Spring Security Crash Course | JWT Authentication and Authorization in Spring Boot 3.1 [NEW] [2023]

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

hello Alex i am struck can u help me setting up the code i need it badly

i have problem with methode signIn not function can u help me

bro can you send me your email to contact you

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

me too

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

Thank you so much for your positive feedback and valuable suggestion! I'm thrilled to hear that the video helped you understand the basics. Your suggestion to delve into more complex projects with Spring Security 6 and Spring Boot 3 is noted, and I'll certainly consider creating content on more advanced topics.
Regarding your preference for Next.js over Angular, that's an interesting suggestion. While my current content includes Angular, I'll certainly explore the possibility of incorporating Next.js in future projects. Both frameworks have their strengths, and it's great to have variety in the topics covered.
I truly appreciate your support and encouragement. If you have specific topics or features you'd like to see covered, feel free to share them. I'm here to help you learn and explore. Thanks again, and happy coding!

@@code_with_projectsAngular ftw. Could you do a full stack project? With Role Authorizations? Maybe like a hotel website where the admin can create the hotel listings, and the user can only book them, sort them, save them to their favorites etc. (just something that come to mind with role based authorization) anything is fine really. It would really help seeing a project come to life like this please

Our current projects are structured around specific roles(admin and customer). Feel free to explore our E-commerce application and Car Rental project. If you're still interested in the Hotel Listing project, let me know!

@@code_with_projects thank you I’ll take a look at those! And yes, I’m definitely still interested in the hotel project, but only if you have the time🙌🏽. I’m sure everyone can benefit from seeing another fully implemented project form A-Z

Fantastic to hear that you completed the tutorial successfully! Attention to detail definitely pays off. Keep up the great work!

I take it back.
43:10 It should be
user.setLastname(signUpRequest.getLastname());

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

You're very welcome! Keep up the fantastic work, and happy coding! 😊🚀

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

@@code_with_projects Thanks, I am teaching new developers from Malaysia and currently building modules for them. Notes that your content will be very helpful and help others as well

Thank you! Glad you found it helpful! 🔥😊 Keep learning and keep growing!

Thank you for your feedback! I appreciate your honesty, and I'm glad to hear that you found the pace of this tutorial more comfortable. I'll definitely take your suggestion into consideration for future content and aim to provide a slower pace with more in-depth explanations.

Tha's a problem with a lot of youtube videosabout this topic

And one thing the video makers should keep in mind, as if they see the video in the eyes of fresher's, as a fresher who doesn't know things, we are approaching the you tube videos, but here videos are like revising for the people who already mastered the concepts, then what's the point of making the video..

Thanks a lot for your feedback! I appreciate your suggestion. I'll make sure to provide more detailed explanations in my next video, covering the various interfaces used in the code and their purposes. Your input is valuable, and I want to ensure that my content is as helpful as possible.

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

Thank you so much 😀

Of course! It's completely understandable to feel uncertain when different tutorials offer varying approaches. When it comes to security, prioritizing reliability is key.
Here's some guidance:
Unique Key for Token Generation: Using a unique key for token generation adds an extra layer of security by ensuring that tokens are not easily guessable or susceptible to attacks like token replay.
Protecting API Based on User Role: Implementing role-based access control (RBAC) helps in enforcing security by only allowing authorized users to access specific resources or perform certain actions within your API.
Sending and Receiving JWT in Headers: Storing JWTs in headers instead of the request body helps prevent accidental exposure of tokens through logging mechanisms or other vulnerabilities.
Setting JWT Token Expiration: Limiting the lifespan of JWT tokens reduces the window of opportunity for malicious actors to exploit stolen tokens, thus enhancing overall security.
Using Refresh Tokens: Employing refresh tokens alongside access tokens allows for more secure token management. Refresh tokens can be used to obtain new access tokens without requiring the user to re-enter their credentials.
Handling Expired Refresh Tokens: If a refresh token expires, it's important to handle this scenario gracefully by logging out the user and prompting them to log in again. This helps mitigate potential security risks associated with expired tokens.
By following these best practices, you can enhance the security of your application and minimize the risk of unauthorized access or data breaches.

