Spring Boot 3 Security Tutorial | Authentication and Authorization | [2024]

Captions
In this tutorial I will teach you how to use the Spring Security framework effectively. We will cover these topics: what authentication and authorization are, how to log in users that are stored in memory, how to log in users that are stored in a database, how to provide custom error pages, and finally some special topics such as custom login screens and the password encoders the framework offers.

First, a basic idea of authentication and authorization. Authentication is verifying a user, usually by checking their username and password. Once a user is authenticated, authorization controls what that user is allowed to access. For this tutorial we will have three pages. The home page will be accessible to everyone, so any user can open it without authentication. The user home page will be accessible to every normal user, meaning any user who has the USER role; we will talk about roles in detail later. The admin user will have the ADMIN role and will be able to access the admin home page as well as the user home page and the public home page.

For this tutorial I have prepared a very simple project and will walk you through the code. There are only two classes: the main class, where the application starts, and a ContentController, which provides the request mappings for the three pages we just discussed: home, admin home and user home. As for dependencies, there are only two: spring-boot-starter-web and spring-boot-starter-thymeleaf. Thymeleaf is there to render the HTML for these three screens. Let me run the project and show you the current state. If I open localhost:8080, the home page is directly accessible, the admin home page is accessible and the user home page is accessible. We have not added Spring Security yet, so everything is open to everyone.

Now we will add the Spring Security framework to this project, make the necessary changes and learn how to use it. The first step is to add the dependency, spring-boot-starter-security, as an implementation dependency in build.gradle, just like the web and Thymeleaf starters. Let me build the project and run it again to show what happens when you add just this one dependency. In the output log there are some extra lines, including "Using generated security password". Even without any explicit configuration, security is now enabled for the whole application, and a dynamically generated password is printed so you can try it out. Let me open Firefox and go to the home page: every page is now protected by a login screen.
I cannot even open the default home page, let alone the user home; everything is behind an authentication wall, this login screen. To log in, use the username user and the generated password from the output. The password changes every time you restart the application; for this run it is the value printed in the log, and the username is always user. After signing in we can access the user home page, the admin home page and every other page. That is the default authentication provided by the framework.

Now let us see how to control this, because in the introduction we said that only the home page should be accessible to everyone while the admin and user home pages should be protected for their own users. To do that we create a new class, SecurityConfiguration, to configure Spring Security. The first thing is the @EnableWebSecurity annotation, which tells Spring that web security should be enabled, and then @Configuration, as for any other Spring Boot configuration class. Next we provide a bean that controls authorization: a @Bean method returning a SecurityFilterChain and taking an HttpSecurity argument. Until now the framework provided a default configuration that put everything behind the login screen; with this bean we can customize it.

The customization starts with http.authorizeHttpRequests(...), which gives us a registry on which we add our rules. The IDE shows an error about an unhandled exception, so the method has to declare throws Exception. The first rule is that the home page must be accessible to everyone: registry.requestMatchers("/home").permitAll(). The next requirement is that the admin pages should be accessible only to users who have admin access. Our admin URL starts with /admin, so registry.requestMatchers("/admin/**").hasRole("ADMIN") says that anything starting with /admin is only for users with the ADMIN role; how to assign roles to users we will see in a moment. The third rule is for the normal user: registry.requestMatchers("/user/**").hasRole("USER"). Finally we add registry.anyRequest().authenticated(), which means that any URL not covered by the three special rules above still requires authentication. There is still an error, because we have to call build() on the HttpSecurity and return the result. With that, the authorization settings are in place.

Now we need to create our users and give them the ADMIN and USER roles. We will start with in-memory users: they are not stored in a database, just configured in code, so we can log in with them. To provide users you create another bean, of type UserDetailsService. Inside it we create our first user with User.builder() from org.springframework.security.core.userdetails. I will create a normal user first: the username is gc, the role is USER, and the password I will set in a moment. We could write the password as plain text, "1234", but that is severely discouraged: if anyone gets access to this code they can simply read the password. That is why it is always recommended to encode the password properly, so that the original value cannot be recovered from what is stored. To do that, we first have to tell the framework which password encoding technique we are going to use, which is another bean: a @Bean method returning PasswordEncoder, returning new BCryptPasswordEncoder(). At the end of this tutorial we will talk about the different password encoders and their advantages and disadvantages; for now just note that there are many, such as Argon2PasswordEncoder, BCryptPasswordEncoder, DelegatingPasswordEncoder, Pbkdf2PasswordEncoder and SCryptPasswordEncoder, and that we will use bcrypt.

We cannot put "1234" directly into the user; it has to be the encoded form. For now I will use an online bcrypt generator: I enter 1234, generate the hash, and paste the resulting string as the password. The good thing about this is that even if someone gets hold of that string, they cannot recover the original password 1234 from it. So that is the bcrypt password for the normal user. We also need an admin user: the username is admin, the password is 9876 encoded in the same way, and since the admin should be able to access everything, it gets both roles, ADMIN and USER. Finally we hand these users to the UserDetailsService implementation by returning new InMemoryUserDetailsManager(normalUser, adminUser); it takes the user details as arguments.

So far so good: we have set up the authorization rules, the authentication credentials for our users, and the password encoding. Let me start the application, open localhost:8080 and load the user home. Nothing appears, and even /login does not work. That is because registry.anyRequest().authenticated() means any request not mentioned in the rules requires authentication, and by customizing HttpSecurity we got rid of the default login screen. To get it back we have to configure form login with http.formLogin(...), and inside it permit access to the login page for everyone, just like the home page, because only then can people authenticate: the login form itself must be permitAll. Let me restart the program and see if it works. One thing to note: the "Using generated security password" message is gone, because we are now providing our own users and the default user no longer exists. Opening the login screen again, it appears properly. First I try the normal user, gc with password 1234, and after signing in there is an error, because we did not specify which page to go to after login. If I navigate to the user home directly, it is accessible, but if I try to open the admin home page
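Here is the SecurityConfiguration as it stands at this point (authorization rules, form login, password encoder and the two in-memory users), written for this page as an added example in the Spring Boot 3 / Spring Security 6 lambda DSL; it is not the video's own source. Assumptions: the package name, that /home is the page to land on after login (the transcript notes an error after login because no target page was set), and that the bcrypt hashes are produced in-process at startup rather than pasted from an online generator, because typing a password into a third-party website is not something you would do for a real credential.

```java
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(registry -> {
                // Public page: no authentication required.
                registry.requestMatchers("/home").permitAll();
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN; the
                // "ROLE_" prefix is added by User.builder().roles(...) below.
                registry.requestMatchers("/admin/**").hasRole("ADMIN");
                registry.requestMatchers("/user/**").hasRole("USER");
                // Every URL not listed above still requires a login.
                registry.anyRequest().authenticated();
            })
            // Customizing HttpSecurity dropped the default login page; this
            // brings form login back and makes the login page itself public,
            // otherwise nobody could reach it to authenticate. defaultSuccessUrl
            // is where a user lands after login (assumption: /home).
            .formLogin(form -> form.defaultSuccessUrl("/home").permitAll())
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // bcrypt: salted, deliberately slow one-way hash. The stored value cannot
        // be turned back into the password; it can only be verified against it.
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // "1234" and "9876" are the tutorial's demo passwords; hashing them here
        // keeps the clear text out of the stored user objects.
        UserDetails normalUser = User.builder()
            .username("gc")
            .password(encoder.encode("1234"))
            .roles("USER")                  // -> authority ROLE_USER
            .build();
        UserDetails adminUser = User.builder()
            .username("admin")
            .password(encoder.encode("9876"))
            .roles("ADMIN", "USER")         // admin may open both areas
            .build();
        return new InMemoryUserDetailsManager(normalUser, adminUser);
    }
}
```

Hashing at startup is fine for a demo, but it still leaves the clear-text passwords in the source; for anything beyond a tutorial, generate the hash once (for example with the same BCryptPasswordEncoder in a small throwaway main) and paste only the hash, or move the users to the database as the next section does.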
I get a 403 Forbidden error, which means you are not allowed to access this page. We will see later how to customize this page; for now it is the default one Spring provides, and we can replace it with our own screen and message. Let me log out via the /logout page, which Spring also provides by default, and log in with the admin account, admin with 9876. Now the admin home is accessible, the user home is accessible, and the home page is of course still accessible since it is open to everyone. That is the basic idea of authentication and authorization with users loaded from memory.

The next step is to load these users from a SQL database. First we need to configure the database for the Spring Boot project. I will do this quickly, because database connection is not in the scope of this tutorial; I will just show it with a basic explanation. In build.gradle we add two dependencies, spring-boot-starter-data-jpa and the MySQL connector, since we will be using MySQL. Then in src/main/resources/application.properties we put the database configuration: the username and password for the database, the MySQL connection URL, and a line (spring.jpa.hibernate.ddl-auto) that creates the tables automatically the first time the program runs. That is all for the connection. Back in build.gradle we build the application so the necessary libraries are downloaded, and when I start the program the log shows database activity, such as the JPA repositories being initialized. The database configuration is complete.

To load users from the database we first set up the entity class for the users. I create a package for users and call the entity MyUser, because Spring already provides a class called User and I do not want a name conflict. It is annotated with @Entity. It has a Long id, marked @Id with @GeneratedValue(strategy = GenerationType.AUTO) as the primary key, then obviously a username, a password, and a String role that will store the role information: whether the user is a user, an admin, or a combination of both. Add getters and setters and that is it for MyUser.

Next we provide a repository for the user, MyUserRepository, an interface extending JpaRepository, which gives us all the necessary database operations. Its type parameters are MyUser and the primary key type, Long. We also need a method to find a user by username, because during login the user enters a username, and to check the password we first have to look that user up: Optional<MyUser> findByUsername(String username). Sometimes the user exists and sometimes not, so I return an Optional to avoid dealing with null.

Now we need a UserDetailsService. If you look at the security configuration, we used an InMemoryUserDetailsManager there, which is not enough anymore, so we create a custom implementation, MyUserDetailsService, which implements UserDetailsService. Implementing the interface requires a method loadUserByUsername: a username comes in, we search the database for it and return the UserDetails for that user. For that we autowire the repository, private MyUserRepository repository, and annotate the class with @Service so that Spring does the dependency injection.

In loadUserByUsername we first query the repository with findByUsername, which gives us an Optional<MyUser>. There are two cases. If the user is not present we throw a new UsernameNotFoundException, a special exception provided by Spring Security (from org.springframework.security.core.userdetails), passing the username to say that it is not available. If the user is present we convert it into UserDetails, the same thing we built in the security configuration for the in-memory users, so I reuse that builder: User.builder() with the username and password taken from the MyUser object. Note that the password here is the hashed, encoded value, so when we create a user we have to store MyUser.password already encoded.

Then the roles. The problem is that a user can have more than one role but MyUser has only one String, so when there is more than one role I separate them with a comma: for admin and user the column contains ADMIN,USER. I write a helper, getRoles, that takes the user object. There are a couple of cases: if the user has no role attached, that is, the role is empty, I simply return USER, a normal user with no special roles; otherwise I split the value on the comma, so for ADMIN,USER it returns both values as an array, which the builder's roles(...) method accepts. That is the whole user details service: we look up the user, build the UserDetails with the proper roles, and throw an exception if no user is found.

Now we link this service into the security configuration. I comment out the in-memory users, since we are no longer interested in them, and create another @Bean of type UserDetailsService that returns the injected MyUserDetailsService. One more thing: we need to tell the authentication provider which password encoding and which user lookup to use, and for that there is an AuthenticationProvider bean. I will explain in a moment why it is required. The bean creates a DaoAuthenticationProvider from Spring Security core; DAO means data access object, so this provider exists precisely for loading users from a database or any other data access layer and using them for authentication. We set two things on it: provider.setUserDetailsService(userDetailsService) and provider.setPasswordEncoder(...) with the bcrypt encoder we are using, and then return the provider. That is the configuration: an authentication provider and a user details service.

Let us run the program. Keep in mind that we cannot actually log in yet, because there are no users in the database, but let us see if it loads properly. On the login page I enter some values, say gc and 1234, and I get a "Bad credentials" error: it is searching the database, but there are no users there. So the next thing is to create some users. For that I will create a new controller, RegistrationController, annotated with @RestController because it is going to be a REST API.
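The database-backed user lookup described above, as an added example (not the video's source): the entity, the repository, the UserDetailsService and the DaoAuthenticationProvider bean, shown as separate files in one block. Assumptions: the package name, the use of jakarta.persistence (Spring Boot 3), and three additions that the transcript does not make but a practitioner would want: a unique constraint on the username column, null-safe role parsing that trims and upper-cases the comma-separated names so they match hasRole("ADMIN"), and constructor injection instead of field @Autowired. Because MyUserDetailsService is itself a @Service, it already is the UserDetailsService bean; the wrapper @Bean from the transcript is not needed.

```java
// Three source files in one package (hypothetical: com.example.security.users).

// File: MyUser.java ("MyUser" avoids a clash with Spring Security's own User class)
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;

@Entity
public class MyUser {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;

    @Column(nullable = false, unique = true)  // added: one account per login name
    private String username;

    @Column(nullable = false)                 // always a bcrypt hash, never clear text
    private String password;

    private String role;  // comma-separated, e.g. "ADMIN,USER"; null or blank = plain USER

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// File: MyUserRepository.java
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;

public interface MyUserRepository extends JpaRepository<MyUser, Long> {
    Optional<MyUser> findByUsername(String username);  // derived query on the username column
}

// File: MyUserDetailsService.java
import java.util.Arrays;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service  // already a UserDetailsService bean; no wrapper @Bean required
public class MyUserDetailsService implements UserDetailsService {

    private final MyUserRepository repository;

    public MyUserDetailsService(MyUserRepository repository) {
        this.repository = repository;  // constructor injection
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        MyUser user = repository.findByUsername(username)
            // DaoAuthenticationProvider converts this into BadCredentialsException by
            // default (hideUserNotFoundExceptions), so the login form does not reveal
            // which usernames exist.
            .orElseThrow(() -> new UsernameNotFoundException("User not found: " + username));
        return User.builder()
            .username(user.getUsername())
            .password(user.getPassword())  // stored hash; the encoder verifies against it
            .roles(getRoles(user))         // each name becomes the authority ROLE_<NAME>
            .build();
    }

    // "ADMIN,USER" -> {"ADMIN","USER"}; null, blank or only separators -> {"USER"}.
    // Names are trimmed and upper-cased so "admin, user" still satisfies
    // hasRole("ADMIN"), which compares role names case-sensitively.
    static String[] getRoles(MyUser user) {
        String role = user.getRole();
        if (role == null) return new String[] {"USER"};
        String[] roles = Arrays.stream(role.split(","))
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .map(String::toUpperCase)
            .toArray(String[]::new);
        return roles.length == 0 ? new String[] {"USER"} : roles;
    }
}

// File: SecurityConfiguration.java (added bean; the in-memory UserDetailsService bean goes away)
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;

@Bean
public AuthenticationProvider authenticationProvider(MyUserDetailsService userDetailsService,
                                                     PasswordEncoder passwordEncoder) {
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(userDetailsService);  // where users are loaded from
    provider.setPasswordEncoder(passwordEncoder);        // the BCryptPasswordEncoder bean
    return provider;
}
```

With exactly one UserDetailsService bean and a PasswordEncoder bean in the context, Spring Security builds this same DaoAuthenticationProvider on its own, so the explicit bean is optional; it is kept here because the transcript defines it and because it makes the encoder-to-lookup pairing visible.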
It gets a @PostMapping for /register/user and a method, say createUser, that receives a MyUser as @RequestBody; I will use Postman to send a user here, save it to the database and return it. To save to the database the controller needs the repository, so I autowire MyUserRepository and return repository.save(user). There is one problem: whatever password I send will be in plain text, and we know the password in MyUser is supposed to be the encoded value. So before saving, we set the password to its encoded form: autowire a PasswordEncoder (this gives us the bcrypt encoder, because we configured that bean), call user.setPassword(passwordEncoder.encode(user.getPassword())), and only then save the user.

There is one more thing. This is a new endpoint, /register/user, and according to the security configuration we will not be able to reach it, because we did not permit it; we said any URL not mentioned must be authenticated. Let us confirm that it fails. In Postman I create a new HTTP request, a POST to localhost:8080/register/user (checking the URL in RegistrationController: /register/user, good). The body is JSON: for the username I will use gc again, for the password the clear text 1234, because it will be encoded in the controller, and for the role just USER, since gc is a normal user. Checking the schema, the columns are role, password and username, and the field is called role, singular, because that is how I named it. Sending the request, I get back a "Please sign in" page, because I am not allowed to access this without authentication. To fix that we go to the security configuration and permit everything starting with /register, so it is public. Restart, wait for the app to start, send the request from Postman again, and it fails again.

This time we have allowed the request in the matcher, so the matcher says you can access it, but there is another setting in play: CSRF. CSRF stands for Cross-Site Request Forgery, and a quick search confirms that when you enable Spring Security, CSRF protection, which prevents this common attack technique, is enabled by default, and state-changing requests such as our POST are rejected unless they carry a CSRF token. That is why our request is blocked. Since this endpoint is only for generating user data for our test purposes, I will simply disable it: http.csrf(AbstractHttpConfigurer::disable), which is the lambda form of calling disable() on the CSRF configurer. Now the POST request should not be blocked, and since we permitted the URL we should be able to create a user. Fingers crossed, run it again, and here we go: we created our first user, gc, and you can see the 1234 was automatically replaced with the encoded password, and the role is USER.

To test this I open the browser, refresh, and try to open the user home. It asks me to log in; I give gc and 1234, sign in, and we are in. This sign-in happened against the database user, and the page says welcome user. If I try the admin home it is forbidden, because it is forbidden for a normal user. I log out and try the previous credentials, admin with 9876, and get "Bad credentials", because we have not created that user in the database. In MySQL Workbench the table for MyUser has been created, and selecting its rows shows only one user, gc with role USER. So let us create the second user, admin, with password 9876 and two roles, ADMIN and USER, by sending another request with role ADMIN,USER. Now I log in as admin with 9876 and get a Not Found error, because we have not provided where to go after login and that page does not exist. If I go to /admin/home the admin page is accessible, and the user home page is also accessible.
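The registration endpoint and the CSRF handling described above, as an added example (not the video's source) in a hardened form. Two changes from the transcript's version, both labelled in the code: the role is not taken from the request body, because a public endpoint that accepts role "ADMIN,USER" from the client lets anyone register themselves as an administrator (admin accounts should be created by an administrator or directly in the database), and CSRF protection is not disabled globally but only exempted for this token-less JSON endpoint, so the browser login form keeps its protection. Assumptions: the package name, the RegistrationRequest record as the request body, and the response shape.

```java
// File: RegistrationController.java (hypothetical package com.example.security.users)
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class RegistrationController {

    // The JSON body a self-registering client may send. "role" is deliberately
    // not a field: in the tutorial's version the client picks its own role, so
    // anyone could POST {"role":"ADMIN,USER"} to this public endpoint.
    public record RegistrationRequest(String username, String password) {}

    private final MyUserRepository repository;
    private final PasswordEncoder passwordEncoder;  // the BCryptPasswordEncoder bean

    public RegistrationController(MyUserRepository repository, PasswordEncoder passwordEncoder) {
        this.repository = repository;
        this.passwordEncoder = passwordEncoder;
    }

    @PostMapping("/register/user")
    public ResponseEntity<?> createUser(@RequestBody RegistrationRequest request) {
        if (request.username() == null || request.username().isBlank()
                || request.password() == null || request.password().isBlank()) {
            return ResponseEntity.badRequest().body(Map.of("error", "username and password are required"));
        }
        if (repository.findByUsername(request.username()).isPresent()) {
            return ResponseEntity.status(HttpStatus.CONFLICT).body(Map.of("error", "username already taken"));
        }
        MyUser user = new MyUser();
        user.setUsername(request.username());
        user.setPassword(passwordEncoder.encode(request.password()));  // hash before it reaches the DB
        user.setRole("USER");  // self-registration only ever yields a normal user
        MyUser saved = repository.save(user);
        // Echo back only non-secret fields; never return the stored hash.
        return ResponseEntity.status(HttpStatus.CREATED)
            .body(Map.of("id", saved.getId(), "username", saved.getUsername(), "role", saved.getRole()));
    }
}

// File: SecurityConfiguration.java (the filter chain with the registration endpoint opened up)
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(registry -> {
            registry.requestMatchers("/home", "/register/**").permitAll();
            registry.requestMatchers("/admin/**").hasRole("ADMIN");
            registry.requestMatchers("/user/**").hasRole("USER");
            registry.anyRequest().authenticated();
        })
        // The transcript uses http.csrf(AbstractHttpConfigurer::disable), which turns
        // CSRF protection off for every request, including the browser login form.
        // Exempting only the token-less JSON endpoint keeps everything else protected.
        .csrf(csrf -> csrf.ignoringRequestMatchers("/register/**"))
        .formLogin(form -> form.permitAll())
        .build();
}
```

The request from Postman becomes a POST to localhost:8080/register/user with Content-Type application/json and the body {"username":"gc","password":"1234"}. The existence check and the save are not atomic, so two simultaneous registrations of the same name can race; the unique constraint on the username column is what finally rejects the second one (as a DataIntegrityViolationException), which is why the constraint belongs on the entity and not only in the controller.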
The default home page is also accessible, because this user is an admin. That is how you authenticate users from a database: we used MySQL and our users are properly authenticated. Just to show that any number of users is supported, I will create one more admin user, anya, with password 1111, and send it. Then I log out, try to access the admin home page, log in as anya with 1111, and I am signed in. So you can have any number of users; it is all up to you. That is how you use authentication from the database side.

Next let us see how to add custom error pages. If I log out and log in as the normal user gc with 1234, there are two things I want to change. First there is the 404 page, and second the forbidden page: right now, if I try the admin home page it just shows "Forbidden, status 403" as plain text, and I want some nice HTML pages instead. To save some time I will ask ChatGPT to create a single-file HTML page with CSS for a 403 Forbidden error page. It produces the CSS and the error message, so I copy it. To use it, create a folder called public inside resources and within it a folder called error (I made a typo in the name at first and renamed it in the file explorer). Inside it I create a new file named 403.html. The name is very important: for a 403 error Spring Boot will load this page. Let us try it: I open the admin home as gc with 1234, which should cause a forbidden error, sign in, and we have a nice forbidden page. This way you can provide a proper error page for any error code. We also saw a 404 earlier: if I try an invalid page such as /admin/something or /sample123, I get status 404, a not found error. For that case I ask ChatGPT for a 404 page in the same way, create 404.html in the same error folder and paste the content. Now I try a random page on localhost; at first it does not load because I have not restarted the project, and after restarting it asks me to log in first, since any page requires authentication. I log in as gc with 1234 and I get my 404.html, because that page does not exist. That is how you handle special error cases and provide customized pages for them.

Next let us see how to customize the login page. By default we have the login page from Spring Boot, but say you want a custom one with your own logo and styles. Using ChatGPT I create a simple styled login screen to use as the login form for Spring Boot, and I put the HTML inside templates as custom_login.html. It is a simple page: some CSS, two text fields, the first for the username and the second for the password, and a submit button labelled Login. It makes a POST request to /login; no complex logic. We have to customize the security configuration to support this custom login screen. Remember that we set form login there and permitted it for everyone; now, inside the form login customizer, we also specify the login page: form.loginPage("/login").permitAll(). This keeps the default /login URL; if you want a special login URL such as /security-login, you can provide your own endpoint here. I keep it at /login. Then in ContentController, which has mappings for our three pages, I add a mapping for /login so that our own custom HTML page is loaded, with a handler, handleLogin, and
here I have to provide the custom login so that the new HTML will be loaded so custom login so for so good uh we will restart the application Let me refresh the app and you can see we got a very new much better looking login screen I would say and let me try to access the uh user page uh and here we are uh we can enter the username so GC 1 2 3 4 then hand login and you can see we are logged in so that is how you provide custom login screen that is also very easy similar to the custom error screens we have implemented simply provide the proper mapping and create the HTML and that's it you can have your own custom HTML page and you can also do the same for log out uh it is very similar to login so I am not providing that so for/ logout also as well you can provide your own logout screens next let us look into another problem we have uh right now after login as you might have already figured it out we have a problem like uh if I log in uh as like gc1 1234 it goes into a for node for error page right uh because we don't have a slash homeage uh the question is like what if we want to go to a special page like after a user logs in if the user is a normal user I want to automatically go into the user homepage and if it is an admin user I want to automatically go into the admin homepage right so how can we do that rather than going into this for for error page so let us see how to do that so in order to do this we have to customize our form login page so right now we have specified the path for the login page uh on top of that we have another option called success Handler so this success Handler allows us to customize what to do next Once the authentication is successful so it accept a authentication success Handler object so let us create a new one here new Java class and here I will name it as authentication success Handler and I will extend it it with a saved request authentication success Handler this class saved request aware authentication success Handler that comes 
from the spring security module itself and we need to override a method called the name of the method is on authentication on authentication success so we can do some code here once the authentication is successful there's a function here like I will show you that has set default Target URL so here we can specify which URL should it take once the login is successful so we have to add some logic here based on which user got authenticated right so for that first we need to determine whether the logged in user is an admin user so I will create a Boolean function is admin and how do we determine the admin user when it is an admin user our users role will have a value either sorry our users role will have a value admin right so we need to look for the admin values so is admin equal authentication get authorities so the authority is derived from the role actually role will become the authority so we can do it like this uh authorities do stream then we need to look for any match like if the granted Authority equals so let me check what is the type so granted Authority get Authority equals uh what is the authority we need ad and uh we have specified only role we didn't specify Authority so when role become an authority there is a role behind that so admin will become Ro admin and normal user will become roore user so first we will look for whether it is an admin user if it is an admin user we will set the tar default Target URL as the slash admin slome so it will go into the admin's home else we will set it as default user home so I will set it as user slome now we need to link this into the security configuration so success Handler new authentication success Handler right uh we will provide the success Handler like that now let us restart the program now the application is starting uh let me take the browser and let us load the Local Host 808 P 0/ login page our login page and here let us give the credentials of an admin user and it should automatically load the admin 
homepage right so let us try that so admin 9876 and you can see we have successfully logged in as an admin and this works for the user as well so this is because we in the success Handler we can specify like what kind of authorization the user have and then make a decision based on that so that is how you automatically forward to a link just after the successful login now another important thing I need to show you is like the comparison of password encoders so during the security configuration setup at the beginning of this tutorial we said that there are multiple password encoders and we are using bcrypt password encoder for the time being so if we look into the password encoder implementations you can see a lot of password encoders so we have the Argan to bcrypt uh delegate and script Etc so I will show you a comparison between these password encoders and go through the points so let me take the comparison table I have prepared a table for you and here I will compare four most important password encoders so we have the Argan 2 bcrypt escript and pbkdf2 okay so we are right now using the bcrypt which is the most commonly used method and if you look the ideal for what is it ideal for it is ideal for web applications and Legacy systems that is because each encoders have their own CPU and memory uh requirements right so if you look into the memory usage it is moderate only so web applications usually uh runs uh for a lot of customers in a restricted Hardware resource right like if you're running a program on your system you can use your whole memory and whole whole Ram but in the web applications or in the Legacy systems the resources are limited so each each CPU cycle counts or each MB of ram counts so memory and CPU usages are very important for certain applications and for Boog Crypt it is only moderate and what about the CPU GPU resistance so what this means is nowadays the encryption can be broken with very powerful systems especially gpus so uh the with the 
invent of AI the CPUs and gpus especially the gpus are getting really powerful and it can run billions of operations per second and you can Cascade them if if one GPU can do maybe like 10 billion operations per second you can purchase 10 uh gpus and make it 100 billion so if a encryption method uh is sorry an encoder method is susceptible to the GPU processing or if it is vulnerable for GPU then we have a big problem so that is the problem with the pbkdf2 you can see it is vulnerable to gpus and AIX asix is like the kind of system that they use for mining like Bitcoin mining and all so it has the lowest security right now and you can see the CPU GPU resistance as poor so if you ask me like which one should I use uh for your application that totally depends on like your uh environment and uh uh how much security you need if you want the highest security go with Argan 2 because it has the highest security out of these four options and the second highest security comes from a script right there is always a tradeoff the problem with Argan 2 is that it is computationally expensive the memory memory usage is high uh but this but it is more secure but the memory usage is high and it is computationally expensive that means the CPU also has to work harder to make the encryption so there is no simple uh Choice here it is always like there is no free lunch kind of method you have to choose what is right for you and uh choose the choose the password encoder wisely and uh I think that's it guys we have covered a lot of topics in this tutorial I will just take the content section so in order to recap the tutorial we talked about the authorization and authentication so authentication is uh authentication is like uh logging in using the username and password and authorization is specific roles what you are allowed to access and what you are not supposed to access and then we saw how to load users from the memory and uh in memory users and then we talked about database users like 
we connected to mySQL and then loaded the users from the database we talked about custom error Pages we talked about custom login page implementations and we talked about custom uh and we talked about the multiple uh password encoders we have in the springboard and uh I think that is the end of this tutorial thank you for watching this video see you on the next one bye
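As an added example (not the video's own code), here is how the pieces walked through above fit together in a Spring Boot 3 / Spring Security 6 configuration: the success handler that redirects by role, wired into a SecurityFilterChain alongside the custom /login page and the bcrypt encoder. The class names, the /admin/home and /user/home paths, and the template name custom_login.html are assumptions.

```java
// Added example (not the video's own code); paths, class and template names are assumptions.
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

class RoleBasedSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        // Roles are exposed as authorities with a ROLE_ prefix: role ADMIN becomes "ROLE_ADMIN".
        boolean isAdmin = authentication.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        setDefaultTargetUrl(isAdmin ? "/admin/home" : "/user/home");
        // The parent still honours a saved request (e.g. the user first asked for /admin/home).
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/error").permitAll()    // public pages
                .requestMatchers("/admin/**").hasRole("ADMIN")           // admin home
                .requestMatchers("/user/**").hasAnyRole("USER", "ADMIN") // user home
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")  // a controller mapping returns templates/custom_login.html
                .successHandler(new RoleBasedSuccessHandler())
                .permitAll())
            // Disabled only so the JSON user-creation endpoint accepts POSTs; keep CSRF on for browser forms.
            .csrf(AbstractHttpConfigurer::disable)
            .build();
    }
    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
}
```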
Info
Channel: Genuine Coder
Views: 29,776
Id: 9J-b6OlPy24
Length: 55min 19sec (3319 seconds)
Published: Sat Feb 17 2024