402 thoughts to “Spring Boot Token based Authentication with Spring Security & JWT”

  1. Thanks BezKoder for the tutorial, it was very helpful.
    And for every one who has an error with getting some data, getting “Unauthorized” error, just change :
    @PreAuthorize(“hasRole(‘Admin’)”)
    to :
    @PreAuthorize(“hasRole(‘ROLE_ADMIN’)”)
    This is how i resolved the issue, and it may depend on how roles are saved in your database 🙂

  3. Hi, thanks for this helpful tutorial, my question is about disabling csrf (….csrf().disable ).
    By using spring boot security with JWT, do we need to disable csrf? isn’t my application vulnerable to csrf attacks by doing so? If not is it vulnerable to Xss attacks and how can I protect it ?

  4. hello and thx for this tuto.
    After signin up and signing in (as admin) i’ve got this token “eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTY0NjEzOTg2NywiZXhwIjoxNjQ2MjI2MjY3fQ.Yc14R2gDZWlPQmxmRQ4TnPPJ73eI8pv–QTovuHZVEFf_-otD8Wkeso6OVn6xYm5LgIhiqtNp_RTExCZmCp_UA”
    when i tried to access to “localhost:8080/api/test/admin” with value “Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTY0NjEzOTg2NywiZXhwIjoxNjQ2MjI2MjY3fQ.Yc14R2gDZWlPQmxmRQ4TnPPJ73eI8pv–QTovuHZVEFf_-otD8Wkeso6OVn6xYm5LgIhiqtNp_RTExCZmCp_UA” i’ve got 403 Forbidden error
    Any help please

    1. Hi, you need to add “Bearer [token]” on your HTTP request Authorization header.

  5. (My English is not very well.)
    I got the token = “undefined” issue too.
    And I compared all the code between my code and this example code.

    I found this.
    I use lombok in my project.
    In the “public class JwtResponse” .
    It use different name of the
    “private String token;”
    but constructor use below:
    ///
    public JwtResponse(String accessToken, Long id, String username, String email, List roles) {
    this.token = accessToken;
    this.id = id;
    this.username = username;
    this.email = email;
    this.roles = roles;
    }
    ///

    I remove the lombok and use the same code with the example.
    or I keep my lombok and change my field name form “private String token;” to “private String accessToken;”.
    Both can resolve my problem.

    Hope it will help.

  6. Hi!

    Thank you for your tutorial it helped me a lot!nWould it be possible from your side to guide me with some additional case related to this tutorial? I want to create put request – editing username. I was trying to do something like this:

        @PutMapping("/usernameupdate/{id}")
    public ResponseEntity updateUsername(@PathVariable("id") long id,@Valid @RequestBody UsernameUpdateRequest usernameUpdateRequest) {
        Optional user = userRepository.findById(id);
        if (userRepository.existsByUsername(usernameUpdateRequest.getUsername())){
            return ResponseEntity
                    .badRequest()
                    .body(new MessageResponse("Error: Username is already taken!"));
        }
        else{
		user.setusername(usernameUpdateRequest.getusername())
                     return ResponseEntity
                    .body(new MessageResponse("Username is updated!"));
        }
    }

    but i have issues. I added usernameUpdateRequest class and added findById in userrepo. Problem is, that findbyId returns User instead of user and it complicates the whole thing. Best regards!

  8. Thank you for great example, but i can’t find, where the configuration for “Forbidden” error handling class?

  9. Hi, bezkoder, useful tut!

    What about adding next entities to this REST API?

    For example, adding that https://www.bezkoder.com/spring-boot-file-upload/ to this auth app

    1. We should add “token: xxxxxxxxxxxxxx” to request body, and that`s enough?

    2. What kind of checking process we should follow for token confirmation in Controller before any endpoint getting handled?

    Thanks a lot?

  10. Hi,
    I have implemented the above for my project . I need to write test cases but am getting “Error :unauthorised” ,which I think is coming security/jwt/AuthEntryPointJwt.java.
    I have annotated other end points with @PreAuthorize(“hasRole(‘XYZ’)”) .
    What should I mock to avoid this error ?

  11. Hello Guys, Hope that y’re fine!!
    Firstly, I want to inform that my english isn’t good, but Plz I will try to explain my problem like that:

    After sigin success, I have this Response

    {
    "id": 1,
    "username": "mod",
    "email": "[email protected]",
    "roles": [
        "ROLE_MODERATOR",
        "ROLE_USER"
    ],
    "accessToken": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJtb2QiLCJpYXQiOjE2Mzk0NTg3MDYsImV4cCI6MTYzOTU0NTEwNn0.uue5gH2HX9R8Wdxp7xP2cNMXPI3uRVsFgmdGVzG77QQsxL9AUFfwT3W_RTyWaoKHCTyfPKr8KuvNaoJQNz_-nA",
    "tokenType": "Bearer"
}

    But when I want to access to the mod or user content, I’m not able to see it!!
    Response of access:

    {
    "path": "/api/test/mod",
    "error": "Unauthorized",
    "message": "Full authentication is required to access this resource",
    "status": 401
}

    I also note that on my logger console, i have this message “Unauthorized error: Full authentication is required”

    Plz, I have done the tutorial several times, but I don’t see where is the problem
    Regards,

    1. Hi, you can check your HTTP Authorization Headers with Bearer Token. IT should be:
      Bearer eyJhbGciOiJ...

  13. Hi, very good article.

    Can the roles get from database?
    @PreAuthorize(“hasRole(‘USER’) or hasRole(‘MODERATOR’) or hasRole(‘ADMIN’)”)

    Thank you

  14. what is “Bearer token” in header
    when i call “localhost:8080/api/auth/signin” i am getting error;

    “timestamp”: “2021-11-15T06:07:11.934+00:00”,
    “status”: 500,
    “error”: “Internal Server Error”,
    “path”: “/api/auth/signin”

    AuthTokenFilter->request: org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@22a6d
    AuthTokenFilter->headerAuth: null
    AuthTokenFilter->jwt: null

  16. Great tutorial(s)!

    Question around best practices. For the signup, could you also return a token or is it better to keep them separate and have the client app (angular in this case) call login after a successful signup?

    Thanks!

  17. Hi, thank you for the excelent tutorial!
    I have a problem, when i signup/signin with postman all work well, but when i do a GET request api/test/…, I receive UNEXPECTED ERROR, access denied, the error is on the line filterChain.doFilter(request, response); in AuthTokenFilter class, can you help me?

    thank you

  20. Hello bezkoder,

    Thanks for the tutorial ! I have followed it, and application starts well, test data entered. When I try to sing up, I am getting a 401. Not sure what’s wrong in my request, should be something small, someone reading this could also help to solve the issue, TIA !

    URL – http://localhost:8080/api/auth/signup
    Req – POST
    Payload
    {
    “username”:”testadmin”,
    “email”:”[email protected]”,
    “password”:”*****”,
    “role”:[“admin”]
    }

  21. I have a classCastException when I use the UserDetailsImpl class for sign in request.

    It is saying can not cast String to UserDetails interface.

  22. hi i have a problem!
    all the requests that I make after my authentication do not go through in fact I do not have access to resources. all my API requests other than those from the Auth package do not pass authorization default.

  23. I solved it and to all my fellows peers looking for Full authentication is required to access this resource, i change the url to “/signup”. You have to add this “url” to WebSecurityConfig class as well. Cheers

  24. HI bezkoder ,

    Can you please help ? I received : Unauthorized error: Full authentication is required to access this resource for the signup API call to spring boot. This is the first initial sign up call. There should be no token available for the bearer during sign up right? Can please advise please?

    .security.AuthEntryPointJwt
    Unauthorized error: Full authentication is required to access this resource

  26. Hello, thank you for your tutorial, it helps me a lot.
    I want to ask, why you use Set instead of List for Roles mapping on user object? meanwhile, you convert it to list too…

  27. Thank you so much.
    I must have to say that this is a great tutorial and nicely explained.

  28. {
    “username”:”user”,
    “password”:”%&67#&46″
    }

    I am sending encoded password how can we decode and validate and successfully login?

  29. Hell, my IDEA ia angry about this: Field Injection is not Recommended
    Can i ignore this, or please give example of Constructor injection

    @Autowired
    UserDetailsServiceImpl userDetailsService;

    @Autowired
    @rivate AuthEntryPointJwt unauthorizedHandler;

  30. Hey fellow tutorial followers,

    I was also encountering this error:
    o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt

    I fixed it by changing the passwordEncoder method in the WebSecurityConfig from this:

    @Bean
public PasswordEncoder passwordEncoder() {
  return new BCryptPasswordEncoder();
}

    to this:

    @Bean
public PasswordEncoder passwordEncoder() {
  return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}

    Hope this helps some people.

    1. I am getting this error after changing like you suggested
      java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id “null”

      1. That is probably because you directly inserted your user data into the database. Therefore, the password is not encrypted. Use the signup API to create your user data.

  31. Hi Bezkoder,

    Thank you for you tutorial!

    I have an issue when I tried to register a new user into my database after a restart of the application.
    On the first launch I registered 3 account : admin, mod and user. Then I restarted the app and i tried to register the user temp wich gived me the following error : “query did not return a unique result: 2; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 2”.
    I can’t figure how to solve this problem…

    Thank you!