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

That's a great suggestion! I'll consider it for a future series. Thanks for your input!

Thank you! Integrating with custom HTML and CSS involves calling these APIs using JavaScript. If you prefer using frameworks like React or Angular, you can watch any project playlist on our channel where we've integrated Spring Security with Angular in various examples.

The refresh token allows for longer user sessions, reducing the need for frequent logins. It has a longer time to live (TTL) to maintain user authentication.

Thanks for your feedback! Storing the hashRefreshToken in the database is indeed a good practice for better security and management. It adds an extra layer of protection against token theft. 👍

@@code_with_projects could you show us??

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

Thanks a lot! Glad you liked it, bro! 👍😊

Check and send server logs for any error messages or additional information about why the request is being denied.

time WARN 11496 --- [nio-8090-exec-2] o.s.w.s.h.HandlerMappingIntrospector :Cache miss for REQUEST dispatch to '/home/signin' (previous null). Performing CorsConfiguration lookup. This is logged once only at WARN level, and every time at TRACE.
time WARN 11496 --- [nio-8090-exec-2] o.s.w.s.h.HandlerMappingIntrospector : Cache miss for REQUEST dispatch to '/home/signin' (previous null). Performing MatchableHandlerMapping lookup. This is logged once only at WARN level, and every time at TRACE.
Well these two are shown after trying to enter .../admin/home (which is for admin only)@@code_with_projects

same here....

Has anyone found a solution and can help me?

Thanks for the feedback! While this tutorial covers the basics, I'll definitely consider exploring more advanced security concepts for production-ready APIs in future videos. Appreciate your support!

Thank you so much for your kind words! Your support means a lot to us, and we're committed to delivering continued excellence. Thanks again for your encouragement!

@@code_with_projects how can i add the user id when signing in? or other user related data? its for the frontend

no need i figured it out just added this line on the signin method jwtAuthenticationResponse.setUserId(user.getId());

👍

Your request for a video on OAuth 2.0 implementation has been noted. We appreciate your interest in this topic, and we're committed to providing valuable content for our audience. Stay tuned, as we will definitely work on creating a comprehensive video on OAuth 2.0 implementation in the near future.

Great question! Storing refresh tokens in a database can enhance security and allow for better management of token expiration and revocation. I opted for a different approach for simplicity and demonstration purposes in the video. However, using a RefreshTokenRepository is definitely a good practice for production applications. Thanks for pointing that out!

Thank you for your positive feedback, and I'm glad to hear that the tutorial was helpful to you! I appreciate your diligence in making the necessary tweaks to get everything working.
Regarding the issue with the admin endpoint, I'm sorry to hear that you're experiencing difficulties. To better assist you, could you provide more details about the specific problem you're facing with the admin endpoint? Any error messages or additional information would be helpful in troubleshooting and resolving the issue.
I'm here to help, so feel free to share more details, and I'll do my best to assist you further!

@@code_with_projects Many thanks for replying. I finished the code and trying to access the admin endpoint results in a 403 error using Postman with no additional messages to show. I have spent hours looking at the code and can't figure it out. The endpoint should be accessible since authentication was successful but it isn't.

I appreciate your effort in completing the code, and I'm sorry to hear that you're encountering a 403 error when trying to access the admin endpoint. Here are a few steps you can take to troubleshoot this issue:
Roles and Authorities: Double-check that the authenticated user has the necessary roles or authorities required to access the admin endpoint. Verify that the role configuration in your code aligns with the roles assigned to the user during authentication.
Path Configuration: Ensure that the path to the admin endpoint in your Postman request matches the path configured in your Spring Security rules. Minor discrepancies in path configuration can lead to 403 errors.
Token Inclusion: Confirm that your Postman request includes the correct authentication token, especially if you're using JWT. The token should be included in the "Authorization" header with the format "Bearer [your_token]".
Debugging: Consider adding logging statements or using a debugger to inspect the authentication details and roles at runtime. This can provide insights into whether the user has the expected roles.
If the issue persists, please share relevant portions of your security configuration and the Postman request, so I can provide more targeted assistance. Your diligence in troubleshooting is commendable, and I'm here to help you resolve this challenge.

