Forem: Pratusha Raya The latest articles on Forem by Pratusha Raya (@pratianala). https://forem.com/pratianala https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2853483%2Fcb90a3dc-af36-4f66-af16-8cd49f6c0d0b.png Forem: Pratusha Raya https://forem.com/pratianala en Overview of Web Accessibility Guidelines: Tools, Techniques & Best Practices for EAA & WCAG Compliance Pratusha Raya Wed, 23 Jul 2025 19:20:21 +0000 https://forem.com/pratianala/overview-of-web-accessibility-guidelines-tools-techniques-best-practices-for-eaa-wcag-9bf https://forem.com/pratianala/overview-of-web-accessibility-guidelines-tools-techniques-best-practices-for-eaa-wcag-9bf <blockquote> <p>Accessibility is not just a feature -  it's a fundamental human right.</p> </blockquote> <p>With the European Accessibility Act (EAA) in force, digital accessibility is now a legal and ethical expectation. If you develop or manage websites or apps, this article will help you align with WCAG 2.1 AA standards and ensure inclusive design for users with disabilities.</p> <p>This guide covers:</p> <ul> <li><p>Key WCAG criteria every developer should know</p></li> <li><p>Tools like FastPass and NVDA</p></li> <li><p>A practical accessibility testing checklist</p></li> <li><p>40+ actionable best practices</p></li> </ul> <p>Let’s explore how to design and build with accessibility in mind.</p> <h2> What Is the European Accessibility Act? </h2> <p>The EAA mandates that digital products and services must be accessible across the EU, aligning with WCAG 2.1 AA guidelines. It applies to:</p> <ul> <li><p>Websites and apps</p></li> <li><p>E-commerce platforms</p></li> <li><p>Banking, transport, and ticketing systems</p></li> <li><p>Communication services</p></li> </ul> <p>The goal is simple: equal access for all, including those with visual, motor, cognitive, and auditory impairments.</p> <h2> Accessibility Testing Tools </h2> <h3> FastPass (Accessibility Insights for Web) </h3> <p>FastPass is a browser extension by Microsoft that performs automated WCAG checks.</p> <p><strong>Steps to Use</strong>:</p> <ol> <li>Install Accessibility Insights for Web.</li> <li>Open your app and run FastPass from the extension.</li> <li>Fix reported Failures and Warnings using guidance provided.</li> </ol> <p>Ideal for early-stage and pre-release accessibility scans.</p> <h2> NVDA (NonVisual Desktop Access) </h2> <p><strong>NVDA</strong> is a free screen reader for Windows that simulates how blind users experience your app.</p> <p><strong>Try This</strong>:</p> <ul> <li><p>Download from nvaccess.org</p></li> <li><p>Launch with Ctrl + Alt + N</p></li> <li><p>Navigate using:<br> — Tab, Shift + Tab: move between elements</p></li> </ul> <p>— Insert + F7: view headings and landmarks</p> <ul> <li>Listen for how labels, buttons, and alerts are announced</li> </ul> <h2> Summary: Key WCAG Guidelines to Verify </h2> <p>1.1.1 — Non-text Content: Provide text alternatives for images/icons.<br> 1.3.1 — Info &amp; Relationships: Use semantic HTML to convey structure.<br> 1.3.3 — Sensory Characteristics: Don’t rely only on color, shape, or position.<br> 1.4.3 — Contrast (Minimum): Ensure 4.5:1 text-to-background contrast.<br> 1.4.10 — Reflow: No horizontal scroll at 320px screen width.<br> 1.4.12 — Text Spacing: Page remains usable with increased line/letter spacing.<br> 2.1.1 — Keyboard: All features must work with just a keyboard.<br> 2.4.1 — Bypass Blocks: Add “Skip to content” or similar mechanism.<br> 2.4.3 — Focus Order: Focus moves in logical, predictable order.<br> 2.4.4 — Link Purpose: Link text is meaningful in context.<br> 2.4.5 — Label in Name: Visible label must be part of the accessible name.<br> 2.4.7 — Focus Visible: Show focus with a clear visible indicator.<br> 3.3.1 — Error Identification: Clearly explain input errors to users.<br> 3.3.2 — Labels or Instructions: Provide helpful labels/instructions for inputs.<br> 4.1.1 — Parsing: Use clean, valid HTML (no duplicate IDs, unclosed tags).<br> 4.1.2 — Name, Role, Value: Components expose accessible name/role/state.<br> 4.1.3 — Status Messages: Notify users via ARIA live regions for updates.</p> <h2> 40+ Best Practices to Ensure Accessibility and Points to Remember </h2> <h3> Semantic Structure &amp; Content </h3> <ul> <li><p>Use alt attributes for images to describe their purpose.</p></li> <li><p>Avoid using div or span when semantic elements like button or nav are appropriate.</p></li> <li><p>Use headings (h1 — h6) in a logical, hierarchical order.</p></li> <li><p>Use meaningful link text — avoid vague phrases like “click here” or “read more”.</p></li> <li><p>Include lang attributes on the element.</p></li> <li><p>Avoid using tables for layout purposes.</p></li> <li> <p>Group related form elements using </p> and .</li> </ul> <h3> Keyboard Accessibility </h3> <ul> <li><p>Ensure all interactive elements (links, buttons, forms) can be used with a keyboard.</p></li> <li><p>Use a visible focus indicator to highlight the element currently in focus.</p></li> <li><p>Ensure links and buttons are clearly distinguishable and usable with keyboard navigation.</p></li> <li><p>Ensure pressing the Enter key on a button triggers the expected action.</p></li> <li><p>Ensure keyboard users can escape or close dialogs with the Escape key.</p></li> <li><p>Use aria-disabled=“true” (not just disabled) for elements that should appear inactive but visible.</p></li> </ul> <h3> Screen Reader Support </h3> <ul> <li><p>Regularly test with screen readers (NVDA) and other tools.</p></li> <li><p>Screen readers should announce actions taken by users (e.g., clicks, form submissions).</p></li> <li><p>Screen readers should read out error messages and alerts.