Tags: Spring Boot, JWT, Spring Security 6, Java

Spring Boot JWT Authentication — Complete Guide with Spring Security 6

JWT authentication in Spring Security 6 becomes reliable when the filter chain, user loading, token validation, refresh flow, and role checks are designed as one system.

JWT Filter Chain

A stateless JWT setup disables sessions, allows authentication routes, protects application APIs, and inserts a JWT filter before UsernamePasswordAuthenticationFilter.

Example (Java):

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        // Stateless API: no CSRF token handling and no HTTP session carrying the login.
        .csrf(AbstractHttpConfigurer::disable)
        .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/auth/**").permitAll()
            .requestMatchers("/api/admin/**").hasRole("ADMIN")   // matches authority "ROLE_ADMIN"
            .anyRequest().authenticated()
        )
        // The JWT filter must populate the SecurityContext before the authorization rules run.
        .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
        .build();
}
```

UserDetailsService and Token Generation

UserDetailsService should load users by email or username and return authorities that match the access rules. Token generation should include subject, expiry, issued date, and minimal role claims.

Example (Java):

```java
public String generateToken(UserDetails user) {
    return Jwts.builder()
        .subject(user.getUsername())
        // Keep the claim minimal: plain authority strings, not serialized GrantedAuthority objects.
        .claim("roles", user.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .toList())
        .issuedAt(new Date())
        .expiration(Date.from(Instant.now().plus(15, ChronoUnit.MINUTES)))
        .signWith(secretKey)
        .compact();
}
```

Refresh Tokens, Roles, and Postman Testing

Use short-lived access tokens and longer-lived refresh tokens stored server-side or in a revocation-aware persistence layer. In Postman, test login, access with Bearer token, refresh, logout, expired token, and role-restricted endpoints.

Common 403 errors usually come from role prefix mismatches, missing Authorization headers, CORS preflight requests, CSRF being enabled for APIs, or filters running in the wrong order.