  32. Hi bezkoder, I have implemented the application and everything works fine in oracle DB 12c but there is a problem. I can successfully register user from postman and if I check my DB I can see the data saved including hashed password, when I try to login with the same credentials I get the error below:
    o.s.s.c.bcrypt.BCryptPasswordEncoder : Empty encoded password
    v.i.crm.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials.
    Please help thanks.

  33. Hi Bezkoder,

    First of all, thank you for you tutorial, it’s very clear !

    Do you plan to do a tutorial on the back and/or front side which present how to manage the users table ?
    From a production perspective, to my mind, it would complete this series of tutorials (The superuser would be admin which can manage moderators and users)

    Thank you!

  34. hello man why are the data not saved on the my db? I use the oracle 19c! after registration, no data is saved

    1. Hi, the source code configuration works with MySQL database, not Oracle. So you need to use Oracle dependency in pom.xml and configure data source and hibernate in application.properties file 🙂

  35. Hello, when I create a constructor in the sign in section return JwtResponse, what will the String correspond to jwt?

    @PostMapping("/signin")
    public ResponseEntity authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
	
	...
	
	
	
	return ResponseEntity.ok(new JwtResponse(jwt,
                userDetails.getUsername(),
                userDetails.getPassword(),
                roles));
	}

    public class JwtResponse {

    private String token;
    private String type = "Basic";
    private String username;
    private String password;
    private List roles;

    public JwtResponse(String jwt, String username, String password, List roles) {
	
	..........=jwt
        this.username = username;
        this.password = password;
        this.roles = roles;
    }
}

  36. Hello…,
    For sign in purpose….,
    Instead of UserName can we use email ID for sign in………….

  37. It has been best guide I have ever seen in my entire life! Great staff. Clearly explained.

  39. Hello,

    I always get 401 Full Authentication required when trying to get any protected resource. I have the Authorization Header and the Token on all requests, also the aplication-type JSON headers I still always get the error, both from Angular and from Postman.

    Please help me I need to implement this for a university project and your tutorial is the best I’ve found, but it just doesn’t work properly

      1. I have it, still have the same error.

        I think it’s a problem with creating the authentication, maybe there’s something that needs to be changed with the security config. The authentication seems to never be created and sending the token does nothing unfortunately.

        1. UPDATE:

          I found the problem. For anyone else having this problem:

          Make sure you DON’t add @Order(Ordered.HIGHEST_PRECEDENCE) to the security config or any of the jwt classes. I added it to avoid some error from csrf, but it ended up ruining the authentication.

  40. I got that error after sending
    {
    “username”: “mod”,
    “email”: “[email protected]”,
    “password”: “12345”,
    “role”:[“mod”,”user”]
    }

    to POST http://localhost:8080/api/auth/signup by Postman
    and im getting this kind of error

    {
    “timestamp”: “2021-04-19T08:47:32.067+00:00”,
    “status”: 415,
    “error”: “Unsupported Media Type”,
    “message”: “”,
    “path”: “/api/auth/signup”
    }

  41. Hi M8!
    Great tutorial!
    just one thing my spring runs fine and finds my database and all.
    It just does not add any tables to it at all.
    Any idea why?
    I get no error messages.
    Kind regards

    1. You should set hibernate ddl to create, or update. See the code below
      spring.jpa.hibernate.ddl-auto = update

  42. Hi man thanks , it was realy a nice tutorial ,but i need help i tested the /signup post request it did worked and i checked my data Base it was implemented with a user but when i try /signin with the same user that i just did i got {
    “timestamp”: “2021-04-17T05:12:02.331+00:00”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “”,
    “path”: “/pcd/auth/signin”
    }
    ps: i changed the path to (“/pcd/auth/**”).permitAll() in the webConfig the Jwt token is not generating its directly rendering into Authentication Entry point and displaying the message pleaase help

  43. Howdy! This post could not be written mᥙch better!
    Reading through this tutorial helps me alot about Spring Security with JWT!
    Thanks f᧐r sharing!

  44. I did everything the same but I get this error when I try to login

    2021-04-13 14:56:47.174 WARN 105872 — [nio-8080-exec-2] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
    2021-04-13 14:56:47.187 ERROR 105872 — [nio-8080-exec-2] c.a.A.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials

  45. Hi Sir,
    I am getting below issue while signup user:
    {
    “timestamp”: “2021-04-13T08:33:24.035+00:00”,
    “status”: 401,
    “error”: “Unauthorized”,
    “path”: “/app/auth/signup”
    }

    can you please help…

  46. My user not have enabled column and when i try to login, server said that can not authorization cause no enabled column, so how to get over it

  48. Hi! Thanks for this awesome tutorial!

    I have an issue with the http://localhost:8080/api/auth/signin. I have created the roles in the role table and I was able to create some users from http://localhost:8080/api/auth/signup. The problem comes when I want to sign in.
    I create an user with the following parameter -> {“username”: “admin”, “email”: “[email protected]”, “password”: “admin”, “role”: [“admin”, “mod, “user”]} and then when I tried to sigin with “username”: “admin” and “password”: “admin” I have a 415 Unsoported Media Type.

    I’m sure I am using the POST method, and I tried to change from application/json to application/x-www-form-urlencoded with no success.

    If you can help me I will be very thankful!

    Thanks anyway for this great tutorial. Your GitHub was very helpful

  50. Hi.
    I’m having this issue like when I try to fetch details roles are not coming. I’m getting an empty array. kindly help if someone knows how to resolve this issue.

    Thanks in advance

  51. Resolved [org.springframework.web.HttpMediaTypeNotAcceptableException: Could not find acceptable representation]

  52. Hallo Bezkoder …
    It greats tutorial, thanks a lot for your sharing.

    I have a silly questions but it make me confuse. User have 1 role, Moderator have 2 roles , and Admin have only 1 roles. Where I must set it? How do I set Admin with 3 roles ?

    Thank you in advance

  53. hello , thank you for these great tutorial .
    I changed in application.properties file :
    spring.datasource.url=jdbc:mysql://localhost:3306/testdb?serverTimezone=UTC
    spring.datasource.username=root
    spring.datasource.password=
    spring.datasource.driver-class-name= com.mysql.cj.jdbc.Driver

    spring.jpa.database= MYSQL
    spring.jpa.show-sql=true
    spring.jpa.hibernate.ddl-auto=update
    spring.jpa.properties.hibernate.dialect= org.hibernate.dialect.MySQL55Dialect

    spring.jpa.open-in-view=false

    # App Properties
    bezkoder.app.jwtSecret= bezKoderSecretKey
    bezkoder.app.jwtExpirationMs= 86400000
    so the tables were generated automaticly and i can open my database with phpMyAdmin ,but when i tried to send this request http://localhost:8080/api/auth/signup in Postman, i have this error :
    POST http://localhost:8080/api/auth/signup
    Error: connect ECONNREFUSED 127.0.0.1:8080
    Request Headers
    Content-Type: application/json
    User-Agent: PostmanRuntime/7.26.8
    Accept: */*
    Cache-Control: no-cache
    Postman-Token: bd8240e4-e192-41bb-9b10-477b324d7e0e
    Host: localhost:8080
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Request Body
    {
    “username”: “mod”,
    “email”: “[email protected]”,
    “password” :”1234″,
    “role”: [“mod”, “user”]
    }

    can you help me please ?

  54. Great tutorial, thanks so much!

    Wondering what’s the difference between the following types of exports:
    export default new AuthService() vs export default App?

  55. what about payload package. i am beginer and dont know what will request and what response. please provide me

  56. Signup: http://localhost:8080/signup
    body:- {
    “username”: “kapil”,
    “email”: “[email protected]”,
    “password”: “12345”,
    “role”: [
    “ROLE_ADMIN”
    ]
    }

    Response:-
    {
    “timestamp”: “2021-01-30T21:15:37.537+00:00”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “Error: Unauthorized”,
    “path”: “/signup”
    }

  57. Hi, I have the following error when trying POST signup request:

    2021-01-24 16:32:42.688 ERROR 1136 — [nio-9095-exec-9] c.e.s.security.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource
    2021-01-24 16:33:24.495 ERROR 1136 — [nio-9095-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

    org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String “//”
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlocklistedUrls(StrictHttpFirewall.java:456) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:429) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:196) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.4.2.jar:5.4.2]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.3.3.jar:5.3.3]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.3.3.jar:5.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.3.jar:5.3.3]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.3.jar:5.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.3.jar:5.3.3]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.3.jar:5.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.3.jar:5.3.3] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.3.jar:5.3.3]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-9.0.41.jar:9.0.41]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

    2021-01-24 16:33:24.547 ERROR 1136 — [nio-9095-exec-2] c.e.s.security.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource

    Would you please tell me what am I missing?

    Thanks!

    1. No worry, I figure it out. The issue is I am having // (instead of /) from my Post end-point url. After correcting, everything is working.

  59. Thanks a lot for the detailed explanation.
    Please if I want to use this as an auth server micro service, how do I go about that? Thanks

  61. Thank you for this tutorial. It was really easy to understand it.

    Can you upload a video or code on forgetting password in this code?