Thank you for your feedback! I'll consider creating a video on OAuth2 implementation with user role many-to-many relationships for REST API. Stay tuned for upcoming content. Your suggestions are valuable!

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

Great observation! In the 'signin' process, the Authorization tab is active in Postman because we're including the user credentials (username and password) in the request body for authentication. This is a common approach when sending credentials for user authentication.
Regarding the 403 Forbidden issue, it's important to note that the 'signin' endpoint typically doesn't require additional authentication beyond the credentials provided in the request body. If you're encountering a 403 error, it could be due to various reasons such as incorrect credentials, user not found, or an issue with the authentication process.
Make sure the credentials are correct, and consider checking the Spring Security configuration for the 'signin' endpoint in your Spring Boot application to ensure it allows unauthenticated access.
If you have specific details or code snippets you'd like me to review, feel free to share, and we can dive deeper into resolving the issue. Happy coding!

@@code_with_projects Thank you for you quick response. Luckily I managed to fix it(had some inconsistency with my signatureAlgorithms)
Let me just say that I gone through so many tutorials here in youtube and all of them failed to produce the desired outcome.
Yours is the first one that finally worked and for that I am eternally grateful.

Thank you for your kind words. These words mean a lot to us. Your support is greatly appreciated. Thank you!

Hi, I am having this issue. How did you solve it?@@a.z.b.1916

@@a.z.b.1916 Thank you for your observation. How did you solve it?

Thanks a lot for your feedback, and I'm glad you found the tutorial helpful! I appreciate your suggestion about slowing down and providing more detailed explanations, especially from a beginner's perspective. Your input is valuable, and I'll certainly take it into consideration for future content.

😊@@code_with_projects

Don't worry about memorizing JWT details. When working with secured APIs, you typically receive the JWT from the response of the login API. Focus on understanding how to handle and utilize JWTs in your application rather than memorizing their contents.

Using sessions and JWT together is common and valid. JWT handles authentication, while sessions manage server-side state. I'll consider creating a tutorial on this. Thanks for the suggestion! 🚀Keep watching our videos. Thank you

Make sure you have added the Apache Commons Lang dependency in your project. Here's an example for Maven:
org.apache.commons
commons-lang3

Make sure to use the exact versions mentioned in the video to avoid encountering any errors.

Thanks

Sure thing! In Postman, follow these steps:
Open your request.
Go to the 'Authorization' tab.
From the type dropdown, select 'Bearer Token'.
Enter your token in the designated field.

@@code_with_projects I'm getting this "Using generated security password: 30ecd606-cca2-4876-bc10-0b4f06027ffb" when application starts.Where and how to use it ?
It asks me to login when I'm invoking "localhost:9092/api/v1/auth/hi" through explorer .

If both your original token and refresh token are lost, you’ll need to log in again to generate a new token. This will reauthenticate you and provide a new set of tokens.

Kindly double-check the spellings of 'signup' in your Postman, in the controller, and in the config file.

Please ensure that the authentication token is being sent correctly in the request headers. If the issue persists, double-check the configuration and permissions in your backend code.

Why are you utilizing the privateKey? In this project, our approach involves constructing and returning a java.security.Key. If your intention is to utilize PrivateKey instead, please ensure compatibility and verify that you are not returning null, as it seems the key is currently null.

"Query did not return a unique result: 2 results were returned," indicates that there might be two users in the database with the same email address. To resolve this issue, please ensure that you don't have duplicate entries in the database.
If the problem persists, could you share the relevant code snippet where you are executing the query that triggers this error? It would be helpful for me to take a look and provide more targeted assistance.

