Spring Boot - Spring Security - Authentication & Authorization - Role base URL level, Method level

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

okay so today our objective would be uh to understand the Spring Security and uh with respect to the theity theory uh in the last class we have already discussed why need uh application security and uh as a general concept we discuss we discuss uh for accessing any API any URL uh our objective would be each and every end points must be authenticated and that means a required credential like username password and similarly might be after authenticated user they have some limited access and permission right that is known as authoriz so all the things we are now we are going to look at a example how these are Theory work right right let's start with the basic spring documentation right and you go to the spring website and here have a spring have lots of project you can like like a spring boot spring framework similarly we have a concept Spring Security right just click on the Spring Security and here is sping security uh details are the given given some simple project as well as right you whatever you do and if you want to Spring has many things on the left hand yeah spring have many things right yeah yes oh yeah so let's start our maybe you can start from the maybe getting from security start here start Let's uh basic so as usual there are details mention each things uh okay uh so first what I'm thinking Let's uh develop one uh basic uh application and that's uh give us some end points and that are previously access by everyone and then after that we going to apply the security right and let's check hey now our end points become a secure right okay yeah yeah instead of directly applying the security right so good option uh let's uh Google uh start fresh application right don't okay this is the fresh uh one mean project and use the uh Spring Security right right Spring Security demo right and this is just jar file and this is Java 21 and add dependency as of now just want to web implementation and uh maybe you want to when going to authentication authoriz that me see you need a user right user maybe want to store in the database right so that user can be authenticated right so let's uh need a jpa okay to store data and good option we can my SQL use right MyQ driver you can use Lok okay so these basic uh spring B for building the API data JP MyQ L right and one additional things we required is Spring Security right so this uh dependency we going to add later right so that he get the flavor why what this play a role right as of now I'm not okay yeah yeah okay okay yeah yeah so just simple let's download the application so quick and what I are going to do you already know yeah uh let's p let me clean and download okay where is that refresh where is gone something R down I just extract them and go there and open the project so here first objective Let's uh going to build couple of basic end points and we are going to by foret decide which uh end points which users are allowed to access which are not maybe some Endo that can be accessible to everybody without creden right as some end point can be accessible for the One login usual and some are the admin specific right so such viation we can create right based on role uh yes based on Ro you're right we have to base on rule yeah yeah we have to also discuss authorization part right so now let's my application is open most probably yes yes all the dependent are here resources are here so we added the my SQL to we need a myql dependency right right so let already we have my SQL configuration just use them again right myql configuration somewhere somewhere my SQL database conf just copy them and use them right same and here and use let's Port server. Port I there server. Port 909 okay right so you this database same database that's okay done this is the database configuration and if you want uh let's if already exist maybe drop and create again okay right my SQL login and just root and just drop database and again create the same okay create and uh Grant the permission right right so that's database done as of now it's good and now we are just develop some basic one to end point right come here so you want to use you want to use um soyer uh as of now later you can but our objective not to just SE the browser right later you can verify any and here I can just use the our rest controller my controller okay class okay and here you can uh public estatic uh instead of return string and default this is the my default P default uh default default method Miss uh so we have given one API like get map right get mapping get mapping and this mapping would be like slash if you pass anything this is the default for everybody right just return I'm not going to write any business logic just return the basic okay return uh this is uh default API for everybody for all okay this is the message I can get okay whenever I start whenever I say by default uh this API available for everybody so similarly we can going to create some points and uh like some public some private some admin user some role user and just I'm test there is no any problem right right it should started hope yes it started and let's go and say hey 9090 and this is the one right this is the default API for everyone that's good right and let's uh add couple of more similarly one uh API uh SL API okay SL API if someone access this is the means uh not this this not default API this is I want only authenticated person can right so maybe API method and this would be authenticated API this is for authenticated API right not right not for everyone okay and similarly let's I can create one more API for let's for uh admin okay this API only access my admin API okay API right this is maybe admin API this is for this is the admin API okay right this endpoint only access by admin this one by uh any user and uh maybe one more maybe some uh this let's Okay this is the three and lat part you can add anything right lat part okay I of our basic understand I want this end point is access for everyone without any authentication without authorization right but this end points I want only access by the authenticated person right this is also authenticated but not this user maybe admin user admin role only can access okay right this and if I restart currently these end points are accessed by the everyone because there is no any kind of login log out concept till now implemented right right no logic behind it no Logics okay and that's good and if you check hey this is for everybody and if I run SL API this is also for authenticated but still I'm aable toess right let's say SL admin SL API is still amable to admin API mean currently our API is not secure mean anyone across the world can right right till now same thing we have developed for all here you can uh return all the business Lo create update delete whatever the right right our objective is not to implement the API our law objective to understand how to to securing our API right right so let's now we are going to our objective now I don't want this two end point access to without authentication right so how do maybe I'm going to write some username password authentication authorization something right right so let's I'm going to use the help the Spring Security right right so here say hey I going to now we are going to uh spring uh documentation here spring security and here by default this is the maybe projectory prerequisite Community maybe module samples uh uh prerequisite what they mention something no no migration getting started getting starting SE right here here go here mention you can just add M dependency what is the me dependency is security right even you can hear or you can simply so this is my application here hey add security right Spring Security just select here and explore them here and you find this uh Spring Security here notice this is the Spring Security dep right right just I'm copy this and going to hey this is my pal application and I'm saying going to just add one more dependence right and once done and reload this me project and let's look the magic after that okay they are doing everything for you just this online dependency done and now let's uh start this application again say hey dependency already has code in it yes dependency mean jar file jar file means some code right