#3 Spring Security Fundamentals | Basic Authentication Vs Form-Based Authentication | FULL COURSE

Captions
Hey there everyone, my name is Avilash, welcome back to another episode of the Spring Security tutorial series. In this episode I'm going to talk about something really, really basic. Again we are going to talk about the foundation, and before we proceed further I want to build that particular foundation, and only then will we start talking about some advanced stuff. So in this particular session we are going to talk about how to set up basic authentication and form-based login with our Spring MVC application. The topic is very simple; it's going to take three or four lines of code to make it happen. But again, the foundation, how things basically work behind the scenes, how we can correlate a bunch of things together, that's what I'm going to focus on in this particular session. So make sure you go through this, understand this, let me know if you are having any problem, and by the end of the session I feel that you will have the foundation that I am hoping you should have. All right, so let's go ahead and learn some simple stuff in this particular episode, simple but necessary to understand Spring Security in the coming days. So let's get prepared.

All right guys, before we get started with this particular episode: while I was editing it I felt that my screen was lagging behind for one or two seconds in some portions of this video. I hope you understand this is a live video and these things are not in my control, so apologies if sometimes you feel that the video is lagging a little bit. Maybe you cannot even catch it, but while I was editing I found it for two or three minutes in the entire video, so hopefully you are going to manage with that.

So let's get started with the system. This is the project we used to work on, spring-security-evening, and this is the login page, the default page that Spring Security was providing us. It looks like yesterday we have done a configuration, and this configuration we have done here, and we have just created one user yesterday. Also I have not told you clearly, but this is fine, you guys can understand: we are doing in-memory authentication and we are creating a user, and whenever we create a user we need the username, password and roles, the three things. Also let me tell you, we can add more roles to a user. Let's say this user is also an admin and is also a user; this is also possible, but I will be coming back to that. So yesterday we have created a user called ayur and we have given him a role called ADMIN. Maybe we can create one more user and we can do some testing.

How many endpoints do we have? If I go to the controllers, here we got three endpoints. All right, so can anybody explain to me what is the difference between this endpoint and this endpoint? Is there any visible difference here between this endpoint and this endpoint?

"Yes, so in the first one where we are using the annotation @GetMapping, it's got this hello world, so this is going to search the JSP file, right, with the view resolver. Here we have @ResponseBody; it is not going to search this page, what we are returning it is going to return."

Yeah, so this is just kind of a REST response, isn't it, because we have added @ResponseBody, so this one will be returned directly to the response, I mean it will be written directly to the response itself. So basically this is not going to use the view resolver, but this one is going to use the view resolver, because here we are writing @GetMapping and we do not have any @ResponseBody on top of it, so Spring will think that there should be a page available called hello world, "let me use the view resolver that you have configured here in the configuration file", and the view resolver will give you back this particular page if available; if not it will throw you a 404 not found page.

But here @ResponseBody is going to work in a different way. Basically, if you are going to create a new controller, let's say MyRestController, right here let me add @Controller. All right, so I have a controller here. Imagine that I have a URL, public String, let's say greet, and it is going to greet someone. So I am going to take this as a URL, let's say @GetMapping, and right now I want the URL to be, let's say, greet, and basically tell me what is your name, so let's say yourName. So right now I can capture this yourName that will be coming in my URL; I'll be capturing it by using @PathVariable (I also told you about this path variable). Then maybe the path variable id is going to be yourName, I can place it here, and whatever is entered in the URL, the data I'll be capturing here and will store it in a variable, maybe I'll say String yourName. Right now I can simply return a String here; I can say return "good evening" and then I can concatenate whatever user name I'm capturing here. Okay cool, so right now this is what we have, a @GetMapping, but this will not work, because whenever you're going to hit this URL it will think that there is a page here called "good evening" followed by whatever the username is going to be. But no, we want it to be available as a response, so I can either use @ResponseBody here, or, if I want all the methods that I have inside this controller to return things like this inside the response, then I can put this @ResponseBody right on top of the class, so for all the methods that I'll be having inside the REST controller I don't need to specify @ResponseBody on top of each method. But one more thing: why write these two things, why write @Controller and @ResponseBody together? We can use one more annotation here called @RestController, because if you hover over @RestController it has @ResponseBody built in; you can see here @Controller and @ResponseBody. So without using those two annotations we can use this annotation directly.

Okay, so now my REST controller is ready. Basically I got another endpoint here. Can I copy this endpoint? Maybe I can go to my security config, let me do Ctrl+S. Now let me wait for some time, my code needs to be redeployed, and once this kicks in... there you go, it's completed. Right now if I clean this, I can go to my REST controller. What is my URL? I can use this Safari browser for today, I can expand this. Now can I go for the username and password that I have created, ayur and ayur123, do login... yeah, it's saying "hello from Selenium Express". Now can I test my new URL, that is called greet? Let me say greet slash nothing, and there you go, it's saying "good evening" with no name. Okay, can I change one more, can I say greet slash felix, and there you go, "good evening felix". So it's working fine. So now can I do logout? Okay, so now it's logged out.

Right now you can see guys, if I hit this REST endpoint that I have created, this is my REST endpoint, right? Here I am getting a form, the login form. Notice that this is my REST endpoint, /greet, and if I'm saying /greet/ and press enter, see, first it is throwing me this form, and this is a form-based login, isn't it? So I can enter the username and password and I can log in here, no problem. But if I take the same URL and go to Postman, here I can open a new tab, I can enter the URL, it's going to be a GET request because I have written @GetMapping there in my REST controller. So right now if I say send, here you go, it throws you a 401 Unauthorized; you can see the status here, 401 Unauthorized, because this request has not been authorized. And as we have added Spring Security to our project, as we have added the filter chain (if you go to your configuration class, we have added this guy right here, and this is right now taking care of the security stuff; it is creating a filter, and I also told you how many filters it is creating, it's creating a lot of filters), if you go to the console you can see right now this call stack; this is not an error, these are the filters that we are having. Previously, whenever I was seeing a form, this filter was in action, UsernamePasswordAuthenticationFilter, and this filter was helping me to show that login form that I used to have. And I got one more filter here, you can see BasicAuthenticationFilter. So by default Spring Security will be activating these two kinds of authentication for you guys. Let's say if you are just adding Spring Security right now, by default Spring Security is activating the BasicAuthenticationFilter and the UsernamePasswordAuthenticationFilter; these two filters are activated. That's why, whenever you go here (first of all let me do logout), whenever you do logout and right now I'm hitting that REST URL that I have created, /greet/moyu, see, now I'm getting a form here, because I'm hitting it from my browser. But what about if I go to my REST client, which is Postman? Here I'm hitting the same URL, and it is also saying unauthorized. Here also, whenever we are sending this request we have to make sure that we are authorized, and to do that you have to go inside Authorization, you have to choose Basic Auth, and you have to enter your username and password. What was that? Maybe I can retype it: ayur, then ayur123, you can do send, and now it's saying "good evening moyu" because I'm writing moyu here. Can I change it one more time, can I say mohi, send, nice, it's saying "good evening mohi".

Now one fun fact here is that right now you are doing a basic authentication; you are clicking here, Basic Auth, and right now basic authentication is in action. Right now you are not doing your form-based authentication, you are doing basic auth. And one more interesting thing here that you guys can notice: let's go first to a web browser, let's say Safari. Right here you can see, let's say I am entering the credentials ayur / ayur123, enter, now let's say I am logged in, and I'm hitting here my URL, /greet/moyu. Let's say right now I'm hitting /hello; now I don't have to log in again, isn't it, because I'm using a form-based authentication. And whenever I'm using form-based authentication, what is happening internally? Where is that developer tool... Web Inspector, okay. Can I go to Cookies? You can see I got a JSESSIONID. All right, I got a session created; I told you, right, this is my session id. If you go to the client here also I can see something, 8DABAB3... is this the same session id that I'm having in the JSESSIONID cookie? Looks like it's not. What is the new one? Can I go all the way down? Can I clear everything? Maybe I can go down and check for the session id that I have been assigned. Maybe I can clear everything and simply do a logout; maybe I can close this browser and open a new private window. Now I'll be hitting that URL, enter, and now it's asking me, I mean it's just asking me to sign in. Now let's go and observe the console: if I go here, where is that session? It's 84135 or something like that. Can I go here, can I open the developer tool, Web Inspector? It is the same session id, 84135; you can see it is allocating me the same one, 84135. So now it is basically creating a session for me, and for this session it is also going to the server, and the server is tracking through this cookie whether the authentication has been done or not. Right now the authentication has not been done, so if I'm entering here ayur / ayur123 and sign in, now the authentication happened. Right now this cookie, as I said, is going to go back and forth, and as the authentication has already been done there is an object created behind the scenes. I'll be telling you more about that object, but that object's name is the Authentication object. So once you do the login, once the login is successfully done here in the server, what happens behind the scenes? Spring Security creates an object, and that object is an Authentication object; this is the interface called Authentication. I will be coming back to this particular interface, I'll be explaining to you how things work, but this object is getting created and this object is also getting stored somewhere, which is called the authentication holder.

Maybe if you guys are interested I can show you a diagram, but don't look at the diagram and get confused; this is some kind of advanced stuff we are talking about in the morning batch, but right now just forget about all the things which are written here. Just imagine something like this; maybe I can do something so that you will not be confused, maybe I can just blur it. Okay, now all these things which are here, imagine some kind of process happening behind the scenes. Whenever you are hitting a request, the request is coming to something called the authentication filter, and this authentication filter is basically converting the request that you have. I mean, whenever you are going here, let's say you are doing logout and you are coming here, and here you are entering your username and password, whenever you do sign in from the client this is an HTTP request, right, because it's happening over the web. Now that request will go to your server. That request which is coming to your server, this is your computer, you're hitting the request, now a filter is there that's called the authentication filter. The authentication filter is basically handling your request, and now it is converting your request to an object called the Authentication object. Right now the Authentication object is getting created right here; you can think like your object is getting created here, and now this object is going from here to here, here to here, here to here, it's going through some processes. What kind of processes, forget about that; just imagine that this object is going through all these paths, and at last, once this authentication is approved, this object will be there in something called the security context. There is something called the SecurityContext: once the Authentication object is authenticated, I mean once it goes through the different filters, once the authentication is successful, it will be stored here inside this context. So next time if the request is coming again this object will not go through all this process, right? So this object will be authenticated only once and then it will be stored inside the security context. So next time if a request is coming it does not need to go through all this process; this object can be directly returned: hey, this user is authenticated, this request which is coming to the server is authenticated. Okay, so that's why you are signing in one time only. Whenever you do sign in, basically you can see it: let's say /greet/moyu, now I am authenticated, right, whenever I did sign in, but next time whenever I'm hitting a different URL like /hello, see, it is not asking me to log in again. Why? Because the login has already been done. If I'm saying /bye it is again not asking me to log in, because this cookie that it is using is a valid cookie and this cookie has already been authenticated. And obviously I told you that if the authentication is done then again this object does not need to go through all these processes; directly the object will be here, the Authentication object, and it will be returned, and we can track that this is a valid request coming in and the user is already authenticated, so no need to ask him to authenticate again. Okay, so this is some kind of high-level idea; don't think about all these names, don't get confused right now, there is a time when I'll be telling you about all these things, but some kind of high-level 10,000 feet overview I'm just giving you, just to create an impression. Forget about it right now.

So now you are saying: "Avilash, suppose once I sign in I just went to all the URLs and then logged out. After logout again I will come back; at that time again you will go through the same process?" Yeah, yeah, the whole process. You have to go through all this process only when you are, let's say, trying to log in for the first time, or if your request is not authenticated. Let's say you are hitting a request; the request will come from your computer to here. Once the request comes here it will go to the authentication filter; now the authentication filter will convert your request to an Authentication object; now this object will pass through different processes, and once it is authenticated successfully this object will be stored here. Now let's say you are logging out; obviously this Authentication object will go away, right? That object will not be here because you are logging out, so we'll be erasing everything from the object: your username, password, or your authorities, what kind of roles you have, everything will be removed from that object. So this is obviously garbage collected, in a simple word. Exactly, next time a new object will be created here again, this object will go through all these processes and will come and be stored here inside the security context.

"So currently we are seeing two authentications, one is basic authentication and another one is form authentication. In form authentication we can see the form in the browser, so we see, but do you have any differences like basic and form?" Yes, I'll be telling you, I'm just coming back to that right now. So right now I told you one thing: whenever you are hitting this URL in the browser itself... do I have it? Not found, okay, I am not logged out, so can I do logout, enter, okay, now I'm logged out. So now this is what I call form-based authentication, because I am seeing a form. Basic authentication, if you want to see basic authentication, go to the REST client; this is a REST client, right? By default I told you one thing: Spring Security is activating two kinds of authentication for us, one is form-based authentication and one is basic authentication. So whenever you are hitting this URL, let's say /greet/mohi, and whenever I'm doing send, here I'm doing a basic authentication: authorization type, I have used Basic Auth. So right now what is happening? It will go into the header, and we will be seeing that this is the basic authentication one. If you click on the Headers you can see the authorization type; whenever we are sending this request you can see in the header that we are having the key Authorization, and the type of authorization we are doing right now is basic authentication, right? So basically when this request comes from a REST client, Spring Security is smart enough to figure out whether the request is coming from a web browser or from a REST client. If it is coming from a REST client then it will be using basic authentication; if the request is coming from a web browser, just like this, it will be using form-based authentication.

But now an interesting thing: first of all tell me where Spring MVC is doing this magic right now. Does anybody remember from the morning batch where Spring Security is basically doing all this magic? If I go to my Spring Security config, I have this much code, right? I have not set up any form kind of thing, I have not taken control; Spring Security by default is activating two filters for me. You can see that: two filters, one is called UsernamePasswordAuthenticationFilter, which is basically helpful for form-based login, and one more we are having, BasicAuthenticationFilter, which is helpful for basic, the Base64 or what we say basic authentication, right? But where is Spring Security actually configuring this thing? I have not coded that one; how am I able to see that particular form? Any answer to that? "I don't remember exactly, what, say, the UserDetails interface?" Do you remember? "No sir." Okay. "So basically in the Spring Security configure..." Yeah, yeah, we have the implementation. Where, where, Karthik, are you there? I cannot hear you properly, can you come again if you are there? "Yeah, it's a concrete..." Yes. So guys, I told you, right, if I go here... anybody else know, like Mohi or anyone else, do you guys know about this thing, where they are configuring this particular form-based login or basic authentication login? Any idea? No? Okay, so let me do that. I can go to WebSecurityConfigurerAdapter; see here, my security config is basically extending WebSecurityConfigurerAdapter, right? If I go here and do Ctrl+O you can see there are a lot of methods, and all this magic is happening just right here. Right now if you do Ctrl+O and type configure you can see we have three configure methods. This one we have used to set up our user in memory, but right now we have a few more; I can go to this one which takes HttpSecurity http as an argument. It's basically taking the HTTP request, whatever we are getting, I mean it is filtering that thing. Maybe we can go there. Now if I zoom this you can see some magic is happening here. This reference is http, and it is saying http.authorizeRequests().anyRequest(): what does it mean? Any HTTP request coming from the browser to my server, make it authenticated. Now these are some methods; maybe we could have written the same thing in XML, but if you are writing Java code you can use a chain of methods just like this. No need to memorize this thing, just do dot and Ctrl+Space, you will get the suggestions; you code it two or three times, you'll remember it. But anyhow, here it is: http.authorizeRequests(), authorize the HTTP requests, any request coming to my web server, make it authenticated. When you write authenticated() it is saying any request coming to your website, make it authenticated. That's why every URL that you are having in your application, every endpoint that we have right now, all the endpoints are protected. And it is saying that to protect these endpoints, do a formLogin() or an httpBasic(). So now it is using two kinds of approaches, two kinds of authentication we can do: one is called form login, and because of this form login you are seeing this particular form right here, and one more you are doing is HTTP basic, and because of this httpBasic() you are able to do a basic authentication. So right now this is the default implementation provided, and actually the implementation is provided right here inside this method, inside this class, which class? WebSecurityConfigurerAdapter.

Okay, so right now if I close this, right here we are extending WebSecurityConfigurerAdapter, so the code flow is going there. But hold on, I don't want that, I don't want my code flow to go there, so I can do one thing: I can write configure, enter, and there we go, I'll be able to override this particular method. You can see override the method that is available inside that class; override it. Now here I can say that I don't want to use the form login, I'll be using the basic authentication. So from this http I'll say http.authorizeRequests(), then anyRequest(), any request coming to my website or my server, just make it authenticated, so .authenticated(). There you go, now it is going to protect all your URLs. Right now a filter will be standing just in front of your DispatcherServlet, so before the URL hits your DispatcherServlet it will be hitting the filter, the Spring Security filter chain; right now these filters will come into the picture and the request needs to go through... which one I just need to define now. I'm saying that any request coming to my website, make it authenticated, but how are you going to authenticate it, right? So I can say .and(), authenticate it by using httpBasic(). Right now I'm saying that any request coming to my website, make it authenticated by using HTTP basic, that means basic authentication, right? I don't want to use form-based authentication or things like that. Can I do Ctrl+S? If I do it, right now I have overridden the implementation right here. Now let's see what is going to happen. Let me stop the server, maybe start the server again, and let's see what is going to happen.

All right, now one crazy thing you will see right now. First of all let me go there and hit the URL, enter, and there you go, right now it is not giving any form to you; it's giving some kind of thing like this. Maybe I can copy this. You are seeing the form, right? What I can do, I can close this, I can open this again in a new private window, enter this URL, and there you go, now it is not giving you a form, it is asking you to do a basic authentication. And you will be seeing here in the filters right now, see, one filter is missing: the other filter that we used to have to authenticate, because right now we don't have any form, we are not doing any form-based authentication, that's why we are only having the BasicAuthenticationFilter right now. The previous one that we used to have, the other filter for the form, is gone, because here I am saying only do the HTTP basic kind of authentication, so there is no need to have that filter; from the Spring Security filter chain that filter is gone. Now we are only having this filter, and this filter, BasicAuthenticationFilter, is right now doing the work. Can I go to that? Also let me do one thing: can I go to Develop and hit Web Inspector, and let's do one thing, I just want to click on Network. Okay, enter, there you go. Let me do a cancel; if I do a cancel and click on this request, Headers. So now if we see the headers we should be having something called... it's saying 401 unauthenticated, because I did a cancel, right? Right now my request is unauthenticated, so it's saying 401 unauthenticated. There is already a cookie created, but where is that authentication type or authorization type? See here, the last one, Basic, and here it is saying that this request is going to the server; whenever I press enter the request is going to the server and the server is giving me this pop-up, right? So if I do cancel obviously the request will be unauthenticated; if I do cancel you can see it's red right now and we got the error code 401, because obviously we cancelled the login, and if we go here, the type of login, WWW-Authenticate, you can see this is called basic authentication. Right now if I provide, let's say, ayur, and my password was ayur123, if I do log in now, see, I'm authenticated, so it's giving 404, because there is no page found for this URL, but this is a different error, 404; anyhow we have logged in, right? And if we go here you can see Authorization; now what kind of authorization have we done? Is this visible, can you guys see it? "Yes, yes." Okay, so now you can see the authorization has been done and the user has done the Basic authorization type, right? So basic authentication we have done, and it is encoding our username and password, you can see that just like this. But do not think that this cannot be reversed; I think I told you about this thing some days before, maybe in the weekend batch, I don't remember, morning batch, okay. This is your authentication type. Maybe what you can do, you can go to a Base64 decoder, click on the first link, and now enter whatever I copied from there, from the other tab, right from here. Okay, where was that... there you go, this one. Now this one I have just copied from the Authorization attribute, and if I go here and do decode you can see my username and password are just right here. So that's why I said basic authentication is not at all acceptable. This is one of the simplest types of authentication that we can do, but try to avoid it. But if this is for an internal project or things like that it is acceptable; it is never acceptable for a production standard. Maybe I'll tell you about that later, let's not discuss that now, but anyhow you can see that from the URL only I'm able to break the username and password for my user, which is really not good; from this one if I go in reverse, you can understand how secure this is. So basically this is all about basic authentication.

Now again one more thing I told you: whenever you are doing a basic authentication, maybe I can go back here, whenever you are doing a basic authentication you can see the JSESSIONID is here. If you are going to remove that cookie, if you are going to delete that cookie... even right now I told you, I'm already authenticated, so you can hit /hello, you don't need to authenticate again because it's already been done; you can write /greet/moyu, it's already done, right, as you can see it's all green, and if I do one more, /bye, this is also going to work. This is working because of that cookie that we have created. And if you are hitting the same request in your REST client, right now let's say I have a request here, /greet/mohi, I have to go to Authorization, I have to provide my username and password, I'm using the Basic Auth authentication type, you do a send, go to the body, now it is saying "good evening mohi", right? So next time if I'm going to choose No Auth, let's see what is going to happen. If I do send, see, still it's saying "good evening mohi" because I'm already authenticated. Now if I'm going to hit, let's say, /hello, same, I'm getting the result; maybe /bye, I'm also getting the result. See that I'm not authenticated, I've turned off the authentication, but still it is working. Why? Because you can see inside Cookies we got a cookie created. If you delete this it is not going to work; again it is going to ask you to authenticate, or you will be getting a 401 unauthenticated error, not 200. Because this cookie goes with the request, and this cookie is already authenticated, that's why you are able to log in without having any problem. Making sense, guys, so far? I want to hear. "Yes." Okay. All right, is it making sense for you? "Yes sir, yes." All right.

So let's go for the next stuff. How much time do we have? Maybe I can go for 10 or 15 minutes more. Let's do some fancy stuff right now; I will not go so deep. Right now I'm able to authenticate the requests; I'm saying every request coming to my server, make it authenticated. If I want to make it authenticated then obviously I have to say which form I want to authenticate with. If you want to also use the form login then you can just do .formLogin().and(), and you can use both formLogin() and httpBasic() right now. So right now if you do Ctrl+S, maybe I can stop the server (Spring MVC got an issue, I'll be telling you about that later, maybe sometimes it will cause a problem) and start the server again. Now, same thing guys, we'll be having the same thing in Boot; something will be auto-configured, at that time it will be very easy for you guys, so have the basic foundation from here; while learning Boot you'll complete everything within 30 minutes. Anyhow, this stuff will be auto-configured; here we have to create these classes, we have to do it by ourselves; there is no magic in Boot, but the first time, if you have Spring Security in your classpath in Spring Boot, then the initial configuration that we have done by creating this configuration file and initializer is not required. But again nobody will stay with the default, right? You have to create your configuration file, just like my security config file, the one that I have created, so obviously at that time you will be needing all these things again. So very important, focus right now on this thing, because you already know how Spring MVC works, right? Cool.

So right now I have added formLogin() and httpBasic(). Let's do one thing, can I go to my browser again? I think this guy is already logged in, right? Not found... see, I have already restarted my server but still this guy is already logged in; this is not good, but this will not be happening in production, this is only an issue in dev, so nothing to be worried about. I can write logout right now first, let me log out, and right now if I want to hit any URL, let's say /greet/moyu... have I logged in already? Can I do logout now? "In Safari you were facing these issues in the beginning also, so you chose..." No, I have chosen Safari, I think. Okay, let me try this one, sign in... something here, sign in, bad credentials. Okay, now let me go for ayur... oh sorry, this is ayur, ayur123, sign in, okay, now I'm logged in. Now can I do /greet/mo... okay, I'm done. So now the thing is that you just see that I have used the form-based authentication
right now but previously whenever i was hitting that request i used to get that basic authentication in a pop-up i was not getting the form-based authentication pop-up just now right now i have activated the form login and whenever i'm hitting this request from a browser now my server can detect that okay the request is coming from a rest client or some java code i have written by using rest template or something just like that either a program is calling it or either a web browser from the web browser i'm hitting it now here i'm hitting it from the web browser okay so the form best uh you know login is right now on in action now can i go there and you can see the username password authentication filter is back because because of this guy that i have written here and also same thing if you are going to hit this request from you know maybe from a postman from here then obviously you know you have to do a base basic authentication right so you have to go to the authorization tab click on here basic auth and provide your password and maybe you can do update we later will know how to work with jwt uh old and things like that but you know i mean let's stick to the basic for now okay one more thing uh maybe quickly i can cover let's say right now i do not want let's say right now on sunday i i want my site to be on maintenance and i do not want any of the user to access any of the url in my site at that time i mean instead of saying authenticated you can just use one more thing called deny all right now what will happen even though you have the correct username and password right now you'll be denying all the requests which is coming to your server right now let's say today's sunday i will be going for a maintenance and i don't want anyone to access any of the url even though they are registered even though they they have a valid username and password with them so for that right now if we'll go to here uh maybe to safari where is that okay now if i hit this one now see 
401 forbidden and now you see uh the error the funny error that we are getting the server understood the request that means well you have sent all the valid information but the request refuses to authorized it and is saying that okay it's a 403 forbidden because i have told that okay do not accept any url by writing this piece of code called any request coming to my server deny it okay so now if you are going to hit any of the url now from here also you can try hitting it send now you'll be getting a 403 forbidden unauthorized access maybe you can click on yeah preview is not coming right okay no problem so it's saying that you can see that is for three forbidden maybe i can try with hello this is also going to be a 403 forbidden i can also try with um you know greet and my euro this is also going to say 403 forbidden because i have denied all the requests if i want to permit everything just write your permit all instead of saying deny all i can say any request coming to my website any request coming to my website permit everything okay now if you do control s right now i can see if i'll go there maybe i can go to my web browser to test it and maybe i can go to so party browser that one i was using okay there you go right now if i'm going to hit this one i'm saying it's saying good evening myer if i'm going to hit any request right now right if i'm going to hit hello i'm able to access that if i'm going to say bye i'm able to access that so all the urls are now permitted because of this guy call me down because i'm permitting every request but hold on this will never be the case right i mean imagine in your website let's say right now if i'll go to safari let me go to my website okay if you'll go to any website right now see imagine to access the live course page okay or to access the contact or space or i mean things like that let's say someone you know i mean someone want to go to the contact page right to access the contact page do do he need to log in not at 
all so this url selenium express last contacts last contact i should not restrict the user to access this one but what about someone go for a video course okay and someone is trying to go for let's say something right here maybe a spring nbc is clicking here now if he is trying to access this content no you cannot access this url right because you are right now logged you are not logged in to access this url you have to log in first okay so this url is a secure url but the other url the contact one that i have is not a security url so right now i cannot format everything or i cannot deny everything i have to make sure which one i have to give the permission and which one which url need to be protected okay so for that we'll be using something else okay and uh maybe uh tomorrow maybe next session i'll be taking i'll be telling you how to uh permit a particular url for now i'll just make all the urls authenticated there you go okay i i don't want to break this uh code right now maybe next section i will be saying that how to secure a particular url and things like that okay so so far how much comfortable you guys are making sense a little i have not done anything i think for the last three session i'm just telling basics um yeah you guys can say that whether it is making sense or not or you guys are okay or not um maybe you you want me to go fast slow things like that i'm done man i'm done benita you can stop recording if you want yeah so just one question i was having okay then don't stop okay yes okay okay ask me the question huh so uh in production when we are going for the deployment so we need our application to be um we need to apply the downtime so i wanted to i was uh connecting such that when we are applying the downtime so at the back end is it behaving the same way which we are trying to do now that permanent permit or deny or it is working the other way well something else is happening let's see venita whatever the flow we are discussing right now and 
whatever the flow will be discussing after this everything is going to be remain exactly same so one quick question i don't want answer in detail just you can see me yes i know so how we are looking deny all we did and uh we are not able to access so in real time also does it happen like in most of the time we go our system is not working based on your requirement or no if you if you want let's say i want um on my sunday right for two hours every request coming to my website yeah it happens i see system is not working and under you know enhancement yeah so they have given you methods it's up to your choice like how you are going to use it right let's say you will be using this deny all method right this authenticated one i'll say deny all i i can make it some kind of i can make it dynamic so that you know if it is sunday two o'clock then every request will be coming to my application we'll go through this one deny all right i'll be i'll be using some kind of method i'll create a kind of scheduler or i'll be create a kind of corn and that convent run in that time and that i mean and by that time this particular method will be called and it will be denying all the requests right so yes it's all up to how you are how you are going to use this particular method they have given us api methods it's all up to us right uh which method will be choosing and one more thing i have keeped in spring mbc just remind me sometime we'll take one hour and i'll complete that that's called interceptor anybody know about interceptor interceptors why we use that any idea about it but i don't a bit of it like uh logging in and form but it gives the entry to your application something like that yeah yeah that's just like a filter only this is nothing but a filter if the request will come to the interceptor first and basically you can use the interceptor this is also a filter to make uh the maintenance stuff done also right i mean it's all up to you how you are thinking uh maybe how your 
lead is thinking or how your architecture thinking and how is your client is thinking i said that's most important and accordingly we can use all these features right we have so many options to do so many things but which one we'll be choosing that's all all depends on us right we have the api methods we just can call it or we can have we have the features like interceptor filters things like that so the call will anyhow coming to those things first so we can take our action let's say i want to take my website to maintenance to maintenance uh sunday two o'clock to four o'clock i can obviously do that right there okay it's all up to me cool so yeah let's not you know talk about this thing yeah yeah what is the difference between authenticated and permit also authenticated informative yeah authentic authenticated will authenticate all the requests if you are saying authentic authenticated is going to authenticate a particular request not all the requests if you are saying here authenticated that means you are saying any request is coming make it authenticated you can also say dot and matchers okay i'll just tell you one thing authorize request dot and matchers then this request some request let's slash something make it authenticated that means authenticate this request right i mean right now we are just telling that okay this request only authenticate then maybe rest of the request i can give permit all maybe i can write any any other one let's say add matches again and i can give some other url and i will make it permit or this login form best example i can give you permit all means you know for that you don't need to login let's say for the login form if you want to see the login form do do somebody need to log in to see the login form do i need a login do i need to authenticate to see the login form no anybody can see the login form without authentication so i can do dot permit right for the form login if i have any default url just make it available to everyone 
by writing this parameter but if you're writing authenticated that means this url should be go through the authentication process making sense okay but if we are using permit all uh instead of that authenticated then uh for the first request uh do we need to get a login page or not no so right now if we'll be permitting this particular request obviously this request will be available without even login form you will be seeing whenever you have to authenticate isn't it let's say something let's say this url does not need authentication why you need to show the login page isn't it there is a url you don't want your user to do login to access that url then why you will show the login form to them isn't it just show him that content of that particular page directly okay okay yeah i got it anything else any other questions felix you are silent today no questions ma'am yes no question refti mohi they live i had two questions but already asked by veneta okay okay and and i have not given satisfactory answers and i will be giving on the right time okay i don't want yeah that's why i didn't ask again yeah yeah i understand yeah that's why and of course initial 5-10 days you know it's very difficult because you will have a lot of questions whenever i learn also the things i'll have a lot of questions but i do not research once i complete then i start researching okay if something is getting skipped but anyhow just give me around seven days more i'll just give you all the foundation then go ahead and ask me as many questions as you want and at that time i can answer okay and i can just give you references like okay do you know that do you know this i mean you can visit do that particular class or code and you can take the reference i can give you the reference okay so everything is happening here the code is written right it's not no magic is happening here so yeah i have to show you the code to explain something but i don't want to show you those code right now it's as 
simple as that okay and yeah showing the code unnecessarily will give you a lot of confusion so let's not go into that for now okay anyhow let's stop the discussion right now tell me are you guys planning for tomorrow class yes okay how many years ago so can i stop recording yeah sure sure go ahead please and if anyone have urgency you guys also can drop all right so this is it for today's session in the next video we are again going to talk about some uh you know more interesting stuff about spring security and we we will be preparing for the war that we will be fighting maybe after 10-15 episodes so uh let's get started with the journey of spring security and as i said they promised that will be in a journey of zero to hero in spring security so uh our step-by-step process is working good let me know in the comment section if you are liking it or if you have any other suggestion just like if you want me to go past slow whatever you know just let me know with a comment and also let me know whether this kind of stations are helping or you want me just to write or type code and also i'm gonna quote according to you you know i like this approach but i don't know about you so you just suggest me that avilash this can be better you can try this one you can try you can you can try that way keep suggesting guys this is your channel i appreciate all your suggestions and all kind of infos that you give me so practice it and let me know if you're getting any issues and uh yeah i'll see you in the next session till then bye bye take care and happy coding [Music] you
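The configuration walked through in this session (.formLogin() together with .httpBasic(), antMatchers with permitAll and authenticated, and denyAll for the maintenance case), as an added example that is not the video's own SecurityConfig: it assumes Spring Security 5.x with WebSecurityConfigurerAdapter, and the /contact path, the MAINTENANCE flag and the user's password are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not the video's own config): Spring Security 5.x set-up that
 * enables both HTTP Basic and form login, keeps one public URL and requires a
 * login for everything else. Paths, user and password are placeholders.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder switch for the "Sunday maintenance" case from the session:
    // when true, every request gets 403, even with a valid session or password.
    private static final boolean MAINTENANCE = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (MAINTENANCE) {
            // anyRequest().denyAll(): the server understands the request but
            // refuses to authorize it, so the client sees 403 Forbidden, not 401.
            http.authorizeRequests().anyRequest().denyAll();
            return;
        }
        http
            .authorizeRequests()
                // Public page: reachable without a login, so no login form is shown.
                .antMatchers("/contact").permitAll()
                // Everything else (/hello, /bye, /greet/{name}) needs a login.
                .anyRequest().authenticated()
            .and()
            // Browser requests (Accept: text/html) are redirected to the login
            // form; formLogin() already permits the login page itself.
            .formLogin()
            .and()
            // Non-browser clients (Postman, RestTemplate) get 401 with
            // "WWW-Authenticate: Basic"; with both enabled, Spring picks the
            // entry point from the Accept header. A successful Basic login also
            // creates the JSESSIONID session seen in the video, so later requests
            // ride on the cookie until it is deleted or the user logs out.
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("io")                                   // user from the session
            .password(passwordEncoder().encode("CHANGE-ME"))  // placeholder password
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```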
Info
Channel: Selenium Express
Views: 3,829
Rating: 4.8983049 out of 5
Keywords: spring security form login, usernamepasswordauthenticationfilter, basic authentication spring boot, spring security basic authentication rest, spring security rest basic authentication example, spring security by selenium express, spring security configure httpsecurity, spring security step by step, spring security course free, spring security in spring mvc, spring security full course, spring security tutorial, spring security in spring boot, spring security fundamentals
Id: L-pfk5wkNbI
Length: 57min 59sec (3479 seconds)
Published: Fri Apr 02 2021