Important note: In the video, I provide the JWT secret as a constant variable in the Java class. As you might imagine, please don't do that in a real application! It's not a good idea to check in passwords / secret keys in your code. You should get that from a setting / property file that's in a more secure location and not in your source code repository. (Thanks to Olivier for pointing this out in the comments)
@sohel_naikawadi4 жыл бұрын
Thanks for the tutorial. You have some unnecessary lines in your code. in Jwtrequestfilter.class--->if "&& SecurityContextHolder.getContext().getAuthentication() == null" is useless as well as "usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));" has no use as we are not using session.
@abhishaysrivastava65184 жыл бұрын
AuthenticationManager bean already defined in config class. But still getting error
@satyajitm934 жыл бұрын
If spring security itself can do authorisation, then what JWT is doing ? Is JWT used to make application more secure ?
@satyajitm934 жыл бұрын
Priyak Dey Thank you so much .
@fazilkhan40854 жыл бұрын
Why are you requesting using header Authorization Bearer... As you are using shared secret key, should u use Authorization Basic
@igorzuber16044 жыл бұрын
The tutorial covers Spring Boot security pretty nicely, but I think there are some aspects to be pointed out here: - Some people wonder where the token itself is validated. This was not mentioned in the tutorial, but actually the *extractAllClaims* method is responsible for the validation. It throws exception while parsing claims if token signature is invalid (secret key mismatch) or token is expired. Thus *validate* method in JwtUtils has redundant check of expiration time. - The great advantage of JWT is that it is stateless, that means id doesn't have to be validated against queried data. This tutorial validates if data of user with provided userId matches the data of the same user fetched from somewhere else (usually from a database). This validation is redundant, since token has already been validated and we are ensured that provided userId is correct. There may be a need of fetching user while validating JWT token, but there is not in this scenario. - To sum up - *validate* method in JwtUtils can be securely removed
@tianyuli30154 жыл бұрын
omg thank you so much, sir. I have been scratching my hair off after watching the tutorial. I felt that the extract method already validate the signature, and that validateToken method will basically always return true, because the userDetail was fetched by the very same username extracted from the token, which means either no userDetail can be fetched or the username has to equal.
@amitsharma93774 жыл бұрын
One more thing is that the validation filter is always fetching the user details from database, which is not needed since that is the purpose of JWT payload. As of now there is a DB call to get user information for each incoming request which defeats the purpose of JWT tokens.
@harshaanirudh57873 жыл бұрын
Validation of jwt is required as jwt payload can be changed ,such as changing expiration and sending it. As it is simple base64 encoded . If any tampering of jwt occurs it will be verified with the signature. So the validation is required
@igorzuber16043 жыл бұрын
@@harshaanirudh5787 It is required, but extractAllClaims method already does that. So if payload is tampered, the signature won't match and extractAllClaims will throw expection.
@harshaanirudh57873 жыл бұрын
@@igorzuber1604 yeah, just realised it. Thank you. And if you are aware about refresh token implementation , could you please suggest any?
@Bluesmile842 жыл бұрын
I really want to meet and look at those people in their eyes who actually dislike this and other videos in this playlist. It is a real work that it teaches you for free and with a quality material. If you cannot like a video, the least you should do is to not dislike. It is basically you who might be missing the pre-requisites to understand the material used in these videos but nothing wrong with this quality playlist. I have learned a lot of stuff from these awesome examples. Excellent show Koushik (y)
@vikingofengland2 жыл бұрын
Totally agree, but that is the internet for you!
@harrywright7992 жыл бұрын
Much love and respect
@yousufbaig8212 жыл бұрын
Very well said !!
@akankshasinha33522 жыл бұрын
Till the addition of the jwt filter everything is fine and the JWT is also getting generated but after injecting the jwt filter in the securityconfigurer class I’m getting the exception “JWT string can’t be empty” . Unable to resolve this even after googling. If anyone can help then please .
@dineshchandgr4 жыл бұрын
An Amazing video with 40 minutes of content. Best thing is how Koushik keeps the tempo throughout and keeps motivating. He holds on to the audience and such an amazing teacher and a humble human being. God bless
@ManishChoudhary-nr2tf4 жыл бұрын
Who says Spring Security is complex to understand, we have such a great instructor like you Thank you so much
@haodeng96394 жыл бұрын
With a good tutor, I feel like Spring security is Hello world level framework.
@valkon_4 жыл бұрын
If I get married , I will invite you because I feel you like a family after all these years.
