#7 Spring Security Role Based Authorization with example | Step-By-Step

Transcript
[Music] hi in this episode we'll be learning to define roles for our application we'll be able to create users with roles for an example everyone accessing your site or everyone who is logging in or logging into your system they are they are not privileged to access everything that you have inside your application right imagine you have created an application which has around 100 pages right so you don't want someone logs in and he will be able to access all those pages that you have created maybe you want some pages only be accessed by the customers and some pages should only be accessed by the admins right let's say admin can access all the pages but not the user a random user can only access the pages what i have given the permission to him right so we'll be learned to define those permissions will be learned to create those roles okay and to define these roles and obviously we'll be also learning to create some error pages will be also learned to create what we call that spring security uh tag leave for jsp how to use that for an example in my application i have 200 different link but i don't want all the links to be visible for a particular user so how to hide those things let's say in my page there are some section which is only meant to be seen by the admin so i don't want to view those particular things to the random users so how to protect those resources so we will be learning a lot in this episode and this is this is the last episode i feel in the basic series whatever the videos will come next that's gonna be um kind of kind of theory not theory i never tease theory those will be a little internal and in-depth so enjoy this particular video because it's gonna be very very simple and if you have continued till now and if you have completed all the previous videos then obviously whatever the videos coming off after this particular video also you'll be enjoying them so first of all you complete this one then i'm gonna tell like you know what we'll be doing 
next but for now let's try to learn the role best authorization and how to define access for different users let's get started [Music] i can go to the configuration file my app config what i have done so far i have created the data source created.jdbc template password encoder things like that it looks good okay in the config file what we have done so far we know how to do authentic i mean how to do authenticate a particular request like hello by hello world okay so good progress so the next thing okay what should be the next thing we'll be learning right now okay let's try to work on roles right right now we if you see let's say this hello world page is authenticated or this hello page is authenticated so if this page is authenticated can i deploy this particular project first and i'll show you something then we'll slowly um i'll just make you learn something then i'm feeling like i should be wrapping up the class early today i have to go somewhere so let's see uh spring security evening then if i'll go with hello world enter it should be asking me the login page right or if i'll be going for hello endpoint it should be asking for the login page maybe i can say uh do i have a user call avilash in a v123 login okay i'm logged in right now let's say right now this user is avilash if i will go back to hello world page right now because there i have a logout button i can do log out and i came out of the page right now let's say i want to login as the leap and delete one two three login and right now i'm logged in and if i'm gonna say here hello again now also delete is able to access this now any user who has a valid username and password is able to access this endpoint called hello isn't it because this is what we have said here at matures hello and make it authenticated so if you have a valid username and password and if you are authenticated then you will be able to see the hello hello endpoint okay but what if it at this end point i want to restrict it for few 
people imagine if we any people who got a access imagine like okay only admin can access this last hello endpoint but not the user okay then how you're going to restrict that okay we can use the method has a role yes has role or heads authority or access there are various way to do it we'll be learning one of them today so basically let's let me create some scenario let's work on some scenario first of all um we can create some roles okay let me let me say i i got an organization and here i got two type of people trainers and maybe quarters okay so i got some users here so abhishek avilash ghalib karthik moyu reptivinita and if i'll go to authorities they have some authorities as well the leaf has admin user instead of saying admin let me uh change this okay i cannot do it freely right so let me do one thing okay i have to do update right so update okay if i'll be updating um it will be update everything let me do one thing let me truncate the table truncate table evening authorities copy that paste it here and then i should say truncate table evening authorities this is going to work i feel okay it's truncated now there should not be any data okay it's empty now who is the first user i also want to do a select start from of this select star from users so i'll say evening dot users so now uh i will go to the i'll go to the authorities table again i'll do a select star from authorities let me insert few data here and i i will be giving some different authority imagine right now i have two kind of people okay all these people who are who we are seeing right here let's say avilas he's a trainer and also he's a coder okay imagine abhishek he's an user dilip imagine he is a trainer he is a coder and let's say he has some other role as well for now imagine he's a trainer and he's a coder karthik imagine he is only a trainer major imagine he's both trainer and coder okay you think like this okay so now now like that let me give some roles to all the users that i have 
maybe i can anyhow i'll go to the authorities table okay and i will be inserting some data into this so insert into evening dot authorities copy that and paste it here and maybe i'll say values and the values i'll be giving for user name username is avilash and let's say first roll that i'll be giving him is a trainer okay and let me run this okay strain fine and also i'll give a villas another role which is going to be uh let's say quarter see caps and let me write like this quarter okay uh there you go so if i'll be selecting the authorities now avila should have two roles trainer encoder the next one let's say they leave because this user also i got let's say he's in coder okay let me select the authorities okay they live got only coder access so who is the other users that i have let's say abhishek for abhishek i also need to make sure that name that i'm typing is right for abhishek i'll only give trainer access okay so let's run this let me see the actual table so the leap is a quarter avishaik is a trainer let me go for another user maybe i'll go to the users table and right here next one i'll take is karthik and for karthik i'll give both the access so right now velas is trainer encoder the leap is quarter of a sec is trainer okay that's fine that's fine we'll go with this much only we'll go with this much data only okay so now let's go ahead and build something maybe i can go to i can go to my controller imagine i'll go to my controller and there i'll be creating some more endpoints so this is my login controller and this is going to be my hello world controller okay so maybe here i'll be creating two more endpoints maybe i'll copy this and paste it right here and here i'll say trainer this is this is going to be for trainer and i'll give a page like trainer dashboard okay and i'll say show trainer dashboard okay and i'll do the same thing one more endpoint i'll be creating for quarter maybe quarter and let's say so quarter dashboard okay and i'll return 
quarter dashboard okay so i got two more endpoints trainer encoder so that is going to work and maybe this hello world i'll just change it to home page maybe i'll say instead of saying hello i'll say home okay and this hello world page name i'll also change it to let's say home page okay and that hello world where i have source main webapp webinar view hello world this one let's change it to home page or rename what is that uh refactor rename and let's say it home dash page okay home page maybe here i can give a h1 to show this is a home page and i'll say home page h1 control s there you go perfect so now let's do one thing so i i got this okay let me say inside this home page i'll be creating two links okay one is to show the trainer space i'll say anchor tag and i'll be creating a link let's say show trainers dashboard okay and here i'll be giving hrave and for now let me give nothing maybe i can create one more let me say so student dashboard okay there you go and right now i'll do control s i will go here let me do log out let me see right now how it looks like maybe i can go to home sorry what is that yes so here i'll be logging with right now available i'll be giving a b one two three uh what happened yes yes any question be one two three hello are you guys able to hear me yes yes thank you yeah yes you you got a question so i was saying we don't have to change in configuration file we have changed okay okay okay yep yep that also i need to do that also i need to do i'll be doing that i'll be doing that yes maybe first i'll do one thing for config from configuration file from the configuration file i'll do one thing is i mean i'll just remove everything and i'll say right now for now i'll do authorized request any request make it authenticated right every request will be authenticated i'll be coming back to here okay so now let me wait to reload my server my server server will start and we will just see that how will be securing all the endpoints we have 
created so right now maybe i can copy this right now maybe instead of saying uh maybe i'll do one thing guys i'll go to that controller instead of saying here where is that main controller hello world controller instead of saying home i'll say slash okay i'll do control s so whenever i'll be logging in this class will return the home page and here i got the homepage um okay now this home page will uh give me two links so trainers dashboard so student dashboard okay so let's see whether that is working or not then we'll start doing the other thing so i'll do copy this link i will go back to here i'll do ctrl b enter server started or not my custom login what happened security config my custom login this should have worked uh can i do dot um parameter because i will make sure that the custom login is permitted to everybody now let's try page is not working why is that okay let's wait till the server reloads okay now it's working right so make sure that you know if you are making everything authenticated this request will be also be authenticated so make sure that you know you will be permitting to everybody because to log in you don't need any authentication so the login page is for everyone so right now can i do um obvious ob123 enter yeah there you go so this is how my home page is looking like right now i got two links so trainers dashboard and so students dashboard but whenever i'm clicking it obviously nothing is happening maybe uh we can do what we can um we can link it right whenever i click trainer's dashboard it should it should go to the trainers whenever i click on coders dashboard i have set student maybe i can set code let me go there and fix it so home page so trainers dashboard and i'll say so quarters dashboard okay so now one thing i'll be doing first of all this link is going to be what slash trainer and obviously this one is going to be slash coder isn't it slash quarter control s now maybe here i need to provide the root context so i'll go to 
properties and i'll go to web project setting root context cancel paste the root context here okay and i'll do the same thing here as well ctrl s now let me go back there let me do a refresh and i'll click here okay and now the trainer page we have not created so 404 not found and also this page also quarter page also dashboard also we have not created so let me do one work all right now let me go to the controller that i have created and here i got two end points for trainer encoder first let me create this trainer's dashboard copy this url maybe i can go to view i'll do new and i will go to other and i'll be creating a jsp page i'll do next and i'll say trainers dashboard.jsp i'll do finish so here i'll be giving a h1 tag only i just want to create some pages just to show you nothing fancy here so also i'll say h1 and let's say trainers dashboard maybe i'll say dash or okay and uh and i'll say welcome to let's say trainers dashboard will be enough and let me say i'll just give a paragraph and i'll just install them that work on the new spring security course okay command s so this is my trainer space similarly i'll be creating one more page for uh whom if i'll go to controller uh quartus dashboard let me create one more jsp page let me copy the name and maybe i can do control c i can copy this and i'll paste this page again and this one will be coder's dashboard right so i can can i say coders or coder dashboard it is quarter or quarters folder right enter let me go there go to dashboard now let me do ctrl s and here inside the coder dashboard i'll be changing it to quarter chorus dashboard control s and i'll say work on the i'll say check jira or check rally for the new task okay there you go control s so now i will i'll do what i'll come back i'll do a refresh i'll click on show trainers dashboard well this is my trainer's dashboard go back show coders dashboard click here i'll go back to the quartus dashboard right now one thing i'll be doing okay now i'll be 
doing one thing let me do log out i'm logged out of the particular page and right now imagine the first thing that i'll be doing here okay and now think like this okay now now let's based on this role okay now now let's work based on the role so here now avilas is a trainer and obvious is a coder okay now let's go back there let's login with avilas so i'll say avilash and obi one two three this is a village logging in okay he logged in now see avilas has bought the role so he clicks here he shows the trainer's dashboard clicks here he shows the coders dashboard that's fine log out so i'm logged out right now okay now let me login as another user maybe i can log in with delete okay now see the leap is only a quarter okay or music it's only a trainer now let me log in with the lip and let's see the lip should only access the coder page right not the not the trainer page but let me go there and let's try let me do the lip and delete one two three login and he logs in right now now the leap is only a quarter so he clicks here he got the quarter piece go back he clicks here in the trainer page now why he is able to access this you see this see the ellipse access see the leap is only a quarter but now he's accessing the trainer space as well and one more thing abhishek abhishek is only trainer now let's let's check with abhishek let me go here do a log out i'll go here and i'll log in with abhishek and maybe abhi123 login he logs in right now he's a trainer he clicks here he's seeing the trainer space but what if if he's clicking here in the course dashboard now he's also seeing the coder page now this is not correct right now the roles are not properly managed right now everyone does have a username and password and everyone logs logs into my system everyone who is i mean actually accessing the home page they are able to see both of the link obvious and obvi 123 if i'm able to log into the home page i can if i click if i keep clicking links i'll be able to access that 
but i don't have the roles now or i don't have the authority okay so now let's work on the authority okay or or or let's work on the roles now let me give instead of saying authorized request any request authenticated now let me make it specific which request can be accessed by whom let me give those permission now i'll be giving at matches if the request is coder then then i'll give you access here dot health authorities or has uh ro i can use has role uh has role or i can use has authority to give give him the access i'll just tell you what is the difference between has authority and has role but these are kind of same thing right now i only want to give the access to this last quarter who has the authority of coder okay now any people who are present in my database okay any person who is present in the database who got the coder access they can only access this last quarter option okay just like that any person who is present here who got the trainer access they can only able to access the trainer trend or url so i can do the same thing so i can copy this line and paste it again here and i'll say slash trainer url can be only be accessed to those people who has a trainer role okay so now this is also making sense so now one thing we will do okay so i'll do ctrl s so now let's go and check there what is happening so let me wait till the server reload the changes i will go back to my google chrome now let me first log out can i click on log out i'm logged out so i'll be logging in as a village no let me not log in adobe last let me login as delete remember the leap is only a quarter so delete one two three log in so he logs in right now he's the coder click here now he's able to access the quartus dashboard but if he clicks on the trainer's dashboard there you go he does not have the permission so we are saying 40 403 forbidden right that hey you don't have any access you can see the description server understood the request but refuses to authorize it i mean you 
are authenticated but you are not authorized to have this access you are not authorized to click on this link uh i mean this particular page content is only be able to shown to those people who are authorized to see that okay hopefully it's making sense and uh maybe if i'll do log out and if i'll be logging in as uh abhishek right now i'll be saying i'll be one two three make sure that abhishek only got the trainer access now if i'll go to the db obviously is only a trainer so now if i'll go here and if i clicks on the trainer's dashboard you'll be able to see the trainer space but what if what if you if you want to click uh right here in the course dashboard right now it is give them a forbidden error message right till now is it making sense or not [Music] okay making sense uh what about others i mean we're on the same page till now then i'll be doing some other things okay yes okay okay so now it's making sense we need lunch all right deputy uh making sense right now this thing so far okay so just just uh you know stop me whenever you are finding that you know it's going over your head i feel it's very simple right he has the access or not so one more thing uh can i go back can i do a logout what if i'll be uh you know login as a village so avilash ob123 is my password login if i click on coders dashboard click on that i'm logged in and if i click on that trainer's dashboard click on that i am logged in and why i'm able to log in in both of the url because i have i am both a coder and also a trainer and that access you can see in the database so velas has a quarter access and a trainer access right both the access of elastics and here in the url we are saying this url can access recorder so anybody who has the code access they can access it or anybody got a trainer access that can access it so hopefully it's making sense as a villas got both the access then he is able to sleep both of the pages right but as the lip has only the quarter access then he will be 
only be able to see this particular pace and as avishek only got the trainer access he will be only be able to see the trainer pace but not the quarter page or you will not be able to access this endpoint okay okay one more thing guys if i'll be going back if i'll be log out let's say i'm logging in as delete delete and delete one two three log in okay now let's say delete has only the quarter access so if it clicks here okay see he accessed the quarter space now if he clicks here now he is getting a 403 forbidden so this is not good if you are not able to give access to a people then or if you want if you don't want to give access to someone then don't throw a pages like this it will not make sense to them it will make sense to you it will not make make sense to them so for this what you can do you can create a another page a user-friendly page maybe a page called access denied others uh jsp jsp file next and let me say access denied or something just like that okay and here i can say i can give a h21 tag and i'll say access denied okay or i can say here maybe a style can i do a style color equal to rate that will become as red color and one more thing i can do you don't have authority to see or to access this page okay there you go this is a text for the person who is basically going to access this particular piece and let's see what is going to happen right now so now we want this particular page to be shown to someone who is having a problem who is getting an error page just like this so now when someone sees this kind of error page we don't want to show him this kind of error base we want to show him a 403 forbidden problem okay we'll be saying that okay you are having a 403 problem then i won't be showing you this default error message space i'll be showing you my custom error message space and i'll be showing you a custom exception that hey you don't have enough permission to see this particular page so maybe i can say contact contact to support okay or 
things like that so now i'll be creating a handler my handler method for this url so let me go to my controller and here i'll be click creating one more endpoint let's say i can copy this and paste it here and can i say this access denied okay and i'll say um error or something just like that and i'll just say here the page name is access denied okay command is so now what i will do this is my error base right i mean this page should be fired when someone sees some exception like this whatever i've shown you okay right now i don't want to show him this page so now what i'll do i'll go to my configuration file and here i'll do one more thing i'll add and dot exception handling can i do end dot and dot exception handling or things like i think exception handling only i can click on exception handling and i can show a access denied page okay and the url for that access denied page is this one slash access denied okay command s now let's see what is going to happen when some i mean error is occurring we are seeing the access do not url what is this access in our url if you will go to your controller where is your controller control f control v enter the match is here and it is going to return you a access denied page control shift r open this this is the page you are going to see or the user is going to see now let me go back to here and if i will let's say right now i'm logged in as uh delete right if i click here now he is seeing the access denied base now let me do go out if i'll do log out let me login as obviously login and right now let's say abhishek is only a trainer now he'll be able to see the trainer page but if he'll be clicking on the dashboard he'll be i mean the quarter dashboard now we are saying him that access denied you don't have any authority to access the space contact support i got a typo here sorry about it so making sense so far what what i'm trying to achieve here guys you guys are okay or not okay yes okay uh delete making sense so far we are 
on the same page okay yeah felix you're not okay felix i'm okay i'm okay sir all right okay now let's go to the next thing uh if i'll go to eclipse okay one more thing i think yours was asking it i can show you that thing also maybe i can do one thing so when the user logs in right now let's say avilas is logging in obviously one two three log in now i want to show who is the guy logging in right so there are different approaches to do it but i'll be telling you a simple approach right now and i won't be explaining much about it when we'll be jumping to the r1 section we'll be learning about it i mean we can achieve this in two or three different way but let me tell you one thing when basically a users logs in let's say a user is logging in available and i'll be one two three i told you when he clicks on login then this is a request which kind of requests this is http's update request right so that request whatever so when we are clicking on login a request will go to my server http request so i told you earlier that request will go through some process okay if i'll open that you know morning batch dock you can don't see right now don't see all these things don't get mad okay just think like a request will be coming just like this this is a http request then that request will convert it to so a filter is going to handle that request and this object is right now going to convert it to a object called authentication just remember this particular interface name the name is authentication okay so now this object i mean when the request will come come first whenever it is going to hit the server a filter is going to accept the request the filter name is authentication filter only see here don't see here only see here okay authentication filter now that authentication filter will do what will convert that request to a authentication object okay now that object right now will pass through different kind of uh you know services different kinds of classes it will go through 
different kind of things and then it will come here once it's authenticated it is going to be stored somewhere called security context okay what is that security context forget about it i'm gonna come back come back to here now one thing i'm i'm just giving you a priority to understand when the request is going to first hit here inside the filter this http request is going to be converted to an object called authentication okay and if we'll go to um if you'll go to your eclipse if you click on control safety and authentication authentication so this is the interface okay now we can see it is basically extending to another interface called principal if i go to the principal interface you can see there is another interface and it has one method called get name okay get name is what is basically the username so any point of time if you want to capture the username who is basically logging in you can use this interface called principal and you can do principal.getname and it will be giving you the username and i told you uh the pre this authentication is extends to principle so in authentication also so we have few things like get authorities if i want to see what kind of roles this particular user has let's say avila says two kind of role trainer and coder then that kind of role i can print you can see this get authorities is going to give me a collection okay so get authorities can tell me what kind of roles a particular user has just like that if i'll be printing get principle okay get principle is what get principal is i told you principal means user okay it's is is extending to this particular object right so it will be printing principle then it will be printing the username okay so right now just understand two things get principal if you will be calling then it will be printing the username it will be printing the get authorities it will be printing the authorities okay now let's try let's see that whether we will be we are able to print or not let me go to my 
which class hello world controller maybe let's say this is my home page right this is showing my home page so i'll do what first of all i'll do can i remove this hello and buy right now i don't need it i just want to work with this many endpoints okay now imagine here i told you you just write authentication or principle let me go with principal principal interface so principle in principle okay so this principle object why we're using to get the username okay so i can write here maybe somewhere in the as a note i can say principle means user name okay i hope it's making sense so right now you can do what from the principal object i can do principal dot get name okay now this is going to get me the username so can i do string user name so it is going to get me the username and can i print it can i do this out and can i print the username let's say i can say logged in user is someone i can say logged in user is and the username the username i'm getting from princepa hover over here it is going to give you a string so principal the same interface i told you the principal has one method called get name okay now let's see what is going to happen now let me go to here let's say i'm going to login as a villas logged in now see here in the console logged in user is overlash so if i'll do log out can i do it with the lip let's say delete one two three enter now can i go back there and can i see logged in user is delete so now if i'll go back to my controller so here i'm able to print the user and also i can print the same thing by using the um author authenticate object so i told you now authenticate is also extending to principle so i can also say authenticate can i minimize this i can also say authentication sorry author not authenticate authentication what is that authentication object authentication spring security.org and i'll say auth okay and here i'll say right now in this auth i i told you if i'll go to the authentication this is extending to principal interface 
so right now inside the authentication we got a method called get principle what is that get credential will give you the password but it will not be printing it i'll be telling you why then we have get principal okay get principal is going to give me the username let me use this method get principal method can i come here and i'll say auth dot get principal and i'll say dot okay this is going to give me an object okay you can see now this is going to complain because this is going to give me an object so i can just convert it to two string okay now this should work okay now here i'm printing the username using the authentication object not the principal object now let's see whether the things are working fine or not maybe i'll try to log in again i'll go back here log out let me try with logging in with the leap and delete one two three enter and let me go there logged in user okay logged in user is delete i am printing a lot of in its prints a lot of information but i'll tell you why but one thing you can see the username is the lib and also you'll be getting a lot of other information because this principle is going to have a lot of information like whether the user is enabled or not whether the account is expired or not what is the granted authorities granted authorities is coder so i can i can also say here a two string of username so i'll do one thing can i can i do one thing can i uh do principal here prince pal i just want to bring in two interface together right now so that you can understand uh principal and let me say principal i'll now now let's use two interfaces okay i'm going to use authentication to get the authorities and principal to get the username so let me say principal can i say principal dot i told you principal dot i mean got a method called get name and this is going to give you the username and i'm going to send the username and also let's say here fetching the username okay and right now let me paste the authorities from the 
Authentication. Okay, I can also fetch the username using auth, but I want to use these two interfaces together just to give you some clarity that we got two interfaces called Principal and Authentication, and I just want to make you remember this thing. Okay, so now let me fetch the roles or authorities. Okay, so to fetch the authorities, what can I do? I can do auth, auth is the Authentication object, and I can say auth.getAuthorities(), and this is going to get you a list of authorities. Obviously this getAuthorities() is going to return me a Collection, so I can basically, you know, loop over this particular authorities collection. Don't get mad by looking into this; if you don't understand, ignore it for now, I'll be coming back to this. But this getAuthorities() is going to return you a list of authorities. Why is it going to return you a list of authorities? Because see, in the database, we are having two authorities here, trainer and coder, for Abhilash. Maybe Abhilash can have three authorities, four authorities, so it will be returning all the authorities, right? So what will I do right now? I can just print these authorities; can I do sysout, authorities? Right now let me wait till it reloads the changes, and we'll be seeing what it is printing.

Okay, so now I'll go back here, I'll do logout, maybe the username I'll give as abhilash and the password I'll be giving is avi123, login. I'm logged in. Let me go there: logged in user is abhilash, authorities coder and trainer. Okay, let me do log out. Let me try with Dilip, dilip123, login, sorry, dilip and dilip123, login. And now let's see, dilip is the logged in user, and he has the coder access. Right now we get the data here. Okay, we can also display it inside the home page, right? So now I can also send these authorities, maybe this authorities data and the username data, through a Model to my home page, so that
right here I can show him: hi Dilip. Okay, so let's do that. Let me create a Model, okay, and let me say Model model, and right here inside the home page, can I do Ctrl+Shift+O first to import it? Okay, the next thing, I'll be adding a few things to the model, as model.addAttribute(). addAttribute, there we go, and the username, and basically the actual username. Here I'm getting the username, copy that, paste it here, there you go. And one more model.addAttribute(), and here I'll be passing in authorities, or roles, whatever you want to say. Maybe I can say roles so that you can understand it better, but authority and roles do have a slight difference; I'll be telling you about that later, but right now that's fine. So these are my authorities; here only I'm getting the authorities value, and I send it by using a Model to the view page. Right now this model, whatever we have in it, will be available right here.

Now let me just paste the value right there, maybe right here in the login? No, not in the login. Let me close the login. Where is my home page? Okay, here I can access those. First of all, isELIgnored is false; make sure that you have this guy set to false. The next thing, maybe instead of saying home page I can say hi, and maybe I can access the username. Okay, this is the name I'm sending from the backend, so username, Ctrl+S, there you go. And maybe I can have another one, roles; maybe I can have a forEach tag, and I can say roles assigned, and let me also access that particular attribute that I'm sending from HelloWorldController. What am I sending? roles. Copy that, go back there and paste it. Okay, Ctrl+G, paste it here, Ctrl+S. Okay, so now let's see; this is not an error, I always tell you, close it and open it again. Where is my home page? Select it, Ctrl+Shift+R, open this, there you go. Okay, so now there is no error here. Now let's see whether it is working or not. So I'll go back here, log out, let me try to log in with Abhilash, avi123, enter, there
you go: hi Abhilash, roles assigned is coder and trainer, and here is your dashboard. Okay, now if I click on log out, and here if I log in as Dilip, dilip123, enter, yeah, there we go, he has been assigned the coder role. And if I try with Abhishek, obviously you'll be getting dynamic data, right? abhi123, enter, there we go, right? Making sense so far, guys, what I'm trying to achieve here? We're on the same page? Yes, this is what you wanted, right?

Yes, yes sir.

And you said one more thing, and I want to tell you that, but it is 7:43 right now. Anyhow, we have started late, guys. Can I go for another 15 minutes? Yes? Are you so busy, or can we manage 15 minutes? Your voice is breaking, Dilip, are you okay?

Yeah, I'm okay.

Okay, okay. Karthik, another 15 minutes?

Yes, 15 minutes more.

I can also wrap it up right now, but I want to do one more interesting thing, okay, that will excite you. So let me do one thing. We have a problem here now, see. Let's log in as Dilip, dilip123, enter. Now he's a coder, right? And okay, so now he can click on the coders dashboard, okay, there we go, coders dashboard, he can access it. Let me go back, and if he clicks on the trainers dashboard also, now he cannot access it, because he does not have the role; he only has the coder role. Now tell me one thing: if he does not have the access, then why do you want to even show him this particular link, isn't it? Let's say right now I'm logging in with Abhishek, and abhi123 is his password. Now he's a trainer, so he can click on the trainer's link, that's fine, but we are showing him this coders dashboard. So if he clicks on it, obviously we have an error page, but why do you want to show him this particular page? If he does not have the access, then we really don't have to show him this particular page, this particular link. Then how to restrict the user, I mean, not even to stop him clicking here, I mean we will not even be showing
him this particular link; only if we show it to him will he be clicking here, right? So to do that, again we have a few other ways as well. Right now I can show you one thing, that's called the Spring Security taglib. Okay, so maybe I can go with the Spring Security taglib 5.2.2. Where am I copying from? I want to copy from Maven; maybe I'll just type it by myself: Maven repo, and there is, just like JSTL, right, a Spring Security taglib, enter. And where is that Spring Security taglib, what do we call it? Can I go back to that website, taglib, taglib only, right? Yes, taglibs. Okay, copy that. I don't want to copy from here, maybe there will be something mismatched and I'll be gone. Search, okay, there you go, click here. I can copy any one and I will change the version number there. Copy that, go to the pom file in Eclipse, go to the pom, and maybe I can paste it right here, Cmd+V, Ctrl+A, Ctrl+Shift+F, and maybe the security version I can copy from here and paste it right here. Okay, Ctrl+S, now this is going to give you the taglib feature.

And now what I can do, let me first collapse everything. You can go to the Spring Security project, you can go to src/main/webapp, WEB-INF, view, and let's say inside the home page we got two links, right? This link we only want to show to the trainer, this link we only want to show to the coder; if you have both the permissions you can see both of the links. So to do that we will be using the security taglib. Just like the home tag here, we'll be using another tag called the security tag, right? Can I go to that? I don't remember the taglib, can I copy that from the internet? Maybe I can go to that same website that I went to previously, and just copy it, just type spring security and you'll be getting that. Okay, and make sure that this particular URI is going to be exactly the same as
this, and the prefix you can give anything. Okay, so now I can go here and paste it here, and this is saying sec as the prefix. So I can do one thing; this is one link, right? So I'll say sec, and there is an attribute called authorize, and I'll wrap it around this particular link, okay, and I'll say here access, and I want to only give the access to those people who can see this trainer link. Now for the trainer, I only want to give the access to those people who have a role, or have an authority, called trainer, and to do that, what I can do, I can go to HelloWorldController, maybe my configuration file. What is my configuration file? Can I close all these unnecessary classes that I'm not using right now, trainer dashboard, coder dashboard, there you go. And here I can use this method directly; I can call this method here in the JSP page. Where is that? Okay, access, and here I can say access is going to be hasAuthority, who has the coder, sorry, this one is going to be for trainer, right? Trainer access, right, and the same thing I will be doing here for this one. Maybe I can copy this one and paste it for this link, and copy this one and paste it, I mean end the tag here, and I'll say only show it to those people who have the coder access. Okay, now let me stop, okay, I don't need to stop right now, let's try it.

Maybe I'll go here, I'll do log out, let me first log in as Dilip and dilip123, login, and there you go, right? You are not seeing two particular links; he is only a coder, so he's seeing the coders dashboard. He can click on coders dashboard, and there you go, that's his dashboard, right? So check it really for the new task, come back, logout, he is logged out. Let's check with Abhishek and abhi123, enter. Now we got a trainer's dashboard, because he's the trainer, so he's seeing only one link; click here, now there you go, he's logged into the trainer's dashboard. Now can I do log out, can I log
in with Abhilash, and avi123, login, okay, sorry, avi123, login. Now he is seeing both the coder and the trainer, I mean both accesses he has, so both the links are available, you can click on any link, okay, and he clicks on logout, he is successfully logged out. Okay, this is it. I will not take more of your time, I am done. So now let me know if you guys are okay with this.

I'm okay, just I have to write it by myself to understand.

Yes please, yes please, you have to do that. Okay, make sure everyone is going to practice. And now, please do me a favor, send this particular video to the boot group and tell them to watch the last 15 minutes. I'm not sure, Karthik, have I covered this one in the morning batch?

No, no, no.

Please, please send it. You know, I just recalled this, because I just thought, okay, let me tell you this thing also. I feel that I have missed that in the morning batch; I'm just getting a feeling that I have not told them. Yeah, maybe just share it with them and just tell them, okay, last 15 minutes, yeah, what is that Spring Security taglib, and how we can show or hide things based on the role. Let's say somebody does not have the role and I don't want to show him this thing, then no problem, put that inside that security authorize attribute and it will not be shown. Okay, I hope you guys are getting it. Cool, then see you guys tomorrow, and before I go, quickly tell me, same time?

Hello, hello?

Yes, yes, Felix.

Okay, before we wrap up, I just wanted to ask one question, maybe.

Yes, you want to invite me for dinner today?

Yeah, is it possible to... hello?

Yeah, yeah, yeah, Felix.

Yeah, now the information we are writing on the console, like the user's details, like the username and the user authority, whether it's a trainer...

Yeah, yes, yes, Felix.

So is it possible to have a separate file to the user's page to write that information, like maybe, if possible?

Okay, so you are saying that
loading it from a different file, Felix?

Yeah, yeah.

Yes, we can, we actually can, but see, here there is no need to do that, because this is a view file. But if you want to maintain that same thing in the back end, it is possible; here also it is possible, but there is no need, right? We are just sending the user, I mean from the back end, right, from the back end only we are sending it, and this will be dynamic, so there is no need to load the user. When does the loading stuff come in? When something is static. If the username is always going to be Felix, then we can load it, we can put that inside a separate file, like a properties file or things like that. But here the usernames are always going to be changing, isn't it? Username and roles will always be changing based on the user who is logging in. So his information we can show him here in the home page, and whatever we are sending, we just need to print it right here in the home page, right? So I don't think there is any need to do that, Felix, but yes, whatever you want, you can do that, and whatever you said, that is possible. Making sense, Felix? We can do that, we can do that, but there is no need to do it.

Okay, okay, all right.

Okay, hey guys, thank you very much for watching this video, and in the next video we'll get started with the UserDetails interface, and we'll learn about UserDetails, UserDetailsManager, you know, so many things I'm going to tell you. I'm really excited to teach you all those things, and I'll see you in the next video, and we'll get started with the Spring Security internals. Hope you guys are excited. So see you, bye. [Music]
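The two pieces the video builds by hand, the controller that reads the username from `Principal` and the authorities from `Authentication` and hands them to the view, and the server-side authorization that makes the trainer and coder dashboards actually unreachable for users without the authority, are shown together below as an added example. This is editor-written code, not the instructor's project or Spring's own sample; the package name, the `/trainer/**` and `/coder/**` URL patterns, the `/login` and `/access-denied` paths, and the authority strings `TRAINER` and `CODER` are assumptions and must match whatever is stored in your authorities table (Spring Security 5.x API, matching the 5.2.2 taglib version used in the video).

```java
// File: HomeController.java (hypothetical package name)
package com.example.security;

import java.security.Principal;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {

    @GetMapping("/")
    public String home(Principal principal, Authentication auth, Model model) {
        // Principal.getName() is the username. Authentication extends Principal,
        // so auth.getName() would return exactly the same value.
        String username = principal.getName();

        // auth.getCredentials() is normally null at this point: ProviderManager
        // erases the password after a successful login, which is why the video
        // could not print it. getAuthorities() returns every authority the user
        // holds; a user with both CODER and TRAINER rows in the database gets both.
        List<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)   // e.g. "CODER", "TRAINER" (assumed values)
                .collect(Collectors.toList());

        // Same attribute names the view reads with ${username} and <c:forEach items="${roles}">
        model.addAttribute("username", username);
        model.addAttribute("roles", roles);
        return "home"; // resolves to /WEB-INF/view/home.jsp via the view resolver
    }
}

// File: SecurityConfig.java (hypothetical package name)
// Hiding a link with <sec:authorize> only changes what is rendered; the URL is
// still reachable by typing it. The real restriction has to live here, on the
// server, for every request.
package com.example.security;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasAuthority() compares the stored string exactly (case-sensitive).
                // hasRole("TRAINER") would instead look for "ROLE_TRAINER": that is the
                // "slight difference" between a role and an authority.
                .antMatchers("/trainer/**").hasAuthority("TRAINER")
                .antMatchers("/coder/**").hasAuthority("CODER")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()   // custom login page, assumed path
                .and()
            .logout().permitAll()
                .and()
            .exceptionHandling()
                // Dilip clicking the trainers dashboard lands here instead of a raw 403.
                .accessDeniedPage("/access-denied");
    }
}
```

In the JSP, the dependency is the `spring-security-taglibs` artifact from Maven, declared with `<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>`, and each link is wrapped in `<sec:authorize access="hasAuthority('TRAINER')">` or `hasAuthority('CODER')`. The expression in the tag and the one in `antMatchers(...).hasAuthority(...)` must agree: if the view hides a link but the filter chain does not guard the URL, a user who knows the address still gets the page; if the filter chain guards it but the view still shows the link, the user just hits the access-denied page as in the video.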
Info
Channel: Selenium Express
Views: 2,898
Rating: 4.909091 out of 5
Keywords: spring security role based authorization example, spring security taglib, spring security roles and authorities, authorization and authentication in spring boot, spring boot authentication and authorization example, spring boot spring security, spring security roles, spring security roles and permissions from database, authorization in spring boot, authorization in spring security, spring security fundamentals, spring security in spring mvc, selenium express spring security
Id: HaKlcheBDA0
Length: 59min 36sec (3576 seconds)
Published: Fri May 07 2021