
I have tried implementing JWT in my AngularJS application for secure authentication. I generate the JWT on the server side (Java), and the implementation returns a JWT to the client side after a successful login. I store the JWT in $http.defaults.headers.common.Authorization and also in $window.sessionStorage. Now I can see the JWT in all requests made by the $http service.

The part I am not clear on is that I don't know how to proceed from this point. What I guess is that I should now validate the JWT on the server side for all $http calls somehow. Can someone clarify how I should proceed with validating the client-side JWT on the server side?

  • What's on the server side? Rails? Node? Commented Jun 2, 2016 at 10:14
  • Sorry, I didn't mention that; it is Java. Commented Jun 2, 2016 at 10:18
  • What you do is add some identification of the current user to the token, and on every request you get the value from the Authorization header and parse it. Then you check which user was encoded in the token and associate the current request with them. You can debug the token here with the token and the secret key (available only on the server). Note that you should not encode private information, and put as little information in it as possible so you don't get a huge token. Also, it's recommended to pass it over a secured connection (HTTPS). Commented Jun 2, 2016 at 10:19
  • @SGN Well if it was rails i could fire in some code but alas - tis not! Commented Jun 2, 2016 at 10:21

1 Answer


Yes, every time the client makes a request to the backend, you now have to supply the JWT in the header.

Inside the JWT you can have some parameters that identify the user, like their username, for example. Do not store the password or other sensitive information inside the JWT.


If you are using Java, you could create a Filter that is mapped to a URL that only an authorized user can access. In the filter you can make the necessary checks to see if the supplied token is correct; if it is, you can let the request pass through, otherwise you can return an error to the client specifying that they do not have access.

If you need more information, maybe this is a good place to start.

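The Filter the answer describes, as an added example that is not part of the original answer or the asker's code. It assumes an HS256-signed token carried as `Authorization: Bearer <jwt>`, a server-side secret read from a hypothetical `JWT_SECRET` environment variable, and the servlet API (`javax.servlet`); the class name `JwtAuthFilter`, the request attribute `authenticatedUser` and the `/api/*` mapping are illustrative choices. The verification does the three checks a server must do on every request: pin the algorithm (so a token with `"alg":"none"` or a different algorithm is rejected), recompute the HMAC over `header.payload` and compare it in constant time, and reject an expired `exp`. It uses only the JDK so it runs stand-alone; the `claim()` helper is a minimal regex lookup for flat JSON and should be replaced by a real JSON/JWT library in production.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter guarding protected URLs (e.g. mapped to /api/* in web.xml or via @WebFilter). */
public class JwtAuthFilter implements Filter {

    // Assumption: the same HS256 secret the login endpoint used to sign the token.
    // Read from the environment here; it must never be sent to the client.
    private static final byte[] SECRET =
        System.getenv().getOrDefault("JWT_SECRET", "dev-only-secret-change-me").getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
            return;
        }
        String subject = verifyHs256(header.substring("Bearer ".length()), SECRET, System.currentTimeMillis() / 1000);
        if (subject == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
            return;
        }
        // Downstream code reads the authenticated user from this attribute, never from the raw token.
        request.setAttribute("authenticatedUser", subject);
        chain.doFilter(req, res);
    }

    /** Returns the "sub" claim if the token is well-formed, correctly signed and unexpired; otherwise null. */
    static String verifyHs256(String token, byte[] secret, long nowSeconds) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return null;
        String headerJson, payloadJson;
        byte[] sig;
        try {
            headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            payloadJson = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            sig = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Pin the algorithm server-side: the token must not get to choose it ("none", RS256->HS256 confusion).
        if (!"HS256".equals(claim(headerJson, "alg"))) return null;
        byte[] expected = hmacSha256(secret, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, sig)) return null;   // constant-time comparison
        String exp = claim(payloadJson, "exp");
        if (exp == null || !exp.matches("\\d+") || nowSeconds >= Long.parseLong(exp)) return null;
        return claim(payloadJson, "sub");
    }

    /** Issues a token the way the login endpoint would; included so the example is self-contained. */
    static String issueHs256(String subject, byte[] secret, long expSeconds) {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(
            ("{\"sub\":\"" + subject + "\",\"exp\":" + expSeconds + "}").getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + "." + B64.encodeToString(hmacSha256(secret, header + "." + payload));
    }

    static byte[] hmacSha256(byte[] secret, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Minimal claim lookup for flat JSON with string or integer values; use a real JSON parser in production. */
    static String claim(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    /** Constructed demo: a valid token, then the three rejection paths. */
    public static void main(String[] args) {
        byte[] secret = "demo-secret".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;
        String good = issueHs256("alice", secret, now + 3600);
        System.out.println(verifyHs256(good, secret, now));           // alice
        System.out.println(verifyHs256(good, secret, now + 7200));    // null: expired
        System.out.println(verifyHs256(good + "x", secret, now));     // null: signature does not verify
        String[] p = good.split("\\.");
        String none = B64.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[1] + ".";
        System.out.println(verifyHs256(none, secret, now));           // null: alg is not HS256
    }
}
```

Two points worth noting for the question as asked: the filter only verifies the signature and expiry, so revoking a token before `exp` needs a server-side deny list or short lifetimes with a refresh flow; and because the client keeps the token in `sessionStorage`, any XSS on the Angular app can read it, which is why `exp` should be short and the token should only ever travel over HTTPS.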

1 Comment

Still, I don't have an idea how to implement step 5 and step 6 given in the above picture. Any idea or blogs on that?