@@code_with_projects thank yo, i figured it out. i was just a ug with Mysql.

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}

Glad to hear sign-in and refresh tokens are working. For the 403 Forbidden issue with the admin controller, ensure you're hitting the right URL. Please share your security config for a quick check. Also, confirm you've followed the video to authenticate the admin URL with the correct role.

Getting the same issue . Is your problem solved?

@@mineeleppa2654 Solved. You take a look "doFilterInternal" in JwtAuthenticationFilter, I recognized I missed "!" in if condition -> "!org.apache.commons.lang3.StringUtils.startsWith(authHeader,"Bearer ")"

Yes, once the refresh token expires, you'll need to log in again to get fresh tokens.

Please use the following secret key: 413F4428472B4B6250655368566D5970337336763979244226452948404D6351

@@code_with_projects I did what you said, but I'm receiving the 'Invalid compact JWT string: Compact JWSs must contain exactly 2 period characters, and compact JWEs must contain exactly 4. Found: 0' error. I'm watching again and searching forums for a possible solution.

Kindly reach out to us on Instagram for access to the source code.

You're absolutely right. Currently, we're not checking for existing users before signup. The prime focus of this video is Spring Security, and email checking is a small detail that you can implement very easily. To address this, consider adding a check using existsByEmail. If it returns true, display an error message. This should prevent creating duplicate users.

@@code_with_projects Yeah no problem, I've already implemented it myself. I thought I missed something in the video.
Thanks for this tutorial, I'm learning a lot !

👍

Indeed, the 'JWTServiceImpl' should implement 'JWTService' interface. Please double-check the implementation and make sure it's correctly annotated as a Spring Bean with '@Service' or '@Component' so that it can be autowired in the 'JwtAuthenticationFilter' class.
Also, keep watching our videos. Thanks

Make sure you implemented CommandLineRunner like below. If you are still getting the error then please share the error logs.
@SpringBootApplication
public class SpringsecurityApplication implements CommandLineRunner {
@Autowired
private UserRepository userRepository;

@@code_with_projects that works now... thanks......
but there is one more problem im facing.... im getting the Invalid credentials exception by my authentication manager in signin method or auth service even though the email and password are correct(created by run method).... pretty sure i followed every step from your video.... can you help me fix it....

Show me content of Item.

you're welcome!

Make sure you've correctly annotated the userdetailsService class with @Service or a similar annotation to allow Spring to manage it as a bean.
If you can share a snippet of your code where the userdetailsService is declared and injected, I might be able to provide more specific guidance. Ensure that the UserService is being injected into the class where you're using it. If the issue persists, feel free to provide more details for further assistance. Happy coding! 😊🚀

Thanks for the response after comment I'll go through the Google and then the error is gone thank

For this tutorial, we included the user's email in the JWT, but feel free to add more information based on your specific use case.

It seems unusual that the API is not working, and there are no error logs or responses in the console. I recommend revisiting the code, conducting a thorough dry run, and debugging to identify any potential issues. Sometimes, a fresh perspective can reveal overlooked details. Let me know if you find anything during your review, and we can continue troubleshooting from there.

Yes, that's correct! In JWT, a claim refers to the information embedded within the token's payload.

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}
Also, keep watching our upcoming videos. Thanks.

I'm still getting the 403 error.And won't we get username and password incorrect as exception (as we have mentioned in orElseThrow()...) if the credentials are wrong.Please help.

I can't really determine the actual reason with just two words, '403 Forbidden.' However, here are the steps you can follow to resolve this issue:
403 Forbidden error usually indicates that the server has understood the request, but it refuses to fulfill it, often due to permissions or authentication issues.
Check URL and Path: Ensure that you are trying to access the correct URL and path. Sometimes, a small typo in the URL or path can lead to a 403 error.
Login Credentials: Double-check your login credentials (username and password). Ensure that you are entering the correct information.
Debugging: Enable debugging for Spring Security to get more information about why the request is being denied.
If you've reviewed all these aspects and the issue persists, consider sharing more specific details about your Spring Security configuration and Postman request for further assistance. Additionally, check the Spring Security logs for any specific error messages or clues about why the 403 error is occurring.