right right jar file yeah spring teams is written this code for you and let's start and so when you create jar it also create database in the as as well as in the package you can whatever the jar you can include you can include right okay I see so notice let's now I'm going to access my uh endpoint right 909 okay access so notice what they asking they ask password so you just include the yeah dependency yes and then start the application yes and after that I'm trying to access the 909 they saying hey no that means by default all these end points all these end points are secure you cannot anyone access this endpoint until you are not passing the username and password right okay even let's say I'm trying to access the different one let's say I want to access this API right before I want to access right here and let's I change here okay I want to access again the login page the by default our spring framework say you are going to access any application URL and I'm going to redirect to the login page and this page is created by the spring framework for you the spring framework given two by default API SL login and SL logout so this uh security Spring Security modules are added because we are add in P file in the pal dependency and palom dependency by default they are include this feature the question is how I can login right right so so if you look the documentation they clearly mention spring documentation oh very this so here say once you include okay and whatever whenever you're going to start maybe somewhere mention whenever you go to starting getting a start so whenever you going to start look helloing security whenever when they are say look the your log they have generated what password for you notice let's check my log and this is my server and notice this is the one secure password generated for me so this is the password we have to use this is the password and go here and say Hey I want to what is the user by default they create a username user and password this and just try no notice B credential maybe again I passing something copy and your user and password now it's okay notice I able to access the right and here you say SL Now accessable API I able to access other API as well as let's say I want to access SL API SL API okay SL API so now your applications are able to access API after login right okay yeah and so let's you can log out again say one API by default log out so you are log out so now log out after log out again you are trying to access the API API again they ask the login page so always they ask login page until you are not providing credy right so this is the default nature is that by default all the API are secure but our objective not I want this API would be available for everybody without authentication right right and I this must to be authenticated maybe some public API or private API anything right right so how will do so for that is being say if you want to do customization then you have to do something configuration right right so first things whenever I'm going to let's see something I change here let's see here say I change this API let's I say here maybe public API this is the public API let's assume right public API I changeed something okay and this is the admin API okay this is the public authenticated public API right right and this is authenticated admin API good mention name okay admin API and let's get restart whenever you restart notice this password change again so question is that ke this is not a good thing I copy paste password this again and again right it should be why not I put my password right right so for this purpose uh we can and one thing um Spring Security by default given only one user usern name is the user okay so you can say only usern name and only one user can access all the application also not a valid thing but the spring for the sample they given at least one user can access everything right but in our reality I need a multiple user right so first things let's I want to change this uh password let's see I want my own password would be right instead of this random generated password right so for this we have to go in application property and add Spring Security username and password here in the application property this is the one way so okay so good question is how do you know what is the property name what is the key name what is the property name so always be refer spring application property right spring application property and here all the common properties which available we are using the by default here you can find in the spring. security. username spring do security okay dot user dot this are the two property you can use username and password you can say hey this is my username I want to change username right here I want to change username maybe uh okay uh different and similarly this is the my password this is the my rules here you can change right so let's know I'm say just name user and user okay password user okay so now I can login from username user and password user as well right so this is the one way you can avoid this default generation password whenever you can add this entry by default spring is not generating this password to you right so let's start and check right so you just add it and rerun the application yes restart the one so this configurations whenever available in your application property Spring Security say hey user already want to configure from the application property file I'm not going to generate username password for you right right so notice here there is no any kind of password application started no password right so that means now I going to access my application from this username and password okay so here if uh let's go and access my application 9090 okay and they password just type user and password also notice we able to access right and even you can access any API public API public API this is a public API and admin API admin API you are able to access right here what you can create only one user they can access all the API so one level of security say at least all my endpoints which are developed are not accessible to anybody with without authorization right but our objective in the real case something I want to public and something authenticated right so how I do how I'm going to say hey this end point is not required any kind of authentication authorization just leave them but only these two you want right so for this we have to use the what some spring configuration I have to tell spring hey this URL and this URL must be authenticated and this URL is allow them right someone somewhere we have to tell this so let's do how do and whatever I'm going to uh show you all this available is spring documentation okay just say spring Spring Security here spring web security okay whatever by default whatever the you are getting first page all the configurations I'm going to write available in this document I'm not any expert just what the spring documentation say because we are using Spring Security so we have follow the same documentation which is spring mention right so here mention this is the how you do uh custom uh uh this is the things you have to do okay to tell spring hey spring I want some custom validation custom configuration right so let's do here I'm going to write here even a good option you can write separate class or anything right as you mentioned let's see I'm write the same page okay not an issue here say class Spring Security configuration right security configuration okay right security configuration okay first question is any doubt till now uh so far it's clear because till now we not written any code now we are going to write right before these already you know right how to develop endpoint and how to make a secure just add the form dependency Spring Security right these things weed and your application application property username password that will initially secure yes now you will override that right so this the correct understanding by default Spring Security come with only one username that is the name user and password they generated randomly right so I don't want to random generally then then given my password here but this is just for testing real application you cannot go whole application run for only one user right oh so the real one is different they look different because this is just a starting point so that by default say hey all