Spring Security Master Class - Configure HttpSecurity | User Authentication & Authorization #4

Captions
Recording in progress. All right, I've started the recording. So guys, the thing that we're going to be doing today is how we're going to be configuring the security configuration of our application. Now you might be wondering, okay, Overas, we have already created users and done certain things, but in this lesson we're going to be configuring the HTTP security. We're going to be creating our own filter chain, and we're going to be controlling the different endpoints that we have in our application: how we can restrict those endpoints based on the user roles, and how we can configure those. Basically, we're going to be securing the endpoints in our application the way we want, okay?

Right now, what is happening if I'm going to start this application? One second, let me just start this application and deploy it on the Tomcat server. Now, in the application that we are creating, by default Spring has protected all our endpoints, like hi, hello, bye, right? But imagine this hi endpoint I do not want to protect, or this bye endpoint I do not want to protect; then I will be needing some custom configuration, okay? Right now, by default, all of my endpoints are protected. I might not need it. For an example, if I'm going to the Selenium Express website, right, this main URL is not protected at all; you can go and access this website. But let's say if you want to go to this course, okay, this course is protected; you cannot go to this endpoint, right? You need to have access to go there, okay? So you will be having different needs which are website specific, and today we're going to be learning how we can give authorization access to our application endpoints, okay?

Okay, first of all, just tell me right now: we have set up a Spring Security filter chain, and how have we configured the Spring Security filter chain? Anyone? Like, where have we configured the Spring Security filter chain in our application?
Like, where have we done it, anyone? In our application, in our configuration, where have we done the Spring Security filter chain, where are we creating it? Anyone? Enable security? @EnableWebSecurity, okay. We have not created it by ourselves. Whenever we have written this annotation, @EnableWebSecurity, Spring Security behind the scenes is creating a filter chain for us, okay? And because of that filter chain, if you're going to see over here, whenever we are hitting any endpoint (let's say I did hit the endpoint last, bye), this endpoint is protected. All this security filter chain has come into the protection, and right now you can see, we haven't explored all these filters yet, but we know there are a lot of filters standing in front of our URLs and protecting them, okay? But we have not created them. This filter chain has been created by @EnableWebSecurity.

If you go inside this, okay, and if you're going to go inside the configuration from where it is securing our endpoints, it's inside the web security configuration, right here, okay? And if you want to scroll down, as I have told you guys previously, it is creating a Spring Security filter chain for you. No need to look at the code; as I said, you guys always just concentrate over here. See this method documentation: it creates a Spring Security filter chain. And what does this method return? A filter. What kind of filter? Look at that: this filter represents a Spring Security filter chain. And if you're going to observe it a little bit, okay, right now they're doing something over here. Just look at this part: authorize, anyRequest, authenticated. Look at this part, okay: anyRequest().authenticated(). What does this mean? Any request which is coming to your website, now somebody has to authenticate himself in order to access them. And that's why, even though you have not written any Spring Security filter chain in your configuration, Spring Security is kind of creating a
configuration for you. Inside that configuration they have written some commands like, you know, activate security for every request, okay? And that's why all our requests are right now protected, okay?

Now the thing is, okay, how are we protecting our URLs? Okay, I have this question for you. Now let's say this endpoint is protected, bye; this endpoint is protected, hi; this endpoint is protected, hello. How are these endpoints protected? How have we protected them? Just a question for you; your answer is just in front of your screen. How have we protected all our endpoints? Yes, yeah, with a login page, right? And I have told you guys this login page is over here because we have one filter in place, right? What is that filter? If you're going to see over here: DefaultLoginPageGeneratingFilter, okay. Now, we have not created this filter, also we have not created this filter chain, we have not added this particular filter to, like, you know, we actually have no role in defining this; Spring Security has already done that because of this annotation. Okay, cool.

So right now, this request we are hitting, where are we hitting it? Let's say I'm hitting this endpoint; where am I hitting it? I'm hitting it in my browser, right? So whenever I'm hitting all these requests in my browser, this default login page that I'm having, which has been configured through this Spring Security, whenever I'm hitting any endpoint of my application, it is protected, okay, because I'm hitting it in my browser. Let's say I'm going to hit this another request, let's say the same request, hi; I'll go to my Postman right here, okay. Imagine that hi request, if you have seen before, where we have it, one second, hi, hi, hi request, where we have created it, this one, HiController. See, it's a @GetMapping we have created which is returning "hi everyone"; it's a @RestController, okay. So we can also hit this GET endpoint through our Postman, right? Let's just go over here.
I have this request here called hi, okay, Spring Security hi. Look at this endpoint; I have already copied and pasted it to your Postman. Now tell me, if I'm going to be hitting this endpoint, okay, if I'm going to be hitting this endpoint right now, will I be able to get the details? If I'm going to do send here, will I be able to get the details? No, I'm not getting the details over here. I'm not getting "hi everyone", I'm not getting the response over here. So this is some HTML page it is giving. What kind of HTML page? Click on preview: it is just saying unauthorized. Obviously I'll not be able to access this endpoint because it is not authorized. In order to authorize, in order to access this endpoint, I have to do authentication. But right now, how will I be doing the authentication? Because this request I'm hitting through Postman. Whenever I am hitting it through the browser, mostly a human is hitting it, so we are giving a login page so that the human can enter the username and password. But right here, obviously, this is the REST endpoint; mostly a machine will communicate, a machine will hit this particular endpoint, or another application will hit that particular endpoint, and that application will not have a login page, right? At that time we have to go to the authorization; we have to choose a type of authorization, like OAuth endpoints or JWT security. We have not activated any kind of thing here, so we will go to HTTP basic. Where is that? Bearer token, API key, third one, third one, basic auth, yeah. Over here we have to give the username and password. Let's say my username is Akil and password is Akil. I think I have this user in my database; sorry, not in my database, I think somewhere here I have configured it, right? Akil, and this password means Akil only, if I remember it correctly. So if I'm going to go to my Postman, if I'm going to do a send, I'm getting "hi everyone", right? So here I have
done another type of authentication. What kind of authentication have I done over here? The basic authentication. And how am I able to do the basic authentication? Because here Spring Security by default has created another type of filter for me; that is called BasicAuthenticationFilter. This filter is by default activated for me; that's why I can send my username and password like this using my Postman, and whenever I do a send I'm getting back the response, right? So now what you understand is a lot of things have been configured for you. Spring Security has created a login page for you; Spring Security has created a basic authentication for you so that you can utilize this feature whenever you are hitting any endpoint. Let's say you are hitting any endpoint; you have to make sure, if I'm going to do a send, okay, it is giving me unauthorized access because I have not chosen any authentication. But if I'm choosing a basic auth and I'm giving my username and password, like Akil Akil, or I think I have another user called Anil, I'm going to do Anil Anil, then I'll be getting back my response over here. And all these things are possible because of the filters that I have over here. This is for my REST endpoint: this filter is helping me to do a basic authentication, and this is helping me to do a login, a login function using my web browser, okay?

In the chat: Vas, your screen is lagging? Is it? So guys, it's fine, my... yeah, it was, like, I think it's fine now. Okay, Digna, Raak, Raak, Anil, Anju, AR, can you confirm, like, is it lagging for you guys also? Yeah, it's fine. Yes, yes, lagging. ARA, lagging. It's lagging. Okay, not for... okay, okay, let me... any... okay, okay, just let me know if it is going to lag one more time, okay? Sure, sure. Cool.

Now my question is, my question to you guys is: now you have seen that we have three... now I think you should be familiar with this filter right now. BasicAuthenticationFilter is helping you to do the login if you want to do a basic authentication, mostly the REST type of request. Default
login page generating filter, for the login page that you are seeing on your screen whenever you are hitting any endpoint from your browser. The browser is prompting you, like whenever I'm hitting this endpoint, I'm hitting through this client; this client is a Google Chrome, which is a browser, right? That's why I'm getting this page, and all these things are activated because of the @EnableWebSecurity, whatever, okay?

Now if you want to go over here, I want to see how it is activating it. If you want to go to this web security configuration, okay, if I'm going to see the basic filter chain they're creating for us: this is the Spring Security filter chain, this is the bean name, if you remember, default filter chain. Spring Security filter chain is the default bean Spring is creating, and that's why in your console you are seeing that security filter chain over here, and these are the different filters which are activated inside this, okay? Let me just go down. Now I have hit many requests, and right over here I'm seeing this couple of guys; why are these here? Let's just see how they have configured the filter chain. If I'll go back, okay, right here inside this method, okay, what have they done? See, they have created, one second, right here they have created an object called HttpSecurity. This is an object they have created, okay? What is this object going to do? This is going to help us to intercept, to configure your security in your application, like whatever type of incoming HTTP requests are coming, you can customize those requests using this particular class, okay? If you're going to come down to the filter chain bean, see here they have done two, three things. All your HTTP security requests, now look at this much thing: every request which is coming, any request which is coming, is right now authenticated. Now they have authenticated. They have done httpSecurity.
formLogin. Just see this much part: they have done a form login. This, why they have called this method, that's why I'm getting this page. And also they have used this httpBasic; they have written this method; that's why whenever I'm going to go over here and if I'm going to do a send by sending this username and password, it is doing, I'm just doing a basic authentication thing over here, and that is being taken care of by that filter that I have shown you, this filter, BasicAuthenticationFilter. And this filter is getting activated because they have written this line of code called httpBasic, okay? You don't trust me? Let's just see what is going to happen right now. Let me close all these things.

Now what I'm going to do: I will create my own filter chain instead of the Spring Security filter chain that they have created for me inside this annotation, inside this method. All these steps they're doing: they're authenticating all the requests, they're activating a form login, they're activating the HTTP basic, and they're doing all these things through this object called HttpSecurity. The same way I will be doing it in my class, right? Let's just see if I can do it. So I'll be going to my security app config right here, okay, and here I'll be creating another method, okay. Look at this, guys: here people are getting stuck in our batch who are following the previous or the old lessons, because a lot of things have been changed; we're going to be talking about that right now. Let's say I'm going to be having a method, and here I'm going to be setting up HttpSecurity, okay. HttpSecurity: I'll be intercepting my HTTP request and configuring it in my way, okay? So what am I trying to set up? I'm setting up a filter chain, okay, or security filter chain; I want to set up this thing, okay. And obviously I do not want to call this method by myself; I want Spring to call this method and create a bean for me for the Spring Security filter chain, so that my bean, my Spring
Security filter chain, will be used, okay? So I'm going to write @Bean over here. So I want Spring to call this method, and whatever security I'll be configuring over here, I want Spring to apply those things over the default configuration, okay? So right over here, how can I configure it? So I need to return a SecurityFilterChain. This is an interface, okay, so what is the implementation? Ctrl+T: the implementation is DefaultSecurityFilterChain. So if I want to do this, what can I do right over here? If I want to create a security filter chain, I have to return a new DefaultSecurityFilterChain over here. But this is not a good way to create a DefaultSecurityFilterChain; rather I will be using the same approach which has been used by Spring internally. I will be creating a builder class object called HttpSecurity, HttpSecurity, and I will be autowiring it. This object will be created by Spring, and I will be just getting the object from Spring and autowiring it, and I will be taking this guy right here and I will be doing httpSecurity.build(). And if I'm going to do build, you can see it is going to return you a DefaultSecurityFilterChain. So instead of doing return new DefaultSecurityFilterChain, I'm calling the build method, and the build method is going to return me an implementation of the SecurityFilterChain object. So I don't have to give a damn how they're creating it behind the scenes; inside the build method they have written the logic. I don't want to write all this logic by myself; I know this is going to return a SecurityFilterChain object for me, okay? Now this is going to throw some exception; throw it from your method, okay? That's it, we are done, okay? Now do a Ctrl+S. So we have overridden the Spring Security filter chain configuration which has been defined over here, okay? Now if you want to see our thing, see, this has been reloaded. Now if I'll go to Google Chrome, if I'm
going to try to access any of my endpoints: hi, see, there is no protection; bye, see, there is no protection; hello, there is no protection, because we have not configured any security filter chain. And look at our security filter chain right now, okay: this looks much smaller than the one that we used to have previously. And where is our default login page generator? We don't have it right now. Where is that HTTP... even if you want to do over here right now, if you don't want to specify any authentication, if you want to hit this endpoint, see, I'm able to hit them, right? So I do not have any security provided, and for this previously there used to be a filter called HTTP, what is that, BasicAuthenticationFilter; that filter is also not available inside this filter chain right now. You are not able to see them, right? Previously we used to have it. I don't know if I have that in the previous log for our previous request: whenever we used to hit our previous request, like bye, we used to have this endpoint which is protecting our request, BasicAuthenticationFilter for REST requests, DefaultLoginPageGeneratingFilter if I'm hitting the same request from a web browser. But right now, can you see those filters in my filter chain? Okay, so I have to activate them, okay? So how can I activate? I can activate them by using that HttpSecurity, and I can just activate it by writing httpBasic; that will create the BasicAuthenticationFilter for you, okay? And also you can write httpSecurity.formLogin, which will activate the login form for you, right? So if I'm going to do Ctrl+S, let's just see what is going to happen right now. Am I getting that in my filter list? So if I'll go to my... so my code has been reloaded, I think it's reloading, okay. Right now, if I'll go to the Google Chrome, let's just hit this hello. Obviously this endpoint is not protected, because I have not told my security filter chain to protect this endpoint, but you know I'll be able to hit them,
but let's just check the filter chain, okay. So this filter chain we are getting right now, see: BasicAuthenticationFilter is back in action, and DefaultLoginPageGeneratingFilter is back in action. So using this couple of method calls we are able to activate our login form, that will be used through the web browser, and the basic authentication filter, which will be used for the REST-based requests, right? So I'll be commenting them out for now, for a moment, okay. And right now let's just remove this. You understand this point, I think. And now let's just protect our endpoints.

Yeah, yeah, question? Yes, Vag. If you want to secure only one endpoint, how do we do that exactly? We're going to see right now. None of our endpoints are protected right now, Vag; none of our endpoints is protected. Now let's just protect... We are overriding here? Yeah, because we are overriding here. Let's just try to do the same thing that you have told me right now. First, in case if you're not overriding, if we comment out @Enable... please go up. Uh-huh, if I'll comment this. Yes, what will happen? Obviously this will not enable the Spring Security filter chain for you right now, right? So anyhow, even if it is there, whenever you're going to create this bean, your bean will have the priority, okay? You are overriding that particular one. If we didn't create this one, then... if you're not going to create this one, then the bean which has been defined inside this web security, that will take the priority. We have already seen that if we comment out that bean, now if we don't define the security bean over here, and if you don't define the security bean over here, then your Spring Security will not bootstrap, as we have seen previously, because when your Spring Security will bootstrap, it will by default look for a bean called springSecurityFilterChain, and that bean is being created by this
this, you know, annotation; behind the scenes it is creating that particular bean for me. That's why I have activated this one. Right now it will do all the necessary configuration by importing the configuration from all these classes, right? It is doing a whole lot of configuration for you, and I do not want to do that from my end. It is also doing a configuration for me by creating a filter chain bean right over here, but here they have by default done some basic thing; that's why we are enjoying that from the last three classes. By default it is protecting all my requests: authorizeRequests, anyRequest, authenticated; this line is making sure that all my requests are protected, and they were activating a form login and a basic authentication filter for us, for the REST-based requests and the web-based requests. But right now I want to keep all the defaults they have set for me, but this bean I want to override, okay? Pya, this is what I'm trying to do; the rest of the settings I want to keep, so that's why this annotation I will keep over here; only I'll be overriding this filter chain bean, okay? Right now, if I'll be overriding this filter chain bean, right now I have overridden the default, so no URL will be protected for me right now, okay? This much is making sense, B? Yes. Right now, obviously, none of the URLs will be protected: this will not be protected, this will not be protected, this will not be protected.

Right now let's protect them. If I want to protect them, let's just use their formula, okay, the way they have done it; I'm going to use the same thing. I'm going to do httpSecurity, the object that I have defined over here in the top, and then I'm going to call a method called authorizeHttpRequests. Guys, notice over here there are a few overloaded methods; I'm going to be coming back to this, okay. And one thing you remember right now: knowingly I have used a version, and this version is the Spring Security 6 version we are using for all our Spring Security jars, like for web MVC, for security,
all the security jars that we have, we have used the Spring Security 6 version. This version is basically the 6 version, right, right over here: 6 version. So there are a few things that have been changed as well in the 6.1 version of Spring Security. Remember that the 6.0 version is used by Spring Boot 3, okay? So all this configuration will work for Spring Boot 3, but that is the difference between Spring Boot 3 and Spring Boot 3.1: Spring Security 6.0 and Spring Security 6.1. Right now all this configuration we are doing with Spring Security 6.0, and then I will upgrade, okay? So right now you can use all these methods to configure or customize your HTTP request. Now I'm going to use this request, authorizeHttpRequests. Previously, if you have taken my older course, you might be using this request, authorizeRequests, but this has been deprecated right now; do not use this one. So right now use this method, which one, authorizeHttpRequests. In the 6.1 version of Spring Security this is also deprecated, but we will be talking about it a little bit. But right now I'm going to do httpSecurity.authorizeHttpRequests(), okay, .anyRequest(), okay, .authenticated(), okay, like this. All right, so now what I mean by this: I want to protect any request which is coming to my website, and I want all of them to be authenticated. I'm configuring it using this authorizeHttpRequests, the same thing that I have done here, what the Spring Security people have done for me inside this class, okay? The same thing I have done: anyRequest, authenticated. Look at my code; I have done the same thing: anyRequest, authenticated. Let's just see right now what is going to happen. Let's just do Ctrl+S, let's just restart my server, and let's just see whether all of our endpoints are protected right now, okay?

So, yes? Yes, I'm a little confused, honestly, because I think I have not attended the last class. It doesn't make sense to me why we are overriding the Spring Security bean, and also what is
that in-memory... Yeah, yeah, Arch, we have discussed all those things in the last session. Yeah, maybe it's not comfortable. That's what, Arch, I told everyone: that you have to be very consistent with the Spring Security thing; if you miss one session, there will be a problem. I completely understand that, like, for that daylight saving thing, and you are from a different time zone, and maybe your day job is overlapping with this, or maybe it is too late for you in the evening. Maybe you can just, you know, cover those three sessions, Arch, if you can, in the weekend, right? Just focus on the things that we are discussing right now; don't stress pretty much about the things that we have done previously. But yeah, take time in the weekend to go through all the other lessons; like, I think only two lessons we have covered on Spring Security, okay? Take time in the next four days and practice them, and I think things will make sense, and just discuss with me in our call that we're going to be having, if you have any questions on this, okay? But yeah, this is making sense to the other people, right? Can you just... like, people who have joined earlier, Anil, Anju, can you just confirm? Okay, Digna, ah, yes, yeah, yes, right, okay. Arch, it is very simple, right? Like, someone with your caliber will catch it very shortly, so just go through those lessons; you just missed them, and that is the problem, okay? So just, yeah, just watch them for a couple of... like, in a couple of lessons I think you should be okay.

Okay, now look at that. Yeah, now look at that, what is happening: all of our endpoints are protected, right? But look at that, all of our endpoints are protected; we are not getting the data here. Hi, bye, hello: this is not returning me any data, but it is saying access denied. It is not prompting me the login page; it's protected those URLs. See, I'm not getting the data back, right? Whenever I'm saying hi, hello, bye, by default right now all of my
requests need an authentication, right? And that's why it has protected all my resources. But I'm not getting the login page, right? It is saying the server understood the request but refuses to authorize it. I understand that you are trying to access this particular endpoint, but I could not authorize you. Obviously it cannot authorize me, because obviously I'm hitting an endpoint which is protected and I'm directly hitting it; I'm bypassing the login. That's why it is saying: okay, you bypassed the login; I understand what you are trying to hit, but I cannot authorize your request and I cannot give you the response for this particular endpoint. And that's why we're just getting the 403 Forbidden. And what is the problem that is happening? We are able to protect our endpoints, but what is the problem, what is the thing which is missing over here? Anyone? Login page, right? If you're going to see right now, a login page is not there; our default login page generator filter is not there. I have to activate that, and how can I activate it? I have already told you how I can activate it: .formLogin. Right now let's just see.

Yes? If you form login, the authentication will come automatically, right? Exactly, exactly, let's just see. Write that... no need to write the code? You write now, authentication... all request authentication not prepared? No, no, no, no, no, one second. This one will protect your endpoint; this one will generate the login page. If you're going to only write this, it will give you the login page only, right? But that login page will only be used once you have some request which needs the authentication. For an example, right now, hi: I'm directly able to access them because this doesn't need any authentication details. Maybe if I write /login I'll be getting this page, because this page has been exposed by Spring Security, but this page will only be populated once you're going to be trying to access any secured resources. Right now, this hi, hello, bye,
these are not secured, right? Digna, understood? Okay, now let me activate them. Now I have secured all my endpoints and I'm activating the form login. Let's just see what is going to happen right now. Let it reload the changes, and, okay, let it reload the changes once. Okay, so I will go to my web page. Now I'm going to be hitting hello: no, you cannot log in, you cannot access. Hi: you cannot access. Bye: you cannot access. You have to give the credentials right now. Let's say I'm hitting hi; I have to give the credentials, let's say Akil and Akil here; do a sign in. Now I'll be able to log in; now he can use bye, now he can use hello, now he can use any of the endpoints, right? So we have activated this particular thing.

But what about if we access something from REST? Let's say if I'm going to do a send; I have not selected anything over here. Let's just see what is going to happen, okay? See, it is not helping me. So right now it is just throwing me a login page, which is useless, because when I'm hitting it from, like, if I'm hitting it using my Postman, my Postman internally is making a call. I told you guys, right, in our REST sessions: hi endpoint, we made a call, and this is an HTTP request, okay? This is an HTTP request; this is some different type of request. This is not, like, you know, we are hitting from a web browser; we are hitting it from a REST client. So you can copy this and you can hit it from a terminal also. In the terminal it is impossible, like, you know, that you'll be filling in the details for the username and password, because the request will mostly go like this: this is your request, you can copy and paste it in your terminal window and make a hit. So at that time, that kind of thing will not make sense, right? This kind of thing does not make sense; this is what we don't need, right? So I do not want to provide my username and password in a login screen like this, right? So this is what it is going to give you in
a response: the login page, the default login page Spring Security is creating. Now, to activate that filter that we are looking for, what is that, HTTP BasicAuthenticationFilter, which will be responsible for my REST kind of thing. Here also, if you want to go over here and if you want to look for the basic authentication, and if you're going to give the details, Anil, Anil, in the username and password, still, see, you are not going to get those things; you are still going to get this login page. This is what it is giving you in return. But right now let's activate that filter as well: httpSecurity.httpBasic, or something, httpBasic. Now this is going to activate that filter. So let's just reload the code; I think this is there. And let me just try with the basic auth, with no auth; I do not want to provide any authentication. Now look at that: this is not giving me the login page now; the BasicAuthenticationFilter is there, okay, and protecting me, there you go, protecting my resources when it is being hit by a client like Postman, right? And now if I'll be giving the basic auth, and if I'm giving the username and password, do a send, and there you go, okay? So your filters are in action right now, and you have created your own security filter chain over here, okay?

So, okay, so far is it making a little bit of sense, guys? A little bit? Yes. I cannot hear you properly, Felix; can you come again, please? What happened? Approach? CSRF, CSRF, okay. I haven't gone to the CSRF stuff yet, Felix. CSRF stuff comes whenever you are hitting a POST request; all my requests are right now GET requests, right? So the cross-site thing, that thing we will cover, right? Just let me introduce all these things, then we can go into that. I know that you have completed them previously, so you have curiosity, but even, you know, Felix, even these things will not work in the latest versions. And to everyone: all these things are possible right now; you have
created the Spring Security filter chain and everything looks good; you can use this in your application as well. But this is not right, right now, because most of the things have been deprecated in the 6.1 version of Spring Security. Now, before we go for that, are these things making sense? Whatever we have written here, is it making sense or not, guys? Can you confirm me once? Hello? Yes? All good, everything is making sense, right? Okay. Before I'll tell you about the versioning thing, how much time do I have? 8:20, okay. All right, that's good, maybe we can continue from here, we can have a conversation.

Yes, question? Yes: suppose we are creating a custom login page for our application, and in that case we want to authenticate, so how can we do that? Instead of form login we need to do something else? No, here only form login, and you're going to be giving your login page and you can customize your things like this: your login page request will go like this, let's say /my-custom-login, and you will be creating a login page for this URL which will be returning that. Okay, but these are the things which have been changed, Sunil. So the same thing is there, but I'm thinking how to introduce it.

Okay, so right now I hope that we understand how all these things are basically working, but now we have some specific requirements. I want you to see and analyze this requirement before you move to the next part. Okay, for an example, right now all the requests which are coming to our server are authenticated, right? But I do not want to authenticate all the requests; rather, any request which is coming to my server right now should be permitted. Imagine my client has a crazy requirement like this: he doesn't want to authenticate all the incoming requests, rather he wants to permit them. In that case I can just write permitAll, and this will make sure that any request which is coming to your server is permitted and it doesn't need any authentication, and that's why we have removed the .authenticated() method. Okay, this method we removed and we replaced it with the permitAll() method, like this. Okay, now this will do what? If I'm going to restart my server, this is going to do what? If I'll go to my Google Chrome and if I'll go to any of the endpoints like /bye, you can see it is permitted; /hi also doesn't need any authentication; let's say /hello, this also doesn't need any authentication, right? So right now all the requests are permitted because I have used this method called permitAll.

Now what about if I want to use some method like denyAll? The method says everything, every request coming to your server, is right now going to be denied, because I have used the denyAll method. Now you can see, if you want to hit /hi, see, it's giving you the login page, it is securing it, but right now if I'm going to give the username and password, see, it is just giving me Forbidden. Okay, not only /hi; I think I won't be able to access any endpoint, like /hello. I'm already authenticated, so it is not prompting me the screen, but /hello is also denied by the server, and likewise if I'm going to write /bye, /bye is also getting denied by the server as well. Okay, so these are the three important methods: denyAll, permitAll and authenticated. You need to understand the differences between them. denyAll is denying all the requests, permitAll is permitting all the requests, and authenticated is making sure that any request which is coming to the server is authenticated.

Okay, right now let's say I have a requirement, and the requirement is like this. Let me just remove this part. Let's say the requirement is: the /hi request should be authenticated, okay; the /bye request should be denied for all, it should be denied whenever you are going to access it; it doesn't matter if you are the admin or you are the user or whoever you are, if you're trying to authenticate and you are hitting the /bye request, then you should be getting the denied response, right? It should not serve you the /bye request; my server should not serve you the /bye request. And the /hello endpoint... like this, /bye is denied, and the /hello endpoint, let's say it is permitted for all, okay, permitted for all. Let's just check how we can achieve it. How can we set up everything? We can set up everything by configuring the HttpSecurity object. Copy that, and let's just go to our filter chain, and right here I'm going to say httpSecurity.authorizeHttpRequests(), this one with the empty parameter. Later I'm going to be changing it to this one; make sure that this one is deprecated in newer versions of Spring Security. I'm just giving you some example and making you do some practice with this, but I will be changing it in some time; in the next 10 or 15 minutes I'll be changing my Spring Security version as well and I'm going to be upgrading to all the latest versions. Right now I'm using the Spring Security 6.0 version for my project.

Okay, coming back to the requirement: authorizeHttpRequests(). I want to intercept my HTTP request and I want to check the request which is coming to my server. I want to match that request; if it is matching with the request matcher I'm going to be matching, and if that request which is coming to my server is /hi, then I'm going to be making it authenticated. Okay, so now I'm matching the incoming request /hi by using the requestMatchers method over here. Okay, so the next one, let's say httpSecurity.
authorizeHttpRequests(). Okay, now the request I will be matching which will be incoming to my server: if it is /bye, then I'll make sure this is permitted, right? This is permitted for everyone. And like that, the /hello requirement that I have, I'm going to be saying httpSecurity.authorizeHttpRequests().requestMatchers(), and I'm going to be matching: if the request is incoming and it is /hello, then make sure nobody is going to have access to that, okay, denyAll. Right now I have all these things ready, let's just test this out, if it is working fine. So let me restart my server.

Okay, now let's just check the console. I think there is some exception. Yes, there is some exception, my server is not able to start right now. I think all my requirements, all of my code that I have written is fine; it's just like /hi should be authenticated, /bye should be permitted, /hello should be denied, right? But why am I getting this exception? The exception says no bean definition exception. No bean definition exception, that means it is looking for a bean and that bean is not present: a bean named mvcHandlerMappingIntrospector. For this bean I think it is looking inside Spring Security: "please ensure Spring Security and Spring MVC are configured in a shared ApplicationContext". It is giving us some crazy exception, but what I understood from here is that a bean mvcHandlerMappingIntrospector is not available; I think Spring Security is looking for it behind the scenes. Well, this bean you don't have to create if you're using Spring Boot, but just for now, just to make my application work, I'll be creating this bean. So this bean, right now, my Spring Security application is looking for, so if I'll simply create this bean I think I'll make my code work. So don't try to understand what this particular thing is doing, let's just simply create that bean. Okay, so I'm going to be creating a bean of HandlerMappingIntrospector, let's say HandlerMappingIntrospector, and let me just create the object for this: new HandlerMappingIntrospector(). And I'll be creating the bean for this as well; I'm going to be writing @Bean and here I'll be defining the name of the bean, and the name of the bean which my framework is looking for behind the scenes is this one, so I'll paste it over here. Okay, so just create a bean like this, I think things will be fixed. Let me just save this and let's just try to run the same example.

Now my dispatcher is trying to restart again, and my server has been started successfully. Now let me just try these endpoints. So I can just go over here and I can just look for the /hi endpoint: this is authenticated, I have to log in in order to access the /hi endpoint. Let's say /hello. Now /hello is, let me see... /hello is denied for all, okay, so I should not be able to access the /hello endpoint. But whenever I'm trying to access it, it is still prompting me this page, but I think if I'm going to be giving the details over here, this is denied, right? So anyhow it is working good. Let me just do logout and let me just go out of it, and now let's say I'll be trying the /bye endpoint. For /bye I have not specified any security, I think it should be accessible for everyone even without giving any authentication for this. Okay, and let's just check /hi one more time: it is prompting me the login page and I'm going to be logging in with some user, and I am logged in. So /hi needs an authentication, and once we have successfully authenticated, the server is serving me this particular endpoint and giving me a response back. I hope this thing is making sense to you guys, a little bit.

All right, so right now let's say we have a requirement: if we have /hi, okay, and let's say my client says okay, /hi and /hello both need to be authenticated right now, don't try to deny it. So let me remove this guy right now, and let's say I want /hi to need an authentication and /hello is also needing an authentication. So maybe I can do the same thing, one second, let me just do this. I can do the same thing for /hello, and instead of denyAll I can just keep authenticated over here, and now my /hello also will be authenticated, something like this I can write, right? Let's just do Ctrl+S. If I'll come over here, if I'll be writing /hi, okay, let's say I'm going to write akil and akil, I'm able to log in, which is good. Now let's just try to do a logout. Let me just try to hit the /bye endpoint as well; okay, /bye is permitted for all. Let me just try the /hello endpoint; the /hello endpoint right now I made it authenticated. Okay, now let's just come over here and look for akil, akil. Previously, even after a successful authentication it was denying my request; right now I have written the authenticated method there, now I can see "hello everyone" is coming over here. So now /hello and /hi both are authenticated, right?

So instead of making them two lines, you can see the requestMatchers method, if you're going to come over here, it is taking multiple arguments, it is taking multiple string parameters. So instead of creating a new statement for this I can simply write /hello over here, okay. Right now let me just restart my server and let me see whether this line of code is working or not. Okay, let's just check this out. So right now /hello is authenticated, /hi is authenticated, /bye is permitted for all. I hope now this couple of sentences is making sense right now, and this requestMatchers we are using to match the incoming request pattern, and if the pattern matches we are defining our method in order to give them access, or in order to deny them, or in order to make them authenticated. I hope these things are making sense a little bit.

All right guys, one last thing here. So you can see I have defined this particular bean, because without this we used to have some crazy exception and our server was not bootstrapping. In case
you do not want to write this particular bean, you can also do something else. I just want to tell you about this, so without writing this bean you can also fix it in this way, I feel. Here, instead of taking the requestMatchers... so right now inside this requestMatchers we are using this method; I think there is another requestMatchers overloaded method, not this one I'm looking for, I'm looking for another one. Look, let's just see, like requestMatchers... this is also requestMatchers, yeah, this one, look, this is taking a bunch of RequestMatchers over here, okay. So I think if you're going to go to this RequestMatcher, there is an implementation there called AntPathRequestMatcher. I can use this class directly. I'm not telling you to do it, just showing you there is another way around to fix that issue if you don't want to write this particular bean. You can do something like, I think, AntPathRequestMatcher: this method is taking a number of RequestMatchers, and this is one of the RequestMatcher implementations that we have, and here we have a method called antMatcher, okay. So use this antMatcher method and just wrap this up like this, all right, and do the same thing for the other request as well. I'm going to copy this out, and for this request also do a Ctrl+V and wrap this up like this. Okay, antMatcher, just put it inside this antMatcher method and make it authenticated. I think this should work, okay.

And I think even you can just simplify it a little bit: so right now instead of writing AntPathRequestMatcher.antMatcher you can also do one thing: this antMatcher is a static method, so you can directly do a static import. If you want to go to the top, right now this is the class from where I'm using the method; you can have a static import, just do a .* like this, okay. Scroll down to wherever you are defining this; now you remove this AntPathRequestMatcher from here and directly use the antMatcher method like this, and from here also you can remove the AntPathRequestMatcher like this and directly use the antMatcher and pass your URL like this, and this should not bug you and this should not give you this exception, what I feel. Okay, so now you can come over here, you can do the same thing for the /bye URL as well; I'll just wrap this up with the antMatcher and just pass your string URL inside this, okay. I think this should also fix the issue; nothing else, I just used this method and passed my URL within this. So let's just see if the things are working fine, and I think my server has started without a problem right now, so I can go back and I can just test the same thing: /bye is never protected, /hello is protected and /hi is protected, and everything is working good, it's prompting me the login screen, okay, which is good. But I will stick to my previous approach, so I'll remove this and I will just remove the antMatcher from here, because this will make my code look a little cleaner. Cool. I hope everything is making sense to you guys right now.

But now let's just discuss the real problem here. So if you can see, the version that I'm using for Spring Security is 6.0.0. All my Spring jars that you can see over here all are 6.0.0 jars, even my spring-security-config, spring-security-core, spring-security-crypto, web; I think all these jars are 6.0, and also my Spring Framework jar for the Web MVC framework is also Spring 6.0. And right now this is happening because I have mentioned my Spring version as 6.0 only. This is the new version, this is the latest version of Spring, and right now Spring release 6 is going on. So now all the Spring versions that I have provided for Web MVC, you can see this version points to this one, and my security versions like spring-security-web: here only I have defined the version; if I'm going to click on this, this is where I have defined the version, so the version is inherited, and this means it is 6.0 that I have defined globally. Okay, so right now
knowingly I have done that whenever I have started this course, because I wanted to show you the differences. Maybe if your project just migrated to 6.0 you might not see any issue if you have code like this, but if you are using the latest version of Spring then you're going to be having a problem, okay. I'm going to tell you how. Let's just go to the Maven repository right now, okay, and right here if you want to look for the Spring MVC version, let's look for spring-webmvc, the latest version that we have. If I'm going to go over here and go to the latest version of spring-webmvc, look at the version right now: it is 6.0.13. This is the latest build. Maybe we have used this version... if we have used this one right here, okay, it's an older version released in 2022. Today it is 17th November 2023, so the latest release as of now we have is 6.0.13. So if I'm going to go to my pom.xml, let me just close all these internal classes. So now here my Spring version, where is that? Right here it is 6.0.0; let me change it to the latest version right now which is 6.0.13, okay. So I will copy, I'll go inside this, copy this version only, this one, Ctrl+C, and go back to your application and change this version to 6.0.13, okay. So this is the Spring version, let me just save this.

For Spring Security, if I'm going to look for now my spring-security-web, my spring-security-config, it is also pointing to the Spring version that I have defined on the top, the Spring version that I have defined right here. But if I'm going to go to Google Chrome and look for the Spring Security latest versions, let's see what is their version number and whether the latest Spring Security jars that we have are also from the 6.0.13 version, let's just check that. Okay, so Spring Security, let's just check for all the security jars that we have, like core, web, config, okay, let's just go to the core one, okay, look at the version number: it is 6.1.5. And what is the version we have used over here for the Spring version? This 6.0.13. So for my Web MVC I'm using the latest version; where is my Web MVC? For this I'm using the latest version, but my Spring Security is already complaining, you can see that. Let me just stop all this thing because my server is going to complain right now, okay. So now for my Spring Security, all my Spring Security jars that we have, or dependencies that we have, have started complaining, right, because there is a version issue. And this version I can happily use for my Spring Web MVC because that's the latest version, but for my Spring Security I have the latest version as 6.1.5, and maybe this is complaining because this version that we have used, 6.0.13, is never available for Spring Security jars, okay. So my latest spring-security-core version is 6.1.5; let's just check for spring-security-web, what is the latest version number or build number: 6.1.5; for spring-security-config it is also 6.1.5. So maybe I can create another specific version over here; I'll make a dynamic one over here, spring.security.version I'm going to write here, and this one I'll be making sure is pointing to 6 point... what is that version number, what is the latest Spring Security version number? It is 6.1.5, okay, let's just update to the latest version 6.1.5. Okay, so I have my Spring version and this is my new Spring Security version. Copy this, and for all the Spring Security ones, web, let's just change this to spring.security.version; this one also let's just change it to spring.security.version, and this one also let's change it to spring.security.version, okay, like this. So my core, my config and my web all are pointing to this version right now, which is 6.1.5, which is my Spring Security version, and this Spring version I'm only using for my Spring Web MVC, because that is the latest one for the Web MVC jar.

So what we have got to understand from here is that our Web MVC version for Spring is not in sync with the Spring Security version: Spring Security is currently having the build number 6.1.5 and the normal Spring is running in 6.0.13, okay. And if I'm going to do Ctrl+S, I should get rid of all these errors right now; see, it is gone. And also you can cross-check that, if you want to go to the spring-security-web jar, this is the internal project jar of Spring Security web; if you are going to go over here, see, it is already using all those versions, 6.0.13 for spring-beans, spring-context, for the container they are using 6.0.13. So I can ensure that right now, if I'll go back, I will ensure that right now all the versions that I have added, this version that I have added, 6.0.13, is compatible with this Spring Security version, because the Spring Security configs or cores, if you're going to go inside this, internally the Spring projects they are using, they are using the latest version of the Spring Framework, which is 6.0.13. So just make sure that the build numbers are not in sync when it compares to the normal Spring jars like spring-webmvc, spring-context, spring-beans, and the Spring Security framework: it is having a separate build number which is not matching with this. That's why I've created a couple of dependencies over here, okay. Now everything is looking good; now we have upgraded to the latest version of Spring.

So now let's just do a Ctrl+S and right now let me just grab all the latest, and I'll go to this file, and boom, just see: right now we have the issue for each line of code that we have written, because the Spring Security 6.1 version is not recommending us to use this kind of method, authorizeHttpRequests(), formLogin(), httpBasic(); rather Spring Security 6.1 is recommending us to write all this code, the deprecated methods that we have, in Lambda DSL style, okay. I'll tell you what I mean by Lambda DSL style. Basically right now they are encouraging us, instead of writing like this... I will explain you everything, don't worry about it... it should be something like this: let's say httpSecurity.authorizeHttpRequests(), don't use this one that we have used over here, use this one, okay, and this one takes a lambda over here. Along the way I'm going to be explaining you every detail about it, but remember that they're encouraging us to write this method, and here they're asking us to take some customizer over here, like this, and they're asking us to write our call like this, okay. They do not want us to write a call like this, rather they want us to write a call like this, and here they want us to do all this thing. Now you can just take this
customizer over here, do a dot, and you can just put the same thing over here, like this, Ctrl+C, paste it over here, okay. And I can do something like this: customizer, okay, dot, and just use the requestMatchers, permitAll, Ctrl+C, Ctrl+V, something like this. So instead of this code they want us to write code like this, using this method, the method which takes a Customizer interface as a parameter, not the method which takes nothing inside it. So right now, from now on we're going to be coding with this method, okay, which takes some lambda style of coding we're going to be doing over here. I'm going to be explaining you each line of code right now.

Now I think I have upgraded everything; let's just go to our configuration. Now look at that, and now you understand in your group why people are freaking out who are following my previous Spring Security course, because they're getting deprecated messages like this, okay, and a lot of things have been changed. Now Spring Security is saying you can keep on using this kind of thing for the next couple of years till the Spring 7 version, Spring Security 7 version, will come; till then you can use them, but this will be deprecated. If you are going to go to this method you can see forRemoval = true, that means it will be removed whenever the Spring Security 7 version will come. So if you have code like this in your office application, if you used to configure things like this, this is the time to upgrade. Now how can we upgrade right now, how can we change all this thing? See, now Spring Security is focusing on Lambda DSL style writing, okay, so that it will be good for reading purposes, and some chaining thing we can avoid; I'll be telling you what I mean by that, why Security people are forcing us to upgrade to some new methods. They're saying instead of using this authorizeHttpRequests method, this one, you can use the overloaded version of it, like this: httpSecurity.authorizeHttpRequests(). If you want to authorize all the requests, just do authorizeHttpRequests, but use this one. This one takes... see, previously we used to use this one, the previous one, this one, okay. Only look at the method name, guys, don't get mad by looking into the return type right now. See, this doesn't allow anything in the parameter, right? But this one, the new method that they are recommending right now, this one allows... this has one parameter. There is a long thing, maybe you're going to get mad if you are not good in generics; don't worry about it, not at all worry about it, just understand it is taking one thing in the parameter, and this is taking a Customizer in the parameter, okay.

What is this Customizer? This Customizer is a functional interface which has two methods: there is a method called customize, if you want to customize anything, okay, and there is a withDefaults method if you want to set all the default things, okay. So for an example, if you're going to use this Customizer interface right now to customize any of your requests, what they are saying is, inside the authorizeHttpRequests, instead of giving the parameter like this, you have to give a Customizer parameter. Customizer is an interface, right? You have to create an object for that, like this, Customizer, like this. But Customizer is what kind of interface? This is a functional interface, right? This interface has only one abstract method; you have to override this and give it an implementation. I will just tell you the same thing: no need to look at the class name and what it is having right here, we just need to understand inside this interface there is one method over here called customize; only look at the parameter, it is taking one parameter, I will call this as, let's say, customizer, okay. Just focus on this: Customizer interface is the interface we have to create an implementation for, so right here I'm just overriding the method that I have inside the Customizer, that's called customize. It's a void method and it takes one argument called customizer. Now, using this argument you can write like this, okay, I have this argument customizer. Guys, just focus on the next five minutes, I will be removing all this thing, this is just for your understanding, just look at this line of code: customizer.anyRequest().authenticated(), do things like this. Now you might say okay, well, how is it helping, this looks so ugly? But yeah, let's just do one thing: this Customizer is a functional interface, right, so we can write lambda style syntax over here. So we can remove the method signature that we have over here, okay, the method name, the method return type, everything we can remove, the class name, everything we can remove, just like this, delete it, right? This is the parameter name; give a lambda symbol over here, and now we can simply remove this guy. So instead of this you can customize like this, right? You can customize other requests also, like someone was asking, okay, I want to customize another request. Let's say I want to customize the /hi request; I can customize like this: customizer dot, let's say I want to intercept a request called /hi, .requestMatchers like this, and I can give my request like this, /hi, and for this I want to permit all the requests, so I can just do permitAll, okay. So right now using the Customizer interface I am customizing my HTTP requests. I'm saying that okay, for the /hi request allow the access for everyone, there is no need for any authentication, but for any other request make it authenticated.

All right guys, so right now as we have upgraded our projects to the 6.1.x version, as you can see the formLogin and httpBasic are also giving us a strike-through mark over here. What does it mean? That these methods have been deprecated from the Spring 6.1 version and marked for removal; that means in a near version, that means in the Spring 7 version or Spring Security 7.0.0 version, these methods will be removed. So if you're going to keep on writing code like this, then when your project will be upgraded to the latest version of Spring then you'll have compilation problems. So make sure, to be safer, even if we are coding in the 6.0 version or 6.1 version, you write your code like this: whenever you're activating the formLogin and httpBasic, just pass in a Customizer.withDefaults(). What this will do: this will configure your form login and HTTP Basic with Spring Security defaults, okay. And the meaning, why they are giving us these methods: these are the overloaded methods that we have over here, so we also have a formLogin method without a parameter and also we have a formLogin method which takes a Customizer interface, if we want to customize our form login. For an example, here I do not want to customize anything, I just want all the defaults given by Spring Security, like I want to use the default login page which is getting populated whenever I'm trying to sign in, and I want to use all the defaults; that's why I'm using this withDefaults method, which is a static method present inside the Customizer interface, which instructs the framework that this guy wants to use all the default things that the framework is exposing. But let's say if I have a custom requirement, like I want to customize the form login with my custom login page that I want to create, I do not want to use the Spring Security login page, rather I want to use my own login page; that time I might need to customize this formLogin method with a Customizer and I have to do something, and we will see those things later. But for now, if you want to fix this deprecation thing, you can stick to this approach, okay.
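The configuration built up in this lesson, written out in the Spring Security 6.1 Lambda DSL style recommended above, as an added example that is not the course's own code: /hi for any authenticated user, /hello for the admin role only, /bye open to everyone, form login and HTTP Basic with their defaults, plus the antMatcher(...) alternative to the mvcHandlerMappingIntrospector bean. The in-memory users akil and anil, their placeholder passwords and the BCrypt encoder are assumptions standing in for the users created in the earlier lesson.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Spring Security 6.1 Lambda DSL: each configurer takes a Customizer.
    // The no-argument authorizeHttpRequests()/formLogin()/httpBasic()
    // overloads used earlier in the lesson are deprecated and flagged
    // forRemoval in 6.1, so they are not used here.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Rules are checked top to bottom; the first matcher that fits
                // the incoming request decides, so specific paths go before the
                // catch-all anyRequest() rule.
                .requestMatchers("/hi").authenticated()           // any logged-in user
                .requestMatchers("/hello").hasRole("ADMIN")       // ROLE_ADMIN only; anil gets 403
                // antMatcher(...) builds an AntPathRequestMatcher directly, so it
                // does not need the mvcHandlerMappingIntrospector bean that the
                // String overload looks up when Spring MVC is on the classpath.
                .requestMatchers(antMatcher("/bye")).permitAll()  // open, no login needed
                .anyRequest().authenticated()                     // everything else: login required
            )
            // withDefaults(): keep Spring Security's generated login page for browsers
            .formLogin(Customizer.withDefaults())
            // and answer REST clients such as Postman with a 401 challenge
            // instead of the HTML login page
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Assumed stand-in for the users created in the earlier lesson
    // (placeholder passwords): akil holds ADMIN and USER, anil only USER.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails akil = User.withUsername("akil")
            .password(encoder.encode("akil-demo-password"))
            .roles("ADMIN", "USER")
            .build();
        UserDetails anil = User.withUsername("anil")
            .password(encoder.encode("anil-demo-password"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(akil, anil);
    }
}
```

With this chain in place, a browser hitting /hello as anil logs in successfully and then receives 403 Forbidden, while a Postman request without credentials gets 401 rather than the login page.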
Guys, that's it for this video, and now let's just go ahead and hear some of the questions from the audience. Well, you might see some patch work in this video, just like this voice-over you are hearing; I'm doing it after the video has been recorded, because there was some issue that happened in the live and the complete video was not recorded, that's why I'm re-recording it.

Okay guys, this much of things is making sense? What I have done over here, is it making sense, guys? Yes. What if you comment line number 76? Line number 76, 75, like if you comment any of it? Okay, line number 76, this one? Yeah, what role is it playing? I forgot. I think, yeah, this will just activate the login form. If you're going to comment out this, obviously this will be permitted for all, but the other two will be needing the authentication, as we have written this .authenticated(). One second, so this one, if we're going to go and write /hi here, you should be able to access that, but the endpoints which need authentication, that will not prompt you the login page, right? That's why, to activate the login page, I have done like this, okay. But if you keep only one of it, like formLogin on, form login is fine; if you're going to keep one of these, the form login will appear, but whenever you'll be logging in from, let's say, from here on, you'll be trying... got it? Yeah, right, that time you need to provide the authentication. The Customizer, formLogin is their method... Customizer, formLogin, written... Customizer, request matchers for all, right, like that? Oh okay, like formLogin, it can be used only on top of HttpSecurity? No, it's not like you can only write formLogin over this HttpSecurity object. It can obviously do like this, or you can just do something like Customizer.withDefaults(), you can obviously do that. Apart from that, I think you can do something like this; let me just do something like this: authorizeHttpRequests, okay, take the one which takes a Customizer as an argument, okay, this is to filter out all the requests and customize them the way you want, right, over here, and on top of this I think it can also use a formLogin, something like that. Let me just show you how we can do this. For an example, this is my customizer, and I can take this customizer right here: customizer.anyRequest().authenticated(), and on top of this you can just do .formLogin(), and also you can just write your formLogin like this; this is also a valid piece of code, ignore the warning it is giving me right over here. But you can write something right over here: it can just concatenate and join it like this, and it can take another Customizer object like this, let's say customizer, and then just do .withDefaults() if you want to stick with the default configuration. And in a future video we will learn, if we will customize the form login, you can just do loginCustomizer; this is going to be a Customizer you're going to be taking as a reference, and then you can just do various configuration over here inside this. For an example, you can take this loginCustomizer that you have defined and over here you can set, okay, what is going to be my login page; let's say you do not want to use the Spring Security login page, you want to create your own login page, then define your login page over here, right? You can do various configuration; we will see later in the course how we will be doing it, but yeah, various things you can do with the form login Customizer later. But right now, as we haven't studied about it, I'm going to stick to the default. You can either make it blank; if you want to make it blank then make sure that this method will be removed in Spring Security 7, so you might have problems, so it's better to define the default configuration over here. If you're not defining anything specific for the form login, with the withDefaults method you can just do Customizer.withDefaults() if you're not customizing your login form. If you are planning to stick with the default, don't leave it blank, just give this guy and just chain this formLogin along with this particular method, okay. So you're going to be seeing this kind of pattern a lot. Over here also you can do .httpBasic() and here only you can just do again Customizer.withDefaults(), right, like this only you can keep on coding, right? So it is absolutely fine if you're going to remove this if you're using the 6.0 version, if you're going to remove this thing, but later you may have problems, so this is going to be a safe option if you're going to be coding right on 2023 and beyond.

If you want to restrict one page, then how to do... restrict /hello so it is only accessible for admin? Yeah, then same thing: /hello is only accessible for admin, then we will be learning about this in the next class; you can just do .hasRole and just put ADMIN over here; now /hello will only be accessible for admin. Let's say right now I have two users: I have a user called Akil, I have a user called Anil, right? Anil has only the user role, Akil has both the admin role and the user role, so Akil has the admin role. So if Akil has the admin role, Akil only can access the /hello endpoint; Anil cannot access the /hello endpoint because Anil does not have the admin role. Let's just check that. If I'll go to /hello and do an enter, it is asking for login, but let's say Anil is logging in: anil, anil, and Anil will not be able to access the page; even after he logs in he'll not be able to access the page, because he does not have any role for this. But let's say Anil logs out, okay, and Akil is trying to log in like this; now Akil should be able to access the /hello endpoint. Let's say if I'm going to write /hello, he'll be able to access it, right? So if you are writing this, if you're writing like this right here, /hello, hasRole, there is no need to write authenticated after it, right? But if you don't want to specify any role, if you're directly writing authenticated, that means anyone who is authenticated, who has provided the username and password and logged in, they will be able to authenticate this particular endpoint, or once they log in they will be able to see this particular endpoint. Making sense? Yes, yes. Yeah, but we'll be going into that pretty much in detail in the next session.

Any other questions, guys? Did you change the version to 6.0.0 for Spring Security? I think that I didn't get. Yeah, can you show the pom once? Just wanted to check the version. Pom: here I have just used the 6.0 version for everything, okay. This method is present in the 6.0 version also, right, but this is the recommended way; the other version, this one, is also... one second, don't get confused with the version. This one, authorizeHttpRequests, this version is working, it is not giving you the deprecated mark over here, but once you switch back to 6.1 this is deprecated and it is marked for removal from the 7.0 version, so don't use this, okay, use like this, okay. Making sense, guys? They introduced two styles in 6.0? Yes, right; in 6.0 it's not like... this method is there I think from 4 point something... since 5.5, see, they have created this method; they haven't forced us to use it, but eventually they are recommending this one and the other one they are removing. This one is also a new method only, 5.6 version, which takes no argument right here. Previously, if you see my old Spring Security course, we used to use this one, authorizeRequests only, not authorizeHttpRequests, and this they have deprecated, and I think this will be removed from the 7.0 version, so use this one to secure things like this in your code, okay. So practice this much; I will cover more things about this in the next lesson. Did I confuse you guys? Did I confuse you? No? Tell me. No, confused? Uh-huh. VJ, if we don't put any... yeah, yeah, okay, so basically if you remove these two lines
right 64 and 65 uh it's going to authenticate it everything right all the because it is not going to authenticate anything because you have not specified anything right oh yes sorry sorry so basically we are going to reach the end points right exactly you have to give either you have to give specific end point or you have to make like you know all the end points like customizer do any request do authenticated this is going to authenticate everything right now okay you can befic uh the way that I have shown you with that you can be specific right yeah yeah next question yeah AR yeah that's it that's [Music] it [Music]
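The configuration the Q&A circles around (the authorizeHttpRequests lambda DSL, formLogin and httpBasic with Customizer.withDefaults(), hasRole for the hello endpoint, and two in-memory users) written out as one complete Spring Security 6.1-style class. This is an added example, not the course's own code: the package name, the /hi and /hello paths, the user names anil and akil, their passwords and the BCrypt encoder are all assumptions for illustration, and the credentials are hard-coded only because this is a constructed in-memory demo.

```java
package com.example.securitydemo; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Our own filter chain bean replaces Spring Boot's default "everything authenticated" chain.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Recommended 6.1+ form: authorizeHttpRequests with a Customizer lambda,
            // not the no-argument overload that is deprecated and slated for removal in 7.0.
            .authorizeHttpRequests(auth -> auth
                // Rules are evaluated top to bottom; the first matcher that matches wins,
                // so the specific rules must come before the anyRequest() catch-all.
                .requestMatchers("/hi").permitAll()            // assumed public endpoint
                .requestMatchers("/hello").hasRole("ADMIN")    // hasRole("ADMIN") checks ROLE_ADMIN; do not pass "ROLE_ADMIN"
                .anyRequest().authenticated())                 // deny-by-default for everything else
            // Keep an authentication entry point configured: with neither formLogin nor httpBasic,
            // an unauthenticated request to a protected URL is rejected instead of prompting for login.
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Never store plain-text passwords; BCrypt is the usual choice for this kind of demo.
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed demo users: anil has only USER, akil has USER and ADMIN.
        // roles("ADMIN") stores the authority as ROLE_ADMIN, which is what hasRole("ADMIN") matches.
        UserDetails anil = User.withUsername("anil")
            .password(encoder.encode("anil-pass"))   // assumed demo password
            .roles("USER")
            .build();
        UserDetails akil = User.withUsername("akil")
            .password(encoder.encode("akil-pass"))   // assumed demo password
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(anil, akil);
    }
}
```

With this chain in place, /hi answers without credentials, an unauthenticated browser request to /hello is redirected to the default login page, a request such as curl -u anil:anil-pass http://localhost:8080/hello is authenticated but rejected with 403 because anil lacks ROLE_ADMIN, and the same request as akil succeeds. Two things worth checking in a real project: the catch-all anyRequest().authenticated() must stay last, because an earlier anyRequest() rule would shadow every rule after it (Spring Security refuses such a configuration at startup), and CSRF protection remains enabled by default, which is what you want for form login.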
Info
Channel: Selenium Express
Views: 9,840
Keywords: spring security, spring security authorization, spring security tutorial, spring security without the websecurityconfigureradapter, Configure HttpSecurity, Spring Security Master Class, spring security user authentication, spring security 6, spring boot security, spring security form login, spring security httpbasic, spring rest security, spring security architecture, spring security selenium express, selenium express, authorizeHttpRequests, spring security lambda dsl
Id: 0RbL5Ps2V-w
Length: 79min 40sec (4780 seconds)
Published: Mon Dec 11 2023