@_robyn_4 жыл бұрын
*When
@valkon_4 жыл бұрын
@@_robyn_ Yeah..I am not sure about that
@_robyn_4 жыл бұрын
@@valkon_ 😂😂 feels for u bro
@codingworld67624 жыл бұрын
you got married??
@jespercavaglialarsson25574 жыл бұрын
are you married bro??
@safiullahzuri76852 жыл бұрын
the world needs more teachers like you. thank you!
@AlmightyGauss4 жыл бұрын
My man, you're like the Saint Nick of Java! Thank you so much for sharing such great content
@SaratchandraKasivajjala4 жыл бұрын
Note the changes in the HelloResource class at 8:10 . 1) "RestController" instead of "Controller" and 2) Remove the flowery braces from the "RequestMapping"
@mahdyberriri57424 жыл бұрын
That's just Spring MVC stuff and has nothing to do with Spring Security. People coming here are mostly familiar with Spring MVC so that shouldn't be a big of a deal.
@SaratchandraKasivajjala4 жыл бұрын
@@mahdyberriri5742 I was helping out people who might be copying the code word for word.
@mahdyberriri57424 жыл бұрын
@@SaratchandraKasivajjala ah understood! that's kind of you man.
@winsongoh83004 жыл бұрын
Thanks! Help solved my problem where cannot access the /hello path
@sajiths86784 жыл бұрын
Thanks.. This resolves 'resource not found' error..
@robertinnoelson63784 жыл бұрын
I love that guy saying that if he gets married, he will invite you. I've realised that you have helped millions, if not billions of devs out there! Keep going big bro
@hyperborean723 жыл бұрын
Millions? Billions? you evidently like large numbers
@liammullan21973 жыл бұрын
Your style and delivery is excellent, you are making a lot of java devs' lives better!
@alejandrogandara334 жыл бұрын
I have seen many tutorial videos but this is the clearest, most useful and most educational I have seen, I thank you very much for your time.
@samir105yt4 жыл бұрын
Koushik, you are the best instructor! I've been postponed jwt auth implementation in our project waiting for your video about it before implementing. Thanks a lot!
@hyperborean723 жыл бұрын
19:05 I believe that in SpringBoot @RequestMapping can be replaced with @PostMapping so that we do need neither 'method' attribute nor to annotate the argument with @RequestBody
@tejeswarpala2841 Жыл бұрын
this video is about spring security and JWT authorization.
@Abhi_k0074 жыл бұрын
In HelloResource controller , you have changed the controller type from Spring streotype controller to RestController all of a sudden, Which could leads to confusion for beginners, Since @Controller will try to return a view which doesn't exist, and you haven't used @ResponseBody along with Controller to support a simple text as response. Maintain same coding across the video, if you have made correction point it out.
@Veronica-vq5iz3 жыл бұрын
Omg Kaushik.. you are a saviour.. I have followed your microservices series when I was asked to make a poc on that.. where I learnt a lot of new concepts from you. And now again I am asked to make a poc on Jwt and again you have made it so simple to understand and implement as well. Thank you so much. You are a trusted resource for me.
@cochi22214 жыл бұрын
Thank you so much! What about a JWT + OAUTH2 tutorial?
@williamardianto9434 жыл бұрын
JWT + OAUTH2 tutorial Please........
@Niceguy544444 жыл бұрын
You need new instance for oauth
@Limitx14 жыл бұрын
www.baeldung.com/spring-security-oauth-jwt
@georgekibira32313 жыл бұрын
I cant Thank You enough for what you have done in my career through your tutorials . You explain everything in simple terms and great enthusiasm. THANK YOU!. Its the best content I have seen in the internet. And some ungrateful idiots will just downvote the videos.
@isaacbarron57384 жыл бұрын
OMG, you're an OG for this. I've been waiting for someone to explain this for over a year!!!
@pabloleyes55742 жыл бұрын
I tried to learn SpringSecurity for at least five months, and finally I gave up and used JWT manually for my personal application. But you expained it perfectly and now I can implement both techs! Thank you, very much!
@ymfeijo4 жыл бұрын
Another amazing class from this channel! But I got deeply concerned about the future of Java going this way. I've just learned to do the same via Python, and it was far more simple.
@mahdyberriri57424 жыл бұрын
Java is still far more robust and faster than Python in general; and specifically for server-side web development, Java shines bright (especially with Spring). Python simplicity comes with the cost of bad performance unfortunately.
