{"id":13806065,"url":"https://github.com/dhatim/dropwizard-jwt-cookie-authentication","last_synced_at":"2026-01-12T09:12:22.355Z","repository":{"id":3545378,"uuid":"49969573","full_name":"dhatim/dropwizard-jwt-cookie-authentication","owner":"dhatim","description":"Dropwizard bundle managing authentication through JWT cookies","archived":false,"fork":false,"pushed_at":"2025-09-25T20:07:46.000Z","size":315,"stargazers_count":36,"open_issues_count":4,"forks_count":11,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-09-25T22:18:11.952Z","etag":null,"topics":["cookie","dropwizard","java","jwt","module"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dhatim.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-01-19T17:22:10.000Z","updated_at":"2025-09-21T04:27:55.000Z","dependencies_parsed_at":"2023-02-14T18:31:20.970Z","dependency_job_id":"44586a56-a9b5-482b-a117-f4968448ac1f","html_url":"https://github.com/dhatim/dropwizard-jwt-cookie-authentication","commit_stats":null,"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"purl":"pkg:github/dhatim/dropwizard-jwt-cookie-authentication","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fdropwizard-jwt-cookie-authentication","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fdropwizard-jwt-cookie-authentication/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fdropwiz
ard-jwt-cookie-authentication/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fdropwizard-jwt-cookie-authentication/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dhatim","download_url":"https://codeload.github.com/dhatim/dropwizard-jwt-cookie-authentication/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhatim%2Fdropwizard-jwt-cookie-authentication/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28337655,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T06:09:07.588Z","status":"ssl_error","status_checked_at":"2026-01-12T06:05:18.301Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cookie","dropwizard","java","jwt","module"],"created_at":"2024-08-04T01:01:07.530Z","updated_at":"2026-01-12T09:12:22.330Z","avatar_url":"https://github.com/dhatim.png","language":"Java","readme":"[![Build Status](https://github.com/dhatim/dropwizard-jwt-cookie-authentication/workflows/build/badge.svg)](https://github.com/dhatim/dropwizard-jwt-cookie-authentication/actions)\n[![Maven 
Central](https://maven-badges.herokuapp.com/maven-central/org.dhatim/dropwizard-jwt-cookie-authentication/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.dhatim/dropwizard-jwt-cookie-authentication)\n[![Coverage Status](https://coveralls.io/repos/github/dhatim/dropwizard-jwt-cookie-authentication/badge.svg?branch=master)](https://coveralls.io/github/dhatim/dropwizard-jwt-cookie-authentication?branch=master)\n[![Javadoc](https://www.javadoc.io/badge/org.dhatim/dropwizard-jwt-cookie-authentication.svg)](http://www.javadoc.io/doc/org.dhatim/dropwizard-jwt-cookie-authentication)\n[![Mentioned in Awesome Dropwizard](https://awesome.re/mentioned-badge.svg)](https://github.com/stve/awesome-dropwizard)\n\n**Please note version 5 requires Java 11 and Dropwizard 4.**\n\n# dropwizard-jwt-cookie-authentication\n\nStatelessness is not only an architectural constraint of RESTful applications, it also comes with a lot of advantages regarding scalability and memory usage.\n\nA common pattern is to provide the client with a signed JWT containing all necessary authorization and/or session state information. This JWT must then be passed along subsequent requests, usually in bearer Authorization HTTP headers.\n\nHowever, in the particular case where clients of the RESTful application are web applications, it is much more interesting to use cookies. The browser will automatically read, store, send and expire the tokens, saving front-end developers the hassle of doing it themselves.