Important note: In the video, I provide the JWT secret as a constant variable in the Java class. As you might imagine, please don't do that in a real application! It's not a good idea to check in passwords / secret keys in your code. You should get that from a setting / property file that's in a more secure location and not in your source code repository. (Thanks to Olivier for pointing this out in the comments)

I really want to meet and look at those people in their eyes who actually dislike this and other videos in this playlist. It is a real work that it teaches you for free and with a quality material. If you cannot like a video, the least you should do is to not dislike. It is basically you who might be missing the pre-requisites to understand the material used in these videos but nothing wrong with this quality playlist. I have learned a lot of stuff from these awesome examples. Excellent show Koushik (y)

The tutorial covers Spring Boot security pretty nicely, but I think there are some aspects to be pointed out here: - Some people wonder where the token itself is validated. This was not mentioned in the tutorial, but actually the *extractAllClaims* method is responsible for the validation. It throws exception while parsing claims if token signature is invalid (secret key mismatch) or token is expired. Thus *validate* method in JwtUtils has redundant check of expiration time. - The great advantage of JWT is that it is stateless, that means id doesn't have to be validated against queried data. This tutorial validates if data of user with provided userId matches the data of the same user fetched from somewhere else (usually from a database). This validation is redundant, since token has already been validated and we are ensured that provided userId is correct. There may be a need of fetching user while validating JWT token, but there is not in this scenario. - To sum up - *validate* method in JwtUtils can be securely removed

An Amazing video with 40 minutes of content. Best thing is how Koushik keeps the tempo throughout and keeps motivating. He holds on to the audience and such an amazing teacher and a humble human being. God bless

Who says Spring Security is complex to understand, we have such a great instructor like you Thank you so much

Note the changes in the HelloResource class at 8:10 . 1) "RestController" instead of "Controller" and 2) Remove the flowery braces from the "RequestMapping"

I love that guy saying that if he gets married, he will invite you. I've realised that you have helped millions, if not billions of devs out there! Keep going big bro

My man, you're like the Saint Nick of Java! Thank you so much for sharing such great content

the world needs more teachers like you. thank you!

I tried to learn SpringSecurity for at least five months, and finally I gave up and used JWT manually for my personal application. But you expained it perfectly and now I can implement both techs! Thank you, very much!

Your style and delivery is excellent, you are making a lot of java devs' lives better!

Omg Kaushik.. you are a saviour.. I have followed your microservices series when I was asked to make a poc on that.. where I learnt a lot of new concepts from you. And now again I am asked to make a poc on Jwt and again you have made it so simple to understand and implement as well. Thank you so much. You are a trusted resource for me.

If I get married , I will invite you because I feel you like a family after all these years.

I have seen many tutorial videos but this is the clearest, most useful and most educational I have seen, I thank you very much for your time.

Koushik, you are the best instructor! I've been postponed jwt auth implementation in our project waiting for your video about it before implementing. Thanks a lot!

I cant Thank You enough for what you have done in my career through your tutorials . You explain everything in simple terms and great enthusiasm. THANK YOU!. Its the best content I have seen in the internet. And some ungrateful idiots will just downvote the videos.

OMG, you're an OG for this. I've been waiting for someone to explain this for over a year!!!

Simply one of the best videos on Spring Security + JWT

i drop out from collage and when i watch tutorials like yours, i feel proud of what i did

Simple and clean explanation. The code just works fine. Thanks a lot @Java Brains. You are my goto person when i want to learn "how things work" not just "how to work". Thank you and Congratulations.

What a nice Diwali gift. So thoughtful of you man!! Happy Diwali y'all!

I haven't used Java in a while. Started a project to refresh Spring's Authenticatoin& Authorization. Then you post this video. Thank you for the great content! =)

19:05 I believe that in SpringBoot @RequestMapping can be replaced with @PostMapping so that we do need neither 'method' attribute nor to annotate the argument with @RequestBody

Great explanation! Clearly explained, no fast talking like others (Telusko) and no (Indian) accent!

Any tutorial with angular and spring boot

Holy heck that is a lot of work, but I suppose that's just what it takes to secure an application. I'm a junior developer with zero experience in security and authentication/authorization but this video is a great start to implement what seems to be some basic security measures. Thank you for posting!

Just before watching I clicked like button

Great tutorial Kaushik.. Perfect. Viewers, If you have basic knowledge of spring security, you will fully understand it.

Thank you so much! What about a JWT + OAUTH2 tutorial?

At first I watched this video and I hated it. After seeing the others, the video about concepts, JPA and etc... now it makes total sense to me. My advice to others is that you watch all the other related videos.