@anthonytumwesigye86522 жыл бұрын
You are definately right about that....java for hard boiled devs.
@akankshasinha33522 жыл бұрын
Till the addition of the jwt filter everything is fine and the JWT is also getting generated but after injecting the jwt filter in the securityconfigurer class I’m getting the exception “JWT string can’t be empty” . Unable to resolve this even after googling. If anyone can help then please .
@choudharysahabmusic35133 жыл бұрын
If I generate new token by sending request to "/authencticate" end point. Then still if I ssend request to "/hello" with old token it is validated and working fine. Why can you explain?
@shashanksharma154 жыл бұрын
Any tutorial with angular and spring boot
@thienquangphan71954 жыл бұрын
It's a very good sample for the beginner. It's not too much but can show a brief description of the way Spring Security and JWT work with each other. Viewers need to watch slowly and take note of important points: - Security configuration - Adding and registry new filter among Spring Security filters that are provided by Spring Security - SessionCreationPolicy - Implementing UserDetailsService service - SecurityContextHolder, this manages authentication object that operates throughout security validation process
@smaug98333 жыл бұрын
peculiar thing I noticed: if you create jwt with just the userName, it will introduce a vulnerability. When a single account has been logged into from two clients, if one of them changes his password, the other client's jwt will still be valid until he logs out. To invalidate the other client's jwt right away, create the jwt with both the userName and password, like: userName_password.
@adarshverma33723 жыл бұрын
First of all excellent explanation by Koushik but to those who didn't understand the concept of extractClaim() method extractCliam() methods takes a functional interface function as an argument which is of type (Represents a function that accepts one argument and produces a result.) so from the extractUsername() method we are calling the extractClaim(token, Claims::getSubject()); // done using tthe mehtod reference(Done as in calling the static methods) as the second argument can be wriiten as (Claims)-> Calims.getusername() as we are saying the claimsResolver that it goona recieves an object of type Claims and from that object it needs to get the string which is Claims.getUsername() same is done using extractExpiration()
@mohamedhakkeem54144 жыл бұрын
Hi Java Brain, 1)In real time project what kind of signature algorithm would be used. 2)In real time project generally how much time they will set for token expiry? 3)So all these JWT configuration and setting are likely one time activity? Also I would like receive reply on this from any helpers who is working in real time projects.
@KABABOS14 жыл бұрын
I haven't used Java in a while. Started a project to refresh Spring's Authenticatoin& Authorization. Then you post this video. Thank you for the great content! =)
@shashikanthc64004 жыл бұрын
What a nice Diwali gift. So thoughtful of you man!! Happy Diwali y'all!
@MarimuthuP3 жыл бұрын
Simple and clean explanation. The code just works fine. Thanks a lot @Java Brains. You are my goto person when i want to learn "how things work" not just "how to work". Thank you and Congratulations.
@wardg49164 жыл бұрын
Thank you very much for your awersome videos, but I have something to say In previus videos you said JWT token is used so we do not need database to validate them, incase of microservices..etc also in JWT Filter in this step I think loading the user details from database is not neccesery.. UserDetails userDetails = authService.loadUserByUsername(email); if (jwtUtil.validateToken(jwt, userDetails)) { We can validate the JWT using the signature only, and thats enough right? also we can add other user details to the claims and retrive them, in case I do not want to use DB to validate JWT but I want more details about the user. Please correct me If I'm wrong Thank you
@win.ngo.554 жыл бұрын
Yes, whenever "Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);" is called, the token is validated internally (you can see some exceptions are declared in the method signature). So I think this is enough to validate a token: public boolean validateToken(String token) { try { Jwts.parser().setSigningKey(secretKey).parseClaimsJws(token); return true; } catch (JwtException | IllegalArgumentException e) { // handle } } Moreover, UNLESS you want every request to have newest/realtime data from the DB (e.g: role change, active/inactive...), you can build the Authentication object based on the token itself and pass it to SecurityContextHolder.getContext().setAuthentication() so that you can avoid querying to DB (i.e calling loadUserByUsername()). Reference: stackoverflow.com/questions/50572339/jwt-authentication-without-fetching-user-details-on-each-request
@kilexdesh50513 жыл бұрын
This tutorial is the best I have come across on the internet on spring security. You did a fantastic explanation. Thanks man!
@SouravendraKrishnaDeb4 жыл бұрын
Any Spring + React tutorial? Love your videos man. Extremely helpful!
