Complete Spring Security & JWT tutorial [2024]

แชร์
ฝัง
  • เผยแพร่เมื่อ 8 ต.ค. 2024

ความคิดเห็น • 7

  • @IOCodes
    @IOCodes  3 หลายเดือนก่อน +2

    @Sliepov checkout these video using the link th-cam.com/video/KW5EwW1iPJE/w-d-xo.html

  • @Sliepov
    @Sliepov 3 หลายเดือนก่อน +2

    Cannot resolve method 'parserBuilder' in 'Jwts'

    • @Sliepov
      @Sliepov 3 หลายเดือนก่อน

      for jjwt-api:0.12.5

    • @IOCodes
      @IOCodes  3 หลายเดือนก่อน

      In that case make use of the parser function like we have below
      but you'll have to note that some of the function have been deprecated for this particular dependency version.

    • @IOCodes
      @IOCodes  3 หลายเดือนก่อน

      Jwts.parser()
      .setSigningKey(generateSigningKey())
      .build()
      .parseClaimsJws(jwtToken)
      .getBody();

  • @alessandrocattaneo-v7q
    @alessandrocattaneo-v7q 14 วันที่ผ่านมา

    In this tutorial i did not understand how you verfy the token when you make a request from the UI or postman to the beckend. You only check if the token is not exiperd, if the user is present in the db and if the user is logged in, but you never verify the token sign. Can you ,with your implementation, have multiple user logged in at the same time? If i'm not wrong no. And if you can, you could have logged in a user with User Role and a user logged in with an Admin Role at the same time, an attacker can forge a token which is not exipired and has set as username the username of an admin user and interact with your application as an admin because you never check the token sign. Am i wrong?

    • @IOCodes
      @IOCodes  13 วันที่ผ่านมา

      @alessandrocattaneo-v7q
      Firstly I'll love to start of by saying yes, you can have multiple logged in user at the same time making a request to the application, although I've implemented the project with the use of an 'In Memory Db', it is still very possible to have other logged in users in the application because I've included a '/register' endpoint where a new user can be registered.
      And Secondly with every request that is been made from the client to the server the jwtToken is been verified due to the presence of the extractClaims method in the JwtService class, which the defined snippet is seen below;
      public Claims extractClaims(String jwtToken) {
      return Jwts.parser()
      .verifyWith(generateSigningKey()) // This line ensures that the token is verified with the initial key that was used in the creation of the token.
      .build()
      .parseSignedClaims(jwtToken)
      .getPayload();
      }
      and the process of checking if the token has expired involves extracting the claims which also involves verifying the token with the initial key that was used in signing it.
      I hope with this response I've answered your questions?