That was clear, understandable, and easy to follow. Thank you very much.

very nicely explained JWT and spring security which is not easy to understand by reading. Hats off to Kaushik for preparing such a great video

First time watched complete jwt configuration. Thanks. Make some videos on Spring batch

Thanks a lot sir, you benefit millions, even though there are only 4.7K views for this video, each one of them would have adopted this topic to write code for so many customers!!

Another amazing class from this channel! But I got deeply concerned about the future of Java going this way. I've just learned to do the same via Python, and it was far more simple.

Excellent video. Im working on LDAP integration along with JWT. This is the best tutorial that got my thing working. Thanks

Any Spring + React tutorial? Love your videos man. Extremely helpful!

Java brains simply rocks - thanks Koushik for this video. Been following Java brains for almost 5 years now and the way you explain is outstanding compared to most tutorials out there !!

In HelloResource controller , you have changed the controller type from Spring streotype controller to RestController all of a sudden, Which could leads to confusion for beginners, Since @Controller will try to return a view which doesn't exist, and you haven't used @ResponseBody along with Controller to support a simple text as response. Maintain same coding across the video, if you have made correction point it out.

This tutorial is the best I have come across on the internet on spring security. You did a fantastic explanation. Thanks man!

Please OAuth2 next. I love your teachings

Thanks for this tutorial without wasting a single second make this tutorial understandable.

It's really impressive. Could you please do videos on OAuth2 + JWT. So that it will be complete tutorial on security. Waiting for new videos on OAuth2 at least 3 videos.

Great fan of yours, when I get some work on technology which is new to me . I simply first check the tutorials on Java Brains .Thanks for your effort sir.

Thank you.. waited for last few weeks.

Compa no le entendí nada porque no se inglés, pero déjeme decirle que su video fue el mejor de todos, fue exactamente lo que necesitaba y gracias a usted pude terminar la aplicación que me encargaron. Felicidades por esos videos.

Thank you very much for your awersome videos, but I have something to say In previus videos you said JWT token is used so we do not need database to validate them, incase of microservices..etc also in JWT Filter in this step I think loading the user details from database is not neccesery.. UserDetails userDetails = authService.loadUserByUsername(email); if (jwtUtil.validateToken(jwt, userDetails)) { We can validate the JWT using the signature only, and thats enough right? also we can add other user details to the claims and retrive them, in case I do not want to use DB to validate JWT but I want more details about the user. Please correct me If I'm wrong Thank you

Perfect explanation like all previous videos in this topic. Appreciate a lot!

Hi Java Brain, 1)In real time project what kind of signature algorithm would be used. 2)In real time project generally how much time they will set for token expiry? 3)So all these JWT configuration and setting are likely one time activity? Also I would like receive reply on this from any helpers who is working in real time projects.

Very very very thank you, i'm trying do this for 2 days and now work. Now i will study about jwt methods on java because i'm coming from Javascript and some choices are different, but thank you man!

peculiar thing I noticed: if you create jwt with just the userName, it will introduce a vulnerability. When a single account has been logged into from two clients, if one of them changes his password, the other client's jwt will still be valid until he logs out. To invalidate the other client's jwt right away, create the jwt with both the userName and password, like: userName_password.

Thank you , the world needs more awesome people like you.

Please, for those who watch this, you must make sure to not hard code any sensitive information (like passwords, or private key) in your code. This is a very dangerous practice and a vulnerabilitym even more if you use Git and commit code (even if you erase hard coded infos, it is always possible to go back and find it with Git). The use of environment variables is one of the solution to solve the problem.

One of the best SPRING+JWT material on internet..

Hi) What about refresh token? Why no body explain this topic?

Your teaching style is outstanding sir ...Amazing. Thanks a lot.

Thanks for the video! Just FYI: Your LDAP Spring Security video is missing from your Spring Security Basics playlist. ;)

Thanks man ! Really good content here. I've been reading comments below and maybe there are important info missing, but trust me this is gold. So many videos out there which don't get to the point, are sooooo long, let you with not working code, or are just baits for going purshase a full tutorial on private websites... This topic is pretty hard (at least for me) and this short video leads you to a basic working jwt springboot app ! I Guess there is more to do for a professional app, but this is a good start. I definitely will go through you channel to see if there is more about it !

just wanted to say Thank you :) Great job! But, it's not clear about where SecurityContext appeared from at the end in the filter :)

Thank you, thank yo, thank you.... I wished I had a teacher like you for all my technical courses... You are so awesome in explaining the concepts and following up with an example....

Really nice video, I am just confused about something; what's the point of implementing the JWT since Spring Security already handles the authorization mechanism? Anybody have an idea here?