@balajivaradharajan55733 жыл бұрын
Thank you, thank yo, thank you.... I wished I had a teacher like you for all my technical courses... You are so awesome in explaining the concepts and following up with an example....
@shamseertkgmailcom4 жыл бұрын
Thanks for your video, I just have a question. Sorry if I am missing something. But I couldn't get it from this video. In "authenticate" REST API, What would be the issue if I dont use AuthenticationManager's authenticate method? (I mean I dont need authenticationManager completely there) . I can just verify the username and password with DB and return jwt even without it. Since it is just authenticate, we dont need context as well. Can anyone please explain?
@joejones57463 жыл бұрын
Java brains simply rocks - thanks Koushik for this video. Been following Java brains for almost 5 years now and the way you explain is outstanding compared to most tutorials out there !!
@SurendraBabuK4 жыл бұрын
It's really impressive. Could you please do videos on OAuth2 + JWT. So that it will be complete tutorial on security. Waiting for new videos on OAuth2 at least 3 videos.
@martinezjosei4 жыл бұрын
Great explanation! Clearly explained, no fast talking like others (Telusko) and no (Indian) accent!
@zahidsayil90664 жыл бұрын
First time watched complete jwt configuration. Thanks. Make some videos on Spring batch
@chee_tash3 жыл бұрын
Can you use or should you us JWT with LDAP? I know Spring supports both but I am not sure if these two methods can be used interchangeably or if they should both be used or one over the other?
@bluesky_103 жыл бұрын
i drop out from collage and when i watch tutorials like yours, i feel proud of what i did
@abdulrahmanhashem62604 жыл бұрын
There is only one case that should be handled which is if someone misplayed with token and send it to the server, the server reports an exception. So only wrap doFilterInternal body with "try-catch" statement and continue the filter chain in catch clause. Thanks for this tutorial, amazing!
@omarbadr6214 жыл бұрын
That was clear, understandable, and easy to follow. Thank you very much.
@giteshgreat3 жыл бұрын
Excellent video. Im working on LDAP integration along with JWT. This is the best tutorial that got my thing working. Thanks
@aminembh60944 жыл бұрын
Really nice video, I am just confused about something; what's the point of implementing the JWT since Spring Security already handles the authorization mechanism? Anybody have an idea here?
@aminembh60944 жыл бұрын
Now I get it! it's a matter of stateless vs stateful mechanisms ;) It does make sense! Thanks for the explanations and for your time Sir!
@AwaraGhumakkad2 жыл бұрын
Thanks for a wonderul video. 34:38 I have a question - We are checking "SecurityContextHolder.getContext().getAuthentication() == null" but if we set for one user, and next request comes from another user how do we validate above statement? because it doesn't seem to be based on user?
@OLApplin4 жыл бұрын
Please, for those who watch this, you must make sure to not hard code any sensitive information (like passwords, or private key) in your code. This is a very dangerous practice and a vulnerabilitym even more if you use Git and commit code (even if you erase hard coded infos, it is always possible to go back and find it with Git). The use of environment variables is one of the solution to solve the problem.
@Java.Brains4 жыл бұрын
Thanks for the comment. I realize this might mislead someone who doesn't know. I'll add a pinned comment
@OLApplin4 жыл бұрын
@@Java.Brains Hi ! I forgot to mention "Great video as usual" in my previous comment ;) . Yeah, It's pretty obvious for someone who has a little bit of professional experience that it is not a good practice, but as this video is a tutorial, and is somewhat intended for a less experienced audience (I suppose) , I thought the security warning was important to make.
@alvaroenriquerinconesalfar41023 жыл бұрын
Compa no le entendí nada porque no se inglés, pero déjeme decirle que su video fue el mejor de todos, fue exactamente lo que necesitaba y gracias a usted pude terminar la aplicación que me encargaron. Felicidades por esos videos.
@tobioye884 жыл бұрын
Please OAuth2 next. I love your teachings
@alokmaheshwari87553 жыл бұрын
very nicely explained JWT and spring security which is not easy to understand by reading. Hats off to Kaushik for preparing such a great video
@utkarshgupta80614 жыл бұрын
Hello, thanks for such a wonderful tutorial! Facing an doubt though. When I'm trying to generate a JWT token by POST request to /authenticate, keeping the password correct and fiddling with the username, I'm still able to generate a JWT token. It's not authenticating in the correct manner against the user in MyUserDetailsService. Any idea where it might be wrong?