  63. Hi, I am wondering why your signin response is different compared mine, here is my signin response result:

    {
    "token": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ1c2VyMSIsImlhdCI6MTYwOTMwMjEyOCwiZXhwIjoxNjA5Mzg4NTI4fQ.uPk3Fb8e9nIpfX67j1TLi5xv3NCXhziN9bnhjD_EgYrDx6SBMCIxVAen_0418sRNh_A1bNYIJ6lEtiesf6Sqyg",
    "type": null,
    "id": 5,
    "username": "user1",
    "email": "[email protected]",
    "roles": [
        "ROLE_USER"
    ]
}

    My type is always returns null “type”: null, (where did you define tokenType and accessToken? )

    1. Hi, you can find type = "Bearer" in payload/response/JwtResponse.java:

      public class JwtResponse {
	private String token;
	private String type = "Bearer";
	private Long id;
	...

  64. good evening, i did exactly the same as you but when i run my application i get the following error:

    sun.misc.Unsafe.park(Native Method)
    java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
    java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
    java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1093)
    java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:809)
    java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1067)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    java.lang.Thread.run(Thread.java:745)
    2020-12-28 20:20:04.631 WARN 44708 — [ main] o.a.c.loader.WebappClassLoaderBase : The web application [ROOT] appears to have started a thread named [HikariPool-1 connection adder] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
    sun.misc.Unsafe.park(Native Method)
    java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:215)
    java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2078)
    java.util.concurrent.LinkedBlockingQueue.poll(LinkedBlockingQueue.java:467)
    java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1066)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1127)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    java.lang.Thread.run(Thread.java:745)
    2020-12-28 20:20:04.633 WARN 44708 — [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization – cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat
    2020-12-28 20:20:04.634 INFO 44708 — [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 – Shutdown initiated…
    2020-12-28 20:20:04.642 INFO 44708 — [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 – Shutdown completed.
    2020-12-28 20:20:04.666 INFO 44708 — [ main] ConditionEvaluationReportLoggingListener :

    Error starting ApplicationContext. To display the conditions report re-run your application with ‘debug’ enabled.
    2020-12-28 20:20:04.694 ERROR 44708 — [ main] o.s.b.d.LoggingFailureAnalysisReporter :

    ***************************
    APPLICATION FAILED TO START
    ***************************

    Description:

    An attempt was made to call a method that does not exist. The attempt was made from the following location:

    org.hibernate.validator.internal.engine.ValidatorFactoryImpl.(ValidatorFactoryImpl.java:153)

    The following method did not exist:

    javax.validation.spi.ConfigurationState.getParameterNameProvider()Ljavax/validation/ParameterNameProvider;

    The method’s class, javax.validation.spi.ConfigurationState, is available from the following locations:

    jar:file:/C:/Users/hp/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA.jar!/javax/validation/spi/ConfigurationState.class
    jar:file:/C:/Users/hp/.m2/repository/jakarta/validation/jakarta.validation-api/2.0.2/jakarta.validation-api-2.0.2.jar!/javax/validation/spi/ConfigurationState.class

    The class hierarchy was loaded from the following locations:

    javax.validation.spi.ConfigurationState: file:/C:/Users/hp/.m2/repository/javax/validation/validation-api/1.0.0.GA/validation-api-1.0.0.GA.jar

    Action:

    Correct the classpath of your application so that it contains a single, compatible version of javax.validation.spi.ConfigurationState

    can someone help me please ?

    1. Hi, first remove in your repository maven the directory hibernate and then make a maven clean install to reimport correctly your dependencies.

  66. I’m thoroughly enjoying your tutorial. I’m still new to the whole thing about Spring Boot and you made my day.
    Thanks a lot!

  67. Thanks for this amazing tutorial. It was really easy to understand it.

    I have a question, If I have a case that some users (from the database) require password from the database or some user required password from Ldap. Can you give me a hint?

  68. Thank you for this excellent tutorial! I was getting lost with other more complex tutorials and having trouble understanding how everything connected, but when I followed this one my authentication worked.

      1. Hi, thank you for the very detailed tutorial!
        Have a question:
        Why you user ‘parseClaimsJws’ in function validateJwtToken of JwtUtils class
        instead of ‘parseClaimsJwt’?

  69. Hi, I followed the tutorial, it runs but the tables are not being created.

    I already tested the connection to postgres, checkt in the browser for the login. Everithing looks good but the tables are not being created, I changed the spring.jpa.hibernate.ddl-auto to create but still nothing.

    I apreciate any guidance, thanks.

  70. Hi,

    I cloned your code and the frontend too
    it works fine
    I added a user made him an admin and mod and user
    and was added successfully but when I sign in and click on user or admin board they both say UNAUTHORIZED
    although im signed in
    why is that?

  72. hello bezcoder ,thank you for this amazing tutorial !! but if i want to add new class (Employee) and make this class as a User .. what i have to do ..should i use inheritance or relationship between them ?

  74. I’m getting the following error when running mvn spring-boot:run -debug
    WARN 8120 — [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization – cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘userReposi tory’ defined in com.bezkoder.springjwt.repository.UserRepository defined in @EnableJpaRepositories declared on JpaRepositoriesRegistrar.EnableJpaRepositoriesConfiguration: Cannot create inner bean ‘(inner bean)#6b2e46af’ of type [org.springframework.orm.jpa.SharedEntityManagerCr eator] while setting bean property ‘entityManager’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creat ing bean with name ‘(inner bean)#6b2e46af’: Cannot resolve reference to bean ‘entityManagerFactory’ while setting constructor argument; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘entityManagerFactory’ available
    2020-11-26 07:14:03.393 INFO 8120 — [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Shutting down ExecutorService ‘applicationTaskExecutor’
    2020-11-26 07:14:03.527 INFO 8120 — [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
    2020-11-26 07:14:03.580 INFO 8120 — [ main] ConditionEvaluationReportLoggingListener :

    Error starting ApplicationContext. To display the conditions report re-run your application with ‘debug’ enabled.
    2020-11-26 07:14:03.595 ERROR 8120 — [ main] o.s.b.d.LoggingFailureAnalysisReporter :

    ***************************
    APPLICATION FAILED TO START
    ***************************

    Description:

    A component required a bean named ‘entityManagerFactory’ that could not be found.

    Action:

    Consider defining a bean named ‘entityManagerFactory’ in your configuration.

    [INFO] ————————————————————————
    [INFO] BUILD FAILURE

  75. Hi, first of all I would like to say its great article, thank you for your effort.

    I have one question: how to change login field to another field from User entity? E.g. I want to use email and password for login. How to force UsernamePasswordAuthenticationToken to get as principal email instead of username ?

  76. Hi, I have registered a new user with role “mod”. When I sign in with it and calling a GET http://localhost:8080/api/test/mod URL, I am getting an error in “postman”
    {
    “timestamp”: “2020-11-23T17:58:29.065+0000”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “Error: Unauthorized”,
    “path”: “/api/test/mod”
    }
    Can you help me? I have taken this tutorial with git clone and I was doing everything step by step. Some people got into the same trouble above in comments but didn’t get the answer.

    Also, thanks for this tutorial. 10/10!

    1. Hi, first you need to signin the user. Then you must use Bearer Token from the response data of the signin resquest 🙂

      1. Hi Bezkoder,

        So that means that I need to login, but because there is no usere created yet, I need to create the first one to login and to be able to get a token ?

        If I do that, by curl it would be something like this ? (I think the confussion is because following the tutorial some of us assume that we can use the signup with no need for credentials…that make sence?, thank you.)

        TOKEN=$(curl -s -X POST -H ‘Accept: application/json’ -H ‘Content-Type: application/json’ –data ‘{“username”:”{username}”,”password”:”{password}”,”rememberMe”:false}’ https://{hostname}/api/authenticate | jq -r ‘.id_token’)

        curl -H ‘Accept: application/json’ -H “Authorization: Bearer ${TOKEN}” -d ‘name=the_name’ -d ’[email protected]’https://{hostname}/api/myresource

  77. Hello, thank you for your great tutorial.
    I have one question. This part of code shouldn’t return error code when validation is false?
    This code does nothing even if validation fails.

    try {
			String jwt = parseJwt(request);
			if (jwt != null && jwtUtils.validateJwtToken(jwt)) {
				String username = jwtUtils.getUserNameFromJwtToken(jwt);

				UserDetails userDetails = userDetailsService.loadUserByUsername(username);
				UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
						userDetails, null, userDetails.getAuthorities());
				authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

				SecurityContextHolder.getContext().setAuthentication(authentication);
			}
		} catch (Exception e) {
			logger.error("Cannot set user authentication: {}", e);
		}

    1. Hi, you can look at the next line after this block of code:
      filterChain.doFilter(request, response);

      Spring Security filter chain will validate and return error code automatically.

  78. Hello bezkoder, i dont want signup page only i need is signin page so what should i change ithe source code

  79. Hola bezcoder , amazing tutorial. Applying your tutorial i did try to implement the process in my app , but keep, but trying to access the user data i got a anonymous user, thus i dont know what to do!
    Any sugerence?

      1. the point is the user get logged and all works fine .. if i check my login method service implementation all data is there .
        When the user logs in the app works .
        But when trying to access that logged user from other method in other class through SecurityContextHolder i got an anonymous user
        Please help….a better idea i set here:
        https://stackoverflow.com/questions/64927997/how-to-receive-the-authenticated-user-from-springsecurity-in-other-service-imple

        Thanks in advance

  80. Man you are those people with god level explanation, I was struggling with implementation in React at the auth states, i love you.

