Spring Security explained with no code

Captions
Hey, what's up guys, welcome back to my channel. I'm thrilled to have you here for today's video, where we are going to unravel the mysteries of Spring Security. The best part of it: we're doing it without writing a single line of code. I know security can sometimes feel like a complex puzzle, but fear not, we're breaking down the Spring Security architecture step by step using a simple analogy. By the end of this video you'll have a crystal clear understanding of how security really works.

But before we dive into the details, I've got something exciting to share: check out my brand new Spring Boot course. It's your ticket to mastering the framework's deep intricacies. The link is in the description below this video. Also, don't miss out on joining our growing community on social media; all the links you need are right down there, so let's connect. Now, if you're new to my channel, hit that subscribe button, give this video a thumbs up and share it. Let's spread the knowledge together and help this channel grow.

Imagine you're throwing the ultimate party, but you want to make sure it's exclusive. Just like organizing a party involves meticulous planning, securing a Spring application involves setting up the perfect entrance. Let's break down the party analogy into the world of Spring Security without diving into the code. First things first: think of your party space as your backend or REST API. It's the heart of the event, where everything comes together. Now, this fantastic party space has doors and entry points; in the tech world we call them endpoints. These are controlled by the party controllers, each managing specific aspects of the event. To avoid any uninvited guest scenarios, we need a system to check if guests are authorized. Enter the security team, the bouncers of our digital party. Just like a real-world party needs tickets, our Spring application has a registration method in the authentication controller. This is where guests get their digital tickets. But having a ticket isn't enough; you need to show it at the door. Think of this as presenting a JWT token, which is a digital version of your party ticket.

Now, to make sure only the cool crowd gets in, we hire a security company. This is the spring-boot-starter-security dependency. They come with their own way of doing things, but we want a more advanced setup, so imagine assigning a security guy to each door, or each entry point, of our party space. These are like the security filters in our Spring Security setup. Their job is to check everything: first, does the person have a ticket, which is our JWT token? Is the ticket correctly formatted for today's party? Then check the username and code on the ticket, and finally ensure the ticket is legit and issued by us, with the user registered in our internal system. So if everything checks out, we update our system, let the person in and even give a route guide to the party; otherwise they just get the rejection treatment.

So now let's break down the security diagram and see how it all works. Then I'll guide you step by step through each step and share the corresponding code links. After deciding to organize the party, this is the equivalent of having our backend or API ready, and then calling a security company is the equivalent of adding the spring-boot-starter-security dependency. Then we need to have a meeting together with the security company to explain the way we want to secure our party and how to get different information and validate them. This is the equivalent of the security configuration class, where we need to tell Spring what the different components are to use in order to secure the API.

Now let me explain to you the configuration class. As you can see here, this is the Spring Security configuration class from the previous tutorial, so I will also leave you the link in the description of this video. Let's go directly to the security filter chain; let's imagine it as the contract between the party organizers and the security company. Here we tell them that we want to disable CSRF, and then we want to authorize some people. Here we said that we have a list of people that we want to authorize by default, no matter what; they don't require anything, so this is how we have permitAll here. Then, as you can see here, for example, in order to access this space, or this VIP space, the person presented in front of you needs to have, for example, let's say, this role; let's try to replace this role with a special ticket. Same here. And then finally we say that any request needs to be authenticated, so this is the most important part.

After that, as part of our contract with the security company, we want to tell them that we want the session management to be stateless. This means that each time, even if a person was authenticated before and leaves the party perimeter and wants to get back in again, we need to recheck everything from scratch. So each time we have a person in, we then forget about him; we don't save any state. Saying "okay, I remember this guy, he was checked in before"? No, it's not the case: every time someone wants to get in, even if he was inside before, we need to double-check again. Then we need to determine what the authentication provider is: how to check the system, how to check if the user has the correct ticket, if the information of this user is the same as in the ticket or not. And then, adding a filter before means this is where we want to place our security guys, for example saying I want to have one or two people at the front, or at the main entrance, and so on and so forth. The rest right here is just for the layout. So now this is how we can determine the contract between us, or between the party organizers, and the security company. It's all about telling them how to do things, because they have their own way of doing things but we want something specific for us.

All right, now you get the analogy, but we need to understand how things internally work, so let me take you now through a diagram that explains how the authentication really works and how to authenticate a user in Spring Security. As you can see here we have this diagram, and here we see that first of all we start with an authentication request, where the user will send his credentials; the credentials are username and password. The request will reach our backend, and the first thing that will get executed is our filter chain. We have many filters in our Spring application; even without declaring or creating specific filters, Spring has its own filters, and among these filters we see here that we have our once-per-request filter, which is the JWT authentication filter that we created in our tutorial. Then the request will be forwarded to the authentication controller, since for the authentication, if you remember, we have a check to see if this request is coming for the authentication, and if the answer is yes we don't execute the filter; we just pass to the next filter in the chain and execute the rest. So here we come directly to the authentication controller, which has a dependency, which is the authentication manager. We inject our authentication manager inside our authentication controller (actually it's directly in the service, but I just didn't want to make this diagram too long). So from the authentication controller we are calling the authentication service, and then we have the authentication manager as a dependency in the authentication service.

The authentication manager attempts to authenticate the passed authentication object, returning a fully populated authentication object, including granted authorities, if successful. In case something is not working or something is wrong with the authentication, we will get one of these three exceptions: either a disabled exception, a locked exception or a bad credentials exception. So in case you want to handle exceptions for the authentication, these are the three exceptions that you need to take care of. This authentication manager is an interface, and Spring has a default implementation, which is a class called provider manager; this is the one commonly used in Spring applications. Then this provider manager needs, or uses, an authentication provider, and the authentication provider is the object of the bean that we configured in our bean configuration or application configuration class. I'm talking about this one: if you go to the application config, here you have an implementation, or a bean, of type authentication provider, and here we are providing an implementation of this authentication provider, which is already an interface. Among the implementations of this interface we have the DAO authentication provider. So now if we go back here, we are providing our DAO authentication provider, and this DAO authentication provider needs two dependencies, or two services, at least. First we need the password encoder; this means how we encoded the password while persisting it to our persistence system, and our persistence system might be different things. Also we need an object of type user details service, and this user details service will try to fetch the user. Here we need to have our own implementation of the user details service interface, and its implementation, provided by us, will try to connect to a storage system. It might be a PostgreSQL like in the case we had in our tutorial, or a MongoDB, or any other type of storage. This user details service will return an object of type user details, and this user details will provide Spring with the following information: username, password, authorities, is enabled, is account non-expired, is account non-locked and is credentials non-expired. From the is-account-non-locked and is-enabled properties, you can see here that this is why and how we are returning the disabled exception and the locked exception.

Then of course our provider manager will pass an object of type username password authentication, and it will be passed to the DAO authentication provider in order to perform the authentication process. Once everything is okay and everything is fine, we update the security context holder. The security context holder is a Spring object that holds some information: it has a security context, and inside this security context we have an object of type Authentication, which is the same object that will be returned by our authentication manager. This authentication object has the principal, credentials and authorities, which are returned from these user details right here. All right, so this is the process of authentication in Spring Security.

Now, if we send a request with a JWT in the header, with a token in the header, we want to see how this token will get verified and checked by our filters. So now let's jump into it; I will show you a different diagram showing how this process or this flow works. In the next diagram we will see how the filter really works. We have a user that will send a request to our backend; it might be a GET, POST, PATCH, DELETE and so on and so forth, any type of HTTP request or HTTP action. We said that the first thing that will be hit in the application is the filter, or the filters, that we have in our application, and among these filters we have an object of type once-per-request filter, which is the JWT authentication filter we spoke about just a few seconds ago. Here we have something: if the token exists, then what we need to do is go to the JWT service and validate the token. Here we have two scenarios. The first one: if the token is not valid, then an exception of type token invalid exception will be thrown, and this will be the response to our final user; as you can see here it's already in red, so this is an exception. Then, if the token is valid, we will call the user details service in order to find the user from the database, after extracting the user email, or the subject, from our token using this JWT service. Once the user details service is called, we have two scenarios. Let's start with the exceptional one: if the user is not found, then we will throw a user not found exception, and again we will return an exception or an error to our customer. If not, if the user is found, what we need to do next is update the security context holder once again. So the filter, as we showed in the previous diagram, that's why here it's also linked to the once-per-request filter, or the JWT authentication filter, because any of them, whether the provider manager (our authentication manager object) or the JWT authentication filter, can update the security context holder. So then we update our security context holder, and we update the authentication, and then we pass the request to the dispatcher servlet. The dispatcher servlet will take care of dispatching the request to the correct controller of our API, and then of course it will be treated; it will go to the service, the database, and so on and so forth, and then we will return a response to the final user. Otherwise, you see here in which cases we have, or might have, a 403.

All right, now I think Spring Security and securing web applications and REST APIs is much, much, much easier with this breakdown of the different components of security. I hope you like this video, and don't forget to join me and connect with me on social media, and of course don't forget to like, share and subscribe to my YouTube channel in order to help me grow this channel and spread the knowledge to more and more people. Thank you so much, and see you next time.
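The security filter chain "contract" (CSRF off, permitAll for the ticket desk, a role-guarded VIP space, stateless sessions, the DAO authentication provider and the JWT guard placed before Spring's own filter) written out as an added example; this is not the video's or the tutorial's own code. `JwtAuthenticationFilter`, the `/api/v1/auth/**` and `/api/v1/vip/**` paths and the `VIP` role are assumed names, and the example uses the Spring Security 6 lambda DSL.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
    // Assumed: the JWT OncePerRequestFilter and a database-backed UserDetailsService are beans defined elsewhere.
    private final JwtAuthenticationFilter jwtAuthFilter;
    private final UserDetailsService userDetailsService;
    public SecurityConfiguration(JwtAuthenticationFilter jwtAuthFilter, UserDetailsService userDetailsService) {
        this.jwtAuthFilter = jwtAuthFilter;
        this.userDetailsService = userDetailsService;
    }
    // The "contract" with the security company: who gets in, and where the guards stand.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // stateless token-based API: no session cookie for CSRF to ride on
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // registration and login hand out the tickets, so none is required here
                .requestMatchers("/api/v1/auth/**").permitAll()
                // the VIP space needs a special ticket (assumed role name)
                .requestMatchers("/api/v1/vip/**").hasRole("VIP")
                .anyRequest().authenticated())
            // forget the guest after each request; the ticket is re-checked every time
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authenticationProvider(authenticationProvider())
            // our guard checks the JWT before Spring's own username/password filter
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
    // How a ticket is verified against our records: fetch the user, compare the hashed password.
    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        return provider;
    }
}
```

With this configuration a request to a protected endpoint without a valid token never reaches the dispatcher servlet; it is rejected by the filter chain, which is where the 401/403 responses described in the video come from.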
Info
Channel: Bouali Ali
Views: 14,455
Keywords: spring boot, spring security, architecture, explanation, no code, spring
Id: n6pXL9M0ljM
Length: 16min 50sec (1010 seconds)
Published: Thu Nov 23 2023