Securing Java Microservices with Java JWT

By Micah Silverman

Elevator Pitch

Micah Silverman will take you on a token-based journey. The talk covers what tokens are, looking at cryptographically signed tokens, using the JJWT library to create JWTs, mitigating CSRF attacks using JWTs, and establishing trust between microservices using JWTs. Some slides and lots of code.


“Microservices are awesome, but they’re not free” - Les Hazlewood, CTO Stormpath

This is a popular talk that I gave during my motorcycle road trip up and down the east coast. While I work for Stormpath, there are no Stormpath dependencies in the code. It’s an example that uses Spring Boot with Spring Security and the open-source JJWT.

In the first part of the talk, I introduce JWTs and their utility by replacing the default CSRF functionality in Spring Security with a custom one that uses JWT. It demonstrates how, in addition to doing a “dumb” equals match between the submitted token and the one on record, a JWT can be inspected for expiration. As a result, a CSRF-protected form must be submitted within a fixed period of time or the token is rejected.
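The CSRF variant described above, as an added example in Java that is not the talk's own code: it uses the JJWT 0.11.x API (Jwts, Keys, parserBuilder), and the class name CsrfJwtToken and its issue/isValid methods are hypothetical. The stored token is the one the server placed in the session when the form was rendered; the submitted token is the hidden form field.

```java
// Added example (not the talk's code); assumes JJWT 0.11.x. Names are hypothetical.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Date;
import javax.crypto.SecretKey;

public class CsrfJwtToken {
    // Server-side HMAC key; a real deployment loads this from configuration rather than per JVM.
    private static final SecretKey KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Issue a CSRF token bound to the session id that expires after ttlSeconds. */
    public static String issue(String sessionId, long ttlSeconds) {
        byte[] nonce = new byte[16];
        RANDOM.nextBytes(nonce); // unique jti so two tokens for one session never collide
        Date now = new Date();
        return Jwts.builder()
                .setSubject(sessionId)
                .setId(Base64.getUrlEncoder().withoutPadding().encodeToString(nonce))
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlSeconds * 1000))
                .signWith(KEY)
                .compact();
    }

    /** Valid only if submitted equals the stored token AND it is a signed, unexpired JWT for this session. */
    public static boolean isValid(String submitted, String stored, String sessionId) {
        // The "dumb" equals match; MessageDigest.isEqual is constant-time for equal-length inputs.
        if (submitted == null || stored == null || !MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        try {
            Claims claims = Jwts.parserBuilder().setSigningKey(KEY).build()
                    .parseClaimsJws(submitted).getBody(); // verifies the signature; throws if expired
            return sessionId.equals(claims.getSubject());
        } catch (ExpiredJwtException e) {
            return false; // the form was submitted after the allowed window
        } catch (JwtException e) {
            return false; // tampered, malformed, or signed with another key
        }
    }
}
```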

In the second part of the talk, I have a Spring Boot microservices example. I run two instances of the example and demonstrate how they initially do not trust signed JWT messages from each other. I then discuss how to establish trust between these microservices (by registering each one's public key with the other) and show how they then trust each other's messages. Finally, I talk about and demonstrate a more modern approach to microservices that uses Kafka messaging as the backbone rather than HTTP.

Here’s a blog post I wrote on the subject as well.