Spring Security: Authentication Architecture Explained in Depth 

Glad it helped!

this comment made my day. thank you for your kind words!

I agree. This is the best course I found so far that explains Spring Security so well. Many thanks to Ugurcan.

He is simply a genius of it. I am just keeping it as my best tutorial. However, it looks so simple because we have watched several of security videos also, so we acknowledge the effort of those we had watched in the past. So sweet explanation. God bless you.

Glad to hear that you liked it. I am working on the next videos at the moment.

Great to hear that this helped you!

thank you for your kind words :)

Glad you liked it!

Glad it was helpful!

Glad to hear you liked it!

Happy to hear that you liked it. Thank you for your nice words!

This comment made my day. Thanks for your kind words. :)

Glad it helped! :)

Thank you too for a great comment! :) I will try to make more content like this in the near future.

@@BackendStory Could you extend this example and explain oauth2 in a future video?

@@mrshuffle3696 yes, I can of course do that. It is in my todo list already. I just try to dedicate some time for this kind of tutorials. I have been extraordinarily busy lately. Please stay tuned :)

Thanks!!

tesekkurler mustafa, yorumun beni mutlu etti

Happy to hear that you liked it! :)

@@BackendStory Can you just come up with OAuth2 Authentication along with JWT token format where all the roles are defined clearly in the MySql db

@@rathinmaheswaran Yes, it is in my todo list actually. I will do it.

Thanks Koteswara, I am glad that you find it helpful! :)

I'm little confused about UsernamePasswordAuthenticationToken . why sometimes we use this token with 2 parameters and 3 . What are the differences?. And last question: when we set authentication to contextholder is UsernamePassword filter going to check for authorization again or bypass.

Thank you very much!

Hi! I will try to answer your questions paragraph by paragraph. I recorded this video for educational purpose, so I wouldn't rely on the code samples I shared in the video directly since your requirements might be different. What I tried to explain is how things work under the hood. That was the goal. :) Framework is changing during time as you say and WebSecurityConfigurerAdapter is the latest change. I wrote a blog about how to replace WebSecurityConfigurerAdapter. I believe you will find it useful as well. backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/ Regarding encryption, yes you need to use it. I use BCryptPasswordEncoder in the video and can suggest it. It is safe for rainbow attacks by adding random salt into generated hash. If you don't know what is hashing and salt, this video is great summary. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE---tnZMuoK3E.html&ab_channel=Seytonic You can use custom UserDetailsService most of the cases, yes. However, I need to understand your business needs first before giving clear advice. If you want 1-1 meeting, please send me an email regarding this thread. So, we can schedule a meeting. ugurcanlacin@gmail.com

Glad it helped! Yes, I should release a new video with upgrade. Meanwhile you can read this blog. backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

Unfortunately, I couldn't prioritise youtube. Something I need to work on to get back.

Let me know if you need anything regarding application security then. I can add it to my todo list for future contents 😄

These are in my todo list too. Thanks for reminding them. :)

Glad you liked the video Rakib! I am creating content for both blog and youtube. However, youtube takes more energy to finalize a video unfortunately. But I hear you and will work on it for the next video as soon as possible. Thanks for the feedback! You can have a look at the blog meanwhile: backendstory.com/

You're welcome

Glad you liked it. I used Figma and drew those diagrams myself. :)

@@BackendStory Thanks for replying. Keep up your good work.

I used Figma for the diagrams

Hey Dino, sorry for late response. That's exactly how I used same code over different codebases before. You can have a common library that handles authentication and authorization, so just import it as a dependency. So, it is a good approach. :)

Glad it helped! Yes, I should release a new video with upgrade. Meanwhile you can read this blog. backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

@@BackendStory Thanks again 🙏🙏

That's a great suggestion! I am adding it to my todo list.

@@BackendStory and i also wonder what does the below code mean , is it mean let spring security remember this user is already authenticated to avoid authenticated again when the request comes again ? ``` UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username, null, new ArrayList()); authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); SecurityContextHolder.getContext().setAuthentication(authToken); ```

@@user-yw8np2ph3w No, it is only one time thing for this scenario, because we use stateless session management. The code piece that you quoted authenticate the incoming request only in request's thread, so request can hit the controller class. When controller class finishes its job like calling underlying service or util classes, request ends with returning a response. Once response is sent, SecurityContext is wiped out from thread. For every request, create a completely new and empty SecurityContext, hence with no stored authentication etc. This response might also be helpful. stackoverflow.com/a/67681782

@@BackendStory 牛逼！！👍👍👍

Hi! I think you need to provide 2 authentication providers in your case. ActiveDirectoryLdapAuthenticationProvider class is for Active Directory. Here is an example. stackoverflow.com/a/58565523/8160856 And you need to provide LdapAuthenticationProvider for Open Ldap. Here is an example for it. www.baeldung.com/spring-security-ldap#java