Try sending the debugging lines to chatgpt other than that my error was that I forgot to add autowired to password encoder.

The error you're encountering suggests that the JWT (JSON Web Token) you are working with has expired. JWTs contain an expiration time (exp claim) to enhance security. The current time is checked against this expiration time to ensure the token is still valid.
To solve this issue, you have a few options:
Regenerate Token: Regenerate a new token by logging in again.
Refresh Tokens: Call the refresh token API to get a new token.
Increase Validity Time: You can configure the expiration time to 1 week or 2 weeks.

@@code_with_projects but it is not giving permission me to log in and also for refres token..now what can i do?

Thank you for watching! It seems like you're facing an issue with ECDSA signing keys. To help you better, I'd need more details about your code. Feel free to share more information, and I'll do my best to assist you.

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}
Also, keep watching our upcoming videos. Thanks.

@@code_with_projectsSo basically, this can be any sequence of random characters as well...? Or does it need to be generated a specific way...?

The refresh token plays a crucial role in enhancing the security of the authentication process. While the access token is short-lived and used for authenticating API requests, the refresh token is a longer-lived token. Its primary purpose is to obtain a new access token when the current one expires.
Here's how it works:
1. The user logs in, and the server provides both an access token and a refresh token.
2. The access token is used to authenticate requests to protected resources.
3. When the access token expires, instead of forcing the user to log in again, the refresh token is sent to the server to obtain a new access token.
4. The refresh token itself is not used for authentication but is exchanged for a new access token.
This mechanism helps improve security because:
- Access tokens have a shorter lifespan, limiting the window of vulnerability if they are compromised.
- Even if an attacker gains access to an access token, they cannot use it indefinitely because they would also need the refresh token to obtain a new access token.
In summary, the refresh token enhances security by providing a way to obtain a new access token without requiring the user to log in again, while also mitigating the risks associated with long-lived access tokens.

@@code_with_projects understood, well explained... Thank you 😊

It looks like you've defined an AuthenticationManager bean in your WebSecurityConfiguration class. Make sure this class is being scanned by Spring and included in your application context. If the error persists, double-check your package structure and component scanning configuration to ensure everything is set up correctly.

@@code_with_projects I am not sure on this webSecurityConfiguration class. Since I am very new to Spring, I have strictly followed your code. if there is any refrence you can help me with, to understand this issue, pls let me know.

Make sure you are using auto wired. If you are still getting the error then please share the error logs.
@Autowired
private UserRepository userRepository;

@@code_with_projects yes I created private repository but it's saying userRepositoey cannot be injected as it's not static as main spring boot class is static

@@code_with_projects java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:789) ~[spring-boot-3.2.0.jar:3.2.0]
at org.springframework.boot.SpringApplication.lambda$callRunners$3(SpringApplication.java:770) ~[spring-boot-3.2.0.jar:3.2.0]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183) ~[na:na]
at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[na:na]
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) ~[na:na]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) ~[na:na]
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]
at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596) ~[na:na]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:765) ~[spring-boot-3.2.0.jar:3.2.0]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:330) ~[spring-boot-3.2.0.jar:3.2.0]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1342) ~[spring-boot-3.2.0.jar:3.2.0]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1331) ~[spring-boot-3.2.0.jar:3.2.0]
at com.codewithnarasimham.springsecurity.SpringsecurityApplication.main(SpringsecurityApplication.java:24) ~[classes/:na]
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:577) ~[na:na]
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:50) ~[spring-boot-devtools-3.2.0.jar:3.2.0]
Caused by: java.lang.NullPointerException: Cannot invoke "com.codewithnarasimham.repository.UserRepository.findByRole(com.codewithnarasimham.entities.Role)" because "com.codewithnarasimham.springsecurity.SpringsecurityApplication.userRepository" is null
at com.codewithnarasimham.springsecurity.SpringsecurityApplication.run(SpringsecurityApplication.java:30) ~[classes/:na]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:786) ~[spring-boot-3.2.0.jar:3.2.0]
... 17 common frames omitted

