devLap

Day 1: Building My Smart Reconciliation and Audit System from Scratch

java dev.to

Today I started building a Smart Reconciliation and Audit System , a real enterprise grade project that companies use to match uploaded financial transactions against system records and flag mismatches.

Just me, IntelliJ Idea, and a lot of errors.

What I built today,

  • Integrated JWT-based authentication to generate secure tokens for users,
  • Implemented role-based access control (Admin, Analyst, Viewer).
  • Configured Spring Security for stateless session management and endpoint protection.
  • Designed structured API request & response handling for clean communication between frontend and backend.
  • Secured user data by encrypting passwords using BCrypt.
  • Built logic to validate users and generate tokens dynamically during login.
  • Implemented request filtering to validate JWT tokens on every API call.
  • Seeded the database with default users (Admin, Analyst, Viewer) for testing and initial system setup.

Things I understood today:

  1. When User sends username & password to login endpoint.
  2. Server creates a UsernamePasswordAuthenticationToken using the credentials.
  3. This token is passed to AuthenticationManager
  4. AuthenticationManager internally calls UserDetailsService.loadUserByUsername() to fetches user data from database.
  5. Password is validated using PasswordEncoder (BCrypt).
  6. If valid → authentication is successful, If invalid → exception is thrown.
  7. Controller generates JWT token. It is sent back to the client.

For Subsequent Requests:

  1. Client sends request with the token.
  2. JWT Filter intercepts the request before controller.
  3. Filter extracts token and validates it using JwtUtil.
  4. If valid, Extract username, Load user again using UserDetailsService,Set authentication in SecurityContextHolder.
  5. Request proceeds to controller.

Mistakes I made

Mistake 1 — wrong JWT algorithm

Used SignatureAlgorithm.ES256 which requires an elliptic curve key pair — completely different setup. Should be HS256 which works with a simple string secret.

Mistake 2 — seeded users without encoding passwords

When creating default users in DataInitializer, I saved plain text passwords. Then login failed because passwordEncoder.matches() expects BCrypt hash, not plain text.

Tested in Postman:

  1. Role based authentication:

  2. Used Api Response for ensuring same structure:

Source: dev.to

arrow_back Back to Tutorials