my end points are secure this is the default feature of his Spring Security right right right but now I'm so this is reality I don't want all the end points to be secure I want something different customize right right then now we are going to say hey Spring generally whenever you talk to say hey Spring do something that means we have to give some annotation right give some hint so here say hey Spring this is my configuration class right configuration class and this configuration class is the uh enable security right this is the what this means enable web security right this the document right right so enable enable web security just this mention this documentation okay and good option whenever move the mouse they give the sample code how to write if SE everything right how to create user how to do something right each and everything are available here so good things let's do so here web security sa then what we have to write here by default say you have to write this annotation this is the in the last class we say uh security is apply by the filter filter means before our request start last class this is the my all the controller the endpoint endpoint one endpoint 2 endo3 this is my customer client client send a request whenever request go to our actual API before we have to check your request validation right this request is valid or not if valid then allow are here notice whenever request go and our spring framework say Hey you already enable Spring Security I'm not going to allow to call any endpoint first go to the redirect login page right login page whenever you are hitting any fi go to the filter filter redirect to the login page right so your applications this code is not invoked if you username and password successfully then redirect it again to the actual endpoint right right in this way we are going to implement some filters filters means before going to actual my endpoint something check happen right this is the filtering so here say uh let's do the filtering so by default this document say you can use this security filter chain right you have go the security filter chain this thing okay so just say hey same thing documentation here mention notice here also mention whatever you hear documentation mention Same by default our documentation here also me just move the mouse right so just here say hey want to one ban configuration at theate bean bean and here the secur Okay I uh this is the your security configuration okay I'm going to use this security chain filter chain right and just make and this will uh uh take the HTTP request because I want to all the request from HTTP I want to apply HTTP security right here say hey I want to take HTTP security right HTTP parameter okay and this and whenever say hey this can be throw exception okay then handle exception and return this HTTP security do build means they return the your object of the default is this a method what is it this is the just we are going to prepare this uh security filter change means this uh you're going to create the object of this class so that spring going to apply here for HTTP I'm tell what you do which URL secure which you are unsecure right so in this line what is the name of the class this is the class name okay okay and this is the like a this is the our configuration class by default whenever configuration class on the server is start with they going to read right and here say I'm going to create one object name as a security filter Chan so this object developed by the for which HTTP security notice HTTP security. build returning the build build method notice build method what return they return the one object what is the uh some custom created object I this will return this a custom object and this custom object internally implemented by your security build right so don't go detail understand here whatever the configuration same documentation here things mention detail if you want to understand what this right everything metion right okay yeah yeah why this what why enable this what this class do this class what do right so here mention the same thing here mention security so we are going to just HTTP authorize request just say hey now this is HTTP request and say dot authorize request authorize request then this is the one thing an authorized request and after that just uh uh and even you can move move the mouse here they help what the code you can right here right notice they return this code what you can return right here so good thing whatever you're writing here you can mention to write just I'm whatever request come let's I'm say whatever the request I have received whatever request request Dot and here you can say which URL you want to permit for everybody right which URL is for the admin which URL for the here you can specify now we have a request so here a request dot matcher means match the pattern here say what the my pattern SL slash for everybody right so here say so good option here say just new line request whatever the request we have whatever the request we have match for here just and and DOT permit all this is for allow everybody right good so this is the way you can write the request here mention this is authorizer request authorizer request and whatever the role if want I want to give the role as well as but in this way so here say uh this all and okay and after that uh let's dot request match I want this public API okay whatever the public maybe public API one two here you can make multiple AP this is the public API maybe public API this is the one right public API this is two maybe right multiple API one this is the one this is the two okay this is the public API one this is the public API two right and similarly might admin multiple API right might admin API one admin API to right right okay so here say I'm going to say here again say uh spring request anything start with the public okay SL public right any API that start with the public okay say any API that start with the public start with the public okay is dou okay and you have to check role okay has role okay as role what role maybe no user okay just this is the role is user I'm one user okay and similarly and similarly one more for the admin okay okay admin all the API that's start with admin okay admin I am go to the admin user okay this is the role H role right so in this way you can Define permission okay so anything after admin will be access by admin all the URL like right everything Easter means like after admin SL number here API 1 API 2 API 3 Edit create update delete something right anything right I'm not going to match exactly right just starting okay and after that this done and here say dot any request dot authenticated okay and the same thing here mention notice here mention what were the request match permit all and any any request authenticated here mention for example here mention any SL URL or slome you can type multiple URL maybe one more endpoint slome maybe right this two on to public maybe maybe someone say I see SL maybe SL home okay you can make by comma like multiple entry with home maybe home okay say this is home okay this two I want to allow publicly to everybody so here say hey this comma slash home maybe slash register page slash login page right these are not required authentication right right right here you can pass multiple me here multiple match you can Define and here also say role this public API which have a user roles they can here say ke this have a this role maybe you want to pass a admin can access this role as well as right so this API Also let's allow admin can access public API as well right right here hey admin you can admin as well as and you can user as well as here say user multiple role you can set them right uh maybe here roles something roles okay okay has roles roles okay let's uh has any Ro has any roles okay multiple roles you can add here right rol say this is the admin admin as well as your say user so user can access admin too no no here say this API is access by admin as well as usual okay yes yes here say this API only access by user but let's admin only as of now let's admin only ad right so add the more complexity but you can do multiple role you can assign here okay admin okay okay so as of now just test it it's working or not right and this done this done and after that what happen we have the password some PR password say here get the password