<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Prafful Lachhwani</title>
    <description>The latest articles on Forem by Prafful Lachhwani (@prafful).</description>
    <link>https://forem.com/prafful</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F490390%2F5ba86db6-507d-4e8f-8897-d602907ddf45.JPG</url>
      <title>Forem: Prafful Lachhwani</title>
      <link>https://forem.com/prafful</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/prafful"/>
    <language>en</language>
    <item>
      <title>6 Tips and Tricks to avoid NullPointerException</title>
      <dc:creator>Prafful Lachhwani</dc:creator>
      <pubDate>Fri, 11 Feb 2022 11:50:06 +0000</pubDate>
      <link>https://forem.com/prafful/6-tips-and-tricks-to-avoid-nullpointerexception-5dd</link>
      <guid>https://forem.com/prafful/6-tips-and-tricks-to-avoid-nullpointerexception-5dd</guid>
      <description>&lt;p&gt;Null references have historically been a bad idea; even Tony Hoare, who invented &lt;code&gt;null&lt;/code&gt; references, calls it The Billion Dollar Mistake.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"I call it my billion-dollar mistake. It was the invention of the null reference in 1965. At that time, I was designing the first comprehensive type system for references in an object-oriented language (ALGOL W). My goal was to ensure that all use of references should be absolutely safe, with checking performed automatically by the compiler. But I couldn't resist the temptation to put in a null reference, simply because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years." ~ Charles Antony Richard Hoare&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  1. Overview
&lt;/h2&gt;

&lt;p&gt;NullPointerException can sometimes be frustrating. It can break your application, and it can be difficult to find the actual issue in the production server logs. In this article, I will explain what &lt;code&gt;java.lang.NullPointerException&lt;/code&gt; is. We will also see various tips and tricks that will help you write better code. If you already have some idea about &lt;em&gt;NullPointerException&lt;/em&gt;, skip to the How to avoid NullPointerException? section.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. What is NullPointerException?
&lt;/h2&gt;

&lt;p&gt;NullPointerException is a runtime exception thrown when a program tries to access an object through a null reference or performs any operation on a null object. Here is a simple code snippet that throws &lt;code&gt;java.lang.NullPointerException&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0feafq8rdgguc7glkne3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0feafq8rdgguc7glkne3.png" alt="carbon.png" width="800" height="451"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here &lt;code&gt;str&lt;/code&gt; is null, so any operation on it will throw NullPointerException. This is the output if we try to run this code:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzm0jh42jsq3wiksxss2s.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzm0jh42jsq3wiksxss2s.png" alt="carbon (1).png" width="800" height="271"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This was a trivial example. Imagine if our String &lt;code&gt;str&lt;/code&gt; were passed as an argument or came from the result set of a database call: the application would break. In the next section, we will see some best practices to avoid NullPointerException.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. How to avoid NullPointerException?
&lt;/h2&gt;

&lt;p&gt;One of the well-known ways to avoid &lt;code&gt;java.lang.NullPointerException&lt;/code&gt; is to add null checks wherever plausible. However, this approach will bloat your code with &lt;code&gt;null != something&lt;/code&gt; statements. Here are some best practices that you can follow to make your code &lt;em&gt;NullPointerException&lt;/em&gt; proof.&lt;/p&gt;

&lt;h3&gt;
  
  
  3.1. Using Optional Class
&lt;/h3&gt;

&lt;p&gt;The Optional class was introduced in Java 8. Here is an example that shows how you can use the Optional class to reduce &lt;em&gt;NullPointerExceptions&lt;/em&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;java.util.Optional&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Example&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="o"&gt;[])&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
        &lt;span class="nc"&gt;Optional&lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;strOpt&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Optional&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;ofNullable&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
        &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;print&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;strOpt&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;orElse&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;""&lt;/span&gt;&lt;span class="o"&gt;).&lt;/span&gt;&lt;span class="na"&gt;length&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt; &lt;span class="c1"&gt;// prints 0&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Here, &lt;code&gt;strOpt.orElse("")&lt;/code&gt; gives us an empty string when &lt;code&gt;str&lt;/code&gt; is null; otherwise, it returns the original string. Below are some more useful methods of the Optional class for different scenarios:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;public boolean isPresent()&lt;/code&gt; - Returns &lt;em&gt;true&lt;/em&gt; if there is a value present, otherwise &lt;em&gt;false&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;public T get()&lt;/code&gt; - If a value is present in this &lt;em&gt;Optional&lt;/em&gt;, returns the value, otherwise throws &lt;em&gt;NoSuchElementException&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;public T orElseGet(Supplier&amp;lt;? extends T&amp;gt; other)&lt;/code&gt; - Returns the value if present, otherwise invokes other and returns the result of that invocation.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To read more about the Optional class, refer to &lt;a href="https://docs.oracle.com/javase/8/docs/api/java/util/Optional.html" rel="noopener noreferrer"&gt;Optional (Java Platform SE 8)&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3.2. Using StringUtils
&lt;/h3&gt;

&lt;p&gt;StringUtils handles &lt;code&gt;null&lt;/code&gt; input Strings quietly, meaning that if a null String is passed it does not throw &lt;em&gt;NullPointerException&lt;/em&gt;. It considers the null String as blank. To use this in your project you may need to import &lt;code&gt;StringUtils&lt;/code&gt; from &lt;a href="https://mvnrepository.com/artifact/org.apache.commons/commons-lang3" rel="noopener noreferrer"&gt;Apache Commons Lang&lt;/a&gt;. The code below demonstrates the null safety feature of &lt;em&gt;StringUtils&lt;/em&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;org.apache.commons.lang3.StringUtils&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;

&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Example&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="o"&gt;[])&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
        &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;print&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;StringUtils&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;length&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;));&lt;/span&gt; &lt;span class="c1"&gt;// prints 0&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Some useful StringUtils methods are as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;public static boolean isNotBlank(CharSequence cs)&lt;/code&gt; - Checks if a CharSequence is not empty, not null and not whitespace only.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;public static boolean equals(CharSequence cs1, CharSequence cs2)&lt;/code&gt; - Compares two CharSequences, returning true if they represent equal sequences of characters. Returns &lt;em&gt;true&lt;/em&gt; if both arguments are &lt;em&gt;null&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Read more about StringUtils &lt;a href="https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/StringUtils.html" rel="noopener noreferrer"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3.3. Using Primitive Datatypes
&lt;/h3&gt;

&lt;p&gt;Primitive datatypes can never be null, so wherever possible try using:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;int&lt;/code&gt; instead of &lt;code&gt;Integer&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;boolean&lt;/code&gt; instead of &lt;code&gt;Boolean&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;float&lt;/code&gt; instead of &lt;code&gt;Float&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;double&lt;/code&gt; instead of &lt;code&gt;Double&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;long&lt;/code&gt; instead of &lt;code&gt;Long&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;short&lt;/code&gt; instead of &lt;code&gt;Short&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;char&lt;/code&gt; instead of &lt;code&gt;Character&lt;/code&gt;.
&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3.4. Calling equals on literal
&lt;/h3&gt;

&lt;p&gt;When comparing two Strings or elements of an enum, it is always recommended to use a non-null value on the left-hand side. Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Example&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="o"&gt;[])&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"abc"&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;equals&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;))&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
            &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
        &lt;span class="o"&gt;}&lt;/span&gt;
        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;equals&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"abc"&lt;/span&gt;&lt;span class="o"&gt;))&lt;/span&gt; &lt;span class="c1"&gt;// NullPointerException here&lt;/span&gt;
        &lt;span class="o"&gt;{&lt;/span&gt;
            &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
        &lt;span class="o"&gt;}&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  3.5. Using Ternary Operator
&lt;/h3&gt;

&lt;p&gt;Using a ternary operator, you can prevent your code from throwing &lt;em&gt;NullPointerExceptions&lt;/em&gt;. Here is how:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Example&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="o"&gt;[])&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
        &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;?&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt; &lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;length&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The above code will call the &lt;code&gt;length()&lt;/code&gt; method only if str is not &lt;em&gt;null&lt;/em&gt;, hence preventing &lt;em&gt;NullPointerException&lt;/em&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3.6. Throwing IllegalArgumentException
&lt;/h3&gt;

&lt;p&gt;It is always a best practice to throw an &lt;em&gt;IllegalArgumentException&lt;/em&gt; if the argument is null or something that is not expected. This may save hours of figuring out what went wrong. Here is example code that throws &lt;em&gt;IllegalArgumentException&lt;/em&gt; when the argument passed is null:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Example&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="kd"&gt;public&lt;/span&gt; &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="o"&gt;[])&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;printStringLength&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
    &lt;span class="kd"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;printStringLength&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nc"&gt;String&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
            &lt;span class="k"&gt;throw&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;IllegalArgumentException&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"String str was null"&lt;/span&gt;&lt;span class="o"&gt;);&lt;/span&gt;
        &lt;span class="o"&gt;}&lt;/span&gt; &lt;span class="k"&gt;else&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
            &lt;span class="nc"&gt;System&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;out&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;println&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;str&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;length&lt;/span&gt;&lt;span class="o"&gt;());&lt;/span&gt;
        &lt;span class="o"&gt;}&lt;/span&gt;
    &lt;span class="o"&gt;}&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  4. Conclusion
&lt;/h2&gt;

&lt;p&gt;One of my favourite ways of avoiding NullPointerException is by adding this statement: &lt;code&gt;null != obj.getSomething()&lt;/code&gt;. But we're mature developers, and we don't want to bloat our code with these null check statements. Imagine code that looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="n"&gt;obj&lt;/span&gt; 
        &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="n"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getSomething&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt; 
        &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="n"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getSomething&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;fromHere&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
        &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="kc"&gt;null&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="n"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getSomething&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;fromHere&lt;/span&gt;&lt;span class="o"&gt;().&lt;/span&gt;&lt;span class="na"&gt;property&lt;/span&gt;&lt;span class="o"&gt;())&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
    &lt;span class="c1"&gt;// do something with obj.getSomething().fromHere().property()&lt;/span&gt;
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Looks crazy, right? Trust me, I've written this in one of my applications to stop &lt;em&gt;NullPointerExceptions&lt;/em&gt;. However, now we know how to avoid them in a better way.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Thank you for reading! Do let me know in the comments, what was the craziest thing you did for dealing with NullPointerExceptions.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>java</category>
      <category>nullpointerexception</category>
      <category>codenewbie</category>
    </item>
    <item>
      <title>How to choose the right backend technology?</title>
      <dc:creator>Prafful Lachhwani</dc:creator>
      <pubDate>Tue, 25 Jan 2022 13:33:31 +0000</pubDate>
      <link>https://forem.com/prafful/how-to-choose-right-backend-26f2</link>
      <guid>https://forem.com/prafful/how-to-choose-right-backend-26f2</guid>
      <description>&lt;p&gt;Web technologies are growing so fast that we now have tons of modern tools and frameworks, be it a choice of frontend, backend or database. Many developers have this big question: which tech stack should I begin with?🤔&lt;/p&gt;

&lt;p&gt;Sometimes we end up choosing the one we worked on before or the language we are comfortable in. By human nature, we always stick to our comfort zone, and that's where things start going wrong. This may include choosing a framework that is overkill. Or, even worse, we pivot from our existing tech stack in the middle of a project and end up re-writing the code in a different language.🤦‍♂️&lt;/p&gt;

&lt;p&gt;So, it's important to choose the right tech stack before starting a new project. With this post, I will help you with a thought process so that you could choose the best tech stack.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Getting the content
&lt;/h2&gt;

&lt;p&gt;This is a three-part series. In this post, I will talk about various backend technologies such as Node.js, Java - Spring, Laravel - PHP and Python - Django. We will compare them on different aspects such as reliability, scalability, performance, security, developer's experience and most importantly cost of hosting. In the later posts, we will compare different frontend technologies and various databases. So, let's get going!&lt;/p&gt;

&lt;h2&gt;
  
  
  2. What is a backend?
&lt;/h2&gt;

&lt;p&gt;In a nutshell, the backend has the code which runs on the server-side and is responsible for handling and managing storage, database and other resources. The backend is also called the data access layer of software.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonfaai565vsk32529mzp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonfaai565vsk32529mzp.png" alt="image.png" width="800" height="556"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One should always start with choosing the right backend, because it acts as the backbone of your application. There are many alternatives out there; we will cover some popular backend frameworks in this article and see which one is appropriate for a given scenario.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Node.js
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://nodejs.org/en/about/" rel="noopener noreferrer"&gt;Node.js&lt;/a&gt; uses asynchronous programming, meaning it is non-blocking. In other words, it does not wait for a resource to finish the job. It is immediately ready to take up the next request and gives a callback when it's done. Node.js runs like a rocket and it is very scalable.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When to use Node.js?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;When your application is highly event-driven and performs lots of I/O operations. Also, when you have to make various API calls from the backend itself. In this scenario, you can leverage its non-blocking feature.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When NOT to use Node.js?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;When you have a heavy algorithm or a job that consumes lots of CPU cycles. Because Node.js runs on a single thread just like client-side js, your application will be very inefficient for CPU intensive jobs.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  4. Java - Spring Boot
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://spring.io/" rel="noopener noreferrer"&gt;Spring&lt;/a&gt; is a powerful, lightweight, and most popular framework which makes Java quicker, easier and safer to use. &lt;a href="https://spring.io/projects/spring-boot" rel="noopener noreferrer"&gt;Spring Boot&lt;/a&gt; helps you build production-ready Spring-based applications. It serves 80% of everyone's needs for a modern web application. It is highly useful for creating stand-alone, production-grade applications with minimum effort.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When to use Spring Boot?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;When your primary focus is security, for example when you want to write banking or financial applications. Where you cannot compromise on security, Spring Boot will be the best option. As Java supports multithreading out of the box, it becomes a great choice for building complex and highly concurrent web applications.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When NOT to use Spring Boot?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;There are no limitations to the Spring framework; it can serve all your needs. But for trivial apps which do not need heavy computation, Spring as a backend will be overkill. The only reason for saying no to Spring Boot is that it's a bit complex and requires a lot of expertise.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  5. PHP - Laravel
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;PHP is an old friend who introduced me to web development.🥺 &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://laravel.com/" rel="noopener noreferrer"&gt;Laravel&lt;/a&gt; is an open-source PHP framework. It follows an MVC (Model-View-Controller) architecture. Laravel makes life easier as it has many developer-friendly features; one of them is the query builder or &lt;a href="https://laravel.com/docs/8.x/eloquent#introduction" rel="noopener noreferrer"&gt;ORM&lt;/a&gt; (Object-Relational Mapping). Before Laravel, it seemed like PHP was dying, but now it is one of the competitive frameworks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhg5kdzgxu1ymilem1rcf.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhg5kdzgxu1ymilem1rcf.jpeg" alt="is-php-dead-0-1.jpg" width="800" height="456"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When to use Laravel?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;When time to market is the key, Laravel is the best choice, because it has many salient features that make web development very fast compared to other frameworks out there. Also, Laravel can be hosted on shared hosting, making it the cheapest amongst all. So when time and cost are the key, you should go with Laravel.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When NOT to use Laravel?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;PHP is not considered as secure as Spring and Node.js. However, Laravel prevents some of the basic attacks, such as SQL injection and cross-site scripting, and adds an extra layer of security to it. But still, PHP is never recommended for applications where security is a must.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  6. Python - Django
&lt;/h2&gt;

&lt;p&gt;Django is a fast, secure and scalable high-level Python web framework. Django encourages rapid and clean application development. It takes care of much of the hassle of web development, so you can focus on writing your app without needing to reinvent the wheel.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When to use Django?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;Since Django is based on Python, it supports powerful machine learning libraries like PyTorch, NumPy, etc. Its computational and statistical capabilities make it the ideal platform for machine learning applications.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;When NOT to use Django?&lt;/em&gt;
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;Django is not suitable for smaller projects with only a few features and requirements. Because it's a "batteries included" framework, it has a lot of boilerplate code which small projects don't need. As a result, it consumes unnecessary server processing time and bandwidth.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  7. Conclusion
&lt;/h2&gt;

&lt;p&gt;I hope you found the article insightful! We have discussed the four most popular backend frameworks and how to make the right choice.&lt;/p&gt;

&lt;p&gt;And stay tuned for the next article of this series. In that, I will compare the most popular front-end frameworks so that you can make the right decision.&lt;/p&gt;

&lt;p&gt;Please give your valuable feedback in the comment section and tell me what I missed about these frameworks.&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>java</category>
      <category>python</category>
      <category>php</category>
    </item>
    <item>
      <title>Spring Boot REST API authentication best practices using JWT</title>
      <dc:creator>Prafful Lachhwani</dc:creator>
      <pubDate>Thu, 20 Jan 2022 15:31:42 +0000</pubDate>
      <link>https://forem.com/prafful/spring-boot-rest-api-authentication-best-practices-using-jwt-2022-3j2d</link>
      <guid>https://forem.com/prafful/spring-boot-rest-api-authentication-best-practices-using-jwt-2022-3j2d</guid>
      <description>&lt;h3&gt;
  
  
  1. Overview
&lt;/h3&gt;

&lt;p&gt;In this tutorial I will explain how you can implement production-ready, token-based REST API authentication using JWT (JSON Web Tokens). We will then use these tokens to identify the acting user in an HTTP request to our API. For this tutorial we will use MongoDB to persist our user data, but you can use any database of your choice.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. What is a JWT?
&lt;/h3&gt;

&lt;p&gt;JSON Web Token (JWT) is an encoded string which we will use to identify our user in this case. A JWT consists of three parts separated by a period (&lt;code&gt;.&lt;/code&gt;):&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Header&lt;/strong&gt;: It names the signing algorithm, such as HMAC SHA256 (HS256).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Payload&lt;/strong&gt;: It contains our user data. It is only Base64URL-encoded, not encrypted, so it must not carry secrets.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Signature&lt;/strong&gt;: It verifies that the message wasn't changed along the way, making it secure.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Combining all three will make our JWT look something like this: &lt;code&gt;xxxxx.yyyyy.zzzzz&lt;/code&gt;. To learn more about JWT please visit - &lt;a href="https://jwt.io/" rel="noopener noreferrer"&gt;https://jwt.io/&lt;/a&gt; &lt;/p&gt;

&lt;h3&gt;
  
  
  3. Project Initialization
&lt;/h3&gt;

&lt;p&gt;We will start by initializing our Spring Boot project using &lt;a href="https://start.spring.io/#!type=maven-project&amp;amp;language=java&amp;amp;platformVersion=2.6.2&amp;amp;packaging=jar&amp;amp;jvmVersion=11&amp;amp;groupId=com.example&amp;amp;artifactId=api&amp;amp;name=API%20Authentication&amp;amp;description=Demo%20project%20for%20token%20based%20API%20authentication&amp;amp;packageName=com.example.api&amp;amp;dependencies=devtools,lombok,web,security,data-mongodb" rel="noopener noreferrer"&gt;Spring Initializr&lt;/a&gt;. For starters I have added 5 dependencies; you can tweak the list according to your project needs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqo6gnlq2haxtawpxgn9c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqo6gnlq2haxtawpxgn9c.png" alt="spring init.png" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Hit generate and import the project in your favorite IDE. Also, don't forget to add the database properties in the &lt;code&gt;application.properties&lt;/code&gt; file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;spring.data.mongodb.database=your_db_name_here
spring.data.mongodb.port=27017
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  4. Additional Dependencies
&lt;/h3&gt;

&lt;p&gt;You will have to add the following dependencies in order to use &lt;code&gt;JWT&lt;/code&gt; in your project. &lt;code&gt;commons-lang3&lt;/code&gt; is optional; I personally use it for its various utility classes. &lt;/p&gt;

&lt;h4&gt;
  
  
  For maven based projects:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;io.jsonwebtoken&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;jjwt-api&amp;lt;/artifactId&amp;gt;
    &amp;lt;version&amp;gt;0.11.2&amp;lt;/version&amp;gt;
&amp;lt;/dependency&amp;gt;
&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;io.jsonwebtoken&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;jjwt-impl&amp;lt;/artifactId&amp;gt;
    &amp;lt;version&amp;gt;0.11.2&amp;lt;/version&amp;gt;
    &amp;lt;scope&amp;gt;runtime&amp;lt;/scope&amp;gt;
&amp;lt;/dependency&amp;gt;
&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;io.jsonwebtoken&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;jjwt-jackson&amp;lt;/artifactId&amp;gt;
    &amp;lt;version&amp;gt;0.11.2&amp;lt;/version&amp;gt;
    &amp;lt;scope&amp;gt;runtime&amp;lt;/scope&amp;gt;
&amp;lt;/dependency&amp;gt;
&amp;lt;dependency&amp;gt;
    &amp;lt;groupId&amp;gt;org.apache.commons&amp;lt;/groupId&amp;gt;
    &amp;lt;artifactId&amp;gt;commons-lang3&amp;lt;/artifactId&amp;gt;
    &amp;lt;version&amp;gt;3.12.0&amp;lt;/version&amp;gt;
&amp;lt;/dependency&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  For gradle based projects:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;dependencies {
    implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
    // commons-lang3 is imported by JwtRequestFilter, so it is needed at compile time
    implementation 'org.apache.commons:commons-lang3:3.12.0'
    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.2',
             'io.jsonwebtoken:jjwt-jackson:0.11.2'
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  5. Project Structure
&lt;/h3&gt;

&lt;p&gt;We will follow the MVC pattern; please refer to the following project structure.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy7k9g3fb1pe91pv6xzli.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy7k9g3fb1pe91pv6xzli.png" alt="image.png" width="479" height="785"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Configuration
&lt;/h3&gt;

&lt;p&gt;In &lt;code&gt;WebSecurityConfig.java&lt;/code&gt;, we will modify the default Spring Security features by extending the &lt;code&gt;WebSecurityConfigurerAdapter&lt;/code&gt; class. Here we will define our HTTP request filter and a default response when the user is unauthenticated. It will act as a middleware for all our HTTP requests.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.config;

import com.example.api.util.JwtRequestFilter;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import java.util.HashMap;
import java.util.Map;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService jwtUserDetailsService;
    private final JwtRequestFilter jwtRequestFilter;

    public WebSecurityConfig(UserDetailsService jwtUserDetailsService, JwtRequestFilter jwtRequestFilter) {
        this.jwtUserDetailsService = jwtUserDetailsService;
        this.jwtRequestFilter = jwtRequestFilter;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(jwtUserDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // CSRF protection is disabled because the API is stateless and reads the token from the Authorization header
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/auth/*").permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .authenticationEntryPoint((request, response, authException) -&amp;gt; {
                    Map&amp;lt;String, Object&amp;gt; responseMap = new HashMap&amp;lt;&amp;gt;();
                    ObjectMapper mapper = new ObjectMapper();
                    response.setStatus(401);
                    responseMap.put("error", true);
                    responseMap.put("message", "Unauthorized");
                    response.setHeader("content-type", "application/json");
                    String responseMsg = mapper.writeValueAsString(responseMap);
                    response.getWriter().write(responseMsg);
                })
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In the above &lt;code&gt;configure(HttpSecurity httpSecurity)&lt;/code&gt; method we permit all requests under the &lt;code&gt;/auth&lt;/code&gt; route, which is where we will add our Authentication Controller. Every other request must be authenticated; if it is not, our API responds with a &lt;code&gt;401&lt;/code&gt; error message.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw81od4sag7scr6gkemu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw81od4sag7scr6gkemu.png" alt="image.png" width="800" height="240"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  7. Request Filter
&lt;/h3&gt;

&lt;p&gt;In &lt;code&gt;JwtRequestFilter.java&lt;/code&gt; we will define the request filter that we registered in our API middleware in the previous chapter. For this we will extend &lt;code&gt;OncePerRequestFilter&lt;/code&gt;; Spring guarantees that it is executed only once for a given request. &lt;/p&gt;

&lt;p&gt;In the &lt;code&gt;doFilterInternal()&lt;/code&gt; method we will fetch the JWT token from the request header and process it by validating it and obtaining the username from the token's payload. If the token is valid, we will fetch the user from the database and add it to the &lt;code&gt;SecurityContextHolder&lt;/code&gt;, so that we can use it in any of our services to perform various user-related operations.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.util;

import com.example.api.service.JwtUserDetailsService;
import io.jsonwebtoken.ExpiredJwtException;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class JwtRequestFilter extends OncePerRequestFilter {

    private final JwtUserDetailsService jwtUserDetailsService;
    private final JwtTokenUtil jwtTokenUtil;

    public JwtRequestFilter(JwtUserDetailsService jwtUserDetailsService, JwtTokenUtil jwtTokenUtil) {
        this.jwtUserDetailsService = jwtUserDetailsService;
        this.jwtTokenUtil = jwtTokenUtil;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {

        final String requestTokenHeader = request.getHeader("Authorization");
        if (StringUtils.startsWith(requestTokenHeader,"Bearer ")) {
            String jwtToken = requestTokenHeader.substring(7);
            try {
                String username = jwtTokenUtil.getUsernameFromToken(jwtToken);
                if (StringUtils.isNotEmpty(username)
                        &amp;amp;&amp;amp; null == SecurityContextHolder.getContext().getAuthentication()) {
                    UserDetails userDetails = jwtUserDetailsService.loadUserByUsername(username);
                    if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
                        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                                new UsernamePasswordAuthenticationToken(
                                        userDetails, null, userDetails.getAuthorities());
                        usernamePasswordAuthenticationToken
                                .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext()
                                .setAuthentication(usernamePasswordAuthenticationToken);
                    }
                }
            } catch (IllegalArgumentException e) {
                logger.error("Unable to fetch JWT Token");
            } catch (ExpiredJwtException e) {
                logger.error("JWT Token is expired");
            } catch (Exception e) {
                logger.error(e.getMessage());
            }
        } else {
            logger.warn("JWT Token does not begin with Bearer String");
        }
        chain.doFilter(request, response);
    }

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In &lt;code&gt;JwtTokenUtil.java&lt;/code&gt; we will perform all JWT token related operations, such as generating a new token and validating a given token.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.util;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

import java.io.Serializable;
import java.security.Key;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

@Component
public class JwtTokenUtil implements Serializable {

    public static final long JWT_TOKEN_VALIDITY = 5 * 60 * 60;

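    // A new random HS256 key is generated on every startup: tokens issued before a restart
    // stop validating, and other instances of the application cannot verify them.
    // Load a fixed key from secure configuration if tokens must survive restarts.
    private final Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);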

    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }

    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }

    public &amp;lt;T&amp;gt; T getClaimFromToken(String token, Function&amp;lt;Claims, T&amp;gt; claimsResolver) {
        final Claims claims = getAllClaimsFromToken(token);
        return claimsResolver.apply(claims);
    }

    private Claims getAllClaimsFromToken(String token) {
        return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token).getBody();
    }

    private Boolean isTokenExpired(String token) {
        final Date expiration = getExpirationDateFromToken(token);
        return expiration.before(new Date());
    }

    public String generateToken(UserDetails userDetails) {
        Map&amp;lt;String, Object&amp;gt; claims = new HashMap&amp;lt;&amp;gt;();
        return Jwts.builder()
                .setClaims(claims)
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY * 1000))
                .signWith(key)
                .compact();
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = getUsernameFromToken(token);
        return (username.equals(userDetails.getUsername()) &amp;amp;&amp;amp; !isTokenExpired(token));
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  8. Model and Repository
&lt;/h3&gt;

&lt;p&gt;We will use the &lt;a href="https://projectlombok.org/" rel="noopener noreferrer"&gt;Lombok framework&lt;/a&gt; here to quickly create our &lt;code&gt;User.java&lt;/code&gt; model. It is completely optional, but it is my favorite way of defining a model class. After all, life is too short to write getters and setters.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.model;

import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.index.Indexed;
import org.springframework.data.mongodb.core.mapping.Document;

@Document("users")
@Getter
@Setter
@AllArgsConstructor
@NoArgsConstructor
public class User {

    @Id
    private String userName;
    private String firstName;
    private String lastName;
    @Indexed(unique = true)
    private String email;
    private String password;
    private String role;

}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We will write our &lt;code&gt;UserRepository.java&lt;/code&gt; interface and define a method to fetch user details by username.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.repository;

import com.example.api.model.User;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

public interface UserRepository extends MongoRepository&amp;lt;User, String&amp;gt; {

    @Query(value = "{userName:'?0'}")
    User findUserByUsername(String username);
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  9. UserDetailsService
&lt;/h3&gt;

&lt;p&gt;In the &lt;code&gt;JwtUserDetailsService.java&lt;/code&gt; class we will customize the default Spring Security way of getting a user by implementing the &lt;code&gt;UserDetailsService&lt;/code&gt; interface.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.service;

import com.example.api.repository.UserRepository;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;

@Service
public class JwtUserDetailsService implements UserDetailsService {

    final UserRepository userRepository;

    public JwtUserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
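        com.example.api.model.User user = userRepository.findUserByUsername(username);
        if (user == null) {
            // Honour the UserDetailsService contract instead of failing with a NullPointerException
            throw new UsernameNotFoundException("User not found");
        }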
        List&amp;lt;GrantedAuthority&amp;gt; authorityList = new ArrayList&amp;lt;&amp;gt;();
        authorityList.add(new SimpleGrantedAuthority("USER_ROLE"));
        return new User(user.getUserName(), user.getPassword(), authorityList);
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  10. Controllers
&lt;/h3&gt;

&lt;p&gt;Last but not least, we will define controllers in order to communicate with our API. &lt;/p&gt;

&lt;p&gt;&lt;code&gt;AuthenticationController.java&lt;/code&gt; will deal with user login and registration. In both routes we will generate a JWT token and send it to the user in the response.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.controller;

import com.example.api.model.User;
import com.example.api.repository.UserRepository;
import com.example.api.service.JwtUserDetailsService;
import com.example.api.util.JwtTokenUtil;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.util.HashMap;
import java.util.Map;

@RestController
@RequestMapping("/auth")
public class AuthenticationController {

    protected final Log logger = LogFactory.getLog(getClass());

    final UserRepository userRepository;
    final AuthenticationManager authenticationManager;
    final JwtUserDetailsService userDetailsService;
    final JwtTokenUtil jwtTokenUtil;

    public AuthenticationController(UserRepository userRepository, AuthenticationManager authenticationManager,
                                    JwtUserDetailsService userDetailsService, JwtTokenUtil jwtTokenUtil) {
        this.userRepository = userRepository;
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
        this.jwtTokenUtil = jwtTokenUtil;
    }

    @PostMapping("/login")
    public ResponseEntity&amp;lt;?&amp;gt; loginUser(@RequestParam("user_name") String username,
                                       @RequestParam("password") String password) {
        Map&amp;lt;String, Object&amp;gt; responseMap = new HashMap&amp;lt;&amp;gt;();
        try {
            Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username
                    , password));
            if (auth.isAuthenticated()) {
                logger.info("Logged In");
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                String token = jwtTokenUtil.generateToken(userDetails);
                responseMap.put("error", false);
                responseMap.put("message", "Logged In");
                responseMap.put("token", token);
                return ResponseEntity.ok(responseMap);
            } else {
                responseMap.put("error", true);
                responseMap.put("message", "Invalid Credentials");
                return ResponseEntity.status(401).body(responseMap);
            }
        } catch (DisabledException e) {
            e.printStackTrace();
            responseMap.put("error", true);
            responseMap.put("message", "User is disabled");
            return ResponseEntity.status(500).body(responseMap);
        } catch (BadCredentialsException e) {
            responseMap.put("error", true);
            responseMap.put("message", "Invalid Credentials");
            return ResponseEntity.status(401).body(responseMap);
        } catch (Exception e) {
            e.printStackTrace();
            responseMap.put("error", true);
            responseMap.put("message", "Something went wrong");
            return ResponseEntity.status(500).body(responseMap);
        }
    }

    @PostMapping("/register")
    public ResponseEntity&amp;lt;?&amp;gt; saveUser(@RequestParam("first_name") String firstName,
                                      @RequestParam("last_name") String lastName,
                                      @RequestParam("user_name") String userName, @RequestParam("email") String email
            , @RequestParam("password") String password) {
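        Map&amp;lt;String, Object&amp;gt; responseMap = new HashMap&amp;lt;&amp;gt;();
        // userName is the document @Id, so save() with an existing name would overwrite that account
        if (userRepository.existsById(userName)) {
            responseMap.put("error", true);
            responseMap.put("message", "Username already taken");
            return ResponseEntity.status(409).body(responseMap);
        }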
        User user = new User();
        user.setFirstName(firstName);
        user.setLastName(lastName);
        user.setEmail(email);
        user.setPassword(new BCryptPasswordEncoder().encode(password));
        user.setRole("USER");
        user.setUserName(userName);
        // Persist first: loadUserByUsername() reads the user back from the database
        userRepository.save(user);
        UserDetails userDetails = userDetailsService.loadUserByUsername(userName);
        String token = jwtTokenUtil.generateToken(userDetails);
        responseMap.put("error", false);
        responseMap.put("username", userName);
        responseMap.put("message", "Account created successfully");
        responseMap.put("token", token);
        return ResponseEntity.ok(responseMap);
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Example of response to our register request:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F87eauis300607rfsbnjb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F87eauis300607rfsbnjb.png" alt="image.png" width="800" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can save this token from response in local storage of your client (Reactive web or Mobile app) and use this token later in protected routes of your API. If we provide invalid credentials to our login request we will get a response with error code 401:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a3gz0u1xo6xxa8pm7x7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a3gz0u1xo6xxa8pm7x7.png" alt="image.png" width="800" height="184"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now it's time to actually use our JWT token to identify the user associated with an HTTP request. The following code snippet will help you get the authenticated user anywhere in your project:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Authentication authentication = SecurityContextHolder
                .getContext().getAuthentication();
String username = authentication.getName();
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For testing we will define &lt;code&gt;UserController.java&lt;/code&gt;. Here you can get the user that the request filter added to the &lt;code&gt;SecurityContextHolder&lt;/code&gt; earlier.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;package com.example.api.controller;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.HashMap;
import java.util.Map;

@RestController
@RequestMapping("/user")
public class UserController {

    @GetMapping
    public Map&amp;lt;String, Object&amp;gt; getUserName() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Map&amp;lt;String, Object&amp;gt; userMap = new HashMap&amp;lt;&amp;gt;();
        userMap.put("username", authentication.getName());
        userMap.put("error", false);
        return userMap;
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When we send the newly created JWT token in the Authorization header, we will get a proper response as follows:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffk56cz75jse6p8frs9q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffk56cz75jse6p8frs9q.png" alt="image.png" width="800" height="184"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  11. Conclusion
&lt;/h3&gt;

&lt;p&gt;We saw how you can implement token-based authentication for a REST API, along with various amazing frameworks that make life easier. &lt;/p&gt;

&lt;p&gt;Complete code for this tutorial is committed in my &lt;a href="https://github.com/iamprafful/rest-api-authentication-tutorial" rel="noopener noreferrer"&gt;GitHub repository&lt;/a&gt;. Don't forget to hit the star button :p&lt;/p&gt;

&lt;p&gt;Thank you for reading this post, and please give your valuable feedback in the comments section.&lt;/p&gt;

</description>
      <category>java</category>
      <category>mongodb</category>
      <category>spring</category>
      <category>jwt</category>
    </item>
  </channel>
</rss>
