Spring Security JWT validation without using UsernamePasswordAuthenticationToken

0
votes

I need to write my custom Security Spring filter to validate a JWT token.

I have my custom JWT validator. When the token is valid I have to authorise the user.

I implemented this like some others example that are presents online:

UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user_id, null, null);

usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));  
                  SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);

This works fine but my question is this: Is there a dedicated AuthenticationToken for JWT validation without to use UsernamePasswordAuthenticationToken?

I don't like to use UsernamePasswordAuthenticationToken... it's a good practice?

1
javaspringspring-securityjwt

1 Answers

0
votes

Of course , it does not look good from the clean code 's point of view because its name UsernamePasswordAuthenticationToken does not match with thing that object does. JWT is nothing to do with the password. Just like if you use the name orange to refer an apple will be confusing too.

JWT is normally used as the Bearer token , and spring-security-oauth2-resource-server provides a BearerTokenAuthenticationToken . But it will pull out all other OAuth2 dependencies stuff to your project. So if you don't need the OAuth2 and just need this token class , simply create a own by yourself.