</p></li> <li><p>Ensure the screen reader reads out form field requirements and validations.</p></li> <li><p>Make sure all form inputs have appropriate labels for screen readers.</p></li> <li><p>Ensure focus is returned to the triggering element after closing modals.</p></li> <li><p>Ensure dynamic content updates do not steal focus unexpectedly.</p></li> <li><p>Ensure all tooltips, popovers, and custom widgets are accessible.</p></li> </ul> <h3> Forms &amp; Validation </h3> <ul> <li><p>Use clear and predictable labels for forms, menus, and buttons.</p></li> <li><p>Make sure all form inputs have appropriate labels for screen readers.</p></li> <li><p>Screen readers should read out error messages and alerts.</p></li> <li><p>Ensure the screen reader reads out form field requirements and validations.</p></li> <li> <p>Group related form elements using </p> and . Provide captions and transcripts for audio and video content.</li> </ul> <h3> ARIA &amp; Live Regions </h3> <ul> <li><p>Implement ARIA roles, properties, and states where required without overusing them.</p></li> <li><p>Use live regions (aria-live) to announce updates dynamically for assistive technologies.</p></li> <li><p>Use role=“alert” sparingly and only for critical messages.</p></li> <li><p>Use aria-disabled=“true” to disable elements while keeping them in focus order.</p></li> </ul> <h3> Visual Design &amp; Contrast </h3> <ul> <li><p>Maintain sufficient color contrast between text and background.</p></li> <li><p>Avoid relying solely on color to convey meaning. Use text or icons for additional clarification.</p></li> <li><p>Use accessible icons with clear alternative text for non-text content.</p></li> <li><p>Add focus indicators for all interactive elements.</p></li> <li><p>Ensure text spacing adheres to accessibility requirements.</p></li> </ul> <h3> Responsive Design &amp; Zoom </h3> <ul> <li><p>Ensure the interface is usable on various screen sizes and orientations. </p></li> <li><p>Do not introduce horizontal scrollbars.</p></li> <li><p>Use em or rem units for scalable elements instead of fixed pixel sizes.</p></li> <li><p>Make content resizable and ensure no content is lost when zoomed in on a page.</p></li> </ul> <h3> Navigation &amp; Landmarks </h3> <ul> <li><p>Maintain a consistent structure and navigation across pages.</p></li> <li><p>Provide skip links or landmark regions for quick navigation.</p></li> </ul> <h3> Media &amp; Motion </h3> <ul> <li><p>Do not auto-play media without user interaction or a clear stop control.</p></li> <li><p>Provide captions and transcripts for audio and video content.</p></li> </ul> <h3> General Accessibility Testing </h3> <ul> <li><p>Ensure compatibility with multiple browsers and devices.</p></li> <li><p>Regularly test with screen readers (NVDA) and other tools.</p></li> </ul> <h2> Dev Checklist (Quick Reference) </h2> <ul> <li><p>Alt text on all images</p></li> <li><p>Keyboard access to all features</p></li> <li><p>Visible focus indicator</p></li> <li><p>Logical tab order</p></li> <li><p>Modals behave properly</p></li> <li><p>Forms are labeled and errors announced</p></li> <li><p>Contrast and spacing meet guidelines</p></li> <li><p>App reflows at 320px width</p></li> <li><p>NVDA test passes for labels, forms, dynamic content</p></li> </ul> <p>If you found this useful:</p> <ul> <li><p>Drop a comment</p></li> <li><p>Share with your team</p></li> </ul> <p>Thank you!</p> a11y wcag frontend eaa Secure Your Spring Boot API with JWT and Role-Based Authorization Pratusha Raya Mon, 21 Jul 2025 18:25:17 +0000 https://forem.com/pratianala/secure-your-spring-boot-api-with-jwt-and-role-based-authorization-2l9c https://forem.com/pratianala/secure-your-spring-boot-api-with-jwt-and-role-based-authorization-2l9c <p><em>Originally published on <a href="https://medium.com/@prati.anala/secure-your-spring-boot-api-with-jwt-and-role-based-authorization-7ab6770a9fad" rel="noopener noreferrer">Medium</a></em></p> <p>Securing your REST API is essential for protecting sensitive data and ensuring only authorized users can access your endpoints. In this article, you'll learn how to secure a Spring Boot API using JSON Web Tokens (JWT) with role-based authorization, clear error handling, and best practices.</p> <h2> Project Setup </h2> <p>Create a Spring Boot project with the following dependencies:</p> <ul> <li>Spring Web </li> <li>Spring Security </li> <li>jjwt (add to <code>pom.xml</code>): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.jsonwebtoken<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jjwt<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.9.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <h3> DTO for Login </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="c1">//DTO for login requests. Used to receive username and password as JSON.</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">LoginRequest</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">username</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">password</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getUsername</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">username</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">username</span> <span class="o">=</span> <span class="n">username</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getPassword</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">password</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setPassword</span><span class="o">(</span><span class="nc">String</span> <span class="n">password</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">password</span> <span class="o">=</span> <span class="n">password</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> JWT Utility </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.SecretKeySpec</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.Key</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.jsonwebtoken.Claims</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.jsonwebtoken.Jwts</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.jsonwebtoken.SignatureAlgorithm</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Date</span><span class="o">;</span> <span class="c1">//Utility class for JWT operations: generate, validate, and extract claims.