for authenticated us we require the password right so here say this done request done then uh with the default okay by default we need a password username password right so we can say uh with the default one so this is the till now we say whatever the HTTP request come check every request it good here okay here say any request SL and home permit all and any request public star has Ro users and any API that is start admin one access by the Admin role right right and all in request must be authenticated right so this is the way we are configuring our Spring Security right so this is the lots of permutation combination here given option now notice here just we are informing hey Spring Security you do permission for this that's right question is that we need some user that have a capability like admin and user right so how create role right first we need to some users as well as because currently I have only one user right only one user so I need not one user let's I'm going to create at least a two user one is the user one of the admin so that they can check this API right right so question how can I create user so similarly if you notice here already uh given option how you can create users this notice the documentation already here given a like a role in this way you can create and whatever I written notice the same thing code also written here okay look admin starts has role this has a role right so good part and whatever I code written the same code written here right right I'm not going to any just maybe completely you can copy paste here code right completely copy paste here right completely copy paste and and you can use there is no any SP just go to the completely copy paste and completely free thing okay they are accessible by default they code written for us okay okay good so let's uh by default I'm talking use uh import by default is spring given some kind of uh user object to you okay Imports so let's hear what I'm saying here say this is our whatever the HTTP request come th request and here okay they miss the permit all here say dot uh any request match with the slash comma SL home I okay home and say permit all okay not on this request permit all admin user and this is the your user SL public API okay good yeah so uh here you can create the users so user we have to dot uh builders okay in this way you can create user notice this user class is given by Spring Security notice this is the package come from the users class already given by the your Spring Security right and just create the one user object username user password let's user again okay and roll user similarly you can use a build here by default spring have a this is the deprecated method you can say so generally avoid use to duplicated method you can use the non duplicated method right build so here say admin user and admin user let's password also admin okay and they have a role two admin as well as the users me admin have a facility they have a two role admin role as well as the user Ro right so now notice I created two user one user user one is the admin user and both both user I'm not as of now saving my database just hold later part you can discuss currently just we created the two users and store my inmemory details notice the inmemory details this is the user details service user Detail Service provided by the Spring Class itself all the user management user create update delete authenticate some code written by the string due to that say they created the user service and user detail class to create the user so till now we have created a two uh here I missed at theed okay here we Define our HTTP security means our uh yes build here okay so here we Define our filter chain hey filter chain this request permit all and this API only for admin this API only for user so this role so here we have to declare two users user one and admin user one user have user name same username and password and role have a user role so that this user user can access all this my public API public API 1 public API 2 right and similarly if I'm loging from admin admin can access admin API as well as the user API both rep because here mention user roles can access by this and add Ro can access by this right so till now any confusion what we did we just configure our security which API which role can access right and here say hey user you user have a your role this this user have a role this so this is how you create user not from the schema nothing like that we'll do we'll do later let's slowly SL understand okay as spring Say by default you can create this way okay but I'm say we are going to take user from database okay don't worry okay okay okay okay that come later okay as of now it's clear it's clear now yeah and here these users we store in the in memory generally this come from the database later part I'm going to change here did this user conf Fromm database right surely I have a database I why cannot store data in the database right right so whenever these things you done and whenever you start application you are getting some problem okay by default notice this all the things I'm work just I'm getting from this spring documentation they are mention everything here right I'm not writing any St code notice they have given sample to code for you right right I'm just using the same there is nothing extra right but just only what I change our API here right which are permit all which are not permit all okay and let's start server started no let's start and here one thing notice password like a flat user and password Springs and any security Frameworks are really not interested password should be like flat text right right always password must be store in duplicated format right maybe some encrypted format some change format right right no one can read the password as of now testing we WR user admin but whenever you're going to access API notice let's try to access our API okay 9090 and notice this API are accessible SL right notice they're not asking prompt right let I'm going to access SL my public API which API I want to access so notice and let's try to slash home it's working or not right slash home home also accessible right good part and let's I access public API something so notice these two API are accessible right first two there is no authentication required right and let's I'm going toess this public SL SL this and and notice they are asking username password right right that means this API are not exess without authenticated right these are the authenticated so this route our work our route work this route say for this two URL they permit to everybody right but this UR say hey required this users role so question whenever let's I'm trying to log in from my user as of now user and password also user notice it will somehow not doing anything because they are throwing some exception main reason here is that they say password encoder by default spring say you cannot use flat password like admin and something I don't want Splat password it should be something in coded password this is also good part password should be not FL right so how to so good option we need this password encoder means some object some class that change my password encode my password right so here say I'm going to add one more bin means I'm going creating one more object uh password encoder okay import so this password encoder what is this password incoder this notice this is the interface interface me we need some implementation class right so you notice here click here lots of implementation class have so by default this documentation suggested whenever you go to password encoder you can use bcrypt password encoder right I'm from where I know this do mentation help whenever you go start running here here slowly slowly say whenever you're going to use the password by default your password this whenever you change you can use this your bcrypt password right password must be encrypted form I'm going to this decrypt password incode right here say hey I'm going to use decrypt in so say return B BK password incoder okay okay just say so here say I'm going to this bin available and here you can encode my password don't Store Flat password like a admin or something so here say hey I'm going to change my password I already have a This Is My Method they return this subject password encoder so say hey password encoder do encode method and here say