Add configurable JWT token validation and then populating auth details in a request scope object

Author: samirgarg

Dockerfile

@@ -29,4 +29,8 @@ RUN chmod 755 /opt/app/app.jar
 # ---- Runtime ----
 EXPOSE 4550
 
+# Documented runtime configuration
+# JWT secret for token verification (Base64-encoded HS256 key)
+ENV JWT_SECRET_KEY="it-must-be-a-string-secret-at-least-256-bits-long"
+
 CMD ["java", "-jar", "/opt/app/app.jar"]

README.md

@@ -109,6 +109,8 @@ gradle pactVerificationTest
 
 Contributions are welcome! Please see the [CONTRIBUTING.md](.github/CONTRIBUTING.md) file for guidelines.
 
+See also: [JWTFilter documentation](docs/JWTFilter.md)
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details

build.gradle

@@ -270,6 +270,8 @@ dependencies {
 
   implementation 'com.fasterxml.jackson.core:jackson-databind:2.20.0'
 
+  implementation 'io.jsonwebtoken:jjwt:0.13.0'
+
   compileOnly group: 'org.projectlombok', name: 'lombok', version: lombokVersion
   annotationProcessor group: 'org.projectlombok', name: 'lombok', version: lombokVersion
 

docs/JWTFilter.md

@@ -0,0 +1,39 @@
+# JWTFilter
+
+`JWTFilter` enforces the presence of a JWT on incoming requests, validates it, and exposes user details for the lifetime of the request.
+
+## Purpose
+- Requires the `jwt` header on requests (except excluded paths)
+- Validates and parses the token via `JWTService`
+- Stores `userName` and `scope` in a request-scoped `AuthDetails` bean
+
+## Configuration
+Defined in `src/main/resources/application.yaml`:
+
+```yaml
+jwt:
+  secretKey: "it-must-be-a-string-secret-at-least-256-bits-long"
+  filter:
+    enabled: false
+```
+
+- `jwt.secretKey`: Base64 key suitable for HS256 (≥ 256 bits)
+- `jwt.filter.enabled`: When false, the filter is skipped entirely. When true, it runs for all paths except those excluded.
+
+### Enabling per environment
+- Env var: `JWT_FILTER_ENABLED=true`
+- Tests: `@SpringBootTest(properties = "jwt.filter.enabled=true")`
+- Profile override: `application-<profile>.yaml`
+
+## Excluded paths
+Currently excluded: `/health`. Extend in `JWTFilter.shouldNotFilter(...)` if needed.
+
+## Error behaviour
+- Missing header: 401 UNAUTHORIZED ("No jwt token passed")
+- Invalid token: 400 BAD_REQUEST with details
+
+## Related classes
+- `uk.gov.hmcts.cp.filters.jwt.JWTFilter`
+- `uk.gov.hmcts.cp.filters.jwt.JWTService`
+- `uk.gov.hmcts.cp.filters.jwt.AuthDetails`
+- `uk.gov.hmcts.cp.config.JWTConfig`

…ntrollers/CourtScheduleControllerIT.java …rtScheduleControllerIntegrationTest.javasrc/integrationTest/java/uk/gov/hmcts/cp/controllers/CourtScheduleControllerIT.java renamed to src/integrationTest/java/uk/gov/hmcts/cp/controllers/CourtScheduleControllerIntegrationTest.java src/integrationTest/java/uk/gov/hmcts/cp/controllers/CourtScheduleControllerIT.java renamed to src/integrationTest/java/uk/gov/hmcts/cp/controllers/CourtScheduleControllerIntegrationTest.java

@@ -2,11 +2,11 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.annotation.Resource;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.MediaType;
@@ -22,10 +22,10 @@
 @ExtendWith(SpringExtension.class)
 @SpringBootTest
 @AutoConfigureMockMvc
-class CourtScheduleControllerIT {
-    private static final Logger log = LoggerFactory.getLogger(CourtScheduleControllerIT.class);
+class CourtScheduleControllerIntegrationTest {
+    private static final Logger log = LoggerFactory.getLogger(CourtScheduleControllerIntegrationTest.class);
 
-    @Autowired
+    @Resource
     private MockMvc mockMvc;
 