@Java.Brains4 жыл бұрын
Try setting a breakpoint in your API method and see if you have incorrect logic. It's hard to tell without looking at the code
@rikijha6384 жыл бұрын
@@Java.Brains It's happening in your code too that is uploaded on git maybe the cause is you have created a static user which get created irrespective of username provided in loadUserByUsername(String username). It should be something like this public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { if(username.equals("foo")) return new User("foo","foo",new ArrayList()); return null; }
@himanshitaneja12544 жыл бұрын
I am also having the same issue. Could you please help me
@quickbitesitsme4 жыл бұрын
@@rikijha638 or for better clarity, let us have a map 1) foouser -> foouser'spassword 2) baruser -> baruser'spassword and get the password from the map for the username and return an "User" object.
@hamzabouzidi4703 жыл бұрын
thank you sir i have a question can I use basic auth and jwt auth in the same project ? i mean filter the requests
@Constantine..4 жыл бұрын
Hi) What about refresh token? Why no body explain this topic?
@robertinnoelson63784 жыл бұрын
Isn't that more easier than anything in this world now? ;)
@lowtech14794 жыл бұрын
The refresh token is the same. You have to create a new endpoint with GET method to handle that task. But we need to validate the current token, before process the refreshing request. And the most important thing to be noticed in case of when user changes his/her password before the refreshing request is sent to server.
@GurpreetSingh-mb1ft2 жыл бұрын
Great fan of yours, when I get some work on technology which is new to me . I simply first check the tutorials on Java Brains .Thanks for your effort sir.
@dvt324 жыл бұрын
Thanks for the video! Just FYI: Your LDAP Spring Security video is missing from your Spring Security Basics playlist. ;)
@Java.Brains4 жыл бұрын
Thanks for the call out. Added.
@4medonly6882 ай бұрын
Perfect explanation like all previous videos in this topic. Appreciate a lot!
@AdrianVrabie4 жыл бұрын
just wanted to say Thank you :) Great job! But, it's not clear about where SecurityContext appeared from at the end in the filter :)
@AkashMulik74 жыл бұрын
Great tutorial Kaushik.. Perfect. Viewers, If you have basic knowledge of spring security, you will fully understand it.
@baidyanathpanda19644 жыл бұрын
Just before watching I clicked like button
@sreesri84924 жыл бұрын
Me too
@NikhilLimaye104 жыл бұрын
I'm waiting for it too!
@alanhunt37724 жыл бұрын
Holy heck that is a lot of work, but I suppose that's just what it takes to secure an application. I'm a junior developer with zero experience in security and authentication/authorization but this video is a great start to implement what seems to be some basic security measures. Thank you for posting!
@nicoapinedo4 жыл бұрын
Awesome, this tutorial was super helpful, could you please create a new one with JWT + LDAP? I've been trying to find good resources about that combination but there isn't anything with the quality your videos have. Thanks!
@rajeshhazari2 жыл бұрын
Aren't JWT and LDAP will be sperate realm/filter in spring security? Was looking into this , and also will have basic auth as default.
@catchsaurabhonline Жыл бұрын
Simply one of the best videos on Spring Security + JWT
@d34l_breaker4 жыл бұрын
Hello ! Good video. Can you show some code in the next videos for refresh access token flow and returning status code 401 if token is expired (i need it for an android client with retrofit authenticator) Thank you.
@daniel201178124 жыл бұрын
when I implement the "/authenticate") endpoint I don't have any error on the application, but I'm receiving an This application has no explicit mapping for /error, so you are seeing this as a fallback. There was an unexpected error (type=Forbidden, status=403). any idea?
@stephyjacob12564 жыл бұрын
Thank you.. waited for last few weeks.
@liferayasif93824 жыл бұрын
Great tutorial, simple, in details, I really love your way of explanation and without any error. Thank you so much
@Shl0kk4 жыл бұрын
Nice work ... but, ew. I would have expected Spring Boot's implementation to be a whole lot cleaner than that
@UdayKumar-xq1ve3 жыл бұрын
Boot implementation is 1000 times cleaner and clearer than normal JWT with Spring Framework
@BudMan824 жыл бұрын
You rock. Thanks a ton for making these videos available. Honestly the instruction is better than some of the Udemy courses that I've purchased in the past.
@akankshasinha33522 жыл бұрын
Till the addition of the jwt filter everything is fine and the JWT is also getting generated but after injecting the jwt filter in the securityconfigurer class I’m getting the exception “JWT string can’t be empty” . Unable to resolve this even after googling. If anyone can help then please .