this password in code right so this is the extra things when have to do password encoder so in this way you can encode your password before saving storing database okay this is the so as of now here you look like I'm able to see my username password but reality whenever you are going to create user this come from a user and you can encode password and show in the database okay right let's I'm say what would be the actually if you look this I'm just going to the uh print here that's out what would be the actual password would be just for your references I'm printing here you notice this user value can be converted to the in crypted encoded format just for FYI right right this is the user and this is the your admin password so this is just security purpose by default uh spring not allow you can store this password flat like a St right this password always hold the encrypted value like this password right in this way and generally it a good idea you cannot restore password later part I'm going to read data and database then you so this password must be stor in encrypted form right right so let's uh whenever notes this would be started notice this is the way password is this is the your user password this is your admin word notice you are going to store password in file in this format no one can understand what is the meaning right but notice this is what this is the admin password admin means this is the value admin words are encrypted the admin right admins are inced in the bcrypt format this format right and this information is stor in your database and whenever from the user login you type your actual password admin admin going to inrupt it by the bcrypt from here and already store this those those are going to the match right always password match by the encrypted encoded password not the actual password right so in this two lines the first line they both are referring to a password both both are the password because I mention here the for your references what is the meaning of this line what is this output right the output of this I mention here so the output means this user password user passwords are store in this format this is the actual password this is actual password right okay so just for references but yeah I'm going to and let's test now you can type with the user user and that work fine let's uh uh go to the apis SL home home home accessible lights public API public API ask password Let's uh user user okay what say is denied okay does user have access to API yes is must be accessible what say what the rules I'm Divine uh let's uh check the role public public SL I given the user rule right this is the rule I given Public Public public should be user and admin just check the name spelling here say Public public SL yes okay public SL API 1 right API 2 there is no API okay here I'm trying to S API only right I CH API okay that's okay fault okay restart okay this is is the public API 1 public API 2 admin API 1 admin API 2 it should work let's restart okay so by default we change the API not API API one right no here ER say uh does not authorize because this there is no such by default rule say if you want to access only this two URL then you are okay else all other request would require authorization right mean you are not authenticated user this rules are this is the only allow for everybody else any request try to the my application my application spring board say Hey you are unauthorized any wrong URL or something right let's restart it I think it's not oh sorry I missed to start and just little bit then server started and let's I want to go to access this URL public URL SL api1 right if I'm trying to only SL your home it's accessible there is no problem but no I don't want to access this I want to access this right and they ask password I go with the user password also user and they are accessible right let's user try to access this URL ad public two this is also accessible for user this is accessible for let's public us try to go admin API then now now you need admin but it will fail let's try no this is the authorization right because you don't have a permission to access the admin API that means admin API need the admin login right so you need to log out first now in this yes log out I'm going to the log out and I say hey I want to access the admin API so they ask pront right I loging from admin admin and I I able to admin right yeah and even let's try to the admin to when all kind of URL you can accessible and if you don't log out then it will save in the cash yes right log out will clear yeah log out will clear and uh whenever you trying to access it's public API let's say I want to access this public API admin can both have permission user and permiss they can access right they can ACC right here because here I am given the role admin have a two role admin Highway admin role and user role right right so is it clear spring configuration this is little bit configuration not so hard right not so hard but um uh this is a I you know these codes are big so but this is like U the configuration remember we used to generate data and uh save without database we used to generate data uh using uh uh the configuration right first yeah so this is this also start at the end of the server when you start the server right right right okay okay okay yeah yeah so almost all we have covered things only things these informations only user one user two I want it information come from database not hardcoded here right right let's do this thing as well because it till now okay we can configure any number of user and our according to the our roles and capability our application works but only things here till now all the user I'm created in in memory right in memory but I don't want it should it should be come from a database so let's create a database schema user and it stores the information first my database right right and after after that I'm loging from the my database right right that Mak sense yeah so let let's I'm going to create one uh class my user okay this is a datab SCH yes my user and let's create the private long ID okay database as usual you know private is string notice by default this uh class you user already have created by user I cannot create the username again but you can create my different class right usern name already exist right due to that I say hey Spring user collect class already used by the spring framework right so I'm going to say my user okay okay okay so this is my username and this is my password to fill right and I also need a rle right they need a role right so yeah like a private role can be one us can have one role two r that mean list a set of rle right let set of string rule okay roles okay roles yeah as of now this three field okay right right and you can say I want to St in database that means we need an entity right right and you the CER G data data right right and this should be id id and generated value okay now this is my database design done yeah okay okay done and now let's uh need the jpo to store data right right uh so net interface uh repo extend jpa are you going to use swager to create data or like or command line you can do you can do command line okay okay command line okay yeah right because you have a not so much time okay okay okay sure yeah you can do right these are the practice need now this comp and let's say I'm going to create one more configuration command line Runner you know B and the server startup I can create some user right two user three user so you know be command line run no no say command line Runner right yeah command line Runner uh maybe load initial user load load users in okay and here you need a repository my user my user repo yeah okay right and here just say return okay already we did this multiple time right yeah we did that multiple times and so let's create my user here yeah user one user one to new new my user and one. set username let's set user and you can and password set password and uh here password must be encoded you cannot store admin password directly right right right so how to encode I already this method encoder so say password encoder do encode and just give me a password okay right whatever password and Rule address user one. Ru let's this is the role can be uh user okay okay yeah yeah get roles yeah okay but here Ro required the set okay because I decide that here set right set of