    1. I suggest you all noobs to avoid ask low level questions since this man did not develop a low level API, just learn by yourselves all low level questions could be solved by google, trust me

      I am sure that this quite polite gentleman developer want to help all of us, but it is annoying explaining all questions, he did a lot just sharing his code <3

    2. I do have same questions. Do I need to have CSRF protection enabled? Any additional checks required for CSRF?

  82. Hi,

    I’m a beginner on spring security and JWT. I am so glad that I found your tutorial and I am following it now. It’s really well explained with great structure. However, I am having a small problem with the post method for /signup.
    When I ran the application in local and made a post request on endpoint /api/auth/signup, it returned a successful message. But when I checked the database, it shows empty cells on other columns of the table users apart from the id column.

    id | email | password | username
    —-+——-+———-+———-
    6 | | |
    7 | | |
    (2 rows)

    Do you think what could be the possible causes for this problem?
    Many thanks in advance.

      1. Here is a sample of my body data with JSON format. Should be fine I think ?
        {
        “username”: “eduard”,
        “email”: “[email protected]”,
        “password”: “12356547567”,
        “role”: [“user”, “mod”]
        }

  84. I have got the problem at the signup. All things seems good but not working. Please help.

    {
    “timestamp”: “2020-11-05T06:04:19.643+00:00”,
    “status”: 404,
    “error”: “Not Found”,
    “message”: “No message available”,
    “path”: “/api/auth/signup”
    }

    1. Doing silly mistake that i cannot keep @RequestMapping(“/api/auth”).

      Thank you for the great tutorial.

  85. Hi bezkoder !
    Thanks a lot for this very good tutorial ! I am a beginner and this helped me a lot !
    Now, I would like to add swagger-ui to my project and I have this error when I want to access to url localhost:8080/swagger-ui.html :
    c.m.d.a.m.s.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource

    I tried to add .antMatchers(“/swagger-ui.html”).permitAll() to WebSecurityConfig but it’s the same… I know it’s outside of this tutorial but maybe you can help me and tell me what do I need to edit to make it work ?
    Thanks !

  86. Hi ,very good tutorial! But i’m having trouble when I call “signup”. Inside “doFilterInternal”, after verify if “jwt != null && jwtUtils.validateJwtToken(jwt)”, this line is called: “filterChain.doFilter(request, response)” and bring me back an Unauthorized error.
    I don’t understand what exactly do this line, can any one help me?
    I think is important to say that I’m not passing any value on my header(besides the postman defaults). I see in the example above that the header has 9 fields, but mine has 8. Do I need to send something in my header when I’m siningUp?

    1. here I have a better error description:InsuficientAuthenticationException, messageDetails:”Full authentication is required to access this resource”

  87. Hello there,
    First of all thank you so much for your tutorial, it is very clear and it helped me a lot !

    The only question that remains for me is where are stored the tokens in this configuration ? Are they stored inMemory and if so, how could we change this aspect of your code ?

    1. +1
      Does someone has the answer to that question ? I am trying to had an api logout
      Wonderful tutorial indeed

  89. Hello, thank you very much for sharing, excellent tutorial.
    I did my project guiding me around here and it works fine for me except when I use the @PreAuthorize notation, it throws me the error:
    Postman
    {
    “date”: “2020-10-21T18:22:06.284+0000”,
    “code”: 500,
    “message”: “Internal server error”,
    “description”: “Access is denied”,
    “details”: []
    }
    Console
    2020-10-21 15:22:06.273 WARN 19507 — [nio-9091-exec-9] n.u.e.r.AEresponseEntityExceptionHandler : Exception.class -> (uri=/api/v1/users/4): Access is denied.
    2020-10-21 15:22:06.372 WARN 19507 — [nio-9091-exec-9] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.access.AccessDeniedException: Access is denied]

    Any ideas? Thanks

    1. Hi, it didn’t work for me with @PreAuthorize (“hasRole (‘ADMIN’)”) but it work for me with @PreAuthorize (“hasAuthority (‘ADMIN’)”)

  91. When i invoke the api(protected by jwt) through browser can i have a login form if yes please help on how?

  92. If Admin has to access database, should I create in TestController several ‘access’ methods?
    For example, if Admin has to access users and orders, should I create GetMapping for users and GetMapping for orders by two different methods? Thank you.

  93. Hi, thanks for this tutorial.
    I’m in trouble, java throws an exception of 401:
    08:41:37,931 ERROR [co.com.activacredito.AuthEntryPointJwt] (default task-2) Unauthorized error: Bad credentials

    I’m working with a simple login form with Thymeleaf and Spring Boot
    What could it be?
    Thank you!

  94. Hello. Why I can’t reach localhost:8080/register nor any other link? It says: log shows: “Unauthorized error: Full authentication is required to access this resource”. Hope you could help me. Thanks.

    1. Hi, you should check if http header is correct or not (Bearer for Spring Server and x-access-token for Node.js server)

  95. Hi,

    Excellent tutorial, easy to understand the concept.
    I tried to implement the same, except that I do not want the signup page/utility. i.e. assume the user table will be populated bu some other means. So I implemented everything as the tutorial except signup utility. When I try to login (signin) it fails even though record is fetched correctly.

    2020-10-05 15:51:54.346 INFO 17544 — [nio-8071-exec-3] com.example.controller.AuthController : Login….
    2020-10-05 15:51:54.346 INFO 17544 — [nio-8071-exec-3] com.example.controller.AuthController : User: mihir
    ..hibernate logs from user table fetched the row correctly.
    ..hibernate logs from role table to get the role correctly.
    2020-10-05 15:51:54.750 WARN 17544 — [nio-8071-exec-3] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
    2020-10-05 15:51:54.759 ERROR 17544 — [nio-8071-exec-3] c.b.iris.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials

    Basically, I have simple text put it DB table for password column.

    In Postman the body is as below:

    {
    “username”: “mihir”,
    “password”: “test”
    }

    “test” is also saved (and returned in logs) from database.

    What am I missing here?

  97. ***************************
    APPLICATION FAILED TO START
    ***************************

    Description:

    Field userRepository in com.bezkoder.springjwt.security.services.UserDetailsServiceImpl required a bean of type ‘com.bezkoder.springjwt.repository.UserRepository’ that could not be found.

    The injection point has the following annotations:
    – @org.springframework.beans.factory.annotation.Autowired(required=true)

    Action:

    Consider defining a bean of type ‘com.bezkoder.springjwt.repository.UserRepository’ in your configuration.

  98. Hi,
    private String parseJwt(HttpServletRequest request) {
    String headerAuth = request.getHeader(“Authorization”);
    System.out.println(request.getHeaderNames());

    if (StringUtils.hasText(headerAuth) && headerAuth.startsWith(“Bearer “)) {
    return headerAuth.substring(7, headerAuth.length());
    }
    logger.error(“Something went wrong! headerAuth = null: “, headerAuth);
    return null;

    headerAuth is null, that is my problem.. Any idea?

  100. hi bezkoder
    – this is great tutorial, it’s worked for me,. But can i ask:
    + Why do you have to create and use “SignupRequest” and “LoginRequest” for Signing Up and Login request, is it OK if use User entity for this purpose?

    Many thanks for your help!

    1. Hi, User entity is highly related to database model, while “SignupRequest” and “LoginRequest” stand for Http request data. That means, you can add or change data of the request body by changing “SignupRequest” and “LoginRequest” class, but the persistence of table in database (corresponding to User entity) should not be changed regularly.

    1. Hi, please check the HTTP request Authorization Header. Also don’t forget to login a user account to get the Token.

  102. Hi, Thank you a lot for this tutorial. But I have a problems when I run your project and it still ok. But I found on my eclipse log that:
    io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
    It has this error. Can you help me fix this

  104. Hi Bezkoder, Your codes really helped me alot .It is such a awesome code. I just loved it.
    It was working fine earlier but recently i got this error while trying to login and i am stuck for a while :
    “The signing key’s size is 104 bits which is not secure enough for the HS512 algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS512 MUST have a size >= 512 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys class’s ‘secretKeyFor(SignatureAlgorithm.HS512)’ method to create a key guaranteed to be secure enough for HS512. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.”
    What may be the solution for this? Please help!

    1. The secret key i was giving was short length , i changed the secret key and it worked.Thanks!!!!!

  105. Good Morning

    The tutorial is very cool, but I have a problem registering

    Give me error 500
    I downloaded your code, changed the database and still give me the same error

    follow a code

    I hope I can help

    http://localhost:8080/api/auth/signup
    {
    “username”:”mod”,
    “email”:”[email protected]”,
    “password”:”123456789″,
    “role”:[“mod”,”user”]
    }

    {
    “timestamp”: “2020-09-04T10:20:52.561+0000”,
    “status”: 500,
    “error”: “Internal Server Error”,
    “message”: “Error: Role is not found.”,
    “path”: “/api/auth/signup”
    }

  107. Such Helpful article explained very well and it is saying “it took lot of effort to make it understandable” .

    I’ve given time to understand article and able to relate the terminologies regarding spring security – authentication, authorization, principal and grant authorities. also leveraged jwt token-based-authentication mechanism with difference of session-based authentication.

    After that i able to create custom project with no difficulties and that because of this article reference.

