Hello, I realized that WebSecurityConfigurerAdapter is deprecated since Spring Boot 2.7.0. Are you going to make a video on how to use it, I mean without using WebSecurityConfigurerAdapter? I tried to apply it, but it did not work for me. Thanks
This entire tutorial is full of bad practices and it is outdated. And it is using JWTs as session holders, which is VERY INSECURE. You should NEVER use this tutorial. He is basically building functionality that already exists in Spring Security, but he is building it worse and much more insecure. He clearly has absolutely no idea how security actually works. Handling of JWTs has existed in Spring Security since 2017. This clearly shows that the author hasn't even read the official Spring Security documentation, as he seems totally unaware of this fact. Why use a security framework if you do not intend to use its features? Writing a custom solution like this adds more 3rd-party dependencies to your project, makes code harder to maintain and is more likely to break in future updates. Also, if you accidentally introduce a bug, the entire application and its data may be compromised. It's sad that "youtubers" are not better informed and don't actually read documentation before making these videos and posing as some sort of expert.
I'm impressed - you provided a full example of a JWT implementation. I can follow each step and you explain every step very well. Trying to look all of this stuff up by myself would have cost me months. THANK YOU, SIR!
I just wanted to ask about the endpoint "/login"; I did not see it anywhere. Can you please explain how the flow in the code works when you use the /login endpoint? Thank you very much
That's awesome as always! It would also be really helpful if you could show us how to configure security without WebSecurityConfigurerAdapter, because it's deprecated since Spring Security 5.7.0-M2. Thanks!!!
Could you write a frontend for this application with your specific design? It would be a great masterclass from a cosmopolitan developer like you for junior developers like me. I'll wait for its frontend. Thanks, brotha
Hello 👋 Can you please make an updated version of this video, since WebSecurityConfigurerAdapter is deprecated and Spring recommends using the filter chain concept? Thank you 😊
This is a fantastic tutorial. Even though some of the concepts like "WebSecurityConfigurerAdapter" are deprecated, it was good to know. This is the first time I have actually understood the flow of authentication and authorization. Thank you.
This was a fun project. I learned how to secure my API routes, how to authenticate and authorize, as well as how to send a refresh token. It would be awesome if you did this project again but with best practices, maybe as a follow-up or a more advanced video. Thank you to both of you guys for providing such an informative tutorial.
I know I'm a bit late, but did you also name your main entity class "User"? I named mine Employee and then used the User class from the security package, and I'm struggling to figure out which one to use for the refresh token part.
Wonderful course!!! Thanks a ton for taking the time and coming up with something this good. It's very helpful!!! I'm unable to find the GitHub link for this tutorial; please share the GitHub link 😞
Sorry Sir, but I'm confused: you posted this video in 2020, and in 2023 you posted another video about JWT, so what is the difference between the two videos, sir? Can I use the JWT from this video? Thank you.
Following this tutorial, it's cool so far, good lookin' out! Just a little comment: you mentioned that calling the class "User" is a bad idea, but actually, it's a terrible idea. I picked PostgreSQL instead of MySQL, and apparently "User" is a reserved keyword there, so it was crashing until I changed User into something else ("Member" in my case).
Also, you can add a new property in the application.properties file: spring.jpa.properties.hibernate.auto_quote_keyword=true. This will add quotes to keywords.
Thank you guys for a wonderful video! One question: when sending a request without an Authorization header, I am not receiving any message body, as shown in the video. Just status 403 Forbidden, that is it. Did anyone face a similar issue?
Hi, I need some help/clarification. At 1:24, when you test in Postman, how do the passwords get matched? Because I am following along and I get the message "Encoded password does not look like BCrypt"... Thanks
So I figured it out. At 58:16, when he overrides loadUserByUsername and returns the User, you must add ---> .User(user.get().getEmail(), new BCryptPasswordEncoder().encode(user.get().getPassword()), authorities) --> so the password gets encoded for the comparison. Hope it helps others who may be stuck!
Great video. One word of warning though: be careful catching all exceptions as is done in the doFilterInternal method at 1:43:50. Any exceptions coming from later in the filter chain will be caught here, and you may end up with a red-herring "401 Unauthorized" error that has nothing to do with authorization. I hope this saves someone the frustration of trying to debug an authorization problem which isn't even there.
This is a good tutorial. However, the problem is that WebSecurityConfigurerAdapter is now deprecated; thus, the method used in the second section is not reliable now. You could try to use different methods, but it breaks your course path and might get you confused.
Hi Nelson, I follow your channel, and I started programming in Java thanks to your really well-made videos. The passion you transmit in teaching is incredible. I am still very inexperienced and I am approaching software applications with microservice architectures. I'm struggling a bit to understand how to start a microservice and how to get them to communicate with each other. I can't quite understand how to integrate Docker and Kubernetes. When you get the chance, will you be able to make a small example of how to create multiple microservices in Spring Boot and integrate Docker with Kubernetes? Thanks Nelson. Support from Italy!
I think you also need to verify that the refresh token is not an access token. Otherwise, a compromised but still valid access token can be used to get a new refresh token, making the entire refresh-token business irrelevant.
Cool video... only one thing: when sending a refreshToken to get a new accessToken, it is good practice to create a new refreshToken as well. A small thing, but it helps, so that the refreshToken always has a longer expiry date-time than the accessToken.
This tutorial is amazing! Since WebSecurityConfigurerAdapter has been deprecated in the latest version of Spring Boot/Security, is there a new video planned to update the content of this portion of the tutorial? It would be nice to see how to set up the SecurityConfiguration class using the @EnableGlobalMethodSecurity annotation and the SecurityFilterChain class. Meanwhile, I'll try to convert that portion of the tutorial and figure it out. Again, thank you! Very informative!
@2:01:29 you can replace *.equals()* with *.startsWith()* to allow the endpoints starting with a prefix. Therefore, a possible solution is _request.getServletPath().startsWith("/api/token")_
Hey, this was a great project, but I have a simple problem with WebSecurityConfigurerAdapter: I can't import it. Can you help me with that? Thanks anyway.
I have followed this excellent tutorial and it works fine, but the refresh token endpoint can be accessed using the access token instead of the refresh token. Is this behavior okay? If an attacker steals the access token, they could refresh it indefinitely without needing to know the refresh token. Anyway, thanks for your work!
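The three comments above (the one about verifying that a refresh token is not an access token, the one about issuing a new refresh token on every refresh, and this one about the refresh endpoint accepting an access token) describe one fix. The following is an added example, not code from the video or its author: a small token service that stamps every JWT with a type claim, refuses a refresh request that presents an access token, and rotates both tokens on refresh. It assumes the auth0 java-jwt library, Java 17, and a hypothetical claim named "token_type"; the roles lookup is passed in as a function so the example has no database dependency.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.function.Function;

// Added example (not the tutorial's code). Library: com.auth0:java-jwt (assumed).
public class TokenService {

    private static final String TOKEN_TYPE_CLAIM = "token_type"; // assumed claim name
    private static final String ACCESS = "access";
    private static final String REFRESH = "refresh";

    private final Algorithm algorithm;
    private final Duration accessTtl;
    private final Duration refreshTtl;

    public TokenService(byte[] secret, Duration accessTtl, Duration refreshTtl) {
        this.algorithm = Algorithm.HMAC256(secret);
        this.accessTtl = accessTtl;
        this.refreshTtl = refreshTtl;
    }

    public record TokenPair(String accessToken, String refreshToken) {}

    // Issue a fresh pair. Both tokens carry the subject and a type claim; only the
    // short-lived access token carries the roles, since the refresh token is never
    // used for authorization decisions.
    public TokenPair issue(String username, List<String> roles) {
        Instant now = Instant.now();
        String access = JWT.create()
                .withSubject(username)
                .withClaim(TOKEN_TYPE_CLAIM, ACCESS)
                .withArrayClaim("roles", roles.toArray(new String[0]))
                .withIssuedAt(Date.from(now))
                .withExpiresAt(Date.from(now.plus(accessTtl)))
                .sign(algorithm);
        String refresh = JWT.create()
                .withSubject(username)
                .withClaim(TOKEN_TYPE_CLAIM, REFRESH)
                .withIssuedAt(Date.from(now))
                .withExpiresAt(Date.from(now.plus(refreshTtl)))
                .sign(algorithm);
        return new TokenPair(access, refresh);
    }

    // Signature and expiry are checked by the library; the type check is separate and
    // is what stops a leaked access token from being replayed at the refresh endpoint.
    public DecodedJWT verify(String token, String expectedType) {
        DecodedJWT jwt = JWT.require(algorithm).build().verify(token); // throws JWTVerificationException
        String type = jwt.getClaim(TOKEN_TYPE_CLAIM).asString();
        if (!expectedType.equals(type)) {
            throw new JWTVerificationException("expected a " + expectedType + " token but got: " + type);
        }
        return jwt;
    }

    // Refresh rotates both tokens, so the refresh token always outlives the access
    // token it was issued with. Roles are reloaded from the user store (rolesLookup)
    // instead of copied from the old token, so a role removed since login does not
    // survive the refresh.
    public TokenPair refresh(String refreshToken, Function<String, List<String>> rolesLookup) {
        DecodedJWT jwt = verify(refreshToken, REFRESH);
        return issue(jwt.getSubject(), rolesLookup.apply(jwt.getSubject()));
    }

    public static void main(String[] args) {
        byte[] secret = "change-me-this-is-only-a-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed
        TokenService service = new TokenService(secret, Duration.ofMinutes(10), Duration.ofMinutes(30));
        Function<String, List<String>> roles = user -> List.of("ROLE_USER"); // stand-in for a user store

        TokenPair pair = service.issue("alice", roles.apply("alice"));
        TokenPair rotated = service.refresh(pair.refreshToken(), roles);
        System.out.println("refresh with refresh token: ok, new pair issued: " + !rotated.equals(pair));
        try {
            service.refresh(pair.accessToken(), roles); // the attack described in the comments
            System.out.println("BUG: access token accepted at refresh");
        } catch (JWTVerificationException e) {
            System.out.println("refresh with access token rejected: " + e.getMessage());
        }
    }
}
```

A controller for the refresh endpoint would call `refresh(...)` with the bearer token from the Authorization header and return both new tokens; an access token presented there fails with a 401 instead of minting new credentials. Rotation alone is not revocation: a stolen refresh token remains valid until it expires unless the server also tracks issued refresh tokens, which this example does not do.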
Thank you very much for your video. I have one problem: I get a 403 Forbidden error when trying to access the login URL. I followed your code but I still cannot access the login URL.
Logic and nested classes in the controller... verbs in the path of the request methods... and more. I liked Nelson's Spring Security tutorial, but I had to skip this one, made by the other guy.
Hey, I know it's been a while since you uploaded this video, but you said you would make the source code available. Would you be able to update the description with a link to the source code, please? :)
At 1:20:08 your screen cuts out on the far right side when dealing with setting up the roles as claims. What is the last part of that statement? .collect(Collect.......
1:48:30 Hey, I didn't see this error, just the 403 status code. There shouldn't be a JSON response body, because a missing "Bearer" results in going to the last else block, which doesn't handle a JSON response.
I can't exactly remember, but you might have to put a runtime exception in the last else block. Tbh, if you want to actually learn Spring Security, I would watch laur spilicas videos.
public class userServiceImplementation implements userService class (roughly 27 min into the video). The problem is that Eclipse is telling me that "getRoles()" is undefined for this class, which is true; nowhere is this functionality defined in the application. Has anyone else had this problem? Or does anyone have the original source code for this video? I can't find it.
Interesting how other programmers on RU-vid make you feel stupid by explaining things really bad (not sure if they do this on purpose). It's nice to see Nelson breaking this culture. And now it's RU-vid's turn to get his Algorithm's straight!
Lots of copy-paste, fast scrolling/tab switching, duplication. Little explanation but lots of reading out what is in the code. Same as in the Spring Boot Angular video. But I guess you will again tell me to shut up.
It would have been great if you could have added the reason behind each step or shown a general flowchart of how authentication and authorization work. Like at 1:09:00, you added a couple of classes for authentication, but how the request is going to traverse down this path and what the motive for using this class was would have made the video better. Your content is good, no doubt, but in some videos you just travel through with no intention mentioned for each step.
I would like to know if there is a better way of doing the path check inside the CustomAuthorizationFilter. Because in the security configuration you define which paths are authenticated, so maybe there is a way of excluding the CustomAuthorizationFilter for a specific case, like antMatcher("/api/login").
OMG, it's a really great tutorial! Thank you a lot, man! Also, we can place constant URLs such as "/login" or "/token/refresh" as static final fields in SecurityConfig and just use them wherever we want: in filters, resource controllers, anywhere. And then we only have to edit them once, at that one point.
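Several of the comments above touch the same filter: the warning about a catch-all in doFilterInternal turning downstream exceptions into fake 401s (1:43:50), the equals()-versus-startsWith() path check (2:01:29), the question of whether the filter can simply be excluded for the login path, and the suggestion to keep the public paths as constants. The following is an added example, not the video's code, of a CustomAuthorizationFilter that addresses all four. It assumes Spring Boot 2.x (javax.servlet API) with Spring Security 5, the auth0 java-jwt library, a "roles" array claim, and the paths /api/login and /api/token/refresh, all of which are assumptions rather than details taken from the page.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

// Added example (not the tutorial's code). Assumes Spring Boot 2.x / Spring Security 5
// and com.auth0:java-jwt.
public class CustomAuthorizationFilter extends OncePerRequestFilter {

    // Single definition of the public paths; the security configuration and the
    // controllers can reference these same constants.
    public static final String LOGIN_PATH = "/api/login";            // assumed path
    public static final String TOKEN_REFRESH_PATH = "/api/token/refresh"; // assumed path
    private static final List<String> PUBLIC_PATHS = List.of(LOGIN_PATH, TOKEN_REFRESH_PATH);
    private static final String BEARER_PREFIX = "Bearer ";

    private final Algorithm algorithm;

    public CustomAuthorizationFilter(byte[] secret) {
        this.algorithm = Algorithm.HMAC256(secret);
    }

    // OncePerRequestFilter's own hook for skipping a request entirely. This replaces
    // the equals()/startsWith() comparison at the top of doFilterInternal and keeps the
    // exclusion next to the filter that it concerns.
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return PUBLIC_PATHS.contains(request.getServletPath());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            DecodedJWT jwt;
            try {
                // Only token verification sits inside the try, and only the library's
                // verification exception is caught. An exception thrown by a controller
                // further down the chain propagates as what it is instead of a 401.
                jwt = JWT.require(algorithm).build().verify(header.substring(BEARER_PREFIX.length()));
            } catch (JWTVerificationException e) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentType(MediaType.APPLICATION_JSON_VALUE);
                response.getWriter().write("{\"error\":\"invalid or expired token\"}");
                return; // never continue the chain with a token that failed verification
            }
            List<String> roles = jwt.getClaim("roles").asList(String.class); // assumed claim name
            List<GrantedAuthority> authorities = (roles == null ? List.<String>of() : roles).stream()
                    .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toList());
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(jwt.getSubject(), null, authorities));
        }
        // A request without a bearer token falls through unauthenticated. Whether the
        // path is reachable that way is decided by the security configuration, which is
        // why such a request gets a bare 403 rather than a JSON body from this filter.
        filterChain.doFilter(request, response);
    }
}
```

Two things worth noting about the design. Catching only JWTVerificationException, and only around the verify call, is what removes the red-herring 401 described at 1:43:50; a NullPointerException in a controller now surfaces as a 500 with its real stack trace. And because shouldNotFilter is the framework's own extension point, the login and refresh paths never reach doFilterInternal at all, so the filter has no path-comparison logic to keep in sync with the security configuration beyond the shared constants.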