Reputation: 8276
Spring Boot Security With JWT Token Tricks and Best Practices
Looking for a good explanation for to following: Once we identify a user (by any of the safe methods) we can generate a JWT token ang give it back to the user to identify themselves for a limited time without having to re-authenticate.
How do we ensure that the correct user is using the correct token. Example, what if
user 2stole the token ofuser 1, or what isnot a userstole the token ofuser 1. Are we blindly going to trust the token? How to protect from this case?What if
user 1grabs the token and modifies it to add some extra privileges? How to protect from this case?
Let's assume token is served in a cookie and it is not httpOnly, since UI needs to read (or decode) the content to grab some of the information from it's content.
Upvotes: 2
Views: 77
Answers (1)
Reputation: 62615
Are we blindly going to trust the token?
Yes, it's the principle of a bearer token. If someone stole it, he can impersonate the regular user. Against this, there is two mechanisms:
- The token has a lifetime that can be relatively short.
- In some implementations, the token can be revoked.
What if user 1 grabs the token and modifies it to add some extra privileges?
The token is signed with a cryptographic algorithm. If you modified it, it's signature would become invalid.
Upvotes: 1
Related Questions
- JWT and Spring Security
- Secure spring boot app without user log on
- JWT Authentication Flow in a Front -End Application?
- JWT Token Security
- Implementing JWT Authentication on Spring Boot APIs
- JWT Spring - user based access
- Main concepts of spring security with JWT tokens (Spring boot with REST controllers)
- Spring Security: JWT token for API and session for web
- Spring boot security, JWT auth server to server
- Secure REST Api with Spring boot and JWT