\n\nThis dropwizard bundle makes things simple for back-end developers too. It automatically serializes/deserializes session information into/from JWT cookies.\n\n## Enabling the bundle\n\n### Add the dropwizard-jwt-cookie-authentication dependency\n\nAdd the dropwizard-jwt-cookie-authentication library as a dependency to your `pom.xml` file:\n\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003eorg.dhatim\u003c/groupId\u003e\n    \u003cartifactId\u003edropwizard-jwt-cookie-authentication\u003c/artifactId\u003e\n    \u003cversion\u003e5.1.3\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n### Edit your app's Dropwizard YAML config file\n\nThe default values are shown below. If they suit you, this step is optional.\n\n```yml\njwtCookieAuth:\n  secretSeed: null\n  secure: false\n  httpOnly: true\n  domain: null\n  sameSite: null\n  sessionExpiryVolatile: PT30m\n  sessionExpiryPersistent: P7d\n```\n\n### Add the 'JwtCookieAuthConfiguration' to your application configuration class:\n\nThis step is also optional if you skipped the previous one.\n\n```java\n@Valid\n@NotNull\nprivate JwtCookieAuthConfiguration jwtCookieAuth = new JwtCookieAuthConfiguration();\n\npublic JwtCookieAuthConfiguration getJwtCookieAuth() {\n  return jwtCookieAuth;\n}\n```\n\n### Add the bundle to the dropwizard application\n\n```java\npublic void initialize(Bootstrap\u003cMyApplicationConfiguration\u003e bootstrap) {\n  bootstrap.addBundle(JwtCookieAuthBundle.getDefault());\n}\n```\n\nIf you have a custom configuration for the bundle, specify it like so:\n```java\nbootstrap.addBundle(JwtCookieAuthBundle.getDefault().withConfigurationSupplier(MyAppConfiguration::getJwtCookieAuth));\n```\n\n## Using the bundle\n\nBy default, the JWT cookie is serialized from / deserialized into an instance of [`DefaultJwtCookiePrincipal`](http://static.javadoc.io/org.dhatim/dropwizard-jwt-cookie-authentication/3.0.0/org/dhatim/dropwizard/jwt/cookie/authentication/DefaultJwtCookiePrincipal.html).\n\nWhen the user authenticates, you must put an instance of `DefaultJwtCookiePrincipal` in the security context (which you can inject in your resources using the `@Context` annotation) using `JwtCookiePrincipal.addInContext`:\n```java\nJwtCookiePrincipal principal = new DefaultJwtCookiePrincipal(name);\nprincipal.addInContext(context);\n```\n\nOnce a principal has been set, it can be retrieved using the `@Auth` annotation in method signatures. You can also use `CurrentPrincipal.get()` within the request thread.\n\nEach time an API endpoint is called, a fresh JWT cookie is issued to reset the session TTL. You can use the `@DontRefreshSession` annotation on methods where this behavior is unwanted.\n\nTo specify a max age in the cookie (aka \"remember me\"), use `DefaultJwtCookiePrincipal.setPersistent(true)`.\n\nThis is a stateless authentication method, so there is no real way to invalidate a session other than waiting for the JWT to expire. However, calling `JwtCookiePrincipal.removeFromContext(context)` will make browsers discard the cookie by setting its expiration to a past date.\n\nPrincipal roles can be specified via the `DefaultJwtCookiePrincipal.setRoles(...)` method. You can then define fine-grained access control using annotations such as `@RolesAllowed` or `@PermitAll`.\n\nAdditional custom data can be stored in the Principal using `DefaultJwtCookiePrincipal.getClaims().put(key, value)`.