I was overwhelmed with other people's tutorials about Spring Security but you made it so easy to see what is actually going on, thanks man, I appreciate it, +1 sub
What I like about Dan is he uses the most basic approach when teaching something, leaving out unnecessary details that might confuse newbies. This video is to teach us JPA Authentication, no more no less. This is what a tutorial should be. Thanks sensei
Thanks Dan. You are the only person who finally clearly explained all things with the Bean approach. Tons of tutorials on YT have only the old approach
Thank you, Serhii. I'm glad I can help out.
Great video as always Dan! I think @Arsalaan's suggestion makes a lot of sense. This will be kind of an "endgame" like video for this series - where everything is combined - JWT, Roles (User, Admin, etc.), connecting to PostgreSQL (running locally via Docker).
Thanks for the idea!
@@DanVega And maybe add a little frontend to configure CORS. I'm struggling to get it working.
Hi Dan. Thanks for the continuous tutorials on Spring Security. It is very important and also very clearly explained.
Could you please use a "real" database like Postgres for demonstrating. Thanks!
I just created this video, not sure if that will help you out. ruclips.net/video/_Gdb-jK3Sr4/видео.html
If it doesn't please suggest a new video using this github.com/danvega/office-hours/discussions
Hi Dan,
Can you drop a guide on implementing JWT in a Spring Boot App
BUT include roles (user, admin), connected DB (to verify details) and UserNamePassword Authentication where the user calls an endpoint with username/password as body and the token generation happens based on that.
Basically, a continuation of your videos
"Spring Security without the WebSecurityConfigurerAdapter" and
"Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens"
Please consider this, it would be so useful and applicable to many projects!!
Thank you.
You got it. Thanks for watching and the suggestion.
@@DanVega Is that video online already? I also don't seem to get the roles active in my authentication.
@@DanVega Was it done already? Would use it quite a lot right now!
Thank you so much for this tutorial it really helped me visualize and understand how security in spring boot works.
I'm glad it helped you out.
This video is a kickass reference. Easy to implement, helps 100% in any backend development.
Another great tutorial from Spring advocate Dan Vega
Thank you so much Dan for this video, I am following your entire Spring Security playlist and it's very helpful. 🙏 Looking forward to more such learning content.
I'm glad my content is helping. Thank you for the kind words.
Hello Dan. Code works without setting userDetailsService in SecurityConfig class...
So clear to follow along and really great content! Thanks Dan.
This makes me happy. Glad you enjoyed it!
Great content! Thanks for sharing your experience. Amazing teaching!
Would be amazing to see a complete backend API with PostgreSQL and JWT and how to store the password in the database!
Very well explained. Worked like butter... Thanks Dan. It will be great if you can come up with a complete production-ready-like project which caters for best-practices security over microservices security with OAuth and maybe Keycloak, SSL, cross scripting, CORS, all in one course... it will be kinda like an EndGame series
Really awesome stuff here! Awesome channel! Love your videos! 💛
Great video about Spring Security. Can you please make a video about how we can apply more than one approach (like JWT-based security, JPA-based security) using Spring Security?
Love your videos, looking forward to more Dan 😊
Hi Dan, a couple of questions:
Q1: At 24:45 you have autowired an entity, just like a Spring bean; however, we didn't have any @Component on the User entity. How is this working? For me it was giving an unsatisfied dependency exception.
Q2: I was reading that it's not a recommended way to autowire JPA entities, as an entity is not a regular Spring bean but something that is managed by the JPA provider. What's your recommendation, is my understanding correct?
You don't need an annotation on User because you are not asking the Spring Framework to manage instances of that class for you. Here you are creating instances of User by calling its constructor new User(...)
Can you provide me with a GitHub repo that has this error? Something else is going on here.
Nice session, Thanks Dan! May I know what is the plugin/feature you are using for code prediction, looks amazing.
Thank you. That is GitHub Copilot.
Great video Dan!!!
Appreciate it.
Hey Dan, great video! After watching almost all of your spring security videos, I believe I know a little bit more about how to secure a REST API haha.
I have a question, why did you use OAuth2 on your JWT video and on this one you chose to pick up the bare Spring Security dependency?
As @Arsalaan suggested, it'd be nice to see a complete road map of how to secure a real life API using JWT, real users with roles and a database!
Thank you! Keep with the great job!
In this video I am focused on JPA authentication and not the JWT bits, that's all.
Quality Tutorial. Thanks, Dan!
Great video as always Sir, missed one thing though... the logout 😅
Thanks Dan, it was a great session
Thank you!
Hi Dan. Firstly, it's a great tutorial; beginners can easily learn Spring Security. Secondly, I'm working on my project where I'm facing an issue that "users are able to access the data of other users".
In simple words, no user should have the authority to read or manipulate data of other users except theirs.
There's no scope of admin and user-based authorization, because there's no such content that users should not see. Every user has their own data, and it should not be visible to others except the current authorized user.
Please suggest how to do customized authorization on each user.
Thanks in advance
Dan
Interesting. If I am an authenticated user do I have access to all data of all the other users in the system?
@@DanVega Yes Dan, you should not have access to other users' data, but at present the application is giving access to the data of other users too. I'm not able to configure that issue, please help me in fixing it.
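For the per-user isolation asked about in this thread, one common approach is to scope every query to the authenticated principal instead of trusting an id taken from the request. This is an added example, not code from the video or its repository; `Note`, `NoteRepository`, `NoteController` and the `/api/notes` path are hypothetical names, and it assumes Spring Boot 3 with Spring Data JPA.

```java
import java.util.List;
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

import org.springframework.data.repository.CrudRepository;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical entity: every row records the username of the user who owns it.
@Entity
class Note {
    @Id @GeneratedValue
    private Long id;
    private String ownerUsername;
    private String text;

    protected Note() { }                       // no-arg constructor required by JPA

    Note(String ownerUsername, String text) {
        this.ownerUsername = ownerUsername;
        this.text = text;
    }

    public Long getId() { return id; }
    public String getText() { return text; }
}

// Derived queries always carry the owner, so there is no "find any row by id" path.
interface NoteRepository extends CrudRepository<Note, Long> {
    List<Note> findByOwnerUsername(String ownerUsername);
    Optional<Note> findByIdAndOwnerUsername(Long id, String ownerUsername);
}

@RestController
@RequestMapping("/api/notes")
class NoteController {

    private final NoteRepository notes;

    NoteController(NoteRepository notes) {
        this.notes = notes;
    }

    // The owner comes from the security context, never from a request parameter.
    @GetMapping
    public List<Note> mine(Authentication authentication) {
        return notes.findByOwnerUsername(authentication.getName());
    }

    // A note that exists but belongs to someone else is treated as "not found",
    // which also avoids confirming that the id exists.
    @GetMapping("/{id}")
    public Note one(@PathVariable Long id, Authentication authentication) {
        return notes.findByIdAndOwnerUsername(id, authentication.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```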
Hi Dan
could you do videos on Spring Security OAuth2
creating OAuth2 Authorization Server
or using existing Authorization Server
Hello Dan, thanks for the lesson, it's so helpful. Can you please tell what plugin you use to help auto complete?
Thank you @@lykkos290
GitHub Copilot
Great tutorial. Thanks Dan
Hi! Dan. Do you have any video on Spring Boot (specifically- Microsoft Active Directory) Authentication? Thank You!
Hi Dan. Congrats for your small tutorials. Well, maybe Spring Security LDAP Authentication in Spring Boot? Just for having the full sequence. Thanks
Thank you for your suggestion github.com/danvega/office-hours/discussions/42
great video, thanks!
Thank you for this great video.
What if we have two user tables that we wanna use to authenticate, do we add both of them to the securityConfig file?
Hey Dan, what is the difference when we are using this for Spring Boot 3+ version?
Hi Dan,
Thanks a lot for the video.
Could you please do a video on authentication/authorisation using Okta or a separate auth server?
Thanks 👍
I am going to work on one for Spring Authorization Server soon!
Nice, thanks Dan!😍
You're welcome!
Quality material as usual Dan, I absolutely love it. One little question: any benefit of using an Authentication Manager as a bean in the security config class and passing the user details service to it instead of passing it directly to the security filter chain?
No, just wasn't sure if I was going to use that elsewhere or not.
Hello Mr. Dan Vega, I wanted to thank you for providing such helpful tutorials. I really appreciate your effort in helping others. Could you please tell me what plugin you used to help auto complete your tutorials? Keep up the great work!
GitHub Copilot
Great tutorial! Thanks a lot! =)
After this video I know a few things more :D
I love learning new things! Glad you were able to learn something
Really enjoyed this great tutorial. Thanks !!
Glad you enjoyed it!
Thanks for the great explanation and the playlist of Spring Security. Actually you can use @RequiredArgsConstructor for constructor injection and avoid the boilerplate code of declaring the constructor by yourself.
Hi, Dan! I tried to implement separated entity and user detail like you, but I have a problem with the spring-boot session: when I restart the application I have to log in again, but if I implement UserDetails in the User entity, Spring session remembers the logged-in user and I can continue without re-authorization.
What is better? To check authorization inside controller via PreAuthorize annotation or in the securityFilterChain method with .hasRole/.hasAnyRole methods?
Hey guys, I want to ask something: if I changed my Role type from String to List, what do I have to change in my code?
Thanks for the lesson
Thank You Dan so much!
You're welcome
Awesome Contents, as usual 🎉🎉🎉
Thank you, Anish
Yes, Lombok can help with boilerplate code like getters and setters
Same here! When do you start using Lombok? Maybe it is some kind of internal rejection 🤔 from using Lombok?
I assure you I have no problems with Lombok but I don't use it when teaching. If someone has never used it then it's one more thing you need to learn. I just find it easier to be verbose here and let the IDE help me out. In a single class or 2 I'm not gaining a whole lot by using Lombok vs in a real world project you are.
Thanks a lot! Really helpful!
Hi, thanks for the videos. Just a question please: I could not make it work using @PreAuthorize("hasRole('USER')"), but I needed to change to "hasAuthority('USER')". Any clue why it happened?
You need to use the annotation EnableMethodSecurity(prePostEnabled=true)
by default prePostEnabled is false and PreAuthorize won't work
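On the `hasRole('USER')` versus `hasAuthority('USER')` question in this thread: `hasRole` looks for the authority string `ROLE_USER`, while `hasAuthority` compares the string exactly as stored, so a user whose roles column holds plain `USER` passes only the second check. The block below is an added example, not code from the video; it assumes Spring Security 6.x (where `AuthorizationManager.check` is available) and Java 17, and the comma-separated roles string, `RolePrefixDemo` and the helper names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class RolePrefixDemo {

    // Same shape as a getAuthorities() that splits a comma-separated roles column
    // (the column format is an assumption made for this example).
    static List<GrantedAuthority> toAuthorities(String roles) {
        return Arrays.stream(roles.split(","))
                .map(String::trim)
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .toList();
    }

    // Already-authenticated token carrying the authorities built above.
    static Authentication login(String roles) {
        return new UsernamePasswordAuthenticationToken("dan", "n/a", toAuthorities(roles));
    }

    // Equivalent of hasRole('...'): the manager prepends "ROLE_" before comparing.
    static boolean hasRole(Authentication auth, String role) {
        return AuthorityAuthorizationManager.<Object>hasRole(role)
                .check(() -> auth, new Object())
                .isGranted();
    }

    // Equivalent of hasAuthority('...'): exact string comparison, no prefix added.
    static boolean hasAuthority(Authentication auth, String authority) {
        return AuthorityAuthorizationManager.<Object>hasAuthority(authority)
                .check(() -> auth, new Object())
                .isGranted();
    }

    public static void main(String[] args) {
        Authentication bare = login("USER");                      // roles stored without prefix
        Authentication prefixed = login("ROLE_USER,ROLE_ADMIN");  // roles stored with prefix

        System.out.println("stored USER      hasRole(USER)      = " + hasRole(bare, "USER"));
        System.out.println("stored USER      hasAuthority(USER) = " + hasAuthority(bare, "USER"));
        System.out.println("stored ROLE_USER hasRole(USER)      = " + hasRole(prefixed, "USER"));
        System.out.println("stored ROLE_USER hasAuthority(USER) = " + hasAuthority(prefixed, "USER"));
    }
}
```

Storing the roles as `ROLE_USER`, or adding the prefix when mapping them to authorities, lets `hasRole('USER')` be used as written.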
Dan > Spring Boot! That's it!
You just made my day Fred! Thank you!
Hi Dan, can you please show a case where API Key is used for the authentication?
I have done this in other tutorials. If you look for Spring Security JWT on my channel I have a few videos.
@@DanVega thanks Dan, will definitely check it out.
Hello, how do I write test cases to test the authorizations of the home controller, since it's a different type of authentication?
Thank you for your wonderful guidance.
Can you please assist me in enabling HTTPS and installing CA's SSL certificate in spring boot app? I will really be glad.
Thank you for the content suggestion github.com/danvega/office-hours/discussions/48
In the case of `SecurityUser` since we only get data without setting anything, can we use `record`?
Thanks Dan)
Where will the session token be stored in this approach?
Every tutorial I watch for Spring Security, it always fails at the configuration, methods are always deprecated, same with this video.
A few things changed in Spring Security 6 (Spring Boot 3)... I did a video on those changes or you can check out the Spring Security documentation. If you have trouble upgrading this demo let me know.
@@DanVega I was able to create the demo except for the headers in the security config, I couldn't the updated version
If I use this, how do I send a post request for login to my frontend? I cannot seem to get to the actual endpoint of the login page that form login generates.
Great video!!
Thanks!
Hey Dan, thanks for the video. My application is unable to sign in even with correct credentials, even though I have done all steps correctly. Could you please help me out?
Thanks, and my question at the end: we encoded the password, but when will we decode it? I mean, shouldn't we decode it while checking the password while logging in?
We don't need to decode it. Spring Security is comparing the encoded password that is part of the login credentials against what is in the database.
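To make the "no decoding" point concrete: a BCrypt hash is one-way, so at login the raw password that was submitted is hashed with the salt embedded in the stored value and the two hashes are compared. The block below is an added example, not code from the video; it assumes Spring Security 5.x/6.x with `BCryptPasswordEncoder`, uses `InMemoryUserDetailsManager` as a stand-in for the JPA-backed `UserDetailsService`, and the user `dan` and the password values are constructed sample data.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class PasswordCheckDemo {

    // Runs the same check form login triggers: load the user, then
    // encoder.matches(submitted raw password, stored hash).
    static boolean login(DaoAuthenticationProvider provider, String username, String rawPassword) {
        try {
            return provider
                    .authenticate(new UsernamePasswordAuthenticationToken(username, rawPassword))
                    .isAuthenticated();
        } catch (BadCredentialsException e) {
            return false;   // wrong password or unknown user
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // What the users table would hold. Encoding the same input twice gives two
        // different strings because each call generates a fresh random salt, so
        // comparing encode(raw) with the stored value by equality cannot work.
        String storedHash = encoder.encode("password");
        String secondHash = encoder.encode("password");
        System.out.println("stored hash        : " + storedHash);
        System.out.println("same input, again  : " + secondHash);
        System.out.println("strings are equal  : " + storedHash.equals(secondHash));

        // matches() re-hashes the raw input using the salt embedded in storedHash.
        System.out.println("matches(password)  : " + encoder.matches("password", storedHash));

        // Stand-in for the JPA-backed UserDetailsService from the tutorial.
        UserDetailsService users = new InMemoryUserDetailsManager(
                User.withUsername("dan").password(storedHash).roles("USER").build());

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);

        System.out.println("login dan/password : " + login(provider, "dan", "password"));
        System.out.println("login dan/wrong    : " + login(provider, "dan", "wrong"));
    }
}
```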
Could you make this video without leaving the JWT tokens part out of it please? I do not understand why the configuration happens without the .sessionManagement and oauth2ResourceServer here.
What about if I implement UserDetails in the users class, like `public class users implements UserDetails`?
Please make an example for MySQL
It is really as simple as replacing H2 with MySQL. Have you tried to do it? If you're facing any issues let me know.
Thanks Dan, this was useful. Any chance you can now take this and expand it into auditing? A natural extension of using the Spring Security libraries to building auditing on to your entities like @CreatedBy and @CreatedDate etc. I have managed to conquer this in my most recent app but as a general practice I put auditing on all entities as it can become so useful in sensitive changes of records and general troubleshooting.
Thank you for the suggestion Paul. github.com/danvega/office-hours/discussions/45
Hi Dan.
At exactly minute 37:00, you successfully encrypted the String, so it's not possible to see its value in the database.
Do you mind giving a little suggestion or hint on what to do to make sure that the string "password" on line 23 will also be unreadable in the code, as it can easily be viewed on GitHub?
- Best
Before I give you my suggestion solution, please keep in mind that you should never put your passwords, keys, or any sensitive information inside your code.
Instead, keep them in a separate file and then gitignore it, and my suggestion in this case is to manually encrypt it and replace it rather than encrypt it with this method.
@@developerbdarija Thanks for your answer.
I did manage to use a System method to access Environment Variables.
I stored these values that are secret in both the IDEA and where I deployed the app. Now they are hidden everywhere.
- best
Thanks for the video - Is there a way to do this without using .map??? My code is giving me a strange error: "userRepo.findByUsername(username).map(SecurityUser :: new).OrElseThrow... " is giving me an error " The type SecurityUser does not define SecurityUser(UserEntity) that is applicable here" 29:24.1
Hi Dan,
Actually I was doing the same kind of project, and the thing is, when I was doing InMemoryAuthentication it was working smoothly, but when I used authentication against a DB (MySQL) it was prompting access denied, so can you please do it with MySQL?
Hi Dan - I'm using Spring Boot 3 (Spring Security 6) and I can't access the H2 console. With Spring Security 6 there is no antMatchers or mvcMatchers, only requestMatchers, which doesn't allow us to access the console - I have this line auth.requestMatchers("/h2-console/**").permitAll(). Is there a workaround to allow access?
use auth.requestMatchers(new AntPathRequestMatcher("/h2-console/**")).permitAll(), auth.requestMatchers(new MvcRequestMatcher(new HandlerMappingIntrospector(), "/api/posts")).permitAll(), and csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/h2-console/**"))
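The matchers from the reply above can be placed in a filter chain of their own, so the relaxed settings the H2 console needs apply to that path only and only in development. This is an added example, not the tutorial's configuration; it assumes Spring Boot 3 with Spring Security 6.1+ (lambda DSL), and the `dev` profile name and bean method names are hypothetical. It also sets `X-Frame-Options` to same-origin for the console, since the console UI is rendered in frames and Spring Security's default is `DENY`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Dev-only chain that handles nothing except /h2-console/**.
    // Without the "dev" profile this bean does not exist and the console path
    // falls through to appChain, where it requires authentication.
    @Bean
    @Profile("dev")
    @Order(1)
    SecurityFilterChain h2ConsoleChain(HttpSecurity http) throws Exception {
        return http
                .securityMatcher(new AntPathRequestMatcher("/h2-console/**"))
                .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
                // The console posts forms without a CSRF token; the exemption is
                // confined to this chain, so the application keeps CSRF protection.
                .csrf(csrf -> csrf.disable())
                // Allow framing by the same origin instead of removing the header.
                .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))
                .build();
    }

    // Everything else: authenticated access with form login and default headers.
    @Bean
    @Order(2)
    SecurityFilterChain appChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults())
                .build();
    }
}
```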
That's a nice video, but a big chunk of the info you share is already deprecated and marked for removal. Please update the video or at least leave a comment somewhere so people don't waste time watching
Hi Dan, can you make a tutorial on how to implement JWT in a Spring Boot GraphQL API?? Resources about this subject are very rare
Thank you for the suggestion. github.com/danvega/office-hours/discussions/39
Great tutorial and big thanks from me for your hard work. Subscribed and will watch more of your tutorials.
Awesome, thank you!
07:22 can you please add the link to the video you mentioned here at 07:22
I didn't mention a video at 7:22.. did you get the timestamp wrong?
CoPilot rules!! :)
It certainly does.
Do one using MySQL
I was following the tutorial but I decided to have my Role as an entity. As I would like some users to have more than one role I have created many to many relation between users and roles. In getAuthorities() method inside SecurityUser class I map roles names but I get an exception "failed to lazily initialize a collection of role". I am scratching my head but still couldn't find a solution. Do you know what could be an actual fix to the problem?
I think you have to set the fetch on the JPA relationship to Eager.
Why did you use CrudRepository?
CrudRepository gets me all of the CreateReadUpdateDelete methods
It's good but you should use DDD
thanks
Merci
12:53
Dan, your English... We Indians feel uncomfortable, and please try to use normal English, but the explanation was good
What do you mean by normal English? Do the closed captions help out at all? Sorry you're having difficulties following along. I understand how that can be frustrating.
Hussein your comment about Dan's English is offensive and insolent, especially coming from someone whose country "speaks" a broken English. My suggestion to you is to get some REAL English classes from English speaking people not from the people in your country dude
Why do I get this error?
Field userRepo in com.auth.jpa.controller.ApiController required a bean of type 'com.auth.jpa.repos.UserRepo' that could not be found.