diff --git a/backend/pom.xml b/backend/pom.xml
index 7ea176c..a7f0c46 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -41,6 +41,10 @@
jjwt
0.9.1
+
+ javax.xml.bind
+ jaxb-api
+
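Review bot: The version element of the new jaxb-api dependency is not visible in this rendering, so whether it is pinned or inherited from a parent BOM cannot be checked here; confirm which artifact actually resolves. The addition looks like the usual workaround for the legacy jjwt 0.9.1 artifact on Java 9+ runtimes, which still relies on `javax.xml.bind.DatatypeConverter` for Base64 handling. The maintained `jjwt-api`/`jjwt-impl`/`jjwt-jackson` coordinates (0.10 and later) drop that requirement and additionally reject HMAC keys shorter than the algorithm requires, which would be a better fix than adding JAXB back.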
diff --git a/backend/src/main/java/com/nellyxinwei/backend/config/JwtAthFilter.java b/backend/src/main/java/com/nellyxinwei/backend/config/JwtAthFilter.java
index 0e529e6..d6a4a1c 100644
--- a/backend/src/main/java/com/nellyxinwei/backend/config/JwtAthFilter.java
+++ b/backend/src/main/java/com/nellyxinwei/backend/config/JwtAthFilter.java
@@ -31,7 +31,7 @@ protected void doFilterInternal(
HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
- final String authHeader = request.getHeader(AUTHORIZATION);
+ final String authHeader = request.getHeader("Authorization");
final String userEmail;
final String jwtToken;
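Review bot: The header name at line 21 becomes a bare string literal in place of the `AUTHORIZATION` constant, which is easy to mistype and harder to find when the header handling changes; prefer the framework constant, `final String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);` with `org.springframework.http.HttpHeaders` imported, or keep a static import if the old constant was removed elsewhere in this commit. The null check for a missing header and the Bearer-prefix handling fall outside this hunk, as doFilterInternal continues past it.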
diff --git a/backend/src/main/java/com/nellyxinwei/backend/config/JwtUtils.java b/backend/src/main/java/com/nellyxinwei/backend/config/JwtUtils.java
index b340296..2c6f724 100644
--- a/backend/src/main/java/com/nellyxinwei/backend/config/JwtUtils.java
+++ b/backend/src/main/java/com/nellyxinwei/backend/config/JwtUtils.java
@@ -1,6 +1,6 @@
package com.nellyxinwei.backend.config;
-import java.sql.Date;
+import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@@ -15,7 +15,7 @@
@Component
public class JwtUtils {
- private String jwtSigningKey = "secret";
+ private String SECRET_KEY = "secret";
public String extractUsername(String token) {
return extractClaim(token, Claims::getSubject);
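Review bot: `private String SECRET_KEY = "secret";` at line 39 keeps the HMAC signing key hard-coded in source; the rename changes only the field name, and the jjwt 0.9.1 API treats that string as Base64-encoded key bytes, so "secret" yields only a few bytes of key material, far below the 256 bits HS256 expects. Anyone with read access to the repository can produce tokens the filter will accept, so the key must be supplied per environment rather than committed. Inject it from configuration, `@Value("${jwt.secret}") private String secretKey;`, with the value a randomly generated, Base64-encoded key of at least 32 bytes. UPPER_SNAKE_CASE is also conventionally reserved for `static final` constants, which this mutable instance field is not; the enclosing class continues past this hunk.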
@@ -25,22 +25,17 @@ public Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
}
- public boolean hasClaim(String token, String claimName) {
- final Claims claims = extractAllClaims(token);
- return claims.get(claimName) != null;
- }
-
public T extractClaim(String token, Function claimsResolver) {
final Claims claims = extractAllClaims(token);
return claimsResolver.apply(claims);
}
private Claims extractAllClaims(String token) {
- return Jwts.parser().setSigningKey(jwtSigningKey).parseClaimsJws(token).getBody();
+ return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
}
private Boolean isTokenExpired(String token) {
- return extractExpiration(token).before(new java.util.Date());
+ return extractExpiration(token).before(new Date());
}
public String generateToken(UserDetails userDetails) {
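Review bot: `isTokenExpired` at lines 58–61 only runs after `extractAllClaims` has succeeded, and with jjwt 0.9.1 `parseClaimsJws` already throws `ExpiredJwtException` when `exp` has passed, so the `before(new Date())` comparison is effectively never reached for an expired token and the real outcome is an exception the caller must handle. If the token carries no `exp` claim, `getExpiration()` returns null and the same line throws a NullPointerException instead. Either document on `isTokenValid` that callers must catch `JwtException`, or treat a missing expiration as expired: `final Date exp = extractExpiration(token); return exp == null || exp.before(new Date());`. Removing `hasClaim` is fine provided no caller outside this file still uses it.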
@@ -49,21 +44,29 @@ public String generateToken(UserDetails userDetails) {
}
public String generateToken(UserDetails userDetails, Map claims) {
- return createToken(claims, jwtSigningKey);
+ return createToken(claims, userDetails);
}
- private String createToken(Map claims, String subject) {
- return Jwts.builder().setClaims(claims)
+ private String createToken(Map claims, UserDetails userDetails) {
+
+ return Jwts.builder()
+ .setClaims(claims)
.setSubject(userDetails.getUsername())
.claim("authorities", userDetails.getAuthorities())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + TimeUnit.HOURS.toMillis(24)))
- .signWith(SignatureAlgorithm.HS256, jwtSigningKey).compact();
+ .signWith(SignatureAlgorithm.HS256, SECRET_KEY).compact();
}
- public Boolean isTokenValid(String token, UserDetails userDetails) {
+ public Boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}
+ public Boolean isTokenValid(String token, UserDetails userDetails) {
+ final String username = extractUsername(token);
+ return (username.equals(userDetails.getUsername()) &&
+ !isTokenExpired(token));
+ }
+
}
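Review bot: `isTokenValid` at lines 87–91 is a line-for-line copy of the new `validateToken` at lines 83–86; keeping both invites them to drift apart on the next change. Keep one implementation and let the other delegate, `public Boolean isTokenValid(String token, UserDetails userDetails) { return validateToken(token, userDetails); }`, or drop the new name if nothing calls it yet. `setIssuedAt(new Date(System.currentTimeMillis()))` at line 77 is simply `new Date()`. Because `extractUsername` performs the signature check, a tampered or malformed token surfaces from these methods as a `JwtException` rather than as `false`, which callers should be prepared for.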
diff --git a/backend/src/main/java/com/nellyxinwei/backend/config/SecurityConfig.java b/backend/src/main/java/com/nellyxinwei/backend/config/SecurityConfig.java
index 00ab86e..cb95779 100644
--- a/backend/src/main/java/com/nellyxinwei/backend/config/SecurityConfig.java
+++ b/backend/src/main/java/com/nellyxinwei/backend/config/SecurityConfig.java
@@ -1,10 +1,5 @@
package com.nellyxinwei.backend.config;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.tomcat.jni.User;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
@@ -13,11 +8,10 @@
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+// import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
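Review bot: Line 117 comments out the `BCryptPasswordEncoder` import while `NoOpPasswordEncoder` at line 118 stays imported, which suggests the `PasswordEncoder` bean now compares passwords in plaintext; the bean itself is outside this hunk, so confirm, but that configuration should not ship beyond local development. Restore the BCrypt import and bean before merging, or at minimum mark the NoOp bean with `// TODO: dev-only, replace with BCryptPasswordEncoder before release`. Delete commented-out imports rather than leaving them; version control already keeps the history.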
@@ -38,7 +32,10 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
+ .csrf().disable()
.authorizeRequests()
+ .antMatchers("/**/auth/**")
+ .permitAll()
.anyRequest()
.authenticated()
.and()
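Review bot: `.antMatchers("/**/auth/**")` at line 127 permits unauthenticated access to any path containing an `auth` segment at any depth, not only the authentication endpoint; restrict it to the prefix the AuthenticationController is actually mapped under, e.g. `.antMatchers("<auth-controller-path>/**")` with the leading `/**/` removed. `.csrf().disable()` at line 125 is acceptable only when the chain is stateless and the JWT is read from the Authorization header rather than a cookie; `SessionCreationPolicy` is imported at line 111 but the policy is set outside this hunk, so confirm `STATELESS` is applied. The securityFilterChain method continues past the end of this hunk.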
diff --git a/backend/src/main/java/com/nellyxinwei/backend/controllers/AuthenticationController.java b/backend/src/main/java/com/nellyxinwei/backend/controllers/AuthenticationController.java
index f5c2dd5..fb97672 100644
--- a/backend/src/main/java/com/nellyxinwei/backend/controllers/AuthenticationController.java
+++ b/backend/src/main/java/com/nellyxinwei/backend/controllers/AuthenticationController.java
@@ -4,7 +4,6 @@
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/backend/src/main/java/com/nellyxinwei/backend/dao/UserDao.java b/backend/src/main/java/com/nellyxinwei/backend/dao/UserDao.java
index 6907c91..d3e520e 100644
--- a/backend/src/main/java/com/nellyxinwei/backend/dao/UserDao.java
+++ b/backend/src/main/java/com/nellyxinwei/backend/dao/UserDao.java
@@ -23,7 +23,7 @@ public class UserDao {
"password",
Collections.singleton(new SimpleGrantedAuthority("ROLE_USER"))
)
- )
+ );
public UserDetails findUserByEmail(String email) {
return APPLICATION_USERS