​@@code_with_projects Required type:UserDetails
,Provided:Optional

Hey @kaankahraman61! I used the AuthenticationManager to validate the user's credentials and generate the JWT token in the backend. You can check the video for a step-by-step breakdown! 👍"
Let me know if you'd like any changes or additional details!

@@code_with_projects I am getting a 403 error in postman. I need to help

Hi there! The 'user is null' error in the security config class typically occurs when the authentication process doesn't successfully retrieve a user. Double-check your authentication logic, make sure your user details are being loaded correctly, and ensure your UserDetails service is implemented properly. If the issue persists, feel free to share relevant portions of your code, and I'll do my best to help you further. Happy coding! 😊🚀

@@code_with_projects i have request you on insta too

🔗 Project Source Code: codemarketplace.github.io/

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}

@@code_with_projects thank you 👑

codemarketplace.github.io/

Bhai, yeh issue kuch common reasons ke wajah se ho sakta hai. Kuch cheezein check karo:
Body: Ensure karo ke POST request ke body mein saare required parameters sahi se set kiye gaye hain.
Endpoint: Confirm karo ke tum sahi endpoint pe request bhej rahe ho.
Server Logs: Server logs check karo, wahaan kuch additional information mil sakta hai.

@@code_with_projects ho gaya resolve..thanks

I'm glad to hear that the video was helpful for you! Creating a two-way authentication system sounds like a great project. While I don't have a specific video on that topic at the moment, I appreciate your suggestion. I'll definitely consider it for future content.

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

I'm sorry to hear that you encountered a 403 error during the sign-in API process. To better assist you, could you please share the error logs related to that particular step? This information will help me pinpoint the issue and provide you with a more accurate solution.

🔗 Project Source Code: codemarketplace.github.io/

It seems like you're facing some concerns with the DI injection and implementation of services. Installing the Lombok extension in your IDE can help resolve any issues related to the private final UserRepository userRepository; expression. As for the @Autowired annotation, its usage depends on your application's specific requirements; you can use it if needed. Additionally, ensure that your JwtServiceImpl service implements the required interface to avoid any errors.

I followed the tutorial exactly why do i get a 404 forbidden for admin and user request????

@@code_with_projects Thank you for the response, you got it, It worked.
+1 sub - excellent video, really appreciate it.

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}

You can access the source code of the project from this website: codemarketplace.github.io/

@@code_with_projects i can't see the link of project github ? or do i need to pay $ for this ?

Kindly reach out to us on Instagram for access to the source code. Here's the link: instagram.com/code_with_projects

codemarketplace.github.io/

I can't really determine the actual reason with just two words, '403 Forbidden.' However, here are the steps you can follow to resolve this issue:
403 Forbidden error usually indicates that the server has understood the request, but it refuses to fulfill it, often due to permissions or authentication issues.
Check URL and Path: Ensure that you are trying to access the correct URL and path. Sometimes, a small typo in the URL or path can lead to a 403 error.
Login Credentials: Double-check your login credentials (username and password). Ensure that you are entering the correct information.
Debugging: Enable debugging for Spring Security to get more information about why the request is being denied.
If you've reviewed all these aspects and the issue persists, consider sharing more specific details about your Spring Security configuration and Postman request for further assistance. Additionally, check the Spring Security logs for any specific error messages or clues about why the 403 error is occurring.

@@code_with_projects in signin function of AuthenticationServiceImpl , the authenticationManager.authenticate( new UsernamePasswordAuthenticationToken(signinRequest.getEmail(), signinRequest.getPassword()));
Is having some issue , because code is not going to next line after executing this. .
I am trying to login through admin and admin ... ( same that you added in main class )

Please contact us on Instagram and share screen shot of your postman request.

