Backend Story
  • Videos: 1
  • Views: 25,241
Spring Security: Authentication Architecture Explained in Depth
#springboot #springsecurity #jwt
Blog post: backendstory.com/spring-security-authentication-architecture-explained-in-depth/
Github repo:
- Scenario 3: github.com/ugurcanlacin/backendstory/tree/main/spring-security-authentication-scenario-3
- Scenario 4: github.com/ugurcanlacin/backendstory/tree/main/spring-security-authentication-scenario-4
- Scenario 5: github.com/ugurcanlacin/backendstory/tree/main/spring-security-authentication-scenario-5
Hi! I’m Ugurcan, a software engineer based in Stockholm. You can reach me from one of the links below.
📝 LinkedIn: www.linkedin.com/in/ugurcanlacin/
🐦 Twitter: ugurcanlacin/
📂 Github: github.com/ugurcanlacin/
Equipment:
🎤 Microphone: Shure MV7 am...
Views: 25,250

Comments

  • @dr5832 · 21 days ago

    This is the only tutorial that was able to make me wrap my head around spring security. Great Job!

  • @obioraokwubanego4789 · 22 days ago

    super video!

  • @kannavsharma3288 · 22 days ago

    Best tutorial on youtube

  • @code_of_chords · 27 days ago

    Pleasure to be your 1000th sub 🍻🍻

  • @dmytroshmidt5981 · 3 months ago

    Thank you

  • @mustafakucuk1338 · 3 months ago

    Amazing video, this may be the best video on Spring Security I have come across so far

    • @BackendStory · 2 months ago

      thank you Mustafa, your comment made me happy

  • @86Saurabh1 · 3 months ago

    One of the top videos I have seen on explaining Spring Security architecture. I have seen that you have uploaded only one video on your channel. Do you have another channel, or have you stopped making videos? I hope it's not the second scenario.

    • @BackendStory · 2 months ago

      Unfortunately, I couldn't prioritise youtube. Something I need to work on to get back. <3

  • @ris9hi · 4 months ago

    I was expecting it like that, in detail; you fully cleared each and every scenario, well done, and I appreciate your time and effort. Just a suggestion, if possible: replace your security class with the latest Spring version, so you don't need to use the adapter class. Thanks again!!!!

    • @BackendStory · 2 months ago

      Glad it helped! Yes, I should release a new video with the upgrade. Meanwhile you can read this blog: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

  • @pranavarora724 · 5 months ago

    Thanks bro, it helped me fix a bug. Though I am using Spring Security 6, I still got help. Please, can you upload a video for Spring Security 6, because a few things have changed 😊

    • @BackendStory · 2 months ago

      Glad it helped! Yes, I should release a new video with the upgrade. Meanwhile you can read this blog: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

    • @pranavarora724 · 2 months ago

      @@BackendStory Thanks again 🙏🙏

  • @hackerman5764 · 5 months ago

    Please create more videos. You are amazing!

  • @kumargaming2913 · 5 months ago

    bro keep going, you are doing great... I have seen a lot of channels; everybody except some simply don't explain what's happening behind the scenes. Thanks for the clip.

  • @user-cz1et9fm8v · 6 months ago

    Thank you so much for this. Please can we have a follow up for authorities and granted authorities?

  • @coders_planet · 7 months ago

    You are good at teaching, make some more videos

  • @prasad51772 · 7 months ago

    I will recommend this video to anyone who wants to learn Spring Security in depth; the way you explained it is so cool and the diagram is so clear that everyone can easily understand what is what.. thanks man!

  • @codelearner8189 · 7 months ago

    😍

  • @depression_plusplus6120 · 8 months ago

    Haha...what a chad!... Just one video, JUST FRIGGIN ONE VIDEO TO RULE THEM ALL

  • @grayyeung757 · 9 months ago

    May I know what will happen if I did not set "SecurityContextHolder.getContext().setAuthentication(upassToken);" in Scenario 3?

    • @BackendStory · 9 months ago

      If you don't set it, then the request will not be authenticated, so the request can't access the endpoint. You can check the following blog to understand why: backendstory.com/spring-security-authorization-mechanism/

    • @grayyeung757 · 9 months ago

      @@BackendStory Thank you for the article. I would like to understand further: in Scenario 3, since the customJWTTokenFilter is now invoked before UsernamePasswordAuthenticationFilter, will the UsernamePasswordAuthenticationFilter still get invoked and fully run through its filter logic if the request is authenticated in JWTTokenFilter and setContext() is called? Will the result be different if we did not call setContext()?

    • @BackendStory · 8 months ago

      @@grayyeung757 Sorry for the late response. UsernamePasswordAuthenticationFilter will not be invoked if the request is authenticated. The reason for that is that UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter. If you check AbstractAuthenticationProcessingFilter, you will see that the doFilter() method checks whether the given request is already authenticated or not. I know this sounds a bit complicated, but things get easier once you debug these flows by putting breakpoints in Spring Security classes. So, I would suggest debugging these classes to check whether the behaviour is as expected.

    • @grayyeung757 · 8 months ago

      @@BackendStory Thank you so much for the guide.

  • @chetand3193 · 10 months ago

    Thank you for your efforts!!😄

  • @adigunolamide3230 · 11 months ago

    This video just keeps getting better.

  • @adigunolamide3230 · 11 months ago

    Hey, man! I just wanted to express my heartfelt appreciation for this tutorial. It has been immensely helpful in explaining the difference in implementation between normal login and JWT (JSON Web Token). The diagram you provided was a game-changer. Initially, I was utterly confused about how it all worked, especially since authentication providers usually handle the authentication logic. I couldn't understand why we would give the JWT authentication filter all the responsibility when we could simply write a JWT authentication provider. However, thanks to your clear explanation and the diagram, everything fell into place. It felt like a breath of fresh air, bringing much-needed clarity. Once again, thank you so much!

  • @pcccmn · 1 year ago

    I don't understand the UsernamePasswordAuthenticationToken's 3-args constructor:
    1. (username, null, new ArrayList<>())
    2. (username, password, new ArrayList<>())
    When to make credentials null and when not to?

    • @BackendStory · 1 year ago

      At 44:40, I first validate the JWT token, so we know that the username and password have already been checked before. This is because the user gets the JWT token after username and password verification. At 44:40, we validate the JWT token. Once it is validated, we do not need to provide the password. Short answer: provide the password for a login attempt; AuthenticationManager will need it to verify the user's authentication. You don't need to provide it for authorization if you are validating the JWT token already.

  • @DoIneedthishandle · 1 year ago

    Thanks for the great video again. It helped me add Spring Security authentication/authorization to my API. But I am now building another API and would like to use the same logic to add authentication there. For this, I don't want to simply copy/paste code and violate DRY. When it comes to Spring Security, would moving the Spring Security configuration class, the AuthenticationFilter and the AuthorizationFilter to a library and then simply reusing that library in both of my APIs solve this problem? I know how to create a library, but I am not very experienced with Spring Security and wonder if this is a good approach? Thanks again!

    • @BackendStory · 1 year ago

      Hey Dino, sorry for the late response. That's exactly how I used the same code over different codebases before. You can have a common library that handles authentication and authorization, and just import it as a dependency. So, it is a good approach. :)

  • @federico42o · 1 year ago

    I just found this great tutorial, very good. Will you make videos like this again?

  • @ataiabdiev2355 · 1 year ago

    THANK YOU FOR THIS TUTORIAL

    • @ataiabdiev2355 · 1 year ago

      I'm a little confused about UsernamePasswordAuthenticationToken. Why do we sometimes use this token with 2 parameters and sometimes with 3? What are the differences? And a last question: when we set the authentication in the context holder, is the UsernamePassword filter going to check for authorization again, or bypass it?

  • @cangozpinar · 1 year ago

    Best explanation of Spring Security I’ve seen anywhere over the past 5 years. Thank you very much

  • @szalaytamas3184 · 1 year ago

    26:45 heimerdinger

  • @jihedmechergui6144 · 1 year ago

    right to the point

  • @singh.karanbir · 1 year ago

    Such content deserves a +1 subscription

  • @armangasparyan9369 · 1 year ago

    Great video, please make more content like this !!!

  • @rodanmuro · 1 year ago

    I'm here to say thanks so much from Colombia. I've seen many videos about Spring Security trying to understand its architecture, and none of them have your excellent explanation (not even the Spring Security documentation). Thanks again!!

  • @adrian110288 · 1 year ago

    That was such a great video! Wish you'd create more videos like this in the future

  • @x2TruNation · 1 year ago

    This is a really good video, thanks for putting in the time to make it. Question on all of this, since Spring Boot 3 is out and there's some new ways of doing things (WebSecurityConfigurerAdapter for example), would you still recommend using this same approach you have provided in this video or would you recommend doing things differently? Also, what about encryption? You haven't included any sort of encryption in your setup, is this something that I should definitely implement? I am creating a backend for a web application I am creating, where I will be using a front-end framework like Angular to consume my API endpoints in the backend. In this case, is everything else the same once you have implemented this setup you have provided? For instance you have a custom user with a custom UserDetailsService and just go about things as you would normally knowing that the application is ensuring that only authenticated users are gaining access to the right endpoints? Bit of a noob question but this is pretty new to me. If there's any way I can get a little more guidance from you (potentially paid 1-1) do let me know as you seem very knowledgeable on Spring Security. Thanks!

    • @BackendStory · 1 year ago

      Hi! I will try to answer your questions paragraph by paragraph.

      I recorded this video for educational purposes, so I wouldn't rely on the code samples I shared in the video directly, since your requirements might be different. What I tried to explain is how things work under the hood. That was the goal. :) The framework changes over time, as you say, and WebSecurityConfigurerAdapter is the latest change. I wrote a blog about how to replace WebSecurityConfigurerAdapter. I believe you will find it useful as well: backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

      Regarding encryption, yes, you need to use it. I use BCryptPasswordEncoder in the video and can suggest it. It is safe against rainbow table attacks because it adds a random salt to the generated hash. If you don't know what hashing and salting are, this video is a great summary: ruclips.net/video/--tnZMuoK3E/видео.html&ab_channel=Seytonic

      You can use a custom UserDetailsService in most cases, yes. However, I need to understand your business needs first before giving clear advice. If you want a 1-1 meeting, please send me an email regarding this thread so we can schedule a meeting: ugurcanlacin@gmail.com

  • @debkr · 1 year ago

    Great tutorial. Please post videos on Single Sign-On and Oauth2/OIDC please. 👍

  • @user-yw8np2ph3w · 1 year ago

    thanks very much!! by the way, can you explain how a session is created, how set-cookie works and how to do session management?

    • @BackendStory · 1 year ago

      That's a great suggestion! I am adding it to my todo list.

    • @user-yw8np2ph3w · 1 year ago

      @@BackendStory and I also wonder what the code below means. Does it mean Spring Security remembers that this user is already authenticated, to avoid authenticating again when the request comes again?

      ```java
      UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(username, null, new ArrayList<>());
      authToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
      SecurityContextHolder.getContext().setAuthentication(authToken);
      ```

    • @BackendStory · 1 year ago

      @@user-yw8np2ph3w No, it is only a one-time thing for this scenario, because we use stateless session management. The code piece that you quoted authenticates the incoming request only in the request's thread, so the request can hit the controller class. When the controller class finishes its job, like calling underlying service or util classes, the request ends by returning a response. Once the response is sent, the SecurityContext is wiped from the thread. For every request, a completely new and empty SecurityContext is created, hence with no stored authentication etc. This answer might also be helpful: stackoverflow.com/a/67681782

    • @user-yw8np2ph3w · 1 year ago

      @@BackendStory Awesome!!👍👍👍
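
An added example, not code from the video or the backendstory repos, that puts side by side the two uses of UsernamePasswordAuthenticationToken asked about in the threads above: the 3-arg, already-authenticated token with null credentials that the JWT filter places in the SecurityContext, and the 2-arg, unauthenticated token handed to AuthenticationManager at login. It assumes Spring Boot 3 with Spring Security 6 on Java 17 (jakarta.servlet imports, Stream.toList()); JwtAuthenticationFilter and the TokenVerifier interface are hypothetical names standing in for the real JWT library.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

// Stateless JWT filter in the shape of Scenario 3: runs before
// UsernamePasswordAuthenticationFilter and, for a valid bearer token, puts an
// already-authenticated token in the thread-bound SecurityContext. Nothing is saved
// to a session; the context is wiped after the response, so each request starts empty.
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    // Hypothetical stand-in for the JWT library: subjectOf() returns the verified
    // username, or null for an invalid/expired token; rolesOf() returns its roles.
    public interface TokenVerifier {
        String subjectOf(String token);
        List<String> rolesOf(String token);
    }

    private final TokenVerifier verifier;

    public JwtAuthenticationFilter(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring("Bearer ".length());
            String username = verifier.subjectOf(token);
            if (username != null) {
                List<SimpleGrantedAuthority> authorities = verifier.rolesOf(token).stream()
                        .map(SimpleGrantedAuthority::new).toList();
                // 3-arg constructor => isAuthenticated() is true. Credentials are null
                // because the password was checked at login, when this JWT was issued.
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(username, null, authorities);
                auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // Always continue: with no authentication set, the authorization filter later
        // in the chain rejects the request for protected endpoints.
        chain.doFilter(request, response);
    }

    // Login side, for contrast: the 2-arg constructor builds an UNauthenticated token
    // carrying the raw password; AuthenticationManager hands it to the provider, which
    // checks the password and returns the authenticated (3-arg) form.
    public static Authentication login(AuthenticationManager manager,
                                       String username, String password) {
        return manager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
    }
}
```

Register the filter with `http.addFilterBefore(new JwtAuthenticationFilter(verifier), UsernamePasswordAuthenticationFilter.class)` and a stateless session creation policy; the login endpoint calls `login(...)` and returns a freshly issued JWT.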

  • @rakibahmed1011 · 1 year ago

    I started to watch this tutorial and suddenly I thought I need to see what other topics you have explained. I came to your channel and became sad finding you have only one video. Please cover some more topics. I am subscribing to your channel with the hope of finding more content from you..

    • @BackendStory · 1 year ago

      Glad you liked the video Rakib! I am creating content for both blog and youtube. However, youtube takes more energy to finalize a video unfortunately. But I hear you and will work on it for the next video as soon as possible. Thanks for the feedback! You can have a look at the blog meanwhile: backendstory.com/

  • @toannguyenthe5422 · 1 year ago

    I hope that you will have more courses in the future.

  • @toannguyenthe5422 · 1 year ago

    I'm so surprised. I've never thought there was someone like you. You teach in such detail about what happens behind the scenes by default. Thanks

    • @BackendStory · 1 year ago

      This comment made my day. Thanks for your kind words. :)

  • @ryankao1983 · 1 year ago

    great video, please keep posting more

  • @songbaiyin7830 · 1 year ago

    If I had to keep just one tutorial about Spring Security, this is the only one. How amazing that you can cover Spring Security in so much depth and so much detail in just one hour. Thank you for sharing with us, respect!

    • @BackendStory · 1 year ago

      this comment made my day. thank you for your kind words!

    • @hqzhou · 1 year ago

      I agree. This is the best course I found so far that explains Spring Security so well. Many thanks to Ugurcan.

    • @olanrewajuolaolu5183 · 10 months ago

      He is simply a genius at it. I am keeping it as my best tutorial. However, it looks so simple because we have watched several security videos already, so we acknowledge the effort of those we had watched in the past. Such a sweet explanation. God bless you.

  • @manavdeepsinghgrable · 1 year ago

    great video bro

  • @rathinmaheswaran · 1 year ago

    Amazing video about Spring Security Authentication

    • @BackendStory · 1 year ago

      Happy to hear that you liked it! :)

    • @rathinmaheswaran · 1 year ago

      @@BackendStory Can you just come up with OAuth2 authentication along with the JWT token format, where all the roles are defined clearly in the MySQL DB?

    • @BackendStory · 1 year ago

      @@rathinmaheswaran Yes, it is in my todo list actually. I will do it.

  • @maxjustmax521 · 1 year ago

    Sadly you are on Spring Boot 2.6.3, which means that you are still using the old way of configuring web security with now-deprecated classes; looking forward to seeing your code updated to the modern standards. Thank you

    • @BackendStory · 1 year ago

      Yes, you are right. However, I do not think I will record another 70-minute video just for a couple of deprecated classes. :( If you would choose one scenario here, which one would be of interest to you with an up-to-date Spring Security version? :)

    • @maxjustmax521 · 1 year ago

      @@BackendStory You know the current trend is authenticating and authorizing with JWT, and if I were you I would just do a simple example with admin/user log-in authentication with roles. Also, I have to disagree with the idea that it was just a few deprecated classes, as the classes don't actually matter as much as how to build and configure security, and little things like using the Lambda DSL, to name a few.. But you are right, it's not worth making a 2-hour-long video for it, because your amazing slides explaining what goes on under the hood with Spring Boot do not need to be repeated; you can have a straight coding example and refer people to this video as a foundation. I hope I did thank you in my previous reply, because I see your explaining as professional and straight to the point. But thanks again, and consider me a subscriber.

    • @maxjustmax521 · 1 year ago

      @@BackendStory and please don't do what everyone else is doing with in-memory authentication; spring-jpa couldn't be any easier.

    • @BackendStory · 1 year ago

      @@maxjustmax521 Thanks a lot for spending time on the comments. These are gold to me. I added the following video prep to my todo list => create a video for proper JWT authentication/authorization coding with JPA and up-to-date Spring Security.

    • @BackendStory · 1 year ago

      Hi Max, I updated the code with component-based configuration by removing the deprecated WebSecurityConfigurerAdapter. You can have a look at it if you still need it. For your information :) backendstory.com/spring-security-how-to-replace-websecurityconfigureradapter/

  • @feridagazade4948 · 1 year ago

    Thank you for the tutorial! Understood every detail and found answers to questions that I had in my mind about the architecture of security.

    • @BackendStory · 1 year ago

      Great to hear that this helped you!

  • @ChildrenOfDemiurgos · 1 year ago

    This video is very important for anybody using Spring. Thanks for this gem!

  • @GROOVETECHSETS · 1 year ago

    At 53:54 I had to change the .equals in the supports() method to this: (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)). Just in case anyone is struggling with this like me.

  • @pulato000 · 1 year ago

    awesome explanation

  • @mohammedbedru2873 · 1 year ago

    This was the only explanation with a clear presentation. All basic concepts clarified... you are amazing... I don't know why they make it this complex... but you gave us a heads up, thank you 🙇

  • @navnathjadhav9111 · 1 year ago

    Bang bang. Enjoyed!!! Great man. Thanks.

  • @phuongbg59 · 1 year ago

    As I understand it, if we code a custom filter, requests will go through the filter chain until they meet our filter, then stop right there. The filter will call the authentication manager, which will call the authentication provider. Did I get it right?

    • @BackendStory · 1 year ago

      It depends on your design. But here it does not work like that. I trigger the authentication manager in my login endpoint. Then, the authentication manager triggers the authentication provider and so on. My custom filter checks if there is a JWT token provided in the incoming request. If so, I create an authentication object and give it to the SecurityContext. I wrote an article that explains why we give this authentication object to the SecurityContext: backendstory.com/spring-security-authorization-mechanism/

    • @phuongbg59 · 1 year ago

      @@BackendStory Thank you sir

  • @pilseongheo7108 · 1 year ago

    Everything about Spring Security explained just around an hour! Superb!