here not the string you say set of okay rle as of now only one rle okay oh set okay that's why okay yeah us sorry set Ro okay now name password set and save repo do save user okay user one right so let's say I'm created one user and maybe I created one more user okay admin admin okay right and should be user two user two user two user two user two user two and password let's go to the admin okay now this uh password come from your Swagger and then no code no one no what the password okay and here would be the admin okay and let's give a two R here user right right and here say two so let's create one more user okay three user in databas you can create any number of right three user right admin admin admin so let's create uh one admin special user admin SP right anything okay right admin okay yeah Special admin okay they have only admin privileges okay okay good so here we can create three user maybe user here you can give any name admin and admin right right Ro admin special role okay might we create some private endpoint that is special user when connection let time create the private API okay hey this is the my uh private API okay private API okay private okay private API this is the authenticated private API okay private something very specific API that can access only specific and here I this one thing uh this uh uh things whatever what happened whatever I'm written here this is the one way to configure here right this is the one way to define the role something but sometime without here I can method level rule also def Define hey this special customer special Ro can on the each method label you can also test right so let's I'm show you so here uh uh password encoder what I'm doing okay username yeah two your saes and user three save right right so let's I restart this application so that this user can save three three user user one admin and SP three us save and let's say out user saves okay you just save okay so now our objective I'm not going to here it's clear I have a so whenever I start server this database going to create application in database right and after that I'm R so let's uh can restart it's clear and hope it should be created in a database so this is also very simple there is no any hard this all things you know right you how to right save data and database and help and let's see take the my SQL okay right my SQL so test DB uh notice here saving de some data save right let's check the database uh use use test D test DB okay uh select s tables s tables okay this is the my user table right right start from my user a user so notice these are the some notice here uh ID one some password notice this is the password right and username this is on okay so in this way we can create the password notice this is the one admin password and this is one admin space okay right right in this notice no one can understand what is this password right but the role is encrypted too role no no Ro is simple role Ro is not encrypted only the password we encrypted right right somehow due to the ID password username then something bigger your right hand side H maybe somewhere you cannot maybe just copy one row here something from here something from here admin rule is not encrypted okay okay uh let's select only the rule okay roles roles column name roles okay rules rules yeah these are the rules why rules is the array notice the rules is the list the list are by default in this order they I store okay oh okay okay list yeah yeah they list not string column okay and these are your encrypted password okay this is the password password okay this is the password right all three and corresponding username user name okay this is the username and this is the password right right now I'm going to authenticate from database not the admin okay it's clear now I'm going to comment out because each start they're going to create database right I don't want right right I just commented out just for our purpose now our data is ready and uh just uh stop here and now I'm going to comment everything which are the written here like previously we have created this user user one and I created this previously these three code written I am created uh this user right password and roles I created this one okay and similarly admin user why in yeah you yeah um you can just do the comment I I can I can practice that that part as well I am going to comment out here for your purpose I'm not going to read the user detail from the in memory just as of now just I'm commented for your referen right I'm not removing that help okay sure okay H you can good option I'm yeah yes okay done here I'm going to provide this implementation right so here say notice this is what this being this return you want to return return this is what is this not let's this is the interface I this interface only one method so we can overload this method mean we have to provide the implementation of this class right because this is the interface so here you have to just okay hey I'm going to you know interface can be implemented multiple way maybe write one class and it's Implement another way Anonymous way right so let's I'm go to the anonymous way right so return new yeah okay this way and here say just this way right you know say here you can override the implemented method right right so here you are going to implement using Anonymous maybe Lambda function Anonymous anything you can do but here is right so is it clear why I'm writing here because this is the interface they have only one method that we can Implement by a Lambda expression by a sub class by Anonymous class right any way we can do right yeah you can do using the Lambda expression right right and why why do we need why do we need that because I need the user Detail Service because the our spring framework need user detail to verify right you need the username and password username password means user details user details we have to provide now previously we are providing in the hardcoded here oh okay okay I see I see I'm going to I'm going to load from data from database right so here we can say maybe simply say hey I'm going to use the Lambda expression instead of that simply say here okay as of now just okay here I am going to say here I'm going to call my repository here repository give me all the user right by username they need the one NPI username so here you go in the repository say I need one uh uh return my user find by username right yeah you know how to write SQL and yes yes I I I I remember I know that I don't want to find by ID because us while writing the password they find the username we need the one repository method find by username right so here say I need the good so here need a repository so I can take here repository say hey uh my repository okay inject okay my repository right here I want to say even you can e the Lambda expression you can say Hey you can remove them and you can just write this way right and I I don't need anything just username input I need letter part you can do okay just here I'm going to say hey my repository find by username and this is the username I have right username okay this is my username okay right and then you return my user return by username ah and here say if no user then what say uh through exception right no user found right exception yes say if null might be someone type in throw okay uh th th throw new okay okay username not found right us not found okay got it yeah something you have to check whatever the username to user exist or not if exist then I have to return this question that is I return this user my user work or not here so notice our compiler is not happy because this your class your classing don't know what is your class right spring only know about his username because this is the my user class spring don't know about your class right I have say okay don't worry I can convert my user object to the your user object right and so already know in this way you can convert the object right right so same thing I can go here say hey don't worry I can create user in this way right I can create I follow this syntax right this syntax right because and this syntax and here already have my here I already have username so from you say from my user. get username right and here password already have a password you can give name as a DB user right that's good name rename DB user right this is the DB user okay right