JWT authentication: how to implement logout?

I implemented JWT authentication for my Spring Boot application. In general, it works as follows:

  • The client sends the username and password to the entry endpoint.
  • The server validates the credentials provided.
  • If not, it will return an error.
  • If yes, it will return the token, this token actually includes
  • The client sends this token with every future request.

The question is: how should we implement logout?

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.util.Date;

class TokenAuthenticationService {
    static final long EXPIRATIONTIME = 864_000_000; // 10 days
    static final String SECRET = "ThisIsASecret";
    static final String TOKEN_PREFIX = "Bearer";
    static final String HEADER_STRING = "Authorization";

    // Called after a successful login: issue a signed token and return it in the response header.
    static void addAuthentication(HttpServletResponse res, String username) {
        String JWT = Jwts
                .builder()
                .setSubject(username)
                .setExpiration(
                        new Date(System.currentTimeMillis() + EXPIRATIONTIME))
                .signWith(SignatureAlgorithm.HS512, SECRET).compact();
        res.addHeader(HEADER_STRING, TOKEN_PREFIX + " " + JWT);
    }

    // Called on every request: verify the token from the Authorization header and build an Authentication.
    static Authentication getAuthentication(HttpServletRequest request, UserDetailsService customUserDetailsService) {
        String header = request.getHeader(HEADER_STRING);
        if (header == null || !header.startsWith(TOKEN_PREFIX)) {
            return null;
        }
        // Strip the "Bearer" prefix (and the space after it) before parsing.
        String token = header.substring(TOKEN_PREFIX.length()).trim();
        try {
            // parseClaimsJws verifies the signature and throws if the token is malformed or tampered with.
            Claims claims = Jwts.parser().setSigningKey(SECRET)
                    .parseClaimsJws(token).getBody();
            String userName = claims.getSubject();
            Date expirationTime = claims.getExpiration();
            // jjwt already rejects expired tokens with ExpiredJwtException; this is an explicit second check.
            if (expirationTime == null || expirationTime.compareTo(new Date()) < 0) {
                return null;
            }
            UserDetails user = customUserDetailsService.loadUserByUsername(userName);
            return user != null ? new UsernamePasswordAuthenticationToken(user.getUsername(),
                    user.getPassword(), user.getAuthorities()) : null;
        } catch (JwtException | IllegalArgumentException e) {
            // Invalid signature, expired, malformed or empty token: treat as unauthenticated.
            return null;
        }
    }
}

`addAuthentication` is used by the class `JWTLoginFilter` to send an authentication token at login; `getAuthentication` is used by the `JWTAuthenticationFilter`, which filters all requests to endpoints.

What is the best practice here?

+4
2
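A signed JWT is valid until it expires, so the server cannot "forget" it the way it can drop a session. Logout therefore needs some server-side state: either a revocation list (denylist) that holds each logged-out token's id until that token would have expired anyway, or short-lived access tokens whose refresh tokens are revoked. The following is an added example illustrating the denylist approach with the jjwt 0.9.x API used in the question; it is not code from the question or from any answer on this page. The class and method names (`RevocableTokenService`, `issue`, `authenticate`, `logout`, `purgeExpired`), the 15-minute lifetime and the in-memory map are assumptions for illustration; a multi-instance deployment would put the denylist in a shared store such as a database or cache.

```java
// Added example (not from the question or its answers): JWT logout via a server-side
// revocation list keyed by the token's jti claim. Uses the jjwt 0.9.x API seen in the
// question; class and method names here are hypothetical.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

class RevocableTokenService {
    // Short lifetime keeps the denylist small: entries are only kept until the token expires.
    static final long EXPIRATIONTIME = 15 * 60 * 1000; // 15 minutes (assumed value)
    static final String SECRET = "ThisIsASecret";        // placeholder; load a real key from configuration
    static final String TOKEN_PREFIX = "Bearer ";

    // jti -> expiration of the revoked token (in-memory; use a shared store across instances)
    private final Map<String, Date> revoked = new ConcurrentHashMap<>();

    /** Issue a token with a unique id (jti) so that this specific token can be revoked later. */
    String issue(String username) {
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME))
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .compact();
    }

    /** Returns the claims if the token is correctly signed, unexpired and not revoked; otherwise null. */
    Claims authenticate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(TOKEN_PREFIX)) {
            return null;
        }
        try {
            // parseClaimsJws verifies the signature and throws ExpiredJwtException past exp.
            Claims claims = Jwts.parser().setSigningKey(SECRET)
                    .parseClaimsJws(authorizationHeader.substring(TOKEN_PREFIX.length()))
                    .getBody();
            // A token without jti cannot be revoked, so refuse it; a listed jti means "logged out".
            if (claims.getId() == null || revoked.containsKey(claims.getId())) {
                return null;
            }
            return claims;
        } catch (JwtException | IllegalArgumentException e) {
            return null; // bad signature, expired, malformed or empty token
        }
    }

    /** Logout: remember the token's jti until the token's own expiry, after which it is useless anyway. */
    boolean logout(String authorizationHeader) {
        Claims claims = authenticate(authorizationHeader);
        if (claims == null) {
            return false; // nothing valid to revoke
        }
        revoked.put(claims.getId(), claims.getExpiration());
        return true;
    }

    /** Housekeeping: drop denylist entries whose token has expired (run from a scheduled task). */
    void purgeExpired() {
        Date now = new Date();
        revoked.entrySet().removeIf(e -> e.getValue().before(now));
    }

    public static void main(String[] args) {
        RevocableTokenService service = new RevocableTokenService();
        String header = TOKEN_PREFIX + service.issue("alice");   // constructed sample login
        System.out.println("before logout: " + (service.authenticate(header) != null)); // true
        System.out.println("logout:        " + service.logout(header));                 // true
        System.out.println("after logout:  " + (service.authenticate(header) != null)); // false
        System.out.println("second logout: " + service.logout(header));                 // false
    }
}
```

The `JWTAuthenticationFilter` from the question would call `authenticate` instead of parsing the token directly, and a `POST /logout` endpoint would call `logout` with the request's `Authorization` header. Because every request now checks the denylist, the lookup should be cheap (a cache or indexed table); with the 15-minute lifetime a revoked entry lives at most 15 minutes before `purgeExpired` removes it.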

, . , , .

JWT , . . , , , .

:

  • JWT . , , , -, JWT.
  • . , , - , . .
  • . . . , , . . , , .
  • . , . , JWT . . JWT, ( ), JWT. , , JWT. , . -, , JWT, .
  • JWT. , , . , , , , . back-end , JWT . , , . , , .
+10

, , , , , , .

, , , , "".

+3

Source: https://habr.com/ru/post/1675437/
