By admin Category Uncategorized, Posted December 23rd, 2015
JSON Web Tokens

Initially in the HHS project we tracked user authentication with Tomcat sessions, using J_security_check and configuring web.xml, where the programmer defines the type of user authentication, that is, what a student or an admin is allowed to access, by redirecting to the authorized pages or files. In addition, the front end of the HHS project used AngularJS, which also directs each type of user to an authorized page. These two redirect behaviours, AngularJS's and Tomcat's, would at some point conflict, especially when Angular templates depend on other templates to fully display the desired page: if Tomcat redirects to a particular template, it breaks the page layout. We then decided to look for an alternative method and, voilà, we came across JSON Web Tokens (JWT).

Unlike J_security_check with Tomcat, our JWT implementation tracks a user but **DOES NOT** involve redirects to pages, so responses can be transmitted to and fro in an API. This advantage compelled us to choose this type of user session tracking technique. So what is JWT all about? In a typical login scenario, once the user has logged in, each subsequent request to the server includes the JWT, allowing the user to access the routes, services and resources permitted for that particular token. The token is saved locally (typically in local storage, but cookies can also be used). Whenever the user wants to access a protected route or resource, the JWT is sent, typically in the Authorization header. It is important to note that a JSON Web Token transmits information between parties as a JSON object. Since the JWT contains the user's information, it reduces the need to go back and forth to the database.

A JWT has three segments separated by dots (.): header, payload and signature. An example of the JWT structure:
aaaaa.bbbbb.ccccc

Header

The header consists of the type of token, which is JWT, and the signing algorithm, such as HMAC SHA256 or RSA.

Example of a header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload carries the bulk of the JWT and is also called the JWT claims. This is where we put the information we want to transmit, together with other information about the token.
An example of a payload:

{
  "subject": "68979809",
  "name": "Evingtone Ngoa",
  "student": true
}

Signature

To produce the signature, we take the encoded header, the encoded payload and a secret, and sign them with the algorithm specified in the header.

For example, if you use the RSA algorithm, the signature is created as follows:
RSA(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)

If all the segments above are done correctly, the resulting JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjEzMDA4MTkzODAsIm5hbWUiOiJDaHJpcyBTZXZpbGxlamEiLCJhZG1pbiI6dHJ1ZX0.03f329983b86f7d9a9f5fef85305880101d5e302afafa20154d094b229f75773

The three segments are separated with dots.
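As an added worked example (not code from the HHS project or from this post), the following Python builds the header.payload.signature token described above with the HS256 algorithm named in the example header, then verifies it the way a server handling the login flow described earlier would: it reads the token from an Authorization: Bearer header, pins the algorithm to HS256 instead of trusting the token's own "alg" field, compares the signature in constant time and checks an "exp" claim. SECRET, the claims and the "exp" value are constructed placeholders for the demonstration; the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption for this example); a real deployment
# loads a long random secret from configuration, never from source code.
SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWTs use for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def create_jwt(payload: dict, secret: bytes) -> str:
    """Assemble header.payload.signature as the post describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact separators and sorted keys keep the encoded segments deterministic.
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature_b64 = b64url_encode(sign_hs256(signing_input, secret))
    return f"{header_b64}.{payload_b64}.{signature_b64}"


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Validate a token and return its claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server decides the algorithm; a token claiming "none" or anything
    # other than HS256 is rejected before its signature is even examined.
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unexpected header: only HS256 JWTs are accepted")
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    # compare_digest runs in constant time, so timing does not reveal where
    # a wrong signature first differs from the right one.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch: token altered or signed with another key")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token has expired")
    return claims


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Boolean wrapper: True only if verify_jwt accepts the token."""
    try:
        verify_jwt(token, secret, now)
        return True
    except (ValueError, AttributeError, TypeError):
        # ValueError covers bad base64, bad JSON, bad signature and expiry;
        # the others cover a header that decodes to something that is not an object.
        return False


def claims_from_authorization_header(header_value: str, secret: bytes, now=None) -> dict:
    """Extract and verify the bearer token a client sends on a protected route."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return verify_jwt(token.strip(), secret, now)


if __name__ == "__main__":
    # Constructed claims modelled on the post's payload, plus an expiry timestamp.
    issued = create_jwt(
        {"subject": "68979809", "name": "Evingtone Ngoa", "student": True, "exp": 1_700_000_000},
        SECRET,
    )
    print(issued)
    print(claims_from_authorization_header("Bearer " + issued, SECRET, now=1_699_999_000))
```

The verifier never reads the algorithm out of the token to decide how to check it, and it treats a tampered payload, a wrong key, a missing signature and an expired "exp" claim identically, as a rejected request. The post's pseudocode names RSA; this example uses HMAC because that is what the example header's "alg": "HS256" denotes, and a shared-secret HMAC is the simplest way to show the signing input and the check side by side.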
These advantages led us to choose JWT rather than Tomcat sessions, and that is how I learnt about JWT and its usage!

Posted by Evin Ngoa

Comments

  • Ignatius says:

    JWT implementation has more than one advantage: the resources invoked by the server to maintain a session can be used for other services. Further, JWT is lightweight, hence it makes the process of authentication almost seamless (holding all factors like network delay). JWTs are a means of offering stateless authentication in a compact and secure way. JSON Web Tokens can be used to thwart cross-site request forgery attempts, and there are plenty of JWT libraries out there as well.
