How to configure Spring Security Authentication - Java Brains

Captions
In this video you will learn how to configure the authentication mechanism of Spring Security. We will learn this by creating a couple of users in memory and having Spring Security authenticate and verify against them. The process you will learn in this video is the way to do authentication configuration in Spring Security, and it'll be useful to you irrespective of whatever your actual authentication approach is. So let's learn how to do this.

The starting point for this video is going to be a simple Spring Boot application with the Spring Security dependency added, the starter Spring Security dependency. If you're not familiar with how to do this, check out the video in the card that's showing up right now. When you add the Spring Security starter dependency, Spring Security creates a default user and puts your application behind form-based authentication. You can of course configure what the default user is in the properties file, but that's not ideal. For most situations you would want to have the Spring Security authentication happen based on a bunch of users that you have, maybe in a database or some other external store. In this video we are going to try out configuring this authentication by actually hard-coding a couple of users and saving them in memory.

Now, the way to configure authentication in Spring Security is by affecting what's called the authentication manager. The authentication manager is, true to its name, something that manages authentication in a Spring Security application. So you can imagine the authentication manager sitting in a Spring Security app and doing the authentication. It actually has a method called authenticate, and that either returns a successful authentication or it throws an exception when it comes to authentication, saying "hey, I cannot authenticate." So the authentication manager is what does the authentication. Now how do you affect it? The way to affect it is not by creating your own authentication manager but instead to configure what the authentication manager does using a builder pattern.

You don't work with the authentication manager directly for the most part. What you do instead is work with a builder class called AuthenticationManagerBuilder. You use AuthenticationManagerBuilder to configure what the authentication should actually do. So there are two steps here: first step, somehow get hold of this AuthenticationManagerBuilder, and second step, set the configuration on this AuthenticationManagerBuilder. So you can imagine the interaction with AuthenticationManagerBuilder being that configuration. When you're dealing with the authentication manager, the first thing it's gonna ask you is "hey, what type of authentication do you want?" and you say "well, I want in-memory authentication," and then the authentication manager says "ok, well then tell me what the username, password and role of your in-memory users are," and then you give it the user information. It could be one user or it could be multiple users. But once you've done this, once you've configured AuthenticationManagerBuilder with these properties, you can imagine a new authentication manager being created somehow which has the values that you want. So you're not directly dealing with the authentication manager; you're dealing with the AuthenticationManagerBuilder.

This raises the question: how do you get hold of this AuthenticationManagerBuilder in the first place? The way to do this is by leveraging a hook that's already available in the Spring Security app. The thing is, in a Spring Security app there is a class that's sitting there which has a method called configure, and it takes in as an argument the AuthenticationManagerBuilder, and the Spring Security framework calls that configure method and passes in the AuthenticationManagerBuilder. The reason that class is there is so that it gives developers an opportunity to extend the class, override that configure method and do the configuration that you want. If you don't extend this class and override the method, the default configuration happens. However, if you were to just extend this particular class and then override this method, well, now you have the ability to write a method which takes the AuthenticationManagerBuilder as an argument, and once you put this in your code, Spring Security is going to call your configure method and pass in the AuthenticationManagerBuilder. Now that's an opportunity for you to take that AuthenticationManagerBuilder instance and do this interaction that we talked about. So this is exactly what we're gonna be doing in the following steps.

The first thing I'm going to do is go to my application.properties file and remove these properties. We are not overriding the default single user that Spring Security creates. Now the next thing I'm going to do is to create that class so that I can provide that override. So I'm going to create a class; I'm going to call this SecurityConfiguration. You can call this any name really; what's important is that this class extends a particular class called WebSecurityConfigurerAdapter. All right, so this is the class that's sitting in the Spring Security app which has this configure method. If I look at the override options, these are all the available methods for me to override, so there are a bunch of configure methods here which take in various different arguments. The one that we are interested in is this particular one: guess what, it takes AuthenticationManagerBuilder as an argument. Now if you were to write a method here which overrides this, you can rest assured that Spring Security is going to call your method with the AuthenticationManagerBuilder instance passed in. All right, so I'm going to do just that. I'm gonna override this method, remove the reference to super.configure so that I don't call the parent class; instead I have the opportunity to do whatever I want here and set my configuration on this auth argument that's coming in. The auth is of type AuthenticationManagerBuilder.

All right, so we've looked at the interaction that we have with the AuthenticationManagerBuilder: first we tell it what's the type of authentication that we need, and based on that we provide the inputs. So I'm gonna take this auth object and I'm gonna make an in-memory authentication. All right, so I'm configuring this to be an in-memory authentication. When I do that I need to pass in the user, password and the role of the users that I need. All right, so I'm just gonna configure one user. This follows the method chaining pattern for configuring all these things so that you don't have to deal with a gazillion objects, but basically what you can do is chain methods like this: I can say withUser, username, the password, password, and then roles, and I can pass in whatever roles this user has. I'm just gonna pass in username as blah, password as blah, and I'm just passing roles as USER. This does not have any significance for what we're doing in this video because we're not doing role-based authorization at all in this video; we are ignoring this, but we need to pass in the role, so we are passing this in here as role USER. Feel free to ignore this for the rest of this video. But basically what I've done here is created an in-memory authentication configuration with the user, password and a role.

All right, so after I've done this, the last thing I need to do is put this annotation in here to say @EnableWebSecurity. What this does is tell Spring Security that this is a web security configuration. Web security is just one of the ways in which you can configure security; the other is the application / method level security, which we're not dealing with here. But since this is a web application and we need Spring Security to handle the web requests and authenticate, we have put this annotation here called @EnableWebSecurity. You need to do the same thing if you're trying to configure Spring Security for web applications.

All right, now that I've done this, there is one last step to do. When you're dealing with user IDs and passwords, you typically don't want to have passwords stored as clear text anywhere in your application. What do I mean by clear text? Clear text is basically saving the password as is, as a string, so that whoever is looking at that string can actually infer what your password is. Most passwords for most applications are saved in an encoded format, right? So there is a hashing that happens on passwords, and you don't save the actual password itself; you save the hash. If you're curious to know how hashing works and what password hashing is all about, check out this card which explains what password hashing is in a lot of detail. Applications having clear text passwords are a strict no these days, so Spring Security kind of has your back. Spring Security says, "I am NOT going to assume that passwords are clear text. I am going to encode passwords and I'm going to enforce my developers to do password encoding." What does password encoding imply here? What do you have to do to do password encoding? Well, what you need to do is actually very simple: all you need to do is create a bean of type PasswordEncoder and expose it to Spring Security. Spring Security is looking for all available beans, and if any of them is a PasswordEncoder, it is going to use it for password encoding. So that's a requirement.

So that's the final step that we need to do here to configure authentication. What I'm gonna do is create a bean, and I annotate it with @Bean, so the return of my method is going to be a Spring bean, and the method is going to return an instance of PasswordEncoder. This is what Spring Security expects. Now here I can return any encoder that I want. For the sake of this video, since this is a tutorial video, I'm going to return a NoOpPasswordEncoder. All right, so now our password encoder is basically a password encoder which does nothing, true to its name, so you are actually dealing with clear text here. In spite of all the things that Spring Security is doing here to stop you, it is still possible to use NoOpPasswordEncoder. Notice how it's struck out; that's because NoOpPasswordEncoder is deprecated, not because it's gonna go away in the future but as a warning to developers that this is not something that you should be using. This is basically saying "I'm okay with clear text passwords," and the password is basically blah, as you can see over here. This is fine because it's a tutorial video, but please don't do this in a real application. It should work for now; we have satisfied Spring Security's requirement for providing a password encoder.

All we have done here overall is, through this class SecurityConfiguration, we have gotten the handle to AuthenticationManagerBuilder and we have set a couple of properties on it: first we have set it to use in-memory authentication, and we have created a user called blah with the password blah and with role as USER. Now that we have this class in the code, Spring Security is going to look at this and say, "okay, now this developer has configured authentication, so I am NOT going to do the default thing that I usually do, which is basically creating that one single user." All right, so now I'm going to go to my main method here and start my Spring Boot application, in this case restart, and now when I access the page I get a login form. I'm going to use the user ID and password blah, blah, and I am in. So this is basically us overriding authentication with Spring Security.

What you can do of course is go back here and add a bunch more users. All right, so here, since this is the builder pattern and method chaining is in effect, you can actually use a handy method called and, and what this and method does is return an object that is of the same state as what inMemoryAuthentication returns. So you're basically getting hold of an object that you can start the user configuration chain with. So if you want to configure a bunch of users, all you need to do is call this .and() for every subsequent user, and then you can say withUser, .password, .roles, and then .and(), .withUser(), .password(), .roles(). You can configure a bunch more users. Again, nothing fancy here; we're just making use of the method chaining paradigm. You can of course get hold of object instances, save them into local variables and do this exact same thing; it's no different.

Now that we've seen the basics of configuring authentication, although it's just in memory, let's take a look at how we can configure authorization for these users. Check out this video to learn how to do that.
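The complete configuration class the video walks through, written out as an added example rather than the video's own code, so the pieces can be seen together: the WebSecurityConfigurerAdapter subclass, the overridden configure(AuthenticationManagerBuilder) hook, in-memory users chained with and(), and the PasswordEncoder bean. It goes one step beyond the video: instead of the deprecated NoOpPasswordEncoder it exposes a BCryptPasswordEncoder, so the values held in memory are salted hashes rather than clear text, and the second user and its password are constructed values. It assumes Spring Boot 2.x with spring-boot-starter-security (Spring Security 5.x, where WebSecurityConfigurerAdapter still exists); the package name is a placeholder.

```java
package com.example.demo.security; // placeholder package, not from the video

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// @EnableWebSecurity marks this as the web security configuration; it also
// makes the class a Spring @Configuration, so the @Bean method below is picked up.
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Spring Security finds this bean and uses it to compare a submitted
    // password against the stored value. BCrypt replaces the video's
    // NoOpPasswordEncoder: each stored value is a salted, slow hash, so the
    // raw password is never kept in memory or in any user store.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Spring Security calls this hook and hands in the AuthenticationManagerBuilder.
    // We deliberately do not call super.configure(auth), so the default
    // single generated user is not created.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();

        auth.inMemoryAuthentication()
            // the user from the video, but stored as a BCrypt hash of "blah"
            .withUser("blah")
                .password(encoder.encode("blah"))
                .roles("USER")               // roles() prefixes ROLE_ for you
            .and()                           // back to the in-memory configurer
            // constructed second user to show chaining more than one user
            .withUser("admin")
                .password(encoder.encode("admin-pass"))
                .roles("ADMIN", "USER");
    }
}
```

With this class on the classpath, starting the application and opening any page shows the form login; signing in as blah / blah succeeds because BCryptPasswordEncoder.matches() recomputes the hash with the salt embedded in the stored value. Encoding literals at startup is only acceptable for a demo like this one; in a real application the hashes come from the user store and the raw passwords never appear in source. Note also that WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0, where the same configuration is expressed as an InMemoryUserDetailsManager bean plus a SecurityFilterChain bean, while the PasswordEncoder bean requirement is unchanged.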
Info
Channel: Java Brains
Views: 183,907
Keywords: java, java brains, tutorial, brains, koushik, kaushik, brainbytes, explained, java tutorial, learn java, java tutorial for beginners, java programming tutorial, java programming, java programming for beginners, spring, spring security, spring security tutorial for beginners, programming, spring boot, koushik kothagal, kothagal, beginner, java training, authorization, authentication
Id: iyXne7dIn7U
Length: 13min 30sec (810 seconds)
Published: Sat Aug 17 2019