As I understand, if we code a custom filter, requests will go through the filter chain until requests meet our filter, then stop right there. The filter will call the authen manager, which will call the authen provider. Did I get it right?
It depends on your design. But here it does not work like that. I trigger authentication manager in my login endpoint. Then, authentication manager triggers authentication provider and so on. My custom filter checks if there is JWT token provided in incoming request. If so, I create an authentication object and give it to SecurityContext. I wrote an article that explains why we give this authentication object to SecurityContext. backendstory.com/spring-security-authorization-mechanism/
If you don't set it, then the request will not be authenticated. So, the request can't access the endpoint. You can check the following blog to understand why. backendstory.com/spring-security-authorization-mechanism/
@BackendStory Thank you for the article. Would like to further understand: In scenario 3, since now the customJWTTokenFilter is invoked before UsernamePasswordAuthenticationFilter, will the UsernamePasswordAuthenticationFilter still get invoked and fully run through the filter logic if the request is authenticated in JWTTokenFilter and setContext()? Will the result be different if we did not setContext()?
@grayyeung757 Sorry for the late response. UsernamePasswordAuthenticationFilter will not be invoked if the request is authenticated. The reason for that is UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter. If you check AbstractAuthenticationProcessingFilter, you will see that the doFilter() method checks if the given request is already authenticated or not. I know this sounds a bit complicated, but things get easier once you debug these flows by putting breakpoints in Spring Security classes. So, I would suggest debugging these classes to check if the behaviour is expected.
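As an added example of the flow discussed in this thread (my own code, not the video's and not from the backendstory repository): a JWT filter registered ahead of UsernamePasswordAuthenticationFilter using the component-based Spring Security 6 configuration, stateless sessions, and a SecurityContext that exists only for the current request. TokenVerifier and VerifiedToken are hypothetical stand-ins for the video's JwtUtil; the Authorization header, the "Bearer " prefix and the /login path are assumptions.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical stand-in for the video's JwtUtil: checks signature and expiry, returns the claims. */
interface TokenVerifier {
    /** Assumed to throw a RuntimeException when the signature or expiry check fails. */
    VerifiedToken verify(String token);
}

/** Assumed claim shape: subject plus role names. */
record VerifiedToken(String subject, List<String> roles) {}

/** Runs once per request, ahead of UsernamePasswordAuthenticationFilter in the chain. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private static final String BEARER = "Bearer ";
    private final TokenVerifier verifier;

    JwtAuthenticationFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER)) {
            // No token: leave the context empty; AuthorizationFilter decides whether the URL is public.
            chain.doFilter(request, response);
            return;
        }
        try {
            VerifiedToken claims = verifier.verify(header.substring(BEARER.length()));
            List<SimpleGrantedAuthority> authorities =
                    claims.roles().stream().map(SimpleGrantedAuthority::new).toList();
            // Three-argument constructor: isAuthenticated() is true and the authorities are attached.
            // Credentials are null because the password was already checked when the token was issued.
            UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(claims.subject(), null, authorities);
            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            // A fresh context for this request thread only; nothing is stored in an HttpSession.
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(authentication);
            SecurityContextHolder.setContext(context);
        } catch (RuntimeException invalidToken) {
            // Bad or expired token: leave nothing half-built behind and continue; the request is
            // then treated as anonymous and rejected by the authorization rules below.
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(request, response);
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, TokenVerifier verifier) throws Exception {
        http
            // No HttpSession: the SecurityContext is dropped when the request finishes.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF tokens defend cookie-based sessions; a bearer token is never sent automatically.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Without the setContext() call the request reaches AuthorizationFilter with an empty context, is treated as anonymous and is rejected by anyRequest().authenticated(); with it, the controller runs and the context is discarded at the end of the request because the session policy is STATELESS. Note that UsernamePasswordAuthenticationFilter is only present in the chain when formLogin() is configured, and by default it processes only POST /login; addFilterBefore still accepts it as a position marker, and a custom /login controller that calls the AuthenticationManager directly does not go through it at all.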
JwtUtil class has the validate method, which parses the JWT and validates that the token is not expired and that the token carries the given username. Source code is here: github.com/ugurcanlacin/backendstory/blob/main/spring-security-authentication-scenario-3/src/main/java/com/backendstory/authentication/JwtUtil.java#L29 In this video, I did not explain how JWT works much and the JWT implementation is pretty basic. So, I suggest you check other resources if your main interest is JWT. Here, I just explain authentication architecture in general.
Sadly you are on Spring Boot 2.6.3, which means that you are still using the old way of configuring web security with now-deprecated classes. Looking forward to seeing your code updated to the modern standards. Thank you
Yes, you are right. However, I do not think I will record another 70-minute video just for a couple of deprecated classes. :( If you would choose one scenario here, which one would be your interest with the up-to-date Spring Security version? :)
@BackendStory You know the current trend is authenticating and authorizing with JWT, and if I were you I would just do a simple example with admin / user log-in authentication with roles. Also I have to disagree with the concept that it was just a few deprecated classes, as the classes don't actually matter as much as how to build and configure security, and little things like using the Lambda DSL, to name a few. But you are right, it is not worth making a 2-hour-long video for it, because your amazing slides explaining what goes on under the hood with Spring Boot do not need to be repeated; you can have a straight coding example and refer people to this video as a foundation. I hope I did thank you in my previous reply, because I find your explaining professional and straight to the point. But thanks again and consider me a subscriber.
@maxjustmax521 Thanks a lot for spending time on the comments. These are gold to me. I added the following video prep to my todo list => create a video for proper JWT authentication/authorization coding with JPA and up-to-date Spring Security.
Hi Max, I updated the code with component based configuration by removing deprecated WebSecurityConfigurerAdapter. You can have a look at it if you still need it. For your information :) backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
If I had to keep just one tutorial about spring security, this is the only one. How amazing that you can cover spring security in so much depth and so much detail in just one hour. Thank you for sharing with us, respected!
This comment made my day. Thank you for your kind words!
I agree. This is the best course I found so far that explains Spring Security so well. Many thanks to Ugurcan.
He is simply a genius of it. I am just keeping it as my best tutorial. However, it looks so simple because we have watched several of security videos also, so we acknowledge the effort of those we had watched in the past. So sweet explanation. God bless you.
Hey, man! I just wanted to express my heartfelt appreciation for this tutorial. It has been immensely helpful in explaining the difference in implementation between normal login and JWT (JSON Web Token). The diagram you provided was a game-changer. Initially, I was utterly confused about how it all worked, especially since authentication providers usually handle the authentication logic. I couldn't understand why we would give the JWT authentication filter all the responsibility when we could simply write a JWT authentication provider. However, thanks to your clear explanation and the diagram, everything fell into place. It felt like a breath of fresh air, bringing much-needed clarity. Once again, thank you so much!
Finally I understand how it all works, thank you very much!
This is the only tutorial that was able to make me wrap my head around spring security. Great Job!
Glad it helped!
I will recommend this video to anyone who wants to learn Spring Security in depth. The way you explained it is so cool and the diagram is so clear that everyone can easily understand what is what.. thanks man!
Best explanation of Spring Security I’ve seen anywhere over the past 5 years. Thank you very much
Such content deserves a +1 subscription
Bro keep going, you are doing great... I have seen a lot of channels; everybody except some simply don't explain what's happening behind the scenes. Thanks for the clip.
This video just keeps getting better.
I'm here to say thanks so much from Colombia. I've seen many videos about Spring Security to try to understand its architecture, and none of them have your excellent explanation (not even the Spring Security documentation). Thanks again!!
Glad to hear you liked it!
I'm so excited for the great content you'll bring to us. It's a very clear and simple explanation! 🙏🏼
Great presentation about spring security, certainly the best one I have come across. Thank you so much for all your tutorials! You are an amazing teacher :)
Thank you for your kind words :)
Hi Lacin, I am from India. Lucky to find your tutorial, otherwise my question marks on spring security will never be answered. Thank you so much!
Thanks Koteswara, I am glad that you found it helpful! :)
Amazing video, it may be the best video about Spring Security I have come across so far
Thanks Mustafa, your comment made me happy
Everything about Spring Security explained just around an hour! Superb!
Glad you liked it!
I'm so surprised. I never thought there was someone like you. You teach in such detail what happens behind the scenes by default. Thanks
This comment made my day. Thanks for your kind words. :)
Bang bang. Enjoyed!!! Great man. Thanks.
This was the only explanation with a clear presentation. All basic concepts clarified... you are amazing... I don't know why they make it this complex... but you gave us a heads up, thank you 🙇
Awesome video. There are many tutorial videos on youtube that just have you copy the code with no explanation. You on the other hand explained everything with detail. I hope to see more videos soon.
Glad it helped! :)
This video is very important for anybody using Spring. Thanks for this gem!
Glad it was helpful!
Best tutorial on youtube
Thank you so much for this. Please can we have a follow up for authorities and granted authorities?
I was expecting details like that; you fully cleared each and every scenario. Well done, and I appreciate your time and effort. Just a suggestion, if possible, replace your security class with the latest Spring version, so you don't need to use the adapter class. Thanks again!!!!
Glad it helped! Yes, I should release a new video with upgrade. Meanwhile you can read this blog.
backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
An extensive course with detailed examples. Appreciate your content, keep on making more and more videos!
I wish you success. I hope you grow up fast😊
That was such a great video! Wish you create more videos like this in future
Please create more videos. You are amazing!
Great depth explanation. Hope to see more videos of this quality coming up soon!
Glad to hear that you liked it. I am working on the next videos at the moment.
Pleasure to be your 1000th sub 🍻🍻
Thanks!!
It is a very clear and carefully prepared video. Congratulations!
Great tutorial. Please post videos on Single Sign-On and Oauth2/OIDC please. 👍
Amazing Bro, we need more and more and more videos on java spring
great video, please keep posting more
Thank you for your efforts!!😄
Amazing video about Spring Security Authentication
Happy to hear that you liked it! :)
@BackendStory Can you just come up with OAuth2 authentication along with the JWT token format, where all the roles are defined clearly in the MySQL db?
@rathinmaheswaran Yes, it is in my todo list actually. I will do it.
Thank you for the tutorial! I understood every detail and found answers to questions that I had in my mind about the architecture of security.
Great to hear that this helped you!
Great video, please make more content like this !!!
Wow, you doing a great job, explaining all details! Thank you so much! I hope you make more content in the future!
Thank you too for a great comment! :) I will try to make more content like this in the near future.
@BackendStory Could you extend this example and explain OAuth2 in a future video?
@mrshuffle3696 Yes, I can of course do that. It is in my todo list already. I just try to dedicate some time to this kind of tutorial. I have been extraordinarily busy lately. Please stay tuned :)
You are good at teaching, make some more videos
What a great tutorial... I am new to Spring Security and this is exactly how I wanted to start learning it. You explained it so nicely and in detail; especially debugging the code was very helpful. Thanks for the effort.
Happy to hear that you liked it. Thank you for your nice words!
Can’t wait to see more videos 👏👏👏
great work hope to see more from you
One of the top videos I have seen on explaining Spring Security architecture. I have seen that you have uploaded only one video on your channel. Do you have any other channel, or have you stopped making videos? I hope it's not the second scenario.
Unfortunately, I couldn't prioritise youtube. Something I need to work on to get back.
I hope that you will have more courses in the future.
great and very detailed explanation. thank you and keep producing..
awesome explanation
I just found this great tutorial, very good. Will you make videos like this again?
THANK YOU FOR THIS TUTORIAL
I'm a little confused about UsernamePasswordAuthenticationToken. Why do we sometimes use this token with 2 parameters and sometimes with 3? What are the differences? And a last question:
when we set the authentication in the context holder, is the UsernamePassword filter going to check for authorization again, or bypass it?
It would be better if you uploaded this video one month ago before I start my project using spring security :D but still it is great to understand what happens under the hood, thanks a lot👍🏻
Let me know if you need anything regarding application security then. I can add it to my todo list for future contents 😄
Learnt a lot from this, thanks!
You should discuss oauth2 security process and implementation, and also SAML
These are in my todo list too. Thanks for reminding them. :)
Thanks Sir , great Job
Crazy
I suggest you create a complete Java backend developer series
I started to watch this tutorial suddenly I thought, I need to see what other topics you have explained. I came to your channel and became sad finding you have only one video. Please cover some more topics. I am subscribing to your channel with a hope to find more content from you..
Glad you liked the video Rakib! I am creating content for both blog and youtube. However, youtube takes more energy to finalize a video unfortunately. But I hear you and will work on it for the next video as soon as possible. Thanks for the feedback!
You can have a look at the blog meanwhile: backendstory.com/
Thanks for the information you share.
great video bro
Haha...what a chad!...
Just one video, JUST FRIGGIN ONE VIDEO TO RULE THEM ALL
keep going bro
Very rich content! Keep it up :)
super video!
Thank you very much!
right to the point
I can't find the flow diagrams in their docs. Would it be possible to share a link to them?
Thanks !
This is a really good video, thanks for putting in the time to make it.
Question on all of this, since Spring Boot 3 is out and there's some new ways of doing things (WebSecurityConfigurerAdapter for example), would you still recommend using this same approach you have provided in this video or would you recommend doing things differently?
Also, what about encryption? You haven't included any sort of encryption in your setup, is this something that I should definitely implement?
I am creating a backend for a web application I am creating, where I will be using a front-end framework like Angular to consume my API endpoints in the backend. In this case, is everything else the same once you have implemented this setup you have provided? For instance you have a custom user with a custom UserDetailsService and just go about things as you would normally knowing that the application is ensuring that only authenticated users are gaining access to the right endpoints?
Bit of a noob question but this is pretty new to me. If there's any way I can get a little more guidance from you (potentially paid 1-1) do let me know as you seem very knowledgeable on Spring Security.
Thanks!
Hi!
I will try to answer your questions paragraph by paragraph.
I recorded this video for educational purpose, so I wouldn't rely on the code samples I shared in the video directly since your requirements might be different. What I tried to explain is how things work under the hood. That was the goal. :) Framework is changing during time as you say and WebSecurityConfigurerAdapter is the latest change. I wrote a blog about how to replace WebSecurityConfigurerAdapter. I believe you will find it useful as well.
backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
Regarding encryption, yes you need to use it. I use BCryptPasswordEncoder in the video and can suggest it. It is safe against rainbow attacks by adding a random salt into the generated hash.
If you don't know what is hashing and salt, this video is great summary.
th-cam.com/video/--tnZMuoK3E/w-d-xo.html&ab_channel=Seytonic
You can use custom UserDetailsService most of the cases, yes. However, I need to understand your business needs first before giving clear advice.
If you want 1-1 meeting, please send me an email regarding this thread. So, we can schedule a meeting.
ugurcanlacin@gmail.com
Thanks for the great video again. It helped me add Spring Security authentication/authorization to my API. But I am now building another API and would like to use the same logic to add authentication there. For this, I don't want to simply copy / paste code and violate DRY. When it comes to Spring Security, would moving the Spring Security configuration class and the AuthenticationFilter and AuthorizationFilter to a library, and then simply reusing that library in both my APIs, solve this problem? I know how to create a library but I am not very experienced with Spring Security and wonder if this is a good approach? Thanks again!
Hey Dino, sorry for late response. That's exactly how I used same code over different codebases before. You can have a common library that handles authentication and authorization, so just import it as a dependency. So, it is a good approach. :)
Great tutorial, much appreciated. How would I do authentication with 2 different LDAP systems? For example say OpenLdap and Active Directory? Thank you again
Hi!
I think you need to provide 2 authentication providers in your case. ActiveDirectoryLdapAuthenticationProvider class is for Active Directory. Here is an example.
stackoverflow.com/a/58565523/8160856
And you need to provide LdapAuthenticationProvider for Open Ldap. Here is an example for it.
www.baeldung.com/spring-security-ldap#java
@BackendStory Thank you so much. I got it working but I also have another issue - I use actuator and my actuator /health endpoint reports the health of my LDAP correctly, but I don't know how to set it to report the health of both LDAPs now that I added them. I have set up in my application.properties spring.ldap.username, spring.ldap.password, and spring.ldap.urls to bind to one or the other and that works fine. But how to set these to bind to both LDAPs now that I got both of them working? Much appreciated
@dinobulja It seems like you should have another health endpoint for one of the LDAP providers. You can create a custom health indicator for this purpose. An example is below.
www.amitph.com/custom-health-check-spring-boot-actuator/
If you are thinking how you can check Ldap health, here is the source code of default Ldap health check class.
github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/ldap/LdapHealthIndicator.java
Hope this solves your issue. :)
@BackendStory I guess what you mean is to combine these 2 URLs? The first one is missing the logic on how to check LDAP health but provides the structure for 2 custom health indicators. The 2nd URL shows how to check LDAP health using LdapOperations.executeWithReadonly(); I just don't get how to pass it the LdapOperations it requires in the ctor. Could you elaborate a bit? Much appreciated.
@dinobulja No, I didn't mean you should combine them actually. I meant that you can create an additional health endpoint in the actuator for one of them. In your previous message, you said when you set spring.ldap.username, spring.ldap.password, and spring.ldap.urls in application.properties for one of the LDAPs, it works fine. So, you can create a custom health indicator for the other one. That's what I meant. :)
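As an added example for this thread (my own code, not Spring Boot's and not the video's): two directory servers, each with its own context source and LdapTemplate, both reported under the `ldap` component of /actuator/health by reusing Spring Boot's LdapHealthIndicator, which takes exactly the LdapOperations the question asks about. The app.ldap.openldap.* and app.ldap.ad.* property keys are invented for this example, not Spring Boot's. Declaring an LdapContextSource bean yourself makes Spring Boot's spring.ldap.* auto-configuration back off, so both servers are configured explicitly here.

```java
import java.util.Map;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.health.CompositeHealthContributor;
import org.springframework.boot.actuate.health.HealthContributor;
import org.springframework.boot.actuate.ldap.LdapHealthIndicator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * Example wiring for two directories (assumed: OpenLDAP and Active Directory).
 * Property names are this example's own; with these LdapContextSource beans present,
 * Spring Boot's spring.ldap.* auto-configuration does not create a third one.
 */
@Configuration
class TwoLdapServersConfig {

    @Bean
    LdapContextSource openLdapContextSource(
            @Value("${app.ldap.openldap.urls}") String urls,
            @Value("${app.ldap.openldap.base:}") String base,
            @Value("${app.ldap.openldap.user-dn}") String userDn,
            @Value("${app.ldap.openldap.password}") String password) {
        return contextSource(urls, base, userDn, password);
    }

    @Bean
    LdapContextSource activeDirectoryContextSource(
            @Value("${app.ldap.ad.urls}") String urls,
            @Value("${app.ldap.ad.base:}") String base,
            @Value("${app.ldap.ad.user-dn}") String userDn,
            @Value("${app.ldap.ad.password}") String password) {
        return contextSource(urls, base, userDn, password);
    }

    @Bean
    LdapTemplate openLdapTemplate(@Qualifier("openLdapContextSource") LdapContextSource contextSource) {
        return new LdapTemplate(contextSource);
    }

    @Bean
    LdapTemplate activeDirectoryTemplate(@Qualifier("activeDirectoryContextSource") LdapContextSource contextSource) {
        return new LdapTemplate(contextSource);
    }

    /**
     * LdapHealthIndicator (Spring Boot's own class) needs only an LdapOperations, and an LdapTemplate
     * is one: it binds read-only and reports the negotiated LDAP protocol version. Naming this bean
     * ldapHealthContributor replaces the auto-configured one, so the two children show up as
     * components.ldap.components.openldap and components.ldap.components.activeDirectory.
     */
    @Bean
    HealthContributor ldapHealthContributor(
            @Qualifier("openLdapTemplate") LdapTemplate openLdap,
            @Qualifier("activeDirectoryTemplate") LdapTemplate activeDirectory) {
        return CompositeHealthContributor.fromMap(Map.of(
                "openldap", new LdapHealthIndicator(openLdap),
                "activeDirectory", new LdapHealthIndicator(activeDirectory)));
    }

    private static LdapContextSource contextSource(String urls, String base, String userDn, String password) {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrls(urls.split(","));  // comma-separated, e.g. ldaps://dc1:636,ldaps://dc2:636
        contextSource.setBase(base);
        contextSource.setUserDn(userDn);          // bind DN of a read-only service account
        contextSource.setPassword(password);      // supply via environment variable or secret store, not git
        // Returned from a @Bean method, so Spring calls afterPropertiesSet(), which validates the settings.
        return contextSource;
    }
}
```

The per-server detail is only visible when management.endpoint.health.show-details is set to always or when-authorized; with the default setting the endpoint collapses everything to a single status, which is the safer choice for an unauthenticated /actuator/health. Use ldaps:// (or StartTLS) URLs so the service account bind does not travel in clear text.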
At 53:54 I had to change in supports() method the .equals for this: (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)). Just in case anyone is struggling like me with this.
Thank you for your contribution!
Great and Simple Explanation. Good Work. What tool do you use to explain the process flow like Incoming Request -> Dispatcher Servlet -> Controller.? if you don't mind.
Glad you liked it. I used Figma and drew those diagrams myself. :)
@BackendStory Thanks for replying. Keep up your good work.
Thanks bro, it helped me fix a bug. Though I am using Spring Security 6, I still got help. Please can you upload a video for Spring Security 6, because a few things have changed 😊
Glad it helped! Yes, I should release a new video with upgrade. Meanwhile you can read this blog.
backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
@@BackendStory Thanks again
🙏🙏
Thanks very much!! By the way, can you explain how a session is created, how Set-Cookie works, and how to do session management?
That's a great suggestion! I am adding it to my todo list.
@@BackendStory And I also wonder what the code below means. Does it mean letting Spring Security remember that this user is already authenticated, to avoid authenticating again when the request comes again?
```java
UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username, null, new ArrayList());
authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authToken);
```
@@忘忧草-y9w No, it is only a one-time thing in this scenario, because we use stateless session management. The code piece that you quoted authenticates the incoming request only in the request's thread, so the request can hit the controller class. When the controller class finishes its job, like calling underlying service or util classes, the request ends with returning a response. Once the response is sent, the SecurityContext is wiped from the thread.
For every request, create a completely new and empty SecurityContext, hence with no stored authentication etc.
This response might also be helpful.
stackoverflow.com/a/67681782
@@BackendStory Awesome!!👍👍👍
I don't understand the UsernamePasswordAuthenticationToken's 3 args constructor:
1. (username, null, new ArrayList())
2. (username, password, new ArrayList())
when to make credentials null and when not to?
At 44:40, I first validate the JWT token, so we know that the username and password are already checked before. This is because the user gets the JWT token after username and password verification. At 44:40, we validate the JWT token. Once it is validated, we do not need to provide the password.
Short answer: Provide the password for a login attempt. AuthenticationManager will need it to verify user authentication. You don't need to provide it for authorization if you are validating the JWT token already.
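The two constructor usages side by side, as an added example that is not code from the video or its repository: the login path hands a password-bearing, unauthenticated token to the AuthenticationManager, while the JWT filter sets a null-credential, already-authenticated token on the SecurityContext. JwtUtil here is a hypothetical stand-in for the page's JwtUtil (its method names are assumed), the Jakarta servlet imports assume Spring Security 6, and the stateless session policy is the one the thread discusses.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical stand-in for the page's JwtUtil; method names are assumed, not the repo's. */
interface JwtUtil {
    String extractUsername(String token);
    boolean validate(String token, String username);
}

class LoginAndJwtExample {
    /** Login attempt: the password is supplied and the token starts out unauthenticated. */
    static Authentication login(AuthenticationManager manager, String username, String password) {
        // Two-arg constructor => isAuthenticated() == false; the manager's provider must verify the password.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        return manager.authenticate(request); // throws AuthenticationException on bad credentials
    }

    /** JWT path: the password was already checked at login, so credentials are null. */
    static class JwtFilter extends OncePerRequestFilter {
        private final JwtUtil jwtUtil;
        JwtFilter(JwtUtil jwtUtil) { this.jwtUtil = jwtUtil; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String header = req.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")
                    && SecurityContextHolder.getContext().getAuthentication() == null) {
                String token = header.substring("Bearer ".length());
                String username = jwtUtil.extractUsername(token);
                if (username != null && jwtUtil.validate(token, username)) {
                    // Three-arg constructor => isAuthenticated() == true; no password needed here.
                    UsernamePasswordAuthenticationToken auth =
                            new UsernamePasswordAuthenticationToken(username, null, List.of());
                    auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            }
            chain.doFilter(req, res); // with a stateless policy the context is cleared after the response
        }
    }
}
```

An invalid or expired token simply leaves the context empty, so the request reaches the authorization check unauthenticated and is rejected there rather than in the filter.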
As I understand it, if we code a custom filter, requests will go through the filter chain until they meet our filter, then stop right there. The filter will call the authentication manager, which will call the authentication provider. Did I get it right?
It depends on your design. But here it does not work like that. I trigger the authentication manager in my login endpoint. Then, the authentication manager triggers the authentication provider and so on. My custom filter checks if there is a JWT token provided in the incoming request. If so, I create an authentication object and give it to the SecurityContext.
I wrote an article that explains why we give this authentication object to SecurityContext.
backendstory.com/spring-security-authorization-mechanism/
@@BackendStory Thank you sir
May I know what will happen if I did not set "SecurityContextHolder.getContext().setAuthentication(upassToken);" in Scenario 3?
If you don't set it, then the request will not be authenticated. So, the request can't access the endpoint.
You can check the following blog to understand why.
backendstory.com/spring-security-authorization-mechanism/
@@BackendStory
Thank you for the article.
Would like to further understand:
In scenario 3, since the customJWTTokenFilter is now invoked before UsernamePasswordAuthenticationFilter, will UsernamePasswordAuthenticationFilter still get invoked and fully run through its filter logic if the request is authenticated in JWTTokenFilter and setContext() is called?
Will the result be different if we did not call setContext()?
@@grayyeung757
Sorry for the late response. UsernamePasswordAuthenticationFilter will not be invoked if the request is authenticated. The reason for that is that UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter. If you check AbstractAuthenticationProcessingFilter, you will see that the doFilter() method checks whether the given request is already authenticated or not.
I know this sounds a bit complicated, but things get easier once you debug these flows by putting breakpoints in Spring Security classes. So, I would suggest debugging these classes to check whether the behaviour is as expected.
@@BackendStory Thank you so much for the guide.
It would be awesome if you could make this video on the new Spring Security system; after 2.7 this is not working well. Thanks.
Hey! Thank you for your constructive feedback. Highly appreciated!
Can you please point out what is not working after 2.7?
@@BackendStory WebSecurityConfigurerAdapter cannot be extended anymore.
@@nicolasfelipe1 thanks for the feedback! I am adding this into my todo list.
Thank you
You're welcome
Really good work bro, just curious to understand what tool you used for the diagrams?
I used Figma for the diagrams
Make a video on the new authorization server with customization
Why are there no videos from you?
What exactly does it check while validating the token?
The JwtUtil class has the validate method, which parses the JWT and validates that the token is not expired and that it carries the given username. Source code is here:
github.com/ugurcanlacin/backendstory/blob/main/spring-security-authentication-scenario-3/src/main/java/com/backendstory/authentication/JwtUtil.java#L29
In this video, I did not explain much about how JWT works, and the JWT implementation is pretty basic. So, I suggest you check other resources if your main interest is JWT. Here, I just explain the authentication architecture in general.
😍
Sadly you are on Spring Boot 2.6.3, which means that you are still using the old way of configuring web security with now-deprecated classes. Looking forward to seeing your code updated to the modern standards. Thank you.
Yes, you are right. However, I do not think I will record another 70-minute video just for a couple of deprecated classes. :(
If you would choose one scenario here, which one would be your interest with up to date Spring Security version? :)
@@BackendStory You know the current trend is authenticating and authorizing with JWT, and if I were you I would just do a simple example with admin/user login authentication with roles. Also, I have to disagree with the idea that it was just a few deprecated classes, as the classes don't actually matter as much as how to build and configure security, and little things like using the Lambda DSL, to name a few. But you are right that it is not worth making a 2-hour-long video for it, because your amazing slides explaining what goes on under the hood with Spring Boot do not need to be repeated; you can have a straight coding example and refer people to this video as a foundation.
I hope I did thank you in my previous reply, because I find your explaining professional and straight to the point. But thanks again, and consider me a subscriber.
@@BackendStory And please don't do what everyone else is doing with in-memory authentication; spring-jpa couldn't be any easier.
@@maxjustmax521 Thanks a lot for spending time on the comments. These are gold to me. I added the following video prep to my todo list => create a video for proper JWT authentication/authorization coding with JPA and an up-to-date Spring Security.
Hi Max,
I updated the code with component based configuration by removing deprecated WebSecurityConfigurerAdapter. You can have a look at it if you still need it. For your information :)
backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/
You've gone grey in Sweden, boss :)
Now imagine you need to block some user who has taken a JWT token for a year 🤣
26:45 heimerdinger