Hi all,

Currently, Spring Security does not provide built-in support for creating JWTs out of the box. Consequently, this would mean developers need to manually write tons of implementation code (including our own Filter, creating and verifying JWT), as evidenced by the articles below, among many others: Article 1, Article 2

Our backend application would rely on username and password authentication (which thankfully Spring Security has direct support for) and, once authenticated successfully, create a JWT (yes, sessionless) and send it to the browser. For every subsequent page visited, the backend will verify the JWT in the browser request.
To avoid over-bloating our application, we avoid including the OAuth2 Resource Server and OAuth2 Authorization Server libraries, as we are not dealing with the OAuth mechanism.

For the above-mentioned scenarios, if Spring Security had built-in support for that, then with the autoconfiguration provided by Spring Boot, the above scenario's implementation would be a breeze.

Comment From: Tanmayshi

I can totally relate to this. When I worked with Spring Security and tried implementing JWT-based authentication, I ran into the same issue. There was no straightforward out-of-the-box support for creating and verifying JWT, which forced me to write custom filters and handlers.

While Spring Security makes username/password authentication really easy, the JWT part felt unnecessarily verbose. Having built-in support for JWT creation and validation (without pulling in the OAuth stack) would definitely make the developer experience much smoother.

Place focus on this problem, @jzheaux.
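Added illustration, not part of the issue thread and not Spring Security code: the "create a JWT after login, verify it on every request" core that the posts above describe writing by hand, using JDK classes only. The class name `HmacJwtCodec`, the choice of HS256, the fixed `sub`/`exp` claim layout and the demo key are assumptions made for this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; HS256 and the claim layout are assumptions.
public class HmacJwtCodec {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final String HEADER = B64.encodeToString(
            "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    // Strict allow-list for the only payload shape this class issues (no JSON parser needed).
    private static final Pattern CLAIMS =
            Pattern.compile("^\\{\"sub\":\"([A-Za-z0-9._-]+)\",\"exp\":(\\d{1,12})\\}$");
    private final byte[] key;
    HmacJwtCodec(byte[] key) { this.key = key.clone(); }
    private byte[] sign(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }
    // Call only after username/password authentication has succeeded.
    String issue(String username, Instant expiry) throws Exception {
        String payload = "{\"sub\":\"" + username + "\",\"exp\":" + expiry.getEpochSecond() + "}";
        if (!CLAIMS.matcher(payload).matches()) throw new IllegalArgumentException("unsupported claim value");
        String input = HEADER + "." + B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return input + "." + B64.encodeToString(sign(input));
    }
    // Call on every request; yields the username only for an authentic, unexpired token.
    Optional<String> verify(String token, Instant now) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !p[0].equals(HEADER)) return Optional.empty(); // alg is pinned, never read from the token
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(sign(p[0] + "." + p[1]), given)) return Optional.empty(); // constant-time compare
            var m = CLAIMS.matcher(new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8));
            if (!m.matches() || Long.parseLong(m.group(2)) <= now.getEpochSecond()) return Optional.empty();
            return Optional.of(m.group(1));
        } catch (IllegalArgumentException e) { return Optional.empty(); } // malformed Base64
    }
    public static void main(String[] args) throws Exception {
        HmacJwtCodec jwt = new HmacJwtCodec("constructed-demo-key-32-bytes-min!".getBytes(StandardCharsets.UTF_8)); // constructed key
        String token = jwt.issue("alice", Instant.now().plusSeconds(900));
        System.out.println(jwt.verify(token, Instant.now()));                  // valid token
        System.out.println(jwt.verify(token, Instant.now().plusSeconds(901))); // same token after expiry
    }
}
```

In an application, the key would come from a secret store rather than a literal, and `verify` would be called from the request filter before any authorization decision is made.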