DB user. game and here say DB user. git password and role you need a role and here say DB user. get rooll get rooll but notice they are not happy role what is the role te role is expecting arrays right dot dot means array of string they are expecting and what our role our role have a list it's not mismatch the here say we know already know not a problem you can convert you know convert to uh list are set to array just to array and here say string column column okay so you are going to convert to the set your list to the ARR right right in this way say hey this is the my user and you can you return the user here just done okay so is it clear in this what say local variable is okay so he said don't use declare just return this right not any right right okay and even just do it and just let's logger you can okay you can select this is my uh DB user and I just PR my uh spring user this is our spring user okay right just check my conversion happen or not right right is this is the things we have to change here just for now I'm getting data from my database not notice here not any hardcoded thing right previously we are doing it right right right now I'm saying no hey Spring use my repository get data from the database okay and what is the DB user and this is my converted spring user okay right this is my DB user okay and let's test so this is the things you have to do for your data username password authentication right let's test I'm let's do so here notice there is no user in this now all the user come from my database so these are the simple the way where you can use the Spring Security to authenticate and authorize is your resources your your Endo right right let's uh start it and let's this this will take some time to get yeah slowly so let's start my BL this is accessible slash home accessible and let's try access some API that's are specific to the authentication right let's I want to access this one okay they asking password and now I'm using the password this password come from my database right authenticated notice Let's uh and took the my logs notice this is the my hynet query run and this is my database come from my database notice this is a password this is the right and this DB user converted to the spring user and this is notice spring user spring user username password protected right and all the other Fe and notice these are the roles roles they are appended something under role by default is thing internally understand this role right yes right so this is the way let's key I can try to access other resources so that means now our authentication come from my database right and let's I try to access this Endo to accessible or not accessible let's try to access the admin API accessible or not not accessible because you not edmin right right so let's log out and I'm trying to access from uh a admin API I'm going to login from admin admin admin done AP well right and let's access to admin API 2 right right admin API 2 that's good and let's access this private API these are the not match here right let's access notice this is not allow this this is sp sp special because we have not till now given any permission to hear right right this are free available this public by user this by admin but this end point I cannot Define anywhere they cannot access okay so let's I want to access by a special admin because I have created one more user like a admin that have a privileges admin special privilege right right so how do so one way we can go write here again code and one we I'm going to write here again say hey any request any requests okay I say hey here go any request here say any request uh that roll SP admin and here say that is start with a private right this is the one way okay this is the one way and we can uh do it this is the we can do it okay but I don't want see so let's comment out I don't want this way another way using the Java code here I something mention here have like a pre authorized here you can write the same thing whatever you are writing here like you writing a h r like h r here you can say has role okay has rooll and single code and what is their role you want to admin SP here admin SP okay oh you are writing there yes on the method wise I want to specify this method which role I access this is another way you're showing another way yes generally whenever you're bigger application sometime I'm not going to confuse each and everything on the Me Maybe on the each method level I'm going to generally preferable way right right right me for which role here say admin SP the only admin SP the kind of user can access this n API right right right yeah and no here you have to whenever you do here okay okay and let's test right now restart so in this case for this API I'm not defining this security configuration here right and let's see even I am comment out I don't want to Define here right I'm commented here right no right let's start the server okay so here I am going to access this private API who can access only the rle have admin SP privileges is there any user have yes I created one specific user that is the admin that have this privileges right admin right so let's test because in the database I have a one customer with the admin SP privilege right right so let's test I start okay let's start some Let's uh start here the little bit till now clear but uh yes yeah good so two way to define Your Role one in your uh your HTTP security like a request match uh you can method meev one thing I miss here whenever you say method level security here you can to enable uh method level security enable enable method security this you have to enable so that ke spring know uh some uh uh code are AP we you the method level SEC right okay okay I see here you have to tell this thing right right right else it's not work please note that whenever you are going to enable method level you have to mention here right right and here one thing uh let's say I'm getting one I'm just giving one more suggestion here while enabling this method label then what happen so let's application is started little bit yes so let's uh go and here let's try to access only home home it byble accessible let's I'm going to access admin API as of now directly right this API this API admin needed admin needed okay accessible and let's I am trying to access this private one this is the private one I'm trying to say not accessible let's log out okay log out and again try to access this again now here I'm going to log in through the uh which is your admin admin uh admin admin SP notice uh they have again unauthorized accessor look the error notice here admin privileges have a role what role role underc admin right by default spring internally append rule underscore right these things we have to append here notice this have to append Ro underscore something this is the additional things you have to taken care but not for others not for others why why this required because notice this role method string internally whenever you say do set roles this roles internally they are appending this thing notice hardcoded role underscore Your Role so this is the way spring internally implemented concept each give the prefix like role underscore something right due to that programmatically if you are here here you building they can append the role right but whenever you are giving here that's how you have to mention role underscore right oh it's only for method method level yes and let's started and test okay MH this want to test so this is the additional step but these are the more convenient way because each developer many many methods many many API sometime it's help method level security as this method which role have access right right excuse me and hope it should run in these times okay started let's say 9090 AV Lael let's I want to try the direct private okay private API admin s p admin SP now what say again what users say role don't have admin I'm given this is uh must be accessible Ro has enable free so let's test this is say authoriz and failure why say it should be admin SP admin SP we are able to access private API should be accessible should be accessible here I not mentioned I mention role pre-authorized enable here I mention I'll test but it should allow in this way you can also test again let's I am going to add Ro here then it's what happen first check this maner and something like private let's check