    Thank You
    God Bless bezkoder 🙂

  108. There is a problem in many to many part.

    Values cannot be inserted to USER_ROLES table.

    How can I fix it?

  109. It’s an amazing tutorial for me. I wanted to try it but there is a problem.

    In signup method of AuthController, roles cannot be defined. It assigns a message “Error: Role is not found.”

    Here is my ROLES_JWT Table

    ID ROLE

    1 ROLE_USER

    2 ROLE_ADMIN

    3 ROLE_MODERATOR

    When I wrote a json object for signing up, it throws 505 internal error message because of this reason.

    {

    “username” : “user1”,

    “password” : “user123456789”,

    “email” : “[email protected]”,

    “role” : [“user”,”mod”]

    }

    Where is the problem ? How can I fix it?

    I use Oracle 11g Database

    I hope you can reply my question

    Thank you

  110. Although I added 3 rows (ROLE_USER,ROLE_MODERATOR and ROLE_ADMIN) in roles table , it still throws an error . (java.lang.RuntimeException: Error: Role is not found.). I use Oracle Database

  111. Hi bezkoder,

    Thanks for tutorial , I am able to call all APIs through Postman, But in browser i am unable to access this application. I am getting below error page. i used the # App Properties
    bezkoder.app.jwtSecret= bezKoderSecretKey
    bezkoder.app.jwtExpirationMs= 86400000

    Can you please help on this. did i missed any thing.

    Whitelabel Error Page
    This application has no explicit mapping for /error, so you are seeing this as a fallback.

    Sat Aug 15 23:40:56 IST 2020
    There was an unexpected error (type=Method Not Allowed, status=405).
    Request method ‘GET’ not supported

  112. Amazing tutorial bezkoder! My only issue is the fact that it appears too low in Google Search.
    I tried DZone’s tutorial for Bootiful App but yours is much more understandable and well-written.

    Thanks for the effort!

  113. public class AuthTokenFilter extends OncePerRequestFilter {
    // …
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    throws ServletException, IOException {
    // …
    UserDetails userDetails = userDetailsService.loadUserByUsername(username);
    // …
    }

    Well, it will hit the database everytime when a request comes in, basically every click on the UI, every incoming api call, etc triggers a select query against the DB in order to fetch the user data again and again and again…

    I know, I know security is important, but don’t you think it is a little resource consuming way to maintain security? I imagine, the user logs in, the backend checks that everything is OK, returns the token, and that’s it. No more DB harassment for finding out that the user and its roles are still existing and intact… in the same session… in every couple of seconds. If the user holds the token (and it is not expired) the backend should accept that tokenas a valid one – without checking the user data in the db.

    What are the good ways to keep it still secured but skip the unnecessary resource consuming calls?
    Storing the Authentication object in the session? Why not? Spring must have some tools to manage this.
    Storing every user detail (password included) in the encoded jwt? Ok, it seems not so secure. 🙂
    AuthProvider with caching functionality? And with cache invalidation ofc.
    Other solutions?

    Cheers!

    1. I have the same question. It seems to me that the logic behind JWT would be to store the user authorisation in the token (hence the name “claims”). They are as secure (or as insecure) as the token itself. Obviously,
      it makes changing user rights somehow difficult, but you could use the expiration date to set a limit.

  114. Dude, great tutorial.. I’ve tested it out and worked perfectly on postman… However, if I create an account using the interface on the browser and I log in with user role, when I try accessing “User content” it shows me an error message with “Unauthorized”, even though I’m logged in with user role… Same it is for mod/admin. Any idea what that might be? Thanks!

  115. hey , great job but am sorry where did you specify the roles that can access a specific url for exp (the user can access the /user and cannot access the /admin )

  118. Hello!!Very nice tutorial you open my mind!!
    I have 1 question for you if i want to add more than one restcontroller just to get some data from database , i added @PreAuthorize annotation and configured security config properly but i am getting 401 error???
    My question is do i need every time that i make a post request to sent header so i can get authorized ??? or when i log in automaticly from sesion storage server knows that i am authenticated…????

  120. Hi Thanks for this tutorial, I have just one easy query on how to get current user object here in backend

  121. Hello,
    thanks for your tutorial. I have a question: why does the statement “filterChain.doFilter(httpServletRequest, httpServletResponse)” call the authentication process again? Actually, in the method “doFilterInternal”, it has already authenticated the token.
    In my log, there are SQL of authentication process called twice, so I debug the programme, and find the doFilter method call the UserDetailsImpl once again. How do I avoid this? or is it normal?
    I hope my question is clear.
    thanks
    ps: my log like this:
    Hibernate: select * from user where username=?
    Hibernate: select * from user where username=?

  122. Hello,

    for logout it is really usefull to create it or just remove cookies from front is enough ?

    because i did not see a great implementation of logout….
    is there ip verification in your code (i dit not analyzed all code)

    thank you!

  123. Hi,
    Can i use h2 database for this?
    If it’s possible, can someone tell me what do i need to change for h2?
    I tried to change it but i can’t open h2 and insert roles.

    1. you just have to change the driver in pom.xml and in application.properties, then change jdbc url in application properties

  125. Great tutorial, just having issue with one bit…AuthEntryPointJwt class.

    I’m building a multi-module project using Gradle. When I build the application and attempt to run it it fails saying “WebSecurity required a bean of type “AuthEntryPointJwt” that could not be found.”

    Wondering if you had seen such an issue before?

  126. Works perfectly, Thank you! That was one of the best tutorials I have seen about this subject

  127. Hi thank you for your post, it really helps me.
    I’m stuck at creating a new user, The user table is created but user_role is null.
    Can you help me with it?

  129. Hi, thank you for this great tutorial;
    I have one question about UsernamePasswordAuthenticationFilter, Do we only use it in the http.addFilterBefore()
    I thought that we will use it for each request (Endpoint of the Test Controller for exampl).
    Thank you so much.

  130. Hello and thank you for this great tutorial!

    I tried to get it running with openjdk 14 and get following error when trying to authenticate:

    FilterChain java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

    Could found help here:
    https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j

    So by adding following dependency to pom.xml:

    jakarta.xml.bind
    jakarta.xml.bind-api
    2.3.2

    everything works fine.

  131. Hi,
    when i try to run the app i get this error Consider defining a bean of type ‘org.springframework.security.authentication.AuthenticationManager’ in your configuration.
    This happens in authController
    I know you defined a bean and wired it in the controller, but i dont get it.
    Can you explain please?

  132. Hi,
    I want to host some static content from the application build, but i am not able to allow publicly accessible content from static directory.
    can you suggest something.
    Thanks
    pavan

  134. What can be the reason why I’m not receiving ANY response from server?
    I’ve made everything as in tutorial step by step…It’s very weird.

  135. Hey again,
    I want to sign up and sign in using also the email address. Any help please?
    (Spring boot / Angular)

  136. Sir How To Add The Data i DataBase using Postman Will You Please Explain The Example

  139. Hi, I’ve downloaded this repo from github and upgraded it to use spring boot 2.3.0 but now whenever i try to login using wrong credentials the message property on the response is empty.
    This is what I get, it happens with every unauthorized response:
    {
    “timestamp”: “2020-06-13T16:12:23.219+00:00”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “”,
    “path”: “/api/auth/signin”
    }
    The logger by the way display the correct message in the console (“Unauthorized error: Bad credentials”).
    Do you happen to know the reason?

  140. Hey,
    thank you for this great tutorial.
    I got the following error:

    Field jwtUtils in com.ingokoepp.xsamples.security.jwt.AuthTokenFilter required a bean of type ‘com.ingokoepp.xsamples.security.jwt.JwtUtils’ that could not be found.

  141. Hey thanks for this tutorial. But I added course model(id,name,description) and controller doing crud operations. But when i authorize and then add values to the course using postman , its getting added but the name and description fields are displaying null. May i know whats the problem

  142. Hi, I have problem with application, because app throw “Unauthorized error: Bad credentials”. And above is “Empty encoded password”.

    o.s.s.c.bcrypt.BCryptPasswordEncoder : Empty encoded password
    p.z.l.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials

    1. check UserDetailsImple.java Constructor 

          public UserDetailsImple(Long id, String username, String email, String password,
                            Collection autorities)
    {
        this.id = id;
        this.username = username;
        this.email = email;
        this.password = password;    <===== this one
        this.authorities = autorities;
    }

  143. Request
    {
    “username” : “mod”,
    “email”: “[email protected]”,
    “password” : “123456”,
    “role” : [“mod”, “user”]
    }
    Response
    {
    “timestamp”: “2020-06-04T03:31:19.290+0000”,
    “status”: 500,
    “error”: “Internal Server Error”,
    “message”: “Error: Role is not found.”,
    “path”: “/api/auth/signup”
    }
    PS : I’m running the code you have provided in github.

  144. Thank you very much for the effort to create such a jewel.

    I’ve been looking for something like this for a long time.

    There are many who have dealt with this subject, but most of the time they have left it half, incomplete or not refreshed.

    Man, you found a niche that is highly sought after and appreciated by boot-spring developers.
    The secret is the richness of details and the fact that it works!

    I recommend adding Lombok and keeping it updated.

    Success!