Thank you. It was a little hassle since a couple of libraries are updated. But anyway, I managed to make it work. Thanks to you! It brings joy to complete tasks.

Hello, thanks for such a wonderful tutorial! Facing an doubt though. When I'm trying to generate a JWT token by POST request to /authenticate, keeping the password correct and fiddling with the username, I'm still able to generate a JWT token. It's not authenticating in the correct manner against the user in MyUserDetailsService. Any idea where it might be wrong?

Best explanation. Shortest code. Great! Thanks a lot!

Awesome, this tutorial was super helpful, could you please create a new one with JWT + LDAP? I've been trying to find good resources about that combination but there isn't anything with the quality your videos have. Thanks!

Once again thanks Kaushik for yet another AWESOME video.

Hello ! Good video. Can you show some code in the next videos for refresh access token flow and returning status code 401 if token is expired (i need it for an android client with retrofit authenticator) Thank you.

Kaushik, Is always gem and proved that he is the best one to help both freshers and experienced ppl to understand the concepts. Your videos saves more time and easy to remember , you are a nice person GOD bless you

Nice work ... but, ew. I would have expected Spring Boot's implementation to be a whole lot cleaner than that

I'm struggling with this authentication about 2 weeks and this video is really helpful thanks a lot

WoooW. Man, I neve understand Spring Security Framework, but with your explanation I finally got it!. I'm really thanked with you! :D.

It's a very good sample for the beginner. It's not too much but can show a brief description of the way Spring Security and JWT work with each other. Viewers need to watch slowly and take note of important points: - Security configuration - Adding and registry new filter among Spring Security filters that are provided by Spring Security - SessionCreationPolicy - Implementing UserDetailsService service - SecurityContextHolder, this manages authentication object that operates throughout security validation process

Thanks sir, It's really very worth to watch complete video. Thanks for helping us over the years & years. Please keep posting such an outstanding videos for us.

Hello Java Brains, Nice Tutorial, I already implemented one real application with spring security and jwt but with this video I finally understand the background of it.

Perfect video on JWT token with spring security 👍👍👍👍👍👍

You rock. Thanks a ton for making these videos available. Honestly the instruction is better than some of the Udemy courses that I've purchased in the past.

you are a gift from god, you make spring security soooo pretty, thank you 🙏

There is only one case that should be handled which is if someone misplayed with token and send it to the server, the server reports an exception. So only wrap doFilterInternal body with "try-catch" statement and continue the filter chain in catch clause. Thanks for this tutorial, amazing!

First of all excellent explanation by Koushik but to those who didn't understand the concept of extractClaim() method extractCliam() methods takes a functional interface function as an argument which is of type (Represents a function that accepts one argument and produces a result.) so from the extractUsername() method we are calling the extractClaim(token, Claims::getSubject()); // done using tthe mehtod reference(Done as in calling the static methods) as the second argument can be wriiten as (Claims)-> Calims.getusername() as we are saying the claimsResolver that it goona recieves an object of type Claims and from that object it needs to get the string which is Claims.getUsername() same is done using extractExpiration()

For some videos YT must introduce a Love button. This video would get the most 'Love' when that happens.

I really thank you ! previously I have no idea about Spring Security now, I got what I need. I will advance it from now

Best Spring Security teacher ever!!!!!

It was very helpful to understand the authentication/filters part in spring boot. Thank you so much for sharing this! 👍

This is awosome ..... clear explanation and demonstration Thank you so much

Masha Allah nice voice and awesome gift in explaining stuff in simple words. Thanks a lot

Finished the Tutorial! Great job man

Great koushik. Really great. Awesome teaching. Thx From deepest of my heart.

Thank you so much!!! It is a great tutorial for the one who want to understand how jwt works with Spring Security.

Awesome explanation of SpringBoot security, Thank you sir 🙇

When disliking such video, please explain why. Coz I don't see a point in disliking such video. Thanks Kaushik for these. Appreciate it.!

Whaooo. This is very helpful. Thank you Sir !! Very well explained !

Thanks Kaushik ! Thanks a lot for making jwt simple for us .Happy Deepawali :)

You are a great tutor. Thank you so much for the nice content!!

Great tutorial, simple, in details, I really love your way of explanation and without any error. Thank you so much

What a great tutorial, easy to follow but, what is more important, really clear, and clarifying. It would be great to see an example with at least 1 role, but anyway it was really helpful. Thanks!

You made my life easy with this explanation.

Just exactly what I was waiting for, thanks for sharing.

Great video as always. Looking forward to OAuth. Your efforts are highly appreciated,

best Java teacher EVER !!!!!!

Finally one that's very clear. Thank you.