     @Test

…rollers/RootControllerIntegrationIT.java …trollers/HealthCheckIntegrationTest.javasrc/integrationTest/java/uk/gov/hmcts/cp/controllers/RootControllerIntegrationIT.java renamed to src/integrationTest/java/uk/gov/hmcts/cp/controllers/HealthCheckIntegrationTest.java src/integrationTest/java/uk/gov/hmcts/cp/controllers/RootControllerIntegrationIT.java renamed to src/integrationTest/java/uk/gov/hmcts/cp/controllers/HealthCheckIntegrationTest.java

@@ -1,39 +1,27 @@
 package uk.gov.hmcts.cp.controllers;
 
+import jakarta.annotation.Resource;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 
-import static org.hamcrest.Matchers.containsString;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @ExtendWith(SpringExtension.class)
-@SpringBootTest
 @AutoConfigureMockMvc
-class RootControllerIntegrationIT {
+@SpringBootTest
+class HealthCheckIntegrationTest {
 
-    @Autowired
+    @Resource
     private MockMvc mockMvc;
 
-    @DisplayName("Should welcome upon root request with 200 response code")
-    @Test
-    void shouldCallRootAndGet200() throws Exception {
-        mockMvc.perform(get("/"))
-                .andDo(print())
-                .andExpect(status().isOk())
-                .andExpect(content()
-                        .string(containsString("Welcome to service-hmcts-marketplace-springboot-template")));
-    }
-
     @DisplayName("Actuator health status should be UP")
     @Test
     void shouldCallActuatorAndGet200() throws Exception {

src/integrationTest/java/uk/gov/hmcts/cp/filters/jwt/JWTFilterDisabledIntegrationTest.java

@@ -0,0 +1,33 @@
+package uk.gov.hmcts.cp.filters.jwt;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import jakarta.annotation.Resource;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+class JWTFilterDisabledIntegrationTest {
+
+    @Resource
+    MockMvc mockMvc;
+
+    @DisplayName("JWT filter should not complain of missing JWT when the filter is disabled")
+    @Test
+    void shouldNotFailWhenTokenIsMissingAndFilterIsDisabled() throws Exception {
+        mockMvc
+                .perform(
+                        MockMvcRequestBuilders.get("/")
+                ).andExpectAll(
+                        status().isOk(),
+                        content().string(containsString("Welcome to service-hmcts-springboot-template"))
+                );
+    }
+}

src/integrationTest/java/uk/gov/hmcts/cp/filters/jwt/JWTFilterIntegrationTest.java

@@ -0,0 +1,48 @@
+package uk.gov.hmcts.cp.filters.jwt;
+
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static uk.gov.hmcts.cp.filters.jwt.JWTFilter.JWT_TOKEN_HEADER;
+
+import jakarta.annotation.Resource;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.web.client.HttpClientErrorException;
+
+@SpringBootTest(properties = {"jwt.filter.enabled=true"})
+@AutoConfigureMockMvc
+class JWTFilterIntegrationTest {
+
+    @Resource
+    MockMvc mockMvc;
+
+    @Resource
+    private JWTService jwtService;
+
+    @Test
+    void shouldPassWhenTokenIsValid() throws Exception {
+        String jwtToken = jwtService.createToken();
+        mockMvc
+                .perform(
+                        MockMvcRequestBuilders.get("/")
+                                .header(JWT_TOKEN_HEADER, jwtToken)
+                ).andExpectAll(
+                        status().isOk(),
+                        content().string("Welcome to service-hmcts-springboot-template, " + JWTService.USER)
+                );
+    }
+
+    @Test
+    void shouldFailWhenTokenIsMissing() {
+        assertThatExceptionOfType(HttpClientErrorException.class)
+                .isThrownBy(() -> mockMvc
+                        .perform(
+                                MockMvcRequestBuilders.get("/")
+                        ))
+                .withMessageContaining("No jwt token passed");
+    }
+}

src/main/java/uk/gov/hmcts/cp/Application.java

@@ -5,6 +5,7 @@
 
 @SpringBootApplication
 @SuppressWarnings("HideUtilityClassConstructor")
+
 public class Application {
 
     public static void main(final String[] args) {

src/main/java/uk/gov/hmcts/cp/config/JWTConfig.java

@@ -0,0 +1,18 @@
+package uk.gov.hmcts.cp.config;
+
+import uk.gov.hmcts.cp.filters.jwt.AuthDetails;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.context.annotation.RequestScope;
+
+@Configuration
+public class JWTConfig {
+
+    @Bean
+    @RequestScope
+    // attributes are set in the filter
+    AuthDetails jwt(){
+        return AuthDetails.builder().build();
+    }
+}