  147. Hi! This is an amazing article, thank you for your job.
    I’ve written all the same. But I have one problem. If I want to get properties of the current user in my own method, I write this:

    CustomerDetailsImpl currentCustomer
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (!(authentication instanceof AnonymousAuthenticationToken)) {
    currentCustomer = (CustomerDetailsImpl) authentication.getPrincipal();
}

    In headers from Postman I send my bearer token after login.
    But in authentication I get anonymousUser.
    Why is this happening?

        1. Hi @Enrique Gordon, My solution was:

          Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
          UserDetailsImpl currentUser = (UserDetailsImpl) authentication.getPrincipal();

          This way you can get data current user in any class or method.

          Regards.

  148. You’re the best teacher that I’ve ever come across in my coding journey who can explain in detail what spring security and jwt are all about. I don’t know how I can describe you but you’re genius. This is an inspirational tutorial and I look forward to see more powerful tutorial of this type. Once again, I will say big thank you

  149. Hi, how can I add a cascading dropdown in the signup page , and the data’s in the dropdown from the database. How it is possible in the backend and frontend?

  150. I’ve implemented jwt with spring security and work’s fine, but when I’m trying to access the API those have @preAuthorize it’s giving me unauthorized when hitting from angular(v9) but it’s working fine in postman!
    I have ensured that the login role and preAuthorize api roles are same.
    Why is this happening? I have no idea…
    Please help…

  151. Hello, Thank you so much for this great tutorial !
    I have implemented this tutorial, but I have a problem.
    when i call:
    POST: http://localhost:8080/api/auth/signin
    I filled out :
    {
    “username”:”user”,
    “password”:”123456″
    }

    and postman response:
    {
    “timestamp”: “2020-05-14T13:30:02.827+0000”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “Error: Unauthorized”,
    “path”: “/api/auth/signin”
    }
    and eclipse response: “Unauthorized error:User account is locked”
    Although I have filled in the correct information.
    How can I fix it? thanks

    1. Hi, “User account is locked” happens after a number of failed authentication events. So you need to check the issue why you couldn’t login with this account.

    2. In UserDetailsImpl.java:
      Switch from false to true by the following methods:
      public boolean isAccountNonExpired()
      public boolean isAccountNonLocked()
      public boolean isCredentialsNonExpired()
      public boolean isEnabled()
      Because if you automatically generated them by default they are false.

      PD: Sorry, I’m really not very good at English

  152. how can i implement the same in oracle database, i have some issues with this. if you can help me, i’ll be very greatful. i hear that the versions are the most current issue.

  153. Hey. Thank for the tutorial but I think there might be one problem or it’s only happening for me. But maybe you can reproduce it. I’m using the full tutorial of Angular and Spring Boot and if I register and directly login with this account I get 2020-05-12 23:20:09.452 ERROR 13476 — [nio-8080-exec-7] d.example.project.security.jwt.JwtUtil : Invalid JWT token: JWT strings must contain exactly 2 period characters. Found: 0
    The JWT token is undefined. So the typical Angular behaviour if something is not loaded. Is that a special case and should somehow be validated in Spring Boot? Or is anything wrong in Angular? The method doFilterInternal() in AuthTokenFilter.java is causing this.

    1. Okay I could fix it in a not very acceptable manner. In the authInterceptor in Angular you are using the line const token = this.token.getToken(); and this is giving me undefined and is not null and gives it to the Spring Boot backend. The only way to handle it is if (token != null && token != “undefined”) {

      1. If I clone your repo, the app is working fine. If I try to build the app after your’s, I got Invalid JWT token: JWT strings must contain exactly 2 period characters. Found: 0. I look forword to hear from you with a solution. Thank you

    2. I could not understand why token value is undefined as everything is running fine in postman

    3. Hello! Were you able to resolve the error caused by Invalid JWT token? I have the same problem and I couldn’t solve it with (token != null && token != “undefined”). Thank you

  154. Hello, Thank you so much for this great tutorial !

    I have implemented this tutorial, but I have a problem.
    When localhost:8080/api/expense/all called, it’s successfully as expected. But when localhost:8080/api/expense/76 (76 is ID for an expense), the expenseService always returns null (500 server error).

    What could be the cause? and how to fix it?

  155. Hello, thank you for the tutorial. I keep getting “Error: Unauthorized” when I go to /user , /mod, or /admin and /all. Everything else seems to work okay. Do you have any idea as to why I might be getting this error?

      1. Hey there can u please help me with error ….
        “internal server error”

        when i m passing the jason body it is showing error as: Internal server Error
        and error message as : “Role not found”

  156. Hello!

    Amazing work, I used this implementation and everything works fine. Thanks for sharing.
    However, I have a question because I want to add the option remember me to login and I am not sure how to implement it in this case.

    I have API in spring boot and frontend in react. I tried to add rememberMe() function at configure(HttpSecurity http) function at WebSecurityConfig class, but after that i don’t see a remember-me cookie in the browser.

    Do you have any advice?

    Greetings
    Adrian

  157. main] o.s.b.web.embedded.tomcat.TomcatStarter : Error starting Tomcat context. Exception: org.springframework.beans.factory.UnsatisfiedDependencyException.

    M I the only one ?

  158. Apart from component scanning , if you missed web-starter dependency , it could cause a ripple , that is what i’ve done and failed me many times.

  159. Hello Sir
    Thank you so much for such a detailed tutorial. You made life very easy for more in learning spring authentication.

    However, I am facing two challenges; 1. I cant add more than one users because the in the user_roles table the ids for both user and the role are unique. I get an exception: java.sql.SQLIntegrityConstraintViolationException: Duplicate entry ‘1’ for key ‘UK_5q4rc4fh1on6567qk69uesvyf’

    2. After registering a user I get another exception on trying to login: 2020-05-07 13:05:36.007 WARN 12224 — [nio-8080-exec-7] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
    2020-05-07 13:05:36.008 ERROR 12224 — [nio-8080-exec-7] z.o.m.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials

    How best can I avoid roles column in the user_roles table to be non unique or is there a different approach.

    1. Hi, I don’t really understand your question.
      “I cant add more than one users because the in the user_roles table the ids for both user and the role are unique.”

      You can add user by sending HTTP request to /api/auth/signup endpoint (with role array in the payload).

      1. its about the relationship table. the one that has two columns for either ids (role_id and user_id). Since we created a table with 3 roles that have ids 1,2, and 3 in the table the ids are unique say if my first user has id=1 and role is ROLE_USER which has id=1 then if i wish to add another user with id=2 and role ROLE_USER again when added to the relationship table where role_id = 1 already exists. this will create a scenario like:

        user_id |role_id
        1 | 1
        2 | 1
        which then complains of constraint violation issues since role_id must be unique. well i had to create new roles with new ids.

        my question number 2
        After registering a user I get another exception on trying to login: 2020-05-07 13:05:36.007 WARN 12224 — [nio-8080-exec-7] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
        2020-05-07 13:05:36.008 ERROR 12224 — [nio-8080-exec-7] z.o.m.security.jwt.AuthEntryPointJwt : Unauthorized error: Bad credentials
        What could be the cause?

        1. 1. The relationship between User entity and Role entity is Many to Many.
          We don’t add any record to user_roles table directly. Please look at how we signup user in AuthController.
          I will write a tutorial for Spring JPA Many to Many Association when having time.

          2. I don’t really know what was wrong. You can debug yourself and notice these lines:

          User user = new User(signUpRequest.getUsername(), 
					 signUpRequest.getEmail(),
					 encoder.encode(signUpRequest.getPassword()));

          1. Thanks very much I will do that and check whats causing the exception

          2. Hey Bezkoder,
            i am not able to understand what might be the root of Empty coded password, i searched it everywhere,user has already been registered,but i am facing the above issue and error is coming as Bad credenetials

  160. Hello,

    I’m trying to follow your tutorial but I’d like to have a connexion without username (just email/password), what is the workaround for this? I’m in trouble when I need to implement the UserDetailsService because there is no loadByEmail method or something like this.

    1. Hi, you can treat ‘username’ as ’email’. That means, when saving user information to the database, the username column stores email.

  161. Best Tutorial!
    I have learned lot of new things.
    Can you explain to me the functionality of every role?

    1. Hi, it depends on your use cases. The roles in this tutorial is used for illustrating authority 🙂

  162. Really great tutorial, it helped me a lot, thank you very much! 🙂

    But one question:

    Why can you write @PreAuthorize(“hasRole(‘ADMIN’)”)
    and not @PreAuthorize(“hasRole(‘ROLE_ADMIN’)”)

    We neved used the string ADMIN anywhere, only ROLE_ADMIN as part of the enum.

    1. Hi, the ‘ROLE_’ prefix gets added automatically for hasRole. If you want to work with ROLE_ADMIN, just use hasAuthority('ROLE_ADMIN').

      1. ah, thank you so much, very simple explanation and it makes sense! I didn’t take a course on Spring Security yet, so I didn’t know that.

  163. Thanks for this amazing course. It was really easy to understand it.
    I have one question, given this example code, how could I implement an oauth2 login as well?

    E.g. : when the user visits /signin , I would like to provide the options of logging in either with jwt or oauth2 (github/google). Can you give me a hint?

  164. Thx for this tutorial, I looked through a lot of tutorials and couldn’t understand any of them until I found yours.

    Thank you so much

  165. Great tutorial!
    I have a question, How can I modify it to authenticate a user using its email and password instead of username and password ?