\n\n## Sample application resource\n```java\n@POST\n@Consumes(MediaType.APPLICATION_JSON)\n@Produces(MediaType.APPLICATION_JSON)\npublic DefaultJwtCookiePrincipal login(@Context ContainerRequestContext requestContext, String name){\n    DefaultJwtCookiePrincipal principal = new DefaultJwtCookiePrincipal(name);\n    principal.addInContext(requestContext);\n    return principal;\n}\n\n@GET\n@Path(\"logout\")\npublic void logout(@Context ContainerRequestContext requestContext){\n    JwtCookiePrincipal.removeFromContext(requestContext);\n}\n\n@GET\n@Produces(MediaType.APPLICATION_JSON)\npublic DefaultJwtCookiePrincipal getPrincipal(@Auth DefaultJwtCookiePrincipal principal){\n    return principal;\n}\n\n@GET\n@Path(\"idempotent\")\n@Produces(MediaType.APPLICATION_JSON)\n@DontRefreshSession\npublic DefaultJwtCookiePrincipal getSubjectWithoutRefreshingSession(@Auth DefaultJwtCookiePrincipal principal){\n    return principal;\n}\n\n@GET\n@Path(\"restricted\")\n@RolesAllowed(\"admin\")\npublic String getRestrictedResource(){\n    return \"SuperSecretStuff\";\n}\n```\n\n## Custom principal implementation\n\nIf you want to use your own Principal class instead of the `DefaultJwtCookiePrincipal`, simply implement the interface `JwtCookiePrincipal` and pass it to the bundle constructor along with functions to serialize it into / deserialize it from JWT claims.\n\ne.g.:\n\n```java\nbootstrap.addBundle(new JwtCookieAuthBundle\u003c\u003e(MyCustomPrincipal.class, MyCustomPrincipal::toClaims, MyCustomPrincipal::new));\n```\n\n## JWT Signing Key\n\nBy default, the signing key is randomly generated on application startup. This means that users will have to re-authenticate after each server reboot.\n\nTo avoid this, you can specify a `secretSeed` in the configuration. This seed will be used to generate the signing key, which will therefore be the same at each application startup.\n\nAlternatively, you can specify your own key provider:\n```java\nbootstrap.addBundle(JwtCookieAuthBundle.getDefault().withKeyProvider((configuration, environment) -\u003e {/*return your own key*/}));\n```\n\n## Manual Setup\n\nIf you need [Chained Factories](https://www.dropwizard.io/en/latest/manual/auth.html#chained-factories) or [Multiple Principals and Authenticators](https://www.dropwizard.io/en/latest/manual/auth.html#multiple-principals-and-authenticators), don't register the bundle directly. Instead, use its `getAuthRequestFilter` and `getAuthResponseFilter` methods to set up authentication manually.\n\nYou will also be responsible for generating the signing key and registering `RolesAllowedDynamicFeature` or `DontRefreshSessionFilter` if they are needed.\n\nExample:\n\n```java\nJwtCookieAuthBundle jwtCookieAuthBundle = new JwtCookieAuthBundle\u003c\u003e(\n    MyJwtCookiePrincipal.class,\n    MyJwtCookiePrincipal::toClaims,\n    MyJwtCookiePrincipal::new);\n\nSecretKey key = JwtCookieAuthBundle.generateKey(configuration.getJwtCookieAuth().getSecretSeed());\n\nenvironment.jersey().register(\n        new PolymorphicAuthDynamicFeature\u003c\u003e(\n                ImmutableMap.of(\n                        MyJwtCookiePrincipal.class, jwtCookieAuthBundle.getAuthRequestFilter(key),\n                        MyBasicPrincipal.class, new BasicCredentialAuthFilter.Builder\u003cMyBasicPrincipal\u003e()\n                            .setAuthenticator(new MyBasicAuthenticator())\n                            .setRealm(\"SUPER SECRET STUFF\")\n                            .buildAuthFilter()\n                )\n        )\n);\nenvironment.jersey().register(new PolymorphicAuthValueFactoryProvider.Binder\u003c\u003e(ImmutableSet.of(MyJwtCookiePrincipal.class, MyBasicPrincipal.class)));\nenvironment.jersey().register(RolesAllowedDynamicFeature.class);\nenvironment.jersey().register(DontRefreshSessionFilter.class);\nenvironment.jersey().register(jwtCookieAuthBundle.getAuthResponseFilter(key, configuration.getJwtCookieAuth()));\n```\n\n## Javadoc\n\nIt's [here](http://www.javadoc.io/doc/org.dhatim/dropwizard-jwt-cookie-authentication).\n","funding_links":[],"categories":["Open Source"],"sub_categories":["Authentication"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhatim%2Fdropwizard-jwt-cookie-authentication","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdhatim%2Fdropwizard-jwt-cookie-authentication","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhatim%2Fdropwizard-jwt-cookie-authentication/lists"}