</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtUtil</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">SECRET_KEY</span> <span class="o">=</span> <span class="s">"my-super-secret-key-for-jwt"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kt">long</span> <span class="no">EXPIRATION_TIME</span> <span class="o">=</span> <span class="mi">3600000</span><span class="o">;</span> <span class="c1">// 1 hour</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">SignatureAlgorithm</span> <span class="no">SIGNATURE_ALGORITHM</span> <span class="o">=</span> <span class="nc">SignatureAlgorithm</span><span class="o">.</span><span class="na">HS256</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Key</span> <span class="n">key</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="no">SECRET_KEY</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(),</span> <span class="no">SIGNATURE_ALGORITHM</span><span class="o">.</span><span class="na">getJcaName</span><span class="o">());</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">generateToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">role</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">.</span><span class="na">claim</span><span class="o">(</span><span class="s">"role"</span><span class="o">,</span> <span class="n">role</span><span class="o">)</span> <span class="o">.</span><span class="na">setIssuedAt</span><span class="o">(</span><span class="k">new</span> <span class="nc">Date</span><span class="o">())</span> <span class="o">.</span><span class="na">setExpiration</span><span class="o">(</span><span class="k">new</span> <span class="nc">Date</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">currentTimeMillis</span><span class="o">()</span> <span class="o">+</span> <span class="no">EXPIRATION_TIME</span><span class="o">))</span> <span class="o">.</span><span class="na">signWith</span><span class="o">(</span><span class="no">SIGNATURE_ALGORITHM</span><span class="o">,</span> <span class="n">key</span><span class="o">)</span> <span class="o">.</span><span class="na">compact</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">validateToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">token</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">parser</span><span class="o">()</span> <span class="o">.</span><span class="na">setSigningKey</span><span class="o">(</span><span class="n">key</span><span class="o">)</span> <span class="o">.</span><span class="na">parseClaimsJws</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getUsernameFromToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">token</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">parser</span><span class="o">()</span> <span class="o">.</span><span class="na">setSigningKey</span><span class="o">(</span><span class="n">key</span><span class="o">)</span> <span class="o">.</span><span class="na">parseClaimsJws</span><span class="o">(</span><span class="n">token</span><span class="o">)</span> <span class="o">.</span><span class="na">getBody</span><span class="o">()</span> <span class="o">.</span><span class="na">getSubject</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getRoleFromToken</span><span class="o">(</span><span class="nc">String</span> <span class="n">token</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Claims</span> <span class="n">claims</span> <span class="o">=</span> <span class="nc">Jwts</span><span class="o">.</span><span class="na">parser</span><span class="o">()</span> <span class="o">.</span><span class="na">setSigningKey</span><span class="o">(</span><span class="n">key</span><span class="o">)</span> <span class="o">.</span><span class="na">parseClaimsJws</span><span class="o">(</span><span class="n">token</span><span class="o">)</span> <span class="o">.</span><span class="na">getBody</span><span class="o">();</span> <span class="k">return</span> <span class="n">claims</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"role"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Authentication Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.ResponseEntity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.*</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/auth"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="o">{</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;?&gt;</span> <span class="n">login</span><span class="o">(</span><span class="nd">@RequestBody</span> <span class="nc">LoginRequest</span> <span class="n">loginRequest</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">loginRequest</span><span class="o">.</span><span class="na">getUsername</span><span class="o">();</span> <span class="nc">String</span> <span class="n">password</span> <span class="o">=</span> <span class="n">loginRequest</span><span class="o">.</span><span class="na">getPassword</span><span class="o">();</span> <span class="nc">String</span> <span class="n">role</span> <span class="o">=</span> <span class="s">"admin"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">?