@@BackendStory Thank you so much. I got it working but I also have another issue - I use actuator and my actuator /health endpoint reports health of my Ldap correctly but I dont know how to set it to report health of both Ldaps now that I added them. I have setup in my application.properties spring.ldap.username, spring.ldap.password, and spring.ldap.urls to bind to one or the other and that works fine. But how to set these to bind to both Ldaps now that I got both of them working? Much appreciated

​@@dinobulja It seems like you should have another health endpoint for one of the ldap provider. You can create a custom health indicator for this purpose. An example here below. www.amitph.com/custom-health-check-spring-boot-actuator/ If you are thinking how you can check Ldap health, here is the source code of default Ldap health check class. github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/ldap/LdapHealthIndicator.java Hope this solves your issue. :)

@@BackendStory I guess what you mean is to combine these 2 urls? First one is missing logic on how to check Ldap health but provides structure for 2 custom health indicators. The 2nd url provides how to check for Ldap health using LdapOperations.executeWithReadonly(), I just dont get how to pass it LdapOperation it requires in ctor? Could you elaborate bit? Much appreciated.

@@dinobulja No, I didn't mean you should combine them actually. I meant that you can create additional health endpoint for one of the actuator. In your previous message, you said when you set spring.ldap.username, spring.ldap.password, and spring.ldap.urls in application.properties for one of the LDAP, it works fine. So, you can create a custom health indicator for the other one. That's what I meant. :)

At 44:40, I first validate JWT token, so we know that username and password is already checked before. This is because, user gets JWT token after username and password verification. At 44:40, we validate JWT token. Once it is validated, we do not need to provide password. Short answer: Provide password for login attempt. AuthenticationManager will need it to verify user authentication. You don't need to provide for authorization if you are validating JWT token already.

It depends on your design. But here it does not work like that. I trigger authentication manager in my login endpoint. Then, authentication manager triggers authentication provider and so on. My custom filter checks if there is JWT token provided in incoming request. If so, I create an authentication object and give it to SecurityContext. I wrote an article that explains why we give this authentication object to SecurityContext. backendstory.com/spring-security-authorization-mechanism/

@@BackendStory Thank you sir

Hey! Thank you for your constructive feedback. Highly appreciated! Can you please point out what is not working after 2.7?

@@BackendStory WebsecurityConfigurerAdapter can not be extended anymore.

@@nicolasfelipe1 thanks for the feedback! I am adding this into my todo list.

JwtUtil class has the validate method, which parses JWT and validates if token is not expired and token has username given. Source code is here: github.com/ugurcanlacin/backendstory/blob/main/spring-security-authentication-scenario-3/src/main/java/com/backendstory/authentication/JwtUtil.java#L29 In this video, I did not explain how JWT works much and the JWT implementation is pretty basic. So, I suggest you to check other resources if your main interest is JWT. Here, I just explain authentication architecture in general.

if you don't set it, then the request will not be authenticated. So, the request can't access the endpoint. You can check the following blog to understand why. backendstory.com/spring-security-authorization-mechanism/

@@BackendStory Thank you for the article. Would like to further understand: In scenario 3, since now the customJWTTokenFilter is invoked before UsernamePasswordAuthenticationFilter, will the UsernamePasswordAuthenticationFilter still get invoked and fully run through the filter logic if the request is authenticated in JWTTokenFilter and setContext()? Will the result be different if we did not setContext()?

​@@grayyeung757 Sorry for the late response. UsernamePasswordAuthenticationFilter will not be invoked if the request is authenticated. The reason for that is UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter. If you check AbstractAuthenticationProcessingFilter, you will see that doFilter() method checks if the given request is already authenticated or not. I know this sounds a bit complicated, but things get easier once you debug these flows by putting breakpoints in Spring Security classes. So, I would suggest to debug these classes to check if the behaviour is expected.

@@BackendStory Thank you so much for the guide.

Yes, you are right. However, I do not think I will record another 70 minutes video just for couple of deprecated classes. :( If you would choose one scenario here, which one would be your interest with up to date Spring Security version? :)

@@BackendStory You know the current trend is authenticating and authorizing with JWT, and if I was you I would just do a simple example with an admin / user log-in authentications with roles, also I have to disagree with the concept that it was just a few deprecated classes as that the classes don't actually matter more than it is about how to build and configure security and little things like using the Lambda DSL to name a few .. but you are right not worth making a 2 hours long video for it because your amazing slides explaining what goes under the hood with spring boot does not need to get repeated, you can have a straight coding example and refer people to this video as a foundation. I hope I did thank you in my previews reply because I see your explaining professional and straight to the point. but thanks again and consider me as a subscriber.

@@BackendStory and please don't do what everyone else is doing with in-memory authentication spring-jpa couldn't be any easier.

​@@maxjustmax521 Thanks a lot for spending time for the comments. These are gold to me. I added into my todo list following video prep => create video for proper JWT authentication/authorization coding with jpa and up to date Spring Security.

Hi Max, I updated the code with component based configuration by removing deprecated WebSecurityConfigurerAdapter. You can have a look at it if you still need it. For your information :) backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

thank you for your contribution!