admin SP okay and restart but it should in this way also works right I have tested right but the but different mechanis uh this spring Frameworks supported right right so let's again Test spring api2 directly accessible okay and now say let's private admin SP admin admin SP now accessible right right so in this way you can only the private and notice these are the private and uh this but they have only role of the private they cannot access the other uh and admin a public API right let's try to this because then don't have admin permission right right let's try to accept this okay they are a problem right because they are not permission because in case of our admin roles I'm given only a specific role admin right and they have only one URL which can access right here they not access this they cannot access other so it is the clear any doubt any confusion so notice little bit coding required here me configuration required for enable Security in your application right right right just mention which URL which a role user can access right right so for this is um like if any company needs more um uh let's say user or they have they need more access to more um API so you add those add add yeah role privileges capability and good part here you can all the details store in and database right and from database you can do verification but in the real real world they always use database not not like finally always your user name somewhere is store right because without your detail credential is store in the database house who can know right M but surely we have also learned how to store user in the database and password are store in the encrypted format right right right and also uh we just tell hey Spring you can authenticate my user from the database not from the default user you can call my database user get your user and accordingly you can verify right so each and everything uh about the username and password verification role verification that's all taken care by your spring framework itself and all is the code written by the Spring Security team for you just you included this Library spring boot security right right I just include this library and all the benefit by default your all the end points go to the auth authoriz means authentication oration happen okay and how you define which are the publicly available not available just need one HTP security configuration right right you mention Hey whenever request come these all allow permit all means allow and this request match whatever the match public is star star only user role can access admin only admin private only Administration what is this role role means whenever you creating user you can set the role right so whenever I'm going creating my user user at that time say hey your username your password and your role and this role come from a database right right the accordingly rle this Endo someone can access right is it uh any doubt any confusion this is a very simple this you already know how to design the model how to store data is only thing is that this security part that's only this this configuration you have new yeah it's new a good part here whatever I written each and everything just spring documentation mention I'm not writing any extra thing notice here they all written for us Noti right right right all given for us just we can use here by default they not they have not given example of how you write on the database you can see this is the user detail I'm I know I don't sping say I don't know your database right I can just give the inmemory user you can change this to the your database right the same thing here we did here say I'm not going to use default I'm just using load from database right is it good yeah it's good so let's do practice and and this is the one kind of a spring security and this is the and this is required generally each and every application maybe you have web applications or stream boot application anywhere any URL you want to protect that must be protected right what is the difference between web application and springboard application here you notice you're responsing not an HTML page right here you are responsing any data right directly string yeah so this is web this is the simple string uh I see okay I see I see okay okay this is the only rest I just my application is STO right yeah okay so any URL you can protect maybe I can say here not only rest controller you can say just like a controller web application right and here you can control all the mapping right whenever any mapping going to anyone hit and they are going to prompt username and password so till now today we have covered how all your URLs are protected from the Spring Security are from the role based permission right is it okay yeah good so this is the one kind of your API authentication and authorization and nowadays there are multiples things Sur we are not going to the cover but if you read the documentation is brings a other way to also Implement nowadays maybe notice uh JWT V token API key authentication right so all the things here mentioned authentication authorization to whichever you want to implement you can just implement this right it's the same way same yeah here you notice sometime you want to JWT token API key everything here mention how kind you will do right each and everything how to how to do but if you know the basic things the rest other similar right right right right whenever we are going to uh if anyone want to integrate O2 JWT API key V Key by default each and everything supported by the Spring Security as just provide your configuration as of now we are provide our all the credential username and password my own application right this is the one another way notice nowadays you can go and log in any maybe chat GPD any websites they are going to authorize from your Facebook or your Gmail right they're not asking to your username and password that means some other person if already you have aoriz they can also give some so these are the some different mechanisms to the Authentication authoriz right right so lot of things spring support but so Sur we are not going to cover each and everything as per your application need you can just explore the Spring Security documentation they have La everything for us right right right but this is the basic things which at least we should aware right right right whenever okay that's good yeah it's good thank you uh let's do practice yeah it's a good one a long one at least now you are able to secure your application right right right yeah yeah I have to practice few more days to get used to yeah that's idea thank you and this is not just need some little bit configuration and just need to study the documentation how because we are not writing anything right we are just taking the help of a spring framework so if the way string support the way you have to write the configuration right I cannot write anything from my logic what I am thinking what I'm thinking not works what Springs documentation thing that's work right right right right if something is not work that means we are not following the spring documentation be careful right so this is the thumb rule whenever you are going to study in any framework any documentation please read carefully how those framework design and you have to follow the same rules which Spring Security say to get the spring benefit right because uh I will see many Frameworks at work like when I come to work right like different scenario yeah okay so let's do practice and follow the string security documentation for more detail this the complete details available here right yeah okay thank you take care thank you bye

Info

Channel: KnowledgeSharingG

Views: 1,975

Rating: undefined out of 5

Keywords: spring, boot, security, user, authentication, via, application, properties, in-memory, store, database, mysql, authorization, role, base, url, level, apis, configuration, enablewebsecurity, enablemethodsecurity, securityfilterchain, userdetailsservice, jakarta, persistence, Column, Entity, GeneratedValue, lombok, Data, springframework, CommandLineRunner, SpringApplication, SpringBootApplication, Configuration, JpaRepository, PreAuthorize, HttpSecurity, EnableWebSecurity, EnableMethodSecurity, UserDetailsService, BCryptPasswordEncoder

Id: EN4Ldo4IZqY

Channel Id: undefined

Length: 104min 5sec (6245 seconds)

Published: Thu Dec 28 2023