
Securing Spring Boot Application with JWT + JWK in Spring Security OAuth2

In this tutorial, we will create a Spring Boot application and secure it as an OAuth2 resource server using JWT (JSON Web Tokens) with JWS (JSON Web Signature) and JWK (JSON Web Key) in Spring Security OAuth2: each request must carry a JWS-signed JWT, and Spring Security verifies the signature against the JWK Set published by the authorization server.


  • Basic understanding of Spring Boot and Spring Security
  • JDK installed on your machine
  • Maven or Gradle installed

Step 1: Setup a Spring Boot Project

First, let’s create a new Spring Boot project. You can do this manually or use the Spring Initializr to generate a project with the required dependencies.

For Maven, add the following starters:

  • Spring Web (spring-boot-starter-web)
  • Spring Security (spring-boot-starter-security)
  • OAuth2 Resource Server (spring-boot-starter-oauth2-resource-server), which brings in spring-security-oauth2-jose for JWT, JWS and JWK support

Here’s the dependencies section of an example pom.xml for Maven (versions are managed by the Spring Boot parent):

```xml
<dependencies>
    <!-- Spring Boot Starter Web -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <!-- Spring Security -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

    <!-- Spring Security OAuth2 Resource Server (JWT / JWS / JWK support via spring-security-oauth2-jose) -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
</dependencies>
```

Step 2: Configure Spring Security

Create a new class SecurityConfig to configure Spring Security:

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // JWK Set URI of the authorization server that signs the tokens; set it in
    // application.properties, and use https so nobody can substitute keys in transit.
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // every request must be authenticated
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // authenticate with a bearer JWT, validated by our JwtDecoder
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // fetches and caches the JWK Set, selects the key by the token's "kid" header,
        // verifies the JWS signature and checks the exp / nbf claims
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
    }
}
```

In this configuration:

  • The securityFilterChain(HttpSecurity http) bean configures the security rules: every request must be authenticated (WebSecurityConfigurerAdapter, used by older tutorials, is removed in Spring Security 6, so the rules are expressed as a SecurityFilterChain bean).
  • oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder()))) configures the OAuth2 resource server to authenticate requests with a bearer JWT using our JwtDecoder. A missing or invalid token is answered with 401 and a WWW-Authenticate: Bearer header.
  • The jwtDecoder() method creates a JwtDecoder bean from the JWK Set URI. NimbusJwtDecoder downloads the JWK Set (and caches it), picks the key whose kid matches the JWS header, verifies the signature and validates the exp and nbf claims. It does not check the iss or aud claims unless you add validators, so by default any token signed by that key set is accepted.

Put the URI in application.properties as spring.security.oauth2.resourceserver.jwt.jwk-set-uri. With that property set, Spring Boot can also auto-configure an equivalent JwtDecoder, so the explicit bean is only needed when you want to customize it.
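The decoder above only checks the signature and the exp/nbf window. The following added example (not code from the original post) shows a hardened JwtDecoder bean that pins the JWS algorithm and also validates the issuer and audience claims. The two spring.security.oauth2.resourceserver.jwt.* properties are Spring Boot's own; the app.security.expected-audience property name and the class name JwtDecoderConfig are assumptions made here.

```java
import java.util.Collection;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // the exact "iss" value the authorization server puts into its tokens
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    // hypothetical property naming the audience this API expects in the "aud" claim
    @Value("${app.security.expected-audience}")
    private String expectedAudience;

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                // accept RS256 only: a token whose "alg" header differs is rejected before
                // any key lookup, so keys published for other algorithms cannot be misused
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // default validators (exp / nbf with clock skew) plus a strict "iss" check
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);

        // a token minted for another API of the same issuer is signed by a key from the same
        // JWK Set; requiring our audience stops it from being replayed against this service
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(expectedAudience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```

Keep exactly one JwtDecoder bean: remove jwtDecoder() from SecurityConfig and change the DSL call to .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())), which picks this bean up from the context. A token with a valid signature but a wrong iss or aud is then rejected with 401 like any other invalid token.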

Step 3: Create a Controller

Let’s create a simple REST controller for testing our secure endpoint:

```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // protected by the resource server configuration: reachable only with a valid bearer JWT
    @GetMapping("/hello")
    public String hello() {
        return "Hello, secured user!";
    }
}
```

Step 4: Generate JWK

You can generate a sample JWK for testing purposes with a library such as Nimbus JOSE+JWT (generate it locally; do not paste private keys into online tools). The JWK Set served at the JWK Set URI must contain only the public members of each key (kty, n, e, plus kid, use and alg), never the private exponent d. Here’s an example, with a placeholder kid that must match the kid in the JWS header of the tokens:

```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "test-key-1",
      "e": "AQAB",
      "n": "v6uCJ26eJk5Dbg6fK_KTVZjR9Tzx0sy7MyEi8gSTzIJ0r5GN..."
    }
  ]
}
```

Step 5: Test the Application

Now you can run your Spring Boot application and test the /hello endpoint. Without a token the resource server answers 401 with a WWW-Authenticate: Bearer header. To get in you need a valid JWT: obtain one from the authorization server whose JWK Set URI you configured, or, for testing, sign one locally with the private half of your test JWK (RS256, with the same kid in the header and an exp in the future).

Here’s an example of how you can use curl to test the endpoint:

curl -X GET http://localhost:8080/hello \
  -H "Authorization: Bearer <your_jwt_token>"

Replace <your_jwt_token> with your actual JWT token. A valid token returns 200 and "Hello, secured user!"; an expired token, or one signed with a key that is not in the JWK Set, returns 401 with WWW-Authenticate: Bearer error="invalid_token".
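To run Steps 4 and 5 end to end without an authorization server, the following added program (not part of the original post; it uses the nimbus-jose-jwt library that spring-security-oauth2-jose already brings onto the classpath) generates an RSA JWK, prints the public JWK Set the authorization server would publish, mints an RS256-signed test token carrying the kid, verifies it with Spring Security's NimbusJwtDecoder, and shows that a token whose payload was altered after signing is rejected. The issuer, subject and audience values are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;
import java.util.UUID;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class JwkTokenDemo {

    public static void main(String[] args) throws Exception {
        // 1. The "authorization server" generates an RSA key pair as a JWK with kid, use and alg.
        RSAKey signingKey = new RSAKeyGenerator(2048)
                .keyID(UUID.randomUUID().toString())
                .keyUse(KeyUse.SIGNATURE)
                .algorithm(JWSAlgorithm.RS256)
                .generate();

        // 2. What it publishes at the JWK Set URI: the public JWK only (kty, kid, use, alg, n, e).
        //    The private exponent "d" must never appear here.
        String jwkSetJson = new JWKSet(signingKey.toPublicJWK()).toString();
        System.out.println("JWK Set:  " + jwkSetJson);

        // 3. Mint a test token: RS256, kid in the JWS header so the verifier can pick the key,
        //    5-minute lifetime. Issuer, subject and audience are placeholder values.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://auth.example.test")
                .subject("alice")
                .audience("hello-api")
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000))
                .build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(signingKey.getKeyID())
                .type(JOSEObjectType.JWT)
                .build();
        SignedJWT signedJwt = new SignedJWT(header, claims);
        signedJwt.sign(new RSASSASigner(signingKey));
        String token = signedJwt.serialize();
        System.out.println("Token:    " + token);

        // 4. Verify as the resource server would. withJwkSetUri(...) does the same after fetching
        //    the set over HTTPS; here the public key is handed over directly so this runs offline.
        JwtDecoder decoder = NimbusJwtDecoder.withPublicKey(signingKey.toRSAPublicKey()).build();
        Jwt verified = decoder.decode(token);
        System.out.println("Accepted: sub=" + verified.getSubject() + " aud=" + verified.getAudience());

        // 5. Swap the payload for one claiming another subject but keep the original signature:
        //    the RS256 check fails and decode() throws a JwtException (BadJwtException).
        String[] parts = token.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"mallory\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        try {
            decoder.decode(tampered);
            System.out.println("BUG: tampered token accepted");
        } catch (JwtException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Serve the printed JWK Set JSON from a static endpoint (or a local file server) at the URI you configured in spring.security.oauth2.resourceserver.jwt.jwk-set-uri and pass the printed token to the curl command above to exercise the real resource server path; the signature check that fails in step 5 is the same one NimbusJwtDecoder runs against the key fetched from that URI.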


In this tutorial, we’ve set up a basic Spring Boot application secured with JWT + JWS + JWK using Spring Security OAuth2. We configured Spring Security to use a JWT decoder with a JWK set URI and created a simple REST endpoint to test the security. This is just a starting point, and in a real-world application, you would integrate with an authentication server to obtain valid JWT tokens for users.
