I have been working as a software developer in the industry for 5+ years. Lately, I have felt that I want to pick a niche and create content around it. That is how I ended up creating this blog.
Here you will find blog posts and videos about the application security niche. Since I mostly use Java technologies, I started by creating content about the Spring Security framework.
If you would like to reach out to me, you can find me here:
One of the top videos I have seen explaining the Spring Security architecture. I have noticed that you have uploaded only one video on your channel. Do you have another channel, or have you stopped making videos? I hope it's not the second scenario.
I was expecting something like this, in detail; you fully cleared up each and every scenario. Well done, and I appreciate your time and effort. Just a suggestion: if possible, replace your security class with the latest Spring version, so you don't need to use the adapter class. Thanks again!!!!
Glad it helped! Yes, I should release a new video with the upgrade. Meanwhile, you can read this blog post: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
Thanks bro, it helped me fix a bug. Though I am using Spring Security 6, I still got help. Please, can you upload a video for Spring Security 6? A few things have changed 😊
Glad it helped! Yes, I should release a new video with the upgrade. Meanwhile, you can read this blog post: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
Bro, keep going, you are doing great... I have seen a lot of channels, and everybody, except a few, simply doesn't explain what's happening behind the scenes. Thanks for the clip.
I will recommend this video to anyone who wants to learn Spring Security in depth. The way you explained it is so cool, and the diagram is so clear that everyone can easily understand what is what. Thanks, man!
If you don't set it, then the request will not be authenticated, so the request can't access the endpoint. You can check the following blog post to understand why: backendstory.com/spring-security-authorization-mechanism/
@BackendStory Thank you for the article. I would like to understand this further: in scenario 3, since the customJWTTokenFilter is now invoked before UsernamePasswordAuthenticationFilter, will UsernamePasswordAuthenticationFilter still get invoked and fully run through its filter logic if the request is authenticated in the JWTTokenFilter and setContext() is called? Will the result be different if we did not call setContext()?
@grayyeung757 Sorry for the late response. UsernamePasswordAuthenticationFilter will not be invoked if the request is authenticated. The reason for that is that UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter. If you check AbstractAuthenticationProcessingFilter, you will see that its doFilter() method checks whether the given request is already authenticated or not. I know this sounds a bit complicated, but things get easier once you debug these flows by putting breakpoints in the Spring Security classes. So, I would suggest debugging these classes to check whether the behaviour is as expected.
Hey, man! I just wanted to express my heartfelt appreciation for this tutorial. It has been immensely helpful in explaining the difference in implementation between normal login and JWT (JSON Web Token). The diagram you provided was a game-changer. Initially, I was utterly confused about how it all worked, especially since authentication providers usually handle the authentication logic. I couldn't understand why we would give the JWT authentication filter all the responsibility when we could simply write a JWT authentication provider. However, thanks to your clear explanation and the diagram, everything fell into place. It felt like a breath of fresh air, bringing much-needed clarity. Once again, thank you so much!
I don't understand the UsernamePasswordAuthenticationToken's 3-argument constructor: 1. (username, null, new ArrayList<>()) 2. (username, password, new ArrayList<>()). When do we make the credentials null, and when not?
At 44:40, I first validate the JWT token, so we know that the username and password were already checked before. This is because the user gets the JWT token after username and password verification. At 44:40, we validate the JWT token. Once it is validated, we do not need to provide the password. Short answer: provide the password for a login attempt; the AuthenticationManager will need it to verify the user's authentication. You don't need to provide it for authorization if you are already validating the JWT token.
Thanks for the great video again. It helped me add Spring Security authentication/authorization to my API. But I am now building another API and would like to use the same logic to add authentication there. For this, I don't want to simply copy/paste code and violate DRY. When it comes to Spring Security, would moving the Spring Security configuration class, the AuthenticationFilter and the AuthorizationFilter to a library and then simply reusing that library in both of my APIs solve this problem? I know how to create a library, but I am not very experienced with Spring Security and wonder if this is a good approach. Thanks again!
Hey Dino, sorry for the late response. That's exactly how I have used the same code across different codebases before. You can have a common library that handles authentication and authorization, and just import it as a dependency. So, it is a good approach. :)
I'm a little confused about UsernamePasswordAuthenticationToken. Why do we sometimes use this token with 2 parameters and sometimes with 3? What are the differences? And the last question: when we set the authentication on the context holder, is the UsernamePassword filter going to check for authorization again, or bypass it?
I'm here to say thanks so much from Colombia. I've seen many videos about Spring Security trying to understand its architecture, and none of them has your excellent explanation (not even the Spring Security documentation). Thanks again!!
This is a really good video, thanks for putting in the time to make it. A question on all of this: since Spring Boot 3 is out and there are some new ways of doing things (WebSecurityConfigurerAdapter, for example), would you still recommend using the same approach you have provided in this video, or would you recommend doing things differently? Also, what about encryption? You haven't included any sort of encryption in your setup; is this something that I should definitely implement? I am creating a backend for a web application, where I will be using a front-end framework like Angular to consume my API endpoints in the backend. In this case, is everything else the same once you have implemented the setup you have provided? For instance, you have a custom user with a custom UserDetailsService and just go about things as you would normally, knowing that the application is ensuring that only authenticated users are gaining access to the right endpoints? Bit of a noob question, but this is pretty new to me. If there's any way I can get a little more guidance from you (potentially paid 1-1), do let me know, as you seem very knowledgeable on Spring Security. Thanks!
Hi! I will try to answer your questions paragraph by paragraph. I recorded this video for educational purposes, so I wouldn't rely on the code samples I shared in the video directly, since your requirements might be different. What I tried to explain is how things work under the hood. That was the goal. :) The framework changes over time, as you say, and WebSecurityConfigurerAdapter is the latest change. I wrote a blog post about how to replace WebSecurityConfigurerAdapter. I believe you will find it useful as well: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/ Regarding encryption, yes, you need to use it. I use BCryptPasswordEncoder in the video and can suggest it. It is safe against rainbow-table attacks because it adds a random salt to the generated hash. If you don't know what hashing and salting are, this video is a great summary: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE---tnZMuoK3E.html&ab_channel=Seytonic You can use a custom UserDetailsService in most cases, yes. However, I would need to understand your business needs first before giving clear advice. If you want a 1-1 meeting, please send me an email regarding this thread so we can schedule a meeting: ugurcanlacin@gmail.com
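The salting claim in the reply above, as an added example that is not code from the video or the blog: it uses only BCryptPasswordEncoder from spring-security-crypto, and the sample password and the low-cost "legacy" hash are constructed for the demonstration. It shows why two hashes of the same password differ, why both still verify, and how the cost factor stored in the hash lets you detect hashes that need re-hashing.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Why BCrypt resists rainbow tables: every encode() call draws a fresh random
 * salt and stores it, together with the cost factor, inside the hash string.
 * Needs spring-security-crypto on the classpath; no Spring context required.
 */
public class BcryptSaltDemo {

    /** Hash the same password twice and return both hashes. */
    static String[] hashTwice(PasswordEncoder encoder, String rawPassword) {
        return new String[] { encoder.encode(rawPassword), encoder.encode(rawPassword) };
    }

    public static void main(String[] args) {
        // Strength is log2 of the number of rounds. 10 is the default; raise it as hardware gets faster.
        PasswordEncoder encoder = new BCryptPasswordEncoder(10);
        String rawPassword = "correct horse battery staple"; // constructed sample input

        String[] hashes = hashTwice(encoder, rawPassword);
        System.out.println(hashes[0]); // layout: $2a$10$ followed by a 22-char salt and a 31-char hash
        System.out.println(hashes[1]);
        if (hashes[0].equals(hashes[1])) {
            throw new IllegalStateException("salts should differ between encode() calls");
        }

        // matches() parses the salt and cost back out of the stored string, so a precomputed
        // table of unsalted hashes is useless against either stored value.
        boolean ok1 = encoder.matches(rawPassword, hashes[0]);
        boolean ok2 = encoder.matches(rawPassword, hashes[1]);
        boolean bad = encoder.matches("wrong password", hashes[0]);
        if (!ok1 || !ok2 || bad) {
            throw new IllegalStateException("verification did not behave as expected");
        }

        // Because the cost lives in the hash, hashes made with a weaker cost can be detected
        // and re-hashed at the user's next successful login.
        String legacyHash = new BCryptPasswordEncoder(4).encode(rawPassword); // constructed "old" hash
        System.out.println("legacy hash needs upgrade: " + encoder.upgradeEncoding(legacyHash));
        System.out.println("current hash needs upgrade: " + encoder.upgradeEncoding(hashes[0]));
    }
}
```

Store only the string returned by encode(); never store the salt separately, because it is already embedded in the hash and matches() reads it from there.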
@BackendStory And I also wonder what the code below means. Does it mean letting Spring Security remember that this user is already authenticated, to avoid authenticating again when the request comes in again?
```java
// Three-argument constructor: an authenticated token with no credentials and an empty authority list
UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username, null, new ArrayList<>());
// Attach request details (remote address, session id) to the token
authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
// Publish the token for the rest of this request's filter chain and the controller
SecurityContextHolder.getContext().setAuthentication(authToken);
```
@user-yw8np2ph3w No, it is a one-time thing for this scenario, because we use stateless session management. The code piece that you quoted authenticates the incoming request only in the request's thread, so the request can hit the controller class. When the controller class finishes its job, such as calling the underlying service or util classes, the request ends by returning a response. Once the response is sent, the SecurityContext is wiped from the thread. For every request, a completely new and empty SecurityContext is created, hence with no stored authentication, etc. This response might also be helpful: stackoverflow.com/a/67681782
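The two constructors asked about in the questions above and the per-request lifetime described in this reply, as an added runnable example that is not code from the video or the blog: it builds an AuthenticationManager by hand from spring-security-core classes instead of letting Spring Boot wire one, and the user, password and role are constructed sample values. It shows that the two-argument token is unauthenticated and must go through the AuthenticationManager, that the three-argument token is already authenticated and needs no password, and that whatever is put into the SecurityContextHolder is visible only on the current thread until it is cleared.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Login (scenario 1) versus an already-validated JWT (scenario 3): which
 * UsernamePasswordAuthenticationToken constructor to use and how long the
 * SecurityContext lives. Needs spring-security-core and spring-security-crypto
 * on the classpath; no Spring Boot context is started.
 */
public class TokenLifecycleDemo {

    // Hand-built stand-in for the AuthenticationManager Spring Security wires for you in a real app.
    static AuthenticationManager authenticationManager() {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample user; in the video this comes from a custom UserDetailsService.
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice").password(encoder.encode("s3cret")).roles("USER").build());
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }

    /** Login attempt: the password is required, the AuthenticationManager verifies it. */
    static Authentication login(AuthenticationManager manager, String username, String password) {
        // Two-argument constructor: isAuthenticated() is false. The manager has to prove the identity.
        Authentication attempt = new UsernamePasswordAuthenticationToken(username, password);
        // Throws BadCredentialsException on a wrong password. On success it returns a new token
        // that is authenticated, carries the user's authorities, and has its credentials erased.
        return manager.authenticate(attempt);
    }

    /** Request carrying a JWT that has already been validated: the password was checked when the token was issued. */
    static Authentication fromValidatedJwt(String username, List<String> roles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Three-argument constructor: isAuthenticated() is true and credentials are null.
        // This is the only way to build a trusted token: setAuthenticated(true) on a
        // two-argument token throws IllegalArgumentException.
        Authentication auth = new UsernamePasswordAuthenticationToken(username, null, authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }

    public static void main(String[] args) throws InterruptedException {
        AuthenticationManager manager = authenticationManager();

        Authentication afterLogin = login(manager, "alice", "s3cret");
        System.out.println("login: authenticated=" + afterLogin.isAuthenticated()
                + " credentials=" + afterLogin.getCredentials()
                + " authorities=" + afterLogin.getAuthorities());

        Authentication fromJwt = fromValidatedJwt("alice", Arrays.asList("ROLE_USER"));
        System.out.println("jwt: authenticated=" + fromJwt.isAuthenticated()
                + " credentials=" + fromJwt.getCredentials());

        // The default SecurityContextHolder strategy is MODE_THREADLOCAL, so the authentication
        // set above is visible only on this (the request's) thread.
        Thread other = new Thread(() -> System.out.println("other thread sees: "
                + SecurityContextHolder.getContext().getAuthentication()));
        other.start();
        other.join();

        // At the end of a request the filter chain does this for you; with stateless session
        // management nothing is saved, so the next request starts from an empty context.
        SecurityContextHolder.clearContext();
        System.out.println("after clearContext: " + SecurityContextHolder.getContext().getAuthentication());

        try {
            new UsernamePasswordAuthenticationToken("alice", "s3cret").setAuthenticated(true);
        } catch (IllegalArgumentException e) {
            System.out.println("setAuthenticated(true) rejected: " + e.getMessage());
        }
    }
}
```

If the JWT filter ever skips the three-argument constructor and sets a two-argument token into the context, the request is still treated as unauthenticated downstream, which is the failure described in the reply about not calling setContext().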
I started watching this tutorial and suddenly thought I needed to see what other topics you have explained. I came to your channel and became sad to find you have only one video. Please cover some more topics. I am subscribing to your channel in the hope of finding more content from you.
Glad you liked the video, Rakib! I am creating content for both the blog and YouTube. However, YouTube takes more energy to finalize a video, unfortunately. But I hear you and will work on the next video as soon as possible. Thanks for the feedback! You can have a look at the blog meanwhile: backendstory.com/
If I had to keep just one tutorial about Spring Security, this is the only one. How amazing that you can cover Spring Security in so much depth and detail in just one hour. Thank you for sharing with us, respected!
He is simply a genius at it. I am keeping it as my best tutorial. However, it looks so simple because we have watched several security videos before, so we acknowledge the effort of those we watched in the past. Such a sweet explanation. God bless you.
Sadly you are on Spring Boot 2.6.3, which means that you are still using the old way of configuring web security with now-deprecated classes. Looking forward to seeing your code updated to modern standards. Thank you.
Yes, you are right. However, I do not think I will record another 70-minute video just for a couple of deprecated classes. :( If you had to choose one scenario here, which one would interest you with an up-to-date Spring Security version? :)
@@BackendStory You know the current trend is authenticating and authorizing with JWT, and if I was you I would just do a simple example with an admin / user log-in authentications with roles, also I have to disagree with the concept that it was just a few deprecated classes as that the classes don't actually matter more than it is about how to build and configure security and little things like using the Lambda DSL to name a few .. but you are right not worth making a 2 hours long video for it because your amazing slides explaining what goes under the hood with spring boot does not need to get repeated, you can have a straight coding example and refer people to this video as a foundation. I hope I did thank you in my previews reply because I see your explaining professional and straight to the point. but thanks again and consider me as a subscriber.
@@maxjustmax521 Thanks a lot for spending time for the comments. These are gold to me. I added into my todo list following video prep => create video for proper JWT authentication/authorization coding with jpa and up to date Spring Security.
Hi Max, I updated the code with component based configuration by removing deprecated WebSecurityConfigurerAdapter. You can have a look at it if you still need it. For your information :) backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
At 53:54 I had to change in supports() method the .equals for this: (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)). Just in case anyone is struggling like me with this.