      1. Thank you for This Awesome Gift Tutorial 😉

        I have many other Application that use the same Table and there is no possible way to change table structure as it’s in production.

        We have email,password Field so can you please show me How to force UsernamePasswordAuthenticationToken to attempt auth using email instead of username please.

  166. Hello,
    I’m getting the following error, whenever I try to create a signup POST request:
    ERROR: insert or update on table “user_roles” violates foreign key constraint “fkrhfovtciq1l558cw6udg0h0d3”
    Detail: Key (role_id)=(2) is not present in table “role”.
    I’ve already inserted the 3 roles you mentioned.
    Do you know why I’m getting this error? Thank you for your help! 🙂

    1. Hi, I think you can drop user_roles table, then drop users and roles table.
      Just do everything from the beginning. Maybe you miss or make mistake in a certain step.

  168. Can you post here your headers in the request? I got i problem and i think the header is the cause.

    2. {
      “username”:”alphabank”,
      “password”:”alphabank”,
      “role”:[“mod”, “user”]
      }
      this is the request i am sending, and the header is content-type-
      application/json

    1. Hi, please make sure that you set the correct Authorization Header in HTTP request.

  171. Hello!
    it’s giving me this: “message”: “Error: Role is not found.” to refer to this one: case “admin”:
    Role adminRole = roleRepository.findByName(ERole.ROLE_ADMIN)
    .orElseThrow(() -> new RuntimeException(“Error: Role is not found.”));
    roles.add(adminRole);

    break;
    Can you tell me what’s the problem please? Thanks.

  172. I loved this Spring Boot Auth tutorial! I actually read your blog fairly often, and you’re constantly coming out with some great tutorials here.

  174. Excellent! It worked perfectly. That’s not the first time I found here exactly just what I looking for. Thanks for the good work.

  176. Hi BezKoder,

    Thank you so much for you posting such superb tutorial. And could you explain a little how this JWT token has secured in this api.

    1. Hi, JWT does not hide, obscure, secure data at all.
      You can see that the process of generating JWT (Header, Payload, Signature) only encode & hash data, not encrypt data.

      The purpose of JWT is to prove that the data is generated by an authentic source.
      If you want to know more details about JWT, you can visit:
      In-depth Introduction to JWT-JSON Web Token

  177. Ok, now I’ve got it. Testing this endpoint I tried to send token from Headers tab, instead using Authorisation tab. Everything is ok 🙂

  178. Hi bezkoder, thank you very much, you’ve done a great job!
    I have one problem with Postman.
    After signing in as “mod” I try to access resource: GET http://localhost:8080/api/test/user.
    I send value: Bearer {my token} with key Authorization (in section Header) and I receive this error:
    {
    “timestamp”: “2020-04-04T23:51:06.706+0000”,
    “status”: 401,
    “error”: “Unauthorized”,
    “message”: “Error: Unauthorized”,
    “path”: “/api/test/user”
    }
    What am I doing wrong?

    1. Hi, I’ve checked GET http://localhost:8080/api/test/user with ‘mod’ role and it works.
      Please make sure that you use the token correctly.

      1. Can you post me your PostMan requests? I still get the unauthorized error
        Thank you!

  179. Hi bezkoder i have a problem when i create a user and give him some roles on angular when i’m back in springBoot the role array is empty can you help please!!!

    Best regards !!

  181. Hi, im new with java language and this helped me a lot. Are there any way to support and
    appreciate your work?

    Thanks so much !!

    1. Hi Alberto,

      I’m so happy to know that this tutorial helps many people like you.
      If you want to donate, I have a Paypal account: [email protected] 🙂

      Best Regards,
      bezkoder.

  182. Hello Bezkoder thank you , you did a great job , but hasRole(..) it should be changed to hasAuthority right? because at first hasRole doesn’t work after that i tried with hasAuthority and it works..

    1. Hi, Roles and Authorities are similar in Spring.
      The difference is that the 'ROLE_' prefix gets added automatically for hasRole. That means, hasAuthority('ROLE_USER') is similar to hasRole('USER'). 🙂

      1. thank you bezkoder , i have a question i didn’t add the prefix ROLE_ when i added my roles (because i didn’t use enumarted strings ), so i think that’s why she doesn’t work in the first time with hasRole so did you think if that will causes a problems??

        1. You must add the prefix ROLE_ to make it work 🙂 Please follow step by step in the tutorial.

          1. ok thank you , what about the logout endpoint
            the method should have parametres?

            //tokenStore.removeAccessToken(accessToken);
            //tokenStore.removeRefreshToken(refreshToken);

          2. We’re gonna implement logout on frontend side (by removing token from localStorage/sessionStorage for example). So we don’t need logout endpoint here.

  183. where are payload classes, i didn’t find them com.bezkoder.springjwt.payload.*

  184. Hi, thanks for the tutorial I have this error that the postman shows me what do you know?

    “error”: “Bad Request”,
    “message”: “Invalid JSON input: Cannot deserialize instance of `java.util.HashSet` out of VALUE_STRING token; nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.util.HashSet` out of VALUE_STRING token\n at [Source: (PushbackInputStream); line: 5, column: 10] (through reference chain: com.ramajudicial.Solicitud.de.Informacion.payload.requet.SignupRequest[\”role\”])”

      1. Hi, thanks for answering if I had something wrong with the POST, now this error is generating, I am working with a sql server database

        Error: Cannot insert the value NULL into column ‘userId’, table ‘lramajudicialpru.dbo.user’; column does not allow nulls. INSERT fails.

        Do you know why you are sending me null?

        1. Hi, this Spring Boot Application is configured to work with MySQL or PostgreSQL database, so you need to modify application.properties file for SQL Server Database.

          1. Do you have any idea how to configure it? I have this configuration connected to the database but I don’t know why it gives the previous error

            spring.datasource.url=
            spring.datasource.username=
            spring.datasource.password=
            spring.datasource.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
            spring.jpa.show-sql=true
            spring.jpa.hibernate.dialect=org.hibernate.dialect.SQLServer2012Dialect
            spring.jpa.hibernate.ddl-auto = validate
            spring.jpa.hibernate.naming_strategy = org.hibernate.cfg.EJB3NamingStrategy

            thanks.

          2. You should fill url, username and password.
            If you did it but the error still occurs, I’m so sorry because I’ve not worked with SQL Server now.
            I will check it and write another tutorial when having time 🙂

  187. Hello,

    Thanks for the great tutorial, but i have one problem. When sending a request to the API with the roles “mod”, “user” it always throws an exception that it could not find a role.

    This even happens when using your source code.

    {
  "username": "henk",
  "email": "[email protected]",
  "password": "keukentafel",
  "role": ["mod", "user"]
}

    1. Nevermind, as I was writing this comment I found the problem. Forgot to put the roles in the postgres database

    4. {
      “username”: “henk”,
      “email”: “[email protected]”,
      “password”: “keukentafel”,
      “role”: [“henk”, “user”]
      }

      please use above one. (insted of mod —-> henk)

  188. Hello, I am a beginner in the code do you create the fields of the database tables? or do you do manual in mysql?

      1. Thank you for your response, and if I have a database already created with the same data, should your code work well? Or do I have to skip somewhere?

        1. If you have the same database table, you don’t need to run SQL queries for inserting records to roles table 🙂

  190. The JwtResponse.type Bearer what is this? what does it mean? can it be changed to a custom one? can it be omitted?

  191. Hello, many thanks for these great tutorials!

    I think I’ll go this way to implement a simple app, but I have some questions.
    Is there a way to encrypt password in the POST request? I can see it is encrypted in database but requests can be intercepted and I’m new to angular.
    Do you plan to make a tutorial on deployment of a Spring boot app? I heard of solutions like heroku, azure, amazon.. but it’s still a bit confusing, I’d really like a guide made by you on this (you make things look really simple!).

    2. Definitely look into Heroku, which is part of Salesforce Inc apparently. They are by far the easiest and most user friendly hosting platform for Spring boot applications that I know of.

    3. You encrypt POST requests by using HTTPS with a valid certificate. If you do that, the whole POST request body will be encrypted. In order for your requests to not be intercepted, you should never send them over HTTP. This tutorial is good for setting it up in development, but when you go into live environment, it’s necessary to look into HTTPS as well.

      1. Hello, how can we do that easily ? Is there some simple tutorials like that ?

  193. Hi Bezkoden,

    Thank you for the great tutorial. I do have a question, though. The AuthenticationManager in the AuthController is not able to be autowired as there is no bean found for the AuthenticationManager. Do you have any idea as how to solve it?

    Thanks in advance!

    1. Hi, we have a bean in WebSecurityConfig:

      public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  ...
  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }
  ...

  195. Hi, great Tutorial. But if I want to register a user i get this Error:
    “timestamp”: “2020-02-06T15:14:41.823+0000”,
    “status”: 405,
    “error”: “Method Not Allowed”,
    “message”: “Request method ‘GET’ not supported”,
    “path”: “/api/auth/signup”

    The same for “path”: “/api/auth/signin”.
    Could you pls help me. Thank you very much

    1. Hi, please make sure you make a POST HTTP request (with payload) instead of GET request to /api/auth/signin endpoint.

  196. Hi bezkoder,

    Thank you for the tutorial!

