AVIRAL-MISHRA-99/Spring-JWT-Auth
🔐 Spring-JWT-Auth – Spring Boot Based Authentication System (JWT)

Learning-level project for implementing authentication as a security layer for major / large-scale projects.


✨ Key Highlights

  • Stateless authentication using JWT
  • Role-based access control (USER / ADMIN)
  • Account lockout on multiple failed login attempts
  • JWT token blacklisting on logout
  • Centralized exception handling with clean API responses
  • Proper Controller–Service–Repository separation

🚀 Core Capabilities

🔑 Authentication

  • Secure user registration & login
  • BCrypt password hashing (no plain-text storage)
  • Email uniqueness validation
  • JWT access token generation

🛡 Security Architecture

  • Stateless authentication (SessionCreationPolicy.STATELESS)
  • Custom JWT authentication filter (JwtAuthFilter)
  • HmacSHA256-compliant 64-bit JWT signing key (HS256)
  • Token tamper detection and validation

🧱 Tech Stack

Layer            Technology
Language         Java 17+
Framework        Spring Boot
Security         Spring Security
Authentication   JWT (jjwt)
Data Access      Spring Data (PostgreSQL)
Build Tool       Maven
Database         PostgreSQL
API Testing      Postman

🔄 How Security Works (High-Level Flow)

┌──────────────────┐
│      Client      │
│ (Postman / UI)   │
└─────────┬────────┘
          │ 1️⃣ Login (email + password)
          ▼
┌──────────────────┐
│   Auth API       │
│  /api/auth/login │
└─────────┬────────┘
          │ 2️⃣ Credentials verified (BCrypt)
          ▼
┌──────────────────┐
│   JWT Issued     │
│  HS256 (256-bit) │
└─────────┬────────┘
          │
          │  Authorization: Bearer <JWT>
          ▼
┌───────────────────────────────────────────────────────────┐
│           Spring Security Filter Chain                    │
│                                                           │
│   ┌───────────────────────────────────────────────────┐   │
│   │               JwtAuthFilter                       │   │
│   │                                                   │   │
│   │  • Extract JWT from Authorization header          │   │
│   │  • Validate signature & expiration                │   │
│   │  • Check token blacklist (logout protection)      │   │
│   │  • Load user details & roles                      │   │
│   │  • Set Authentication in SecurityContext          │   │
│   └───────────────────────────────────────────────────┘   │
│                                                           │
└─────────┬─────────────────────────────────────────────────┘
          │
          ▼
┌──────────────────┐
│  Controller      │
│ (@PreAuthorize)  │
└─────────┬────────┘
          │
          ▼
┌──────────────────┐
│   Service Layer  │
│ (Business Logic) │
└─────────┬────────┘
          │
          ▼
┌──────────────────┐
│    Database      │
│ (Users / Tokens) │
└──────────────────┘
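Added example (not the repository's own code) of how the five JwtAuthFilter steps in the diagram map onto a Spring Security OncePerRequestFilter. It assumes the jjwt 0.12 parser API, a 256-bit HS256 SecretKey supplied by the caller, and a hypothetical Set<String> of raw tokens revoked at logout standing in for the project's blacklist store:

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.crypto.SecretKey;
import java.io.IOException;
import java.util.Set;

public class JwtAuthFilter extends OncePerRequestFilter {
    private final SecretKey key;              // 256-bit HS256 key (assumed injected from config)
    private final UserDetailsService users;
    private final Set<String> blacklist;      // hypothetical store of tokens revoked at logout

    public JwtAuthFilter(SecretKey key, UserDetailsService users, Set<String> blacklist) {
        this.key = key; this.users = users; this.blacklist = blacklist;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        // 1. Extract JWT from the Authorization header; no bearer token -> continue unauthenticated
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) { chain.doFilter(req, res); return; }
        String token = header.substring("Bearer ".length());
        try {
            // 2. Verify the HS256 signature; jjwt also rejects a past 'exp' claim here
            Claims claims = Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload();
            // 3. Blacklist check: a token revoked at logout must not authenticate even if still valid
            if (blacklist.contains(token)) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            // 4. Load user details and roles for the subject named in the token
            UserDetails user = users.loadUserByUsername(claims.getSubject());
            // 5. Set Authentication in the SecurityContext so @PreAuthorize can enforce roles
            var auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
            auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (JwtException | IllegalArgumentException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // tampered, malformed or expired
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it with `http.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)` so it runs before the form-login filter in the chain.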

🔄 Combined Security Flow (Defense-in-Depth)

Client Request
      │
      ▼
AuthController
      │
      ▼
AuthService
      │
      ├─ Wrong password? → increment failedAttempts
      ├─ failedAttempts ≥ 5 → lock account
      ▼
Authentication Result

🔒 Security Best Practices Implemented

  • BCrypt password hashing with salting
  • No plain-text password storage or logging
  • Stateless JWT authentication
  • Secure HS256 token signing (256-bit secret)
  • Role-based API authorization
  • Account lockout on multiple failed login attempts
  • JWT token blacklisting on logout
  • Centralized exception handling
  • Jakarta Bean Validation for input validation
  • Secure JWT request filtering
  • API rate limiting

🧪 Postman Testing Flow

  1. Register user → /api/auth/register
  2. Login → /api/auth/login
  3. Copy JWT access token
  4. Add Authorization: Bearer <TOKEN> header
  5. Access secured APIs
