Adding Spring Security to new Spring Boot project - Java Brains Brain Bytes

Video Statistics and Information

Captions
In this video you will learn how to add Spring Security to a fresh Spring Boot application, step by step. Adding Spring Security to Spring Boot has a surprising and an interesting effect. You will learn what this effect is, and you'll also understand why that's happening. [Music]

All right, here's our starting point. It's a simple Spring Boot application with just the web dependency, and I've added a simple API that you can use to test. Let me show you what I've got here. So this is my Spring Boot application open in IntelliJ. If you look at the pom.xml, there is just the web dependency and of course the test dependency. Here is the main application class with the main method that you would expect from a Spring Boot app, and here is this resource that I've added. It's called HomeResource. It just has a home method which is mapped to the root URL, and it just responds with a simple welcome text in an h1 tag. Now if I were to start the server and open localhost:8080 in a browser, you should see the welcome message that that controller returns. All right, so this is mapped to the root URL, so accessing the root URL is going to show me that welcome message.

All right, so now how do I add Spring Security to this kind of a web application project? The way to add Spring Security to a Spring Boot project is by using a dependency called spring-boot-starter-security. Just like with a whole lot of Spring Boot dependencies, this is a starter pack. It is a Maven dependency which pulls in all the necessary Spring Security dependencies and makes them available for you, so you don't have to hunt down individual dependencies. You can do that, of course, but this is the best and the most recommended way. So all you need to do is go to your pom.xml, and I'm gonna stick this dependency here. After the starter web, I've got the spring-boot-starter-security dependency.

Now, most of the Spring Boot starter dependencies don't typically have an effect just by adding them to the classpath. You also have to have some kind of configuration that goes with it in order to tell Spring Boot, "Hey, I have this dependency, take it and use it and do something with it." However, with Spring Security you have something different. All you need to do is add this to the classpath and Spring Security immediately starts working. What does it do? Let me show you. Now if I were to start this application again with just the dependency added and no configuration done, and if I were to access the same root URL, notice what happens. There is a sign-in form. We didn't add this thing in here. How did this get here? And what do you even use to sign in? I can try something, let's say test and test. It doesn't work. It's even doing validation. It has a proper sign-in endpoint, it's checking to see if your credentials are valid, and in my case, where I've entered random values, it tells us that they are bad credentials and it doesn't let me sign in.

What's happening here? Well, let me tell you. So you remember the picture in some of my previous videos where I talk about Spring Security being this watchman or security guard in front of your application, which is basically intercepting all the requests and making sure that the person who is making the request is the right person who is allowed to be making those requests. This is kind of what Spring Security is doing. Just by adding Spring Security dependencies to the classpath, it kind of sits in front and it's stopping you from accessing the application. How does this happen? How does Spring Security do this just by adding something to the classpath? How can Spring Security intercept and kind of take over the whole application like this?

Well, the answer is using something called filters. If you're not familiar, filters are a very basic concept of servlet applications, and Spring Boot and Spring Security and all of these Java web applications are servlet applications after all. Spoiler alert. So you have basic servlets, basic servlet technology working underneath to provide all this kind of rich functionality, and you have all these frameworks built on top of it so that you don't have to deal with the servlet layer. But what's actually doing all the job are those servlet technologies, and filters are one of the core concepts associated with servlet technologies.

Now how does it work? Think of a web app, and you have a bunch of servlets here, which are basically what do the work when a user makes a request, right? So a user makes a request to a URL, and then there is a particular servlet that does the functionality and provides a response for that particular request. And the way it works is, depending on the URL, the right servlet is picked, right? The servlet container looks at the URL and says, "Okay, this URL needs to be handled by this servlet, this URL needs to be handled by that servlet," and then it picks the right servlet that needs to do the job, and then it executes a method on that servlet. This is how servlets work.

But think of filters as kind of like cross-cutting concerns. Filters kind of stand right in the middle and they intercept every request, and this gives you an opportunity to do something with every request. You can kind of think of it as cross-cutting pieces of functionality that you can use to log every request, for example, or check every request to see if a particular header is there or not, you know, stuff like that. So while servlets are mapped to URLs, filters can be applied to all URLs. You can put a filter in there and say, "Okay, this filter needs to intercept all URLs," and then you have that filter allow or deny based on the request itself. Well, guess what? Spring Security is doing exactly that. Spring Security is just putting in a filter there and saying, "OK, now I'm going to sit here and examine all requests to allow or deny requests as per what I should be doing."

There are a bunch of things that Spring Security does by default. First of all, it adds mandatory authentication for all URLs. Let's say you have a Spring Boot application with a bunch of URLs. You throw Spring Security in there, and by default, without any configuration, it makes sure that authentication is required for all those URLs. When I say all, there are a few things that it does skip authentication for. For example, the error page: Spring Boot applications come with a /error by default. Well, Spring Security does not secure that, because you don't typically need authentication to show error messages. But in general, it adds mandatory authentication for all your APIs. It's the first thing that it does.

Second, it adds a login form. We've seen that there is a /login route which brings up the login form. It adds that controller to your application.

Next, it handles any login errors. It has this authentication logic where it accepts your user ID and password, and then it validates and makes sure that that's correct. If it's not correct, it shows a login message, which we've just seen.

But now you might be thinking, "Hey, hang on, what is a correct user ID and password? Because we haven't done anything, we just added Spring Security. Where is it getting the user ID and password from?" Well, Spring Security is saying, "OK, now somebody has added me to the classpath. I make authentication mandatory by default, but it turns out this developer has not given me a user ID and password to authenticate against. Now here's what I'm gonna do: I'm gonna create my own user ID and my own password," which is exactly what Spring Security does. So this is the fourth thing that Spring Security does when you add it to the classpath. So it's created a user ID and password, and that's the reason why it's showing up a login form for us and it's not allowing us to enter.

But now how do I figure out what that user ID and password is? If you look at the console log over here, you see this. It says "Using generated security password". So this is the password that it has generated, and by convention Spring Security creates a user called "user". So this is the user ID and password that Spring Security creates by default for our Spring Boot application, just by adding that dependency. I'm going to copy this password, go back to the form, enter the user name "user" and this password, and click sign in. There you go, we are in. So this is the default behavior of Spring Security, and just by adding Spring Security to the classpath we have achieved this functionality.

You can of course customize this automatically created user, though. So what you can do is go to your application.properties, and you can add a couple of properties in here. So the first property is spring.security.user.name, and then make it foo, and then again you can do spring.security.user.password. I set that as foo as well. All right, so now you're basically telling Spring Security, "Hey, create the user with this name and this password. That one default user that you're gonna create, create it with this username and with this password." So when you start this application now, Spring Security thinks, "Oh good, now I want to do the default behavior of having authentication, but I don't have to create my own user. Here is this one user that this developer has given for me." So it's gonna create that user instead of the default user. Now if you were to start the application and look at the logs in the console, you will not see that created user with generated password message anymore, right? It doesn't do that because it doesn't need to. It's just gonna use the user ID and password that you entered in your application.properties. Now if you open the same URL and enter that username and password, foo and foo, we're in again.

So this is how you add Spring Security to your Spring Boot application. Now with the application property values, what we've managed to do is to override the default user that Spring Security created. But we obviously want more. We want Spring Security to refer to some kind of a list of users that we have in our system. In order to do that, we need to configure the authentication mechanism in Spring Security. Click this video to learn how exactly to configure and override authentication in Spring Security. I'll see you there. [Music]
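
The filter mechanism described in the captions, as an added example that is not from the video or from Spring Security's own code: a plain servlet filter that examines every request and allows or denies it based on a header. The class name and the `X-Request-Id` header are hypothetical, and the `javax.servlet` imports assume Spring Boot 2.x (Spring Boot 3 uses `jakarta.servlet`).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

// Hypothetical filter for illustration. Spring Boot registers any Filter bean
// with the embedded servlet container and maps it to all URLs ("/*"), so this
// code runs before the request reaches a controller.
@Component
public class RequiredHeaderFilter implements Filter {

    // Assumed header name; pick whatever your application actually requires.
    private static final String REQUIRED_HEADER = "X-Request-Id";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String value = request.getHeader(REQUIRED_HEADER);
        if (value == null || value.trim().isEmpty()) {
            // Deny: respond here and do NOT call chain.doFilter(), so no
            // servlet or controller ever sees the request.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Missing required header " + REQUIRED_HEADER);
            return;
        }

        // Allow: hand the request to the next filter, and eventually to the
        // servlet that is mapped to this URL.
        chain.doFilter(req, res);
    }
}
```

The allow or deny decision is simply whether `chain.doFilter()` is called, which is the same position in the request path from which Spring Security enforces authentication.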
Info
Channel: Java Brains
Views: 188,327
Keywords: java, java brains, tutorial, brains, koushik, kaushik, brainbytes, explained, java tutorial, learn java, java tutorial for beginners, java programming tutorial, java programming, java programming for beginners, spring, spring security, spring security tutorial for beginners, programming, spring boot, koushik kothagal, kothagal, beginner, java training, authorization, authentication
Id: PhG5p_yv0zs
Length: 10min 51sec (651 seconds)
Published: Wed Aug 14 2019