    I have followed your instructions. However, for some reason in my WebSecurityConfig.java, I get an error on the following code block:

      @Override
  public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
    authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
  }

    which underlines the userDetailsService in the brackets and says:

    userDetailsService (T) in AuthenticationManagerBuilder cannot be applied to
    (com.globomatics.portalproject.services.UserDetailsServiceImpl)
    reason: no instance(s) of type variable(s) exist so that UserDetailsServiceImpl conforms to UserDetailsService

    Do you have an idea why I might be getting this one and how could I fix it?

    Thank you in advance!

      2. How did you fix it?? Please in future comment the fix as well (for other people who have the same problem, like me)

        2. Hi, make sure that you’ve add @Service annotation for UserDetailsServiceImpl class.

      1. Make sure that you implemented UserDetailsService from org.springframework.security.core.userdetails.UserDetailsService.

        That worked for me.

  197. here is an overview of its code application.properties:

    spring.datasource.url= jdbc:mysql://localhost:3306/testdb?useSSL=false
    spring.datasource.username= root
    spring.datasource.password=

    spring.jpa.hibernate.ddl-auto= update
    spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQL5Dialect

    # App Properties
    example.app.jwtSecret= secretkey
    example.app.jwtExpirationMs= 123456789

    1. Please make sure that you’ve configured datasource in application.properties correctly.
      If the issue still exists, please show me your console log error.

    1. Hi, you must create testdb database with username & password first.
      Our Hibernate configuration only generates tables.

  201. Hi bezkoder! thank you very much for this awesome tutorial! I have a little question though.. It all worked perfectly, but when i create an user with 2 roles (as input I wrote: ‘ “role”: [“ROLE_MODERATOR”, “ROLE_USER]’ the app only associates the user with user role, but not with moderator role. I tried with my own code (following ur instructions) but when it didnt work, i cloned your repo, but i still have the same problem.. do u know what it could be?

    Thanks again for this amazing tutorial!

    3. Hello, can you help me to resorlve this problem, i can’t assign ROLE_ADMIN or ROLE_MODERATOR to user.when i add a user even i specify admin or role in dataBase it’s user role !!

        1. i did but i have the some problem :'( .in user_roles table i have:
          user_id role_id
          1 1
          2 1
          3 1
          4 1
          5 1
          THX U for your answer (f)

          1. We have 3 tables, and each row in user_roles was generated automatically 🙂

            So you should create user by sending HTTP request with payload containing role array.

        2. Pls can you tell me where to add role : [“admin” , “mod”] in payload . because even I am facing the same problem only one role is getting assign to user.

  202. Great tutorial but my database table was not generated at startup

    spring.datasource.url= jdbc:mysql://localhost:3306/testdb?useSSL=false
spring.datasource.username= root
spring.datasource.password= 123456

spring.jpa.properties.hibernate.dialect= org.hibernate.dialect.MySQL5InnoDBDialect
spring.jpa.hibernate.ddl-auto= update

# App Properties
bezkoder.app.jwtSecret= bezKoderSecretKey
bezkoder.app.jwtExpirationMs= 86400000

    and any pointer on how to generate refresh token. thanks

    1. Hi, you must create testdb database with username & password first.
      Our Hibernate configuration only generates tables.

      For refresh token, I will write a tutorial when having time. 🙂

  205. Hello,
    Thank you very much for your step by step tutorial.

    I got the following error: “cannot resolve method getName()” in the following method:

    public static UserDetailsImpl build(User user) {
        List authorities = user.getRoles().stream()
                .map(role -> new SimpleGrantedAuthority(role.getName().name()))
                .collect(Collectors.toList());

        return new UserDetailsImpl(
                user.getId(),
                user.getUsername(),
                user.getEmail(),
                user.getPassword(),
                authorities);
    }

    Initially, I thought it happened maybe I did some mistake during my typing. But I copy-paste your code for ERole, User, Role Model and also the UserDetailsImpl.java but it still shows that error.

    How can I fix that?

    1. Hi, I’m sorry, syntax highlight plugin causes the Typo.

      List<GrantedAuthority> authorities = ...

      You can check Role and User class again to make sure that all the fields are correct.
      Another way is to download the source code.

  207. Hello, I would like to ask you something.

    The spring security oauth 2.0 resource serve has been deprecated.

    Is this tutorial the way that it should be done now that the EnableResourceServer is deprecated?

    I would like to migrate my project that is using it, but in their migration guide there are not explanation about the resource server since they say that is out of the scope in the migration guide.

    Is this the new way or can you write a tutorial with the new way about implementing oauth 2.0 ?

    thanks

    1. Hi, I think that EnableResourceServer will not affect the code in this tutorial.
      For Spring Security OAuth 2.0, I will write the tutorial in near future.

  208. Excellent, I have tried this tutorial and it worked!, I’m really thankful for you, I hope you are going to be successful because sharing useful knowledge for many people.

        1. Thanks for your post. I’m also waiting for your Spring Boot JWT with Refresh Token tutorial.

  209. Hello, I’m a beginner, so I have a lot of questions. I hope you will answer this question. I’m so frustrated because I don’t understand.
    In the repository, we divided the user and the role. What function does the user and the role ? For example, if you type id/pass and then go to the repository, I don’t understand why you use id/email in the user. I know the reason why I want to use the role in the repository for automation, but I don’t know why I use the repository user.

    1. Hi, I don’t really understand your question.
      But if you want to know why we use the repository user, you can find where we call its methods:

      • userRepository.existsByUsername()
      • userRepository.existsByEmail
      • userRepository.save()
      • userRepository.findByUsername()

  210. Thank you for good writing. But I don’t understand what’s the difference between database and repository. I don’t know exactly the difference between the two, so I’m asking you a question.

    1. Hi,

      A Repository is a database that stores the metadata for Designer objects. In other words, the data associated with objects like Entities, Modules, Table Definitions, etc. is stored as rows in tables that are part of the Repository.

      The Repository also includes a PL/SQL Application Programming Interface (API) for maintaining this data.

      A Repository would essentially be linked to at least one database, but in general, it is linked to many databases.

      A Database is just a place to store data, or an application database is a place to store the data for a particular computer application.

      The Repository is itself an application database, but it also stores data about (ie. metadata – data about data) other application databases. These other databases might be co-located with the Repository, but normally are stored somewhere else.

      A Repository is a central common point of file storage of a related nature, a Database is a structured file or set of files that store and organize data.

      I found this great answer here: https://qr.ae/TeQcol.

  211. I am regular reader of your site. All of Spring tutorials are really good. This Spring Boot Authentication with JWT tutorial is the best.

  212. Amazing article! It really helped me with a school project.
    Only one question, how can I add a server side logout feature? So the token is immediately invalid

    1. Hi, you can implement a /logout endpoint (or logout functionality) where you only have to get the token and remove it from TokenStore.

      tokenStore.removeAccessToken(accessToken);
tokenStore.removeRefreshToken(refreshToken);

      The detail is decribed at: https://stackoverflow.com/a/42907381.

  213. # App Properties
    bezkoder.app.jwtSecret= bezKoderSecretKey
    bezkoder.app.jwtExpirationMs= 86400000

    by defaults?

        1. These custom properties are what you set, personally, and should not be the same as other places.

          1. This is a great example. Thanks so much for this code and explanation. You have your timeout set to 10 days (if I did the math right). I assume that normally, you would want the timeout to be some much lower value, such as 10-15 minutes. How do you handle the timeout? You only want the user’s login to timeout if he has been inactive. So do you get a new token with every transaction? Or if it has been 10 minutes since the last token?

  214. Hello, im a french dev student, thank you very much for your work! I have a probleme with this method in UserDetailsImpl.

    => public static UserDetailsImpl build(User user) {
		List authorities = user.getRoles().stream()
				.map(role -> new SimpleGrantedAuthority(role.getName().name()))
				.collect(Collectors.toList());

		return new UserDetailsImpl(
				user.getId(), 
				user.getUsername(), 
				user.getEmail(),
				user.getPassword(), 
				authorities);
	}
=>  getName() "cannot resolve method"

    Im not very strong with stream map etc, can you explain me this block a bit more?

    Thank you for your attention and continue to display this wonderful content.

    Mathieu

    1. Hi Mathieu,

      user.getRoles() returns a Set<Role>, we convert this Set to a Stream of Role. Imagine that the stream is a collection of Role that releases items in turn.

      map() changes every Role item above to a SimpleGrantedAuthority object, the parameter for the constructor could be one of these Strings: ‘ROLE_USER’, ‘ROLE_MODERATOR’, ‘ROLE_ADMIN’.

      So, what does role.getName().name() do?
      role.getName() returns ERole enum object, let’s call it erole_object. Look back to this:

      public enum ERole {
	ROLE_USER,
    ROLE_MODERATOR,
    ROLE_ADMIN
}

      erole_object.name() returns the String corresponding to the enum (‘ROLE_MODERATOR’ for example).

      Please make sure that you define Role model in Role.java correctly.

      Regards,
      bezkoder.

      1. Thank you a lot for your explanation! I will follow your site and youtube channel studiously and recommend it to others students!

    3. Role has a method called getName() which returns the Enum constant & name method returns the name of this enum constant.

    2. What if we wanted to update the role for a user on the website ? Like remove Role_Moderator and upgrade him to Role_Admin ? How to do that ?

Comments are closed to reduce spam. If you have any question, please send me an email.