</span> <span class="s">"ROLE_ADMIN"</span> <span class="o">:</span> <span class="s">"ROLE_USER"</span><span class="o">;</span> <span class="k">if</span> <span class="o">((</span><span class="s">"admin"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="s">"password"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">password</span><span class="o">))</span> <span class="o">||</span> <span class="o">(</span><span class="s">"user"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="s">"password"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">password</span><span class="o">)))</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="nc">JwtUtil</span><span class="o">.</span><span class="na">generateToken</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">role</span><span class="o">);</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">().</span><span class="na">body</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="mi">401</span><span class="o">).</span><span class="na">body</span><span class="o">(</span><span class="s">"Invalid credentials"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> JWT Filter </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.servlet.FilterChain</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.servlet.ServletException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.servlet.http.HttpServletRequest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.servlet.http.HttpServletResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.authentication.UsernamePasswordAuthenticationToken</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.authority.SimpleGrantedAuthority</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.core.context.SecurityContextHolder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.filter.OncePerRequestFilter</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Collections</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtFilter</span> <span class="kd">extends</span> <span class="nc">OncePerRequestFilter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">doFilterInternal</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ServletException</span><span class="o">,</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">token</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"Bearer "</span><span class="o">))</span> <span class="o">{</span> <span class="n">token</span> <span class="o">=</span> <span class="n">token</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="mi">7</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="nc">JwtUtil</span><span class="o">.</span><span class="na">validateToken</span><span class="o">(</span><span class="n">token</span><span class="o">))</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="nc">JwtUtil</span><span class="o">.</span><span class="na">getUsernameFromToken</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="nc">String</span> <span class="n">role</span> <span class="o">=</span> <span class="nc">JwtUtil</span><span class="o">.</span><span class="na">getRoleFromToken</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="nc">SimpleGrantedAuthority</span> <span class="n">authority</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleGrantedAuthority</span><span class="o">(</span><span class="n">role</span><span class="o">);</span> <span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">auth</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span> <span class="n">username</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">authority</span><span class="o">));</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">auth</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Security Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Bean</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.config.http.SessionCreationPolicy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.SecurityFilterChain</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</span><span class="o">;</span> <span class="nd">@Configuration</span> <span class="nd">@EnableMethodSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="n">csrf</span> <span class="o">-&gt;</span> <span class="n">csrf</span><span class="o">.</span><span class="na">disable</span><span class="o">())</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/auth/login"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">sessionManagement</span><span class="o">(</span><span class="n">sess</span> <span class="o">-&gt;</span> <span class="n">sess</span><span class="o">.</span><span class="na">sessionCreationPolicy</span><span class="o">(</span><span class="nc">SessionCreationPolicy</span><span class="o">.</span><span class="na">STATELESS</span><span class="o">))</span> <span class="o">.</span><span class="na">addFilterBefore</span><span class="o">(</span><span class="k">new</span> <span class="nc">JwtFilter</span><span class="o">(),</span> <span class="nc">UsernamePasswordAuthenticationFilter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Global Exception Handler </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.HttpStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.http.ResponseEntity</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.AccessDeniedException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ControllerAdvice</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ExceptionHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseBody</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.ResponseStatus</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jakarta.servlet.ServletException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="nd">@ControllerAdvice</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">GlobalExceptionHandler</span> <span class="o">{</span> <span class="nd">@ExceptionHandler</span><span class="o">(</span><span class="nc">AccessDeniedException</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">FORBIDDEN</span><span class="o">)</span> <span class="nd">@ResponseBody</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;?