@@code_with_projects I sent you msg, pls accept invite

Kindly reach out to us on Instagram for access to the source code.

Thank you for your suggestion! The logout feature is indeed on our radar, and it's currently under planning for an upcoming part of the series. Your input is valuable, and I appreciate your patience. Stay tuned for the logout implementation in the future videos. Happy coding!

No worries, JWT Service implementation can be complex. If you have specific questions or need clarification on that part, feel free to ask. We are here to help you navigate it!

I appreciate your feedback and understand your concern. I'll make sure to include a quick overview of the code in future videos to provide a better understanding of the concepts and techniques involved.

1) You can use the same key which I used in project. "413F4428472B4B6250655368566D5970337336763979244226452948404D6351"
2) You can generate this key from any online password generator website.
3) You can generate by below code.
public static void main(String[] args) {
SecureRandom random = new SecureRandom();
byte[] keyBytes = new byte[32]; // 256 bits (32 bytes) is a common choice for HMAC-SHA256
random.nextBytes(keyBytes);
String secretKey = Base64.getEncoder().encodeToString(keyBytes);
System.out.println("Generated SECRET_KEY : " + secretKey);
}

Thank you for reaching out, and I appreciate your kind words about the tutorial. It seems like you're encountering an issue with the JWT authentication in your UserController.
The error message you provided, "Cannot invoke 'app_name.services.JWTServiceImpl.extractUserName(String)' because 'this.jwtService' is null," suggests that the jwtService instance is not being properly initialized before use. Here are a few things you might want to check:
Service Initialization: Ensure that the jwtService is properly initialized in your JwtAuthenticationFilter. It seems like it might not be instantiated before the doFilterInternal method is called.
public JwtAuthenticationFilter(JwtService jwtService) {
this.jwtService = jwtService;
}
Dependency Injection: Check if the JwtService is being injected correctly into your UserController. Make sure that the instance of JwtService is not null when you use it in the extractUserName method.
@Autowired
private JwtService jwtService;

The method you are using is correct for setting the expiration time and other details of a JWT. Please ensure that your project's POM file is correctly configured and that the dependencies' versions match the versions mentioned in the video tutorial. Additionally, to assist you more effectively, please consider sharing your POM file with us. This will enable us to review your project's configuration and dependencies to provide more specific guidance and help.

17

org.springframework.boot
spring-boot-starter-data-jpa

org.springframework.boot
spring-boot-starter-web
com.mysql
mysql-connector-j
runtime

org.projectlombok
lombok
true

org.springframework.boot
spring-boot-starter-test
test
org.springframework.boot
spring-boot-starter-security
io.jsonwebtoken
jjwt-api
0.12.3
io.jsonwebtoken
jjwt-impl
0.12.3
runtime
io.jsonwebtoken
jjwt-jackson
0.12.3
runtime
@@code_with_projects

@@sabujkumartarfodar8122
Hey this will help you ? tell if any wrong happens?
public static final String SECRET = "5367566B59703373367639792F423F4528482B4D6251655468576D5A71347437";
public String generateToken(UserDetails userDetails) {

return Jwts.builder()
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis()+1000*60*24))
.signWith(getSignKey(), SignatureAlgorithm.HS256)
.compact();
}

public String generateRefreshToken(Map extraClaims,UserDetails userDetails) {

return Jwts.builder().setClaims(extraClaims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis()+684800000))
.signWith(getSignKey(), SignatureAlgorithm.HS256)
.compact();
}
private SecretKey getSignKey() {
byte[] keyBytes= Decoders.BASE64.decode(SECRET);
return Keys.hmacShaKeyFor(keyBytes);
}

@@code_with_projects bhai... .signWith method is not showing means showing no suggestions... please give me any solution for this...

I did comment the previous code and again wrote the same code it worked...🤣 miracle miracle