Jesus, the person who actually worked on the framework explaining things, I smell professionalism! Thank you and much love!
Thank you so much! I can't take any credit for writing any of that code, we have an amazing team of really smart people working on that. I'm glad I can help highlight what they do by explaining it though 🤩
Dan, you are amazing. This video landed just in time when I was searching for the correct way of replacing the deprecated configuration. Thank you so much.
Thank you! Glad I could help out.
Super quick introduction to the new feature. Thank you very much
I am also glad to get that replacement on video. Thank you very much
Dan, your tutorials are well structured and explain the concept very clearly. Thank you and appreciate your effort.
With Spring 3.0.x Spring security has changed with many methods getting deprecated. I request you to kindly explain the correct way to do LDAP authentication and return JWT using spring security 3.0
Thank you.
This video is great, I find it easy to understand how to move from the WebSecurityConfigurerAdapter to the lambda DSL with the example given. And that for Spring Boot to pick the changes up it has to find it in a @Bean
I didn't like this approach at first but being honest it is way better than the previous one, I can't count how many times someone could not create an authentication manager bean because they overrode the authenticationManager method and not the authenticationManagerBean method
Thank you Dan. I just finished this tutorial and now I am sure to say "this is an amazing tutorial for beginners, it is clear, easy to understand and useful"
Excellent Dan thank you so much for sharing knowledge. Could you make a video about jakarta ?
Sir, Why annotate with @Configuration when @EnableWebSecurity has @Configuration annotation in it??
If you are on that version you are correct but it no longer includes it so going forward you will need both.
@@SpringSourceDev Oh i see, thats for the clarification...
Den! Hi what about very intensively corrupted outdated docs about Kerberos 1 release in spring in aspects of new 6 security they cannot be together at all
simple a good tutorial, it helps me understand the confusion of spring security > 2.7, thanks
Glad you enjoyed it!
Thanks for the video! After spending hours as I am new to JAVA and especially security side of things, your video helped me bypass the CORS issue. Being new to JAVA how to keep track or update myself in the best practices in JAVA? any recommendations is appreciated!
Awesome video man!
Perfect timing
That's what I am looking for.
Thanks so much bro, you have all the new ones that we need
No problem at all, glad I could help out.
@@DanVega I can't wait for the new video
Dan, thank you very much but why we didn't do the production practice from the beginning.
Again thank you.
Good question! Mainly to keep the tutorial concise and on topic.
Thanks Dan for this video. Could you make another security video, this time involving API Keys?
That is on the list. Are you just looking for JWT?
@@DanVega Nope, just general API keys for application level security.
@@DanVega a video about authentication and authorization using JWT is what many many many people are waiting for! so please yes!
@@maxjustmax521 that is coming next!
Great tutorial man! Thank you!
Thank you so much for this tutorial it helped out a lot.
Glad it helped!
Great video. Thank you so much!
Is there a way to refresh the token or log it out ?
Dan, thank you so so much! It was very useful!
Thanks Dan, very concise video.
What I don't like about the new configuration is that there is no easy way to get the underlying AuthenticationManager as a bean. We need custom login flows, so we need to call AuthenticationManager manually. In WebSecurityConfigurerAdapter, we can easily get the AuthenticationManager, but now, there is no way to do it AFAIK.
Thanks for the feedback. Can you give me an example of what you're trying to do and I will see if I can get you an answer.
I was working quite long to hack old framework to be able change role to endpoint mapping without restarting app. Wanted to have features that can be assigned to user or role in dynamic way. Is new solution more flexible or I will have to hack it again 😂 that’s great to use it instead of feature toggle or grouping users to many groups. Just assign permission for user or for group on fly and keep it in database instead of code
Thank you, exactly what I needed
Hi, Dan. Do we need to still leave EnableWebSecurity annotation? Looks to me it works without it. Btw, great video.
You should still use it. The reason it works without it is because Spring Boot will actually add the annotation for you if you forget.
@@DanVega Add the annotation? My understanding is that Spring Boot's autoconfiguration classes will configure your default security beans. @EnableWebSecurity will cause Spring Security to configure your default security beans. These defaults are generally close but you would only use @EnableWebSecurity if you specifically wanted Spring Boot to back off. - great video though.
This is exactly what I am looking for. Thank you so much!!!
Great video Dan. Concise and to the point.
I have a quick question about the deprecation - the blog post says WebSecurityConfigurerAdapter has been deprecated, as we encourage users to move towards a component-based security configuration.
My question is why? What advantage would that give us as a developer which we couldn't have with WebSecurityConfigurerAdapter?
Hope to hear from you soon and once again - thank you very much for taking the time to make this video
Good question! I'm not sure what the motivation was behind the change but I will see if I can find out.
Dan I can't express how good your tutorials are, love the structure, goal-setting and the on-point explaining without any gibber-gabber, One question is: will you update your course on Udemy to reflect the deprecations in the newer versions of Spring?
so far Spring security is a very important subject, many do touch on it but there is no good structured course out there for this specific topic.
Thanks again.
I really appreciate the kind words Max! I have been thinking a lot about Udemy lately. I'm not sure what my plan is yet but when I figure that I will let you know.
Your video is great. you teach like a pro. btw this is the first time i see you. you just got my subscribe and ill check more videos of yours.
Hello, my friend!
Could you explain what is the difference between @EnableMethodSecurity and @EnableMethodSecurity? Also, why are they needed? Thanks in advance
I cannot use antMatchers here why? it gives :Cannot resolve method 'antMatchers' in 'AuthorizationManagerRequestMatcherRegistry'
If you're using Spring Boot 3 -> Spring Security 6 has removed antMatchers which was deprecated. Please use requestMatchers
docs.spring.io/spring-security/reference/whats-new.html
How do i define the AuthenticationManager bean following the deprecation of WebSecurityConfigurerAdapter?
Thank you so much Dan, I really like the way you try to explain how to use it. I think it’s really important to use it in a Spring suggested way too.
I have one question regarding on the SecurityFilterChains, does it mean that if I create two different SecurityFilterChains, is Spring be able to create two different sets of filter behavior?
Great question. I answered it here for you
github.com/danvega/office-hours/discussions/25
@@DanVega thanks Dan
Hi what happen to AuthenticationManagerBuilder object ?
You can create a bean that returns an AuthenticationManager. What are you trying to do?
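One way to do what this reply describes, for the custom login case raised earlier in the thread (an added example, not code from the video or from the Spring project). It assumes Spring Security 5.7 as used in the video; the package, class, bean and method names and the demo user are hypothetical.

```java
package com.example.demo; // hypothetical package

import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
class AuthenticationManagerConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed demo user, stored with an encoded password.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("user").password(encoder.encode("password")).roles("USER").build());
    }

    // The AuthenticationManager is published as an ordinary bean, built from the
    // same UserDetailsService and PasswordEncoder the rest of the application uses.
    @Bean
    AuthenticationManager authenticationManager(UserDetailsService users, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(provider);
    }
}

// Hypothetical service for a custom login flow that calls the manager directly.
@Service
class CustomLoginService {

    private final AuthenticationManager authenticationManager;

    CustomLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    Optional<Authentication> login(String username, String password) {
        try {
            // On success ProviderManager returns an authenticated token and, by
            // default, erases the submitted credentials from it.
            return Optional.of(authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password)));
        } catch (AuthenticationException ex) {
            // By default DaoAuthenticationProvider reports an unknown user and a wrong
            // password the same way, so callers cannot tell the two cases apart.
            return Optional.empty();
        }
    }
}
```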
Dan thank you so much
Good and helpful tutorial 👍
How do you create integration tests for these controllers that use the InMemoryUserDetails?
Thank you Dan
Can you make a video on how to enable csrf on spring security and use it with Angular app.
I don't do a lot with Angular but I will add it to my backlog.
github.com/danvega/office-hours/discussions/46
I get a very strange error: authorizeRequests() is deprecated. How do I solve this?
Very helpful video, thanks!
The GitHub link seems to be not having the code demonstrated here. Could you please update that?
Sorry for that, fixed and pushed.
What is this http terminal tool
It just makes calling services from the command-line a little bit easier, readable and less verbose.
httpie.io/
Thank you for this amazing Tutorial! Can you also explain how to do the same thing if we have multiple Configurations with different @Order?
I answered a similar question here github.com/danvega/office-hours/discussions/25
Hi Dan. always great content, thanks a lot!
My pleasure!
I see that in @EnableWebSecurity has also @Configuration, so do we need to add @Configuration again at line 11? When I remove @Configuration at line 11, application still working.
Just leave it there because in later versions it doesn’t include @Configuration
thanks!!!
Great content as always ❤️.. waiting for the next one.. keep it up good work 👍
Thanks for this, Dan! btw, I thought mvcMatchers() were preferred over antMatchers()? Also, keeping config in a separate class, outside of the Application class, makes it easier to replace inside tests.
I generally use mvc matchers but I would have to do some research if it's preferred or not. I was just converting a basic example I found that was using ant matchers and that's why I used it here.
mvcMatchers("/admin") would match /admin, /admin/, /admin.html, etc. since it uses the same MVC matching logic as Spring MVC itself. antMatchers("/admin") would strictly match "/admin", not the other variants. In this case, an attacker could get into the "authenticated()" block by simply adding an extra "/" (yikes!). Since this subtlety is so easy to miss, I would recommend mvcMatchers.
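The trailing-slash gap described in the reply above, written as a regression test (an added example, not code from the video or from the Spring project). It assumes Spring Boot 2.7 with Spring Security 5.7, plus spring-boot-starter-test and spring-security-test on the test classpath; the package and class names are hypothetical.

```java
package com.example.demo; // hypothetical package

import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest(classes = AdminMatcherTest.App.class)
@AutoConfigureMockMvc
class AdminMatcherTest {

    // Hypothetical minimal application: one admin endpoint and one filter chain.
    @SpringBootApplication
    @RestController
    static class App {

        @GetMapping("/admin")
        public String admin() {
            return "admin only";
        }

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            return http
                    .authorizeRequests(auth -> auth
                            // mvcMatchers uses Spring MVC's own matching, so "/admin/" is covered.
                            // With antMatchers("/admin") here, "/admin/" falls through to
                            // anyRequest().authenticated() and the USER test below sees 200.
                            .mvcMatchers("/admin").hasRole("ADMIN")
                            .anyRequest().authenticated())
                    .httpBasic(withDefaults())
                    .build();
        }
    }

    @Autowired
    MockMvc mvc;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsForbiddenWithAndWithoutTrailingSlash() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isForbidden());
        mvc.perform(get("/admin/")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowedWithAndWithoutTrailingSlash() throws Exception {
        mvc.perform(get("/admin")).andExpect(status().isOk());
        mvc.perform(get("/admin/")).andExpect(status().isOk());
    }

    @Test
    void anonymousIsChallengedForCredentials() throws Exception {
        mvc.perform(get("/admin/")).andExpect(status().isUnauthorized());
    }
}
```

Keeping a test like this next to the security configuration catches a later switch back to a stricter matcher, because the `/admin/` assertion for the non-admin user then fails.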
Thanks for sharing, would you mind to share some opinion or suggestion for my recent use case.
I'm developing a microservice architecture and spring security is in the core library project that included in each of the services.
I have different set of api to mark as permitAll() for each of them.
Basically I want to avoid create almost identical filter chain bean that consist of csrf.disable(), cors and etc. Can filter chain bean be extended?
I would have to see how much duplication is going on. Generally in microservices you are going to have some level of duplication and each service needs to be independently deployable so I'm ok with it here.
Does this configuration also work for Spring Web MVC?
How come you're using antMatchers instead of requestMatchers?
Because this video was made before the changes in Spring Boot 3 😉 Going forward please use request matchers.
amazing ...! sir can you please do spring security with using mysql database data
Sounds like a great suggestion. Can you add this to my content idea discussions and provide as much detail as possible.
github.com/danvega/office-hours/discussions/categories/content-ideas
@@DanVega added sir
Thank you for the great video Dan! I tried adding 'springdoc-openapi-ui' to document the api while using basic auth security but for some reason it did not work. I was able to send a request even if I logout. Can you please make a tutorial in which you demonstrate how to use 'springdoc-openapi-ui' in our project while having basic auth and also JWT auth (I know that we can have one at a time but it would be great to see both implementations). Thank you in advance!
Thank you for the suggestion. I added it to my backlog github.com/danvega/office-hours/discussions/35
Amazing video thank you so much! I was stuck with this just the other day 😊
Glad it helped!
The video is great but I was following along and can't call either of the secured API's user / admin. I've tried with curl and Chrome passing in basic auth (Chrome prompts you for credentials). I have the security config annotated as a @Configuration and both methods annotated as @Bean. I'm sure it's user error :(
problem solved. User error. The video is really great, thanks.
great video
Thank you, Ken!
Thanks for a very good tutorial. However I am stuck at the login loop. I am using Kotlin. How can you assist me?
07:00
thank you
You're welcome
Thanks you
Great video as always! Keep up the good work and it will be awesome to see more videos on this topic.
Since nowadays most apps are REST API's with SPA framework and JWT flows are used - it will be great if Spring Team implements this flow (REST API, Role based Authentication/Authorization against the Database - with bcrypted password, etc) out of the box.
Do the new Spring Security changes simplify this flow in any way? Because right now to implement such flow there is a lot of boilerplate code which would be better if it is implemented and can be used from Spring Security!
These changes don't really change that but I have enough requests for a similar tutorial that I will work on that soon. Thanks for the feedback.
Thanks for this video, it's really helpful
But I can't .antMatcher() after authorizeRequests() . Please help me solve this error. Thankssss
They deprecated it too. Now:
authorizeRequests() -> authorizeHttpRequests()
antMatcher() -> requestMatchers()
@@khawan5534
authorizeRequests() has already deprecated.(
I would like a new video all about relationship(hibernate)
Thanks for the suggestion github.com/danvega/office-hours/discussions/36
thx dear
I love you
I love the way you present the ideas to work with. Simple and well designed!! Could you please add the zip file of your demo project on the description so that anyone can download and practice more. Thank you
Dan, you are going very fast, you are not telling the internals and how it is happening. You just fired a request http -a user:password :8080/admin and logged in as user. I understood what's happening, but want to know how it works: will it go as a header? Or better, you should have used Postman to avoid confusion
👍
Sir, Can you Please Tell How to Write Authentication Manager Builder in New Spring boot Version
Upload spring security jdbc
What are you trying to learn? How to lookup users in a database via JDBC?
I am trying to develop one e-commerce project with spring boot security jdbc and react js
Thank you for your response Dan sir
Omg. Just 6 months ago and this is outdated. WTF is happening with Spring Security :(
What do you mean? It was deprecated, then removed. Not sure what the issue is?
stu mllunar
Most of the things in this video are now deprecated...whata shitty framework
I have an error even after making these changes. I got this error while running the app: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to process import candidates for configuration class [org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration$WebSecurityEnablerConfiguration]: class path resource [org/springframework/web/servlet/config/annotation/WebMvcConfigurerAdapter.class] cannot be opened because it does not exist
Hi There,
I am using Spring Boot 2.75 and I used your tutorial up to a point. I managed to dig around Google and found some useful pointers but using your tutorial I wrote this and it worked. Thanks for your help
@Bean
public InMemoryUserDetailsManager userDetailsManager() {
    // In Spring 5 we need to encode our password as standard. This is different from how we use to do it in Spring 4
    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    UserDetails user = User.withUsername("user")
            .password(encoder.encode("password"))
            .roles("USER")
            .build();
    UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("password"))
            .roles("ADMIN")
            .build();
    return new InMemoryUserDetailsManager(user, admin);
}
thanks sir , im appreciating your open mind for helping peoples , im from india , can you give me your facebook im a java developer from kerala
Thank you for the kind words. Facebook isn't a great place to reach me. If you want you can find me on Twitter
twitter.com/therealdanvega