substitution blocks: 4 [each with 512 records of 32 bits each] develop  Example 1: Encryption and decryption using Blowfish import java.io.UnsupportedEncodingException; import java.nio.charset.Charset; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.Base64; import javax.crypto.BadPaddingException; import javax.crypto.Cipher; import javax.crypto.IllegalBlockSiz...
Read more

Spring boot video streaming example-HTML5

Image
Hello everyone, Today we will learn how to stream MP4 video using Spring Boot and Spring Web Flux.  The Source code download link is provided at the end of this post. New, Quarkus Practice User Interface   Project Structure: G radle(build.gradle) plugins { id 'org.springframework.boot' version '2.5.4' id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'java' } group = 'com.knf.demo' version = '0.0.1-SNAPSHOT' sourceCompatibility = '11' repositories { mavenCentral() } dependencies { implementation 'org.springframework.boot:spring-boot-starter-webflux' testImplementation 'org.springframework.boot:spring-boot-starter-test' testImplementation 'io.projectreactor:reactor-test' } test { useJUnitPlatform() } Service (VideoStreamingService.java) package  com.knf.demo.service ; import org.springframework.beans.factory.annotation. Autowired ; import org.springframework...
Read more

Google Cloud Storage + Spring Boot - File Upload, Download, and Delete

Image
In this section, we will learn  how to  create a simple spring boot application to perform different file operations such as upload, download, list, and delete files from the Google Cloud Storage. 1.  A little bit of Background Google Cloud Storage Cloud Storage is a managed service for storing unstructured data. Store any amount of data and retrieve it as often as you like. More Info - click here! Spring Boot Spring Boot makes it easy to create stand-alone, production-grade Spring-based Applications that you can "just run".  More Info - click here! 2. Create a GCP Project First, Sign into the Google console at  https://console.cloud.google.com . You can create a new project by first selecting the project dropdown in the top left and selecting " New Project ". Next, specify your GCP  Project name  and  Project ID . Then  Click on the " CREATE " button. Copy " Project ID " and keep it for future purposes. 3. Create a Google Cloud Storage bucke...
Read more