&gt;</span> <span class="n">handleAccessDeniedException</span><span class="o">(</span><span class="nc">AccessDeniedException</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">FORBIDDEN</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="s">"Access denied: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@ExceptionHandler</span><span class="o">({</span><span class="nc">ServletException</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="nc">IOException</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="nd">@ResponseStatus</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">UNAUTHORIZED</span><span class="o">)</span> <span class="nd">@ResponseBody</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;?&gt;</span> <span class="n">handleServletException</span><span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">UNAUTHORIZED</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="s">"Unauthorized: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Secured Endpoints </h3> <h4> HelloController.java </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RestController</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/hello"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">hello</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Hello! You have accessed a secured endpoint."</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h4> SecuredController.java </h4> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.security.access.prepost.PreAuthorize</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.*</span><span class="o">;</span> <span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecuredController</span> <span class="o">{</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasAuthority('ROLE_ADMIN')"</span><span class="o">)</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/secure-data"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">secureData</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"Access granted to admin user!"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Main Application </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">package</span> <span class="nn">com.example.jwtsecuritydemo</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.autoconfigure.SpringBootApplication</span><span class="o">;</span> <span class="nd">@SpringBootApplication</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">JwtsecuritydemoApplication</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SpringApplication</span><span class="o">.</span><span class="na">run</span><span class="o">(</span><span class="nc">JwtsecuritydemoApplication</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">args</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Testing with curl </h3> <h4> Login as admin: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8080/auth/login <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">username</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">admin</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">}"</span> </code></pre> </div> <h4> Login as user: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8080/auth/login <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">username</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">user</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">}"</span> </code></pre> </div> <h4> Access public endpoint: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer &lt;TOKEN&gt;"</span> http://localhost:8080/hello </code></pre> </div> <h4> Access admin-only endpoint (should succeed for admin, fail for user): </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer &lt;TOKEN&gt;"</span> http://localhost:8080/api/secure-data </code></pre> </div> <h3> Conclusion </h3> <p>You now have a robust, stateless, and role-based JWT security setup for your Spring Boot API. This approach is scalable, production-ready, and easy to extend for real-world applications.</p> <h4> What You Gain from This Article </h4> <ul> <li><p>Practical Security: A hands-on, production-ready template for securing any Spring Boot API using JWT and role-based access control.</p></li> <li><p>Scalability: Stateless JWT approach ideal for microservices, cloud deployments, and modern distributed systems.</p></li> <li><p>Extensibility: Modular code that’s easy to extend — add refresh tokens, integrate databases, or connect OAuth providers.</p></li> <li><p>Best Practices: Use of DTOs, global exception handling, and method-level security—all industry standards.</p></li> </ul> <h4> Who Should Use This Guide </h4> <p>Java/Spring Boot developers looking to secure APIs quickly and correctly.</p> <p>Backend engineers building microservices or RESTful APIs.</p> <p>Students and learners wanting a clear, step-by-step JWT security example.</p> <p>Architects and tech leads seeking a reference implementation.</p> <h4> How to Get the Most Out of This Article </h4> <p>Try the curl commands to see the authentication flow in action.</p> <p>Fork and extend the code — add user registration, connect to a real database, or implement refresh tokens.</p> <p>Share your feedback or questions in the comments—let's learn together!</p> <h4> Bonus: What’s Next? </h4> <p>Interested in:</p> <p>Integrating with OAuth2 or social login?</p> <p>Adding refresh tokens?</p> <p>Using JWT with GraphQL or WebSockets?</p> <p>Deploying this setup to the cloud?</p> <h4> Let me know in the comments! Planning follow-up articles based on your feedback. Thank you for reading! </h4> springboot java jwt security