Since this topic became very extensive, I decided to split up the blog into 4 parts. To keep blog lengths manageable. Here is the split up
Part 1: Introduction
Part 2: Payara, Spring Boot and Quarkus (this one)
Part 3: Ktor and Atbash Runtime
Part 4: Discussion and conclusion
For an introduction around JWT Tokens, you can have a look at the first part of this blog. It also contains a description how the Keycloak service is created for the example programs described in this part.
Payara
As an example of how you can work with JWT tokens with Jakarta EE and MicroProfile, we make use of Payara Micro.
The JWT Token support is provided by MicroProfile, so add the dependency to your project.
<dependency> <groupId>org.eclipse.microprofile</groupId> <artifactId>microprofile</artifactId> <version>6.0</version> <type>pom</type> <scope>provided</scope> </dependency>
We are using MicroProfile 6, which requires Jakarta EE 10 runtime as this is the version that is supported by the Payara Micro community edition.
As configuration, we need to provide the endpoint where the MicroProfile JWT Auth implementation can retrieve the public key that is required to validate the content of the token against the provided signature. This can be done by specifying mp.jwt.verify.publickey.location
configuration key. Two other configuration keys are required, one that verifies if the issuer of the token is as expected and the audience claim is the other one.
Other configuration aspects are the indication that a JWT token will be used as authentication and authorization for the endpoints through the @LoginConfig
annotation. The @DeclareRoles
annotation is a Jakarta EE annotation that indicates which roles are recognised and can be used. These annotations can be placed on any CDI bean.
@LoginConfig(authMethod = "MP-JWT") @DeclareRoles({"administrator"})
On the JAX-RS method, we can add the @RolesAllowed
annotation to indicate the role that must be present in the token before the client is allowed to call the endpoint.
@GET @Path("/admin") @RolesAllowed("administrator") public String getAdminMessage() {
When there is no annotation placed on the method, only a valid JWT token is required to call the endpoint. Also, have a look at the part 4 of this blog for some important info and differences between runtimes.
Through the MicroProfile JWT Auth specification, we can also access one or all the claims that are present in the token. The following snippet shows how you can access a single claim or the entire token in a CDI bean or JAX-RS resource class.
@Inject @Claim("preferred_username") private String name; @Inject private JsonWebToken jsonWebToken; // When you need access to every aspect of the JWT token.
The entire example can be found in the project https://github.com/rdebusscher/Project_FF/tree/main/jwt/payara.
Spring Boot
Also, Spring Boot has excellent support for using JWT tokens for the authentication and authorization of rest endpoints. Besides the Spring Boot Security starter, the Oauth2 Resource Server dependency is required within your application. So you don’t need to handle the JWT token yourself in a programmatic way as some resources on the internet claim.
In our example, we use Spring Boot 3 and JDK 17.
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-oauth2-resource-server</artifactId> </dependency>
In contrast to MicroProfile where you need to provide several configuration keys, Spring boot makes use of the OpenId Connect specification where it is defined that the endpoint .well-known/openid-configuration
provides all info. This includes the location of the public key required for the validation of the token against the signature and the value of the issuer. The location can be specified through a Spring Configuration resource.
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/atbash_project_ff spring.security.oauth2.resourceserver.jwt.audiences=account
The audience value is not required to be defined, Spring Boot works without it. But it is a recommended configuration aspect to make sure that tokens are correctly used, especially when you use tokens for multiple applications.
You can either define the requirements for the roles that should be present in the token using a Spring Bean that extends the WebSecurityConfigurerAdapter
class and the HttpSecurity builder, but I prefer the method-based approach.
With this approach, you can define the required role using the @PreAuthorize
annotation
@GetMapping("/admin") @PreAuthorize("hasAuthority('administrator')") public String getAdminMessage() {
It makes it easier to find out which role is required before a client can call the endpoint and also easier to verify if you didn’t make any error in the security configuration of your application. This method-based approach requires a small activation and mapping between the roles within the token and the authority
we check in the annotation.
@Configuration @EnableMethodSecurity public class MethodSecurityConfig { }
The configuration for the JWT token roles is provided by a JwtAuthenticationConverter
bean.
@Bean public JwtAuthenticationConverter jwtAuthenticationConverter() { JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter(); grantedAuthoritiesConverter.setAuthorityPrefix(""); grantedAuthoritiesConverter.setAuthoritiesClaimName("groups"); JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter(); jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter); return jwtAuthenticationConverter; }
Within the REST methods, we can have access to the JWT token claims, just as with the Jakarta EE and MicroProfile example. We need to add a JwtAuthenticationToken
parameter to the method which allows access to claims through the getTokenAttributes()
method.
@GetMapping("/user") public String getUser(JwtAuthenticationToken authentication) { Object username = authentication.getTokenAttributes().get("preferred_username");
The entire example can be found in the project https://github.com/rdebusscher/Project_FF/tree/main/jwt/spring.
Quarkus
The Quarkus support is also based on MicroProfile, so you will see several similarities with the Payara case I described earlier. The Quarkus example is based on the recent Quarkus 3.x version. As a dependency, we need two artifacts related to the JWT support provided by the SmallRye project. Although it seems you do not need the build one at first sight, as it is about creating JWT tokens within your application, the example did not work without it.
<dependency> <groupId>io.quarkus</groupId> <artifactId>quarkus-smallrye-jwt</artifactId> </dependency> <dependency> <groupId>io.quarkus</groupId> <artifactId>quarkus-smallrye-jwt-build</artifactId> </dependency>
Since the SmallRye JWT implementation is also using the SMicroProfile JWT auth specification, the configuration through key-value pairs is identical to the Payara one. We need to define the location of the publicKey, and the expected values for the issuer and audience. In the example, I have defined them in the application.properties file, a Quarkus-specific configuration source. But as long as they can be retrieved through any of the supported configuration sources, it is ok.
Since Quarkus is not a Jakarta-compliant runtime, it doesn’t require any indication that the application will make use of the JWT tokens for authentication and authorisation. The existence of the two dependencies we added earlier to the project is enough. In this case, it is similar to the Spring Boot case where we also did not do this.
On the JAX-RS resource methods, we can indicate if we need a certain role within the token, or that just the token itself is required and no specific role is required. If a role is required, we can make use of the same @RolesAllowed
annotation we encountered in the Payara example or we need to add the @Authenticated
annotation if we just need a valid token.
@GET @Path("/admin") @RolesAllowed("administrator") public String getAdminMessage() { return "Protected Resource; Administrator Only "; } @GET @Path("/user") @Authenticated // No roles specified, so only valid JWT is required public String getUser() { return "Protected Resource; user : " + name; }
This @Authenticated
annotation is defined in the Quarkus Security artifact, brought in transitively, and indicates that an authenticated user is required. Without this annotation, the endpoint would become publicly accessible, without the need for any token or authentication method.
More on that in a part 4 of this blog.
The retrieval of the claims is again identical to the Payara case. The example project can be found at https://github.com/rdebusscher/Project_FF/tree/main/jwt/quarkus.
Runtimes
The Ktor and Atbash Runtime versions of the example application are described in part 3.
Part 1: Introduction
Part 2: Payara, Spring Boot and Quarkus (this one)
Part 3: Ktor and Atbash Runtime
Part 4: Discussion and conclusion
Training and Support
Do you need a specific training session on Jakarta EE, Quarkus, Kotlin or MicroProfile? Have a look at the training support that I provide on the page https://www.atbash.be/training/ and contact me for more information.