@go_better2 жыл бұрын
Thank you. It was a little hassle since a couple of libraries are updated. But anyway, I managed to make it work. Thanks to you! It brings joy to complete tasks.
@sagar16894 жыл бұрын
Nice explanation on jwt tokens. Thanks koushik. One question here if I'm using angularjs and spring mvc does the jwt token once created while authenticating need to be passed in every API manually or does angularjs takes care of it passing it in each request header?
@Richard-sp4pl4 жыл бұрын
Just a heads up, if you put chain.doFilter inside the IF() like I did (by accident) the filters will not chain and you'll be left with blank pages because the filter only chains IF(you have JWT). Took me ages to figure out, facepalm**.
@anshulagrawal133 жыл бұрын
Thank you :)
@HarishKumar-vz4if4 жыл бұрын
Thanks sir, It's really very worth to watch complete video. Thanks for helping us over the years & years. Please keep posting such an outstanding videos for us.
@balanepalaiyathane97144 жыл бұрын
Kaushik, Is always gem and proved that he is the best one to help both freshers and experienced ppl to understand the concepts. Your videos saves more time and easy to remember , you are a nice person GOD bless you
@sunillearning55554 жыл бұрын
Thanks Kaushik for the excellent explanations!. I had one question. In this JwtRequestFilter doFilterInternal method, we are using the userDetails object fetched from the UserDetailsService and passing that information to the UsernamePasswordAuthenticationToken object. So basically, whatever information was present in the token is of no importance since we are using only the userDetails that the server is pulling from the database. All that we are using from the token is only the name to validate the token. Shouldn't we use the claims/authorities present in token to validate for authorizations? Please let me know if I am missing something. Thank you.
@francisojunior26714 жыл бұрын
At first I watched this video and I hated it. After seeing the others, the video about concepts, JPA and etc... now it makes total sense to me. My advice to others is that you watch all the other related videos.
@rudrakshya12 жыл бұрын
I am not getting any json response when it return 403 in postman. What I am missing here?
@dhirajparakh87424 жыл бұрын
Thanks for this tutorial without wasting a single second make this tutorial understandable.
@shaunchennai4 жыл бұрын
When disliking such video, please explain why. Coz I don't see a point in disliking such video. Thanks Kaushik for these. Appreciate it.!
@PhucTran-hx6dk4 жыл бұрын
i think you should show a sequence diagram in this video, It will be easier to understand for newbies
@deepaknarayanan70452 жыл бұрын
@Java Brains video time 36:15 - Getting this error "The method addFilterBefore(Filter, Class
@danielgalvis85684 жыл бұрын
What a great tutorial, easy to follow but, what is more important, really clear, and clarifying. It would be great to see an example with at least 1 role, but anyway it was really helpful. Thanks!
@tortue341702 жыл бұрын
Thanks man ! Really good content here. I've been reading comments below and maybe there are important info missing, but trust me this is gold. So many videos out there which don't get to the point, are sooooo long, let you with not working code, or are just baits for going purshase a full tutorial on private websites... This topic is pretty hard (at least for me) and this short video leads you to a basic working jwt springboot app ! I Guess there is more to do for a professional app, but this is a good start. I definitely will go through you channel to see if there is more about it !
@maxfeldman66544 жыл бұрын
Thank you , the world needs more awesome people like you.
@venkatkrishnan183 жыл бұрын
Hi Koushik, I have a doubt we are calling loadByUserName in the Filter, so all the subsequent requests will call the database to get the UserDetails and authenticate?
@VLADICA94KG4 жыл бұрын
Hi JavaBrains, thanks for such a great content. I was wondering if it's needed to perform one additional call to fetch userdetails in authenticate method (line 44) or it will be already populated in SecurityContext by authenticationManager? We could skip to call DB twice and pull user information directly from SecurityContext. Am I wrong? Thanks!!!
@indranilgoswami15003 жыл бұрын
Your teaching style is outstanding sir ...Amazing. Thanks a lot.
@thiagofelippi59694 жыл бұрын
Very very very thank you, i'm trying do this for 2 days and now work. Now i will study about jwt methods on java because i'm coming from Javascript and some choices are different, but thank you man!
@philipalexakis11904 жыл бұрын
I've got a question, i would like to handle Spring Roles as well as JWT, i can not add form the controller a request header, in order for the principal to be revealed. Can i split authentication like so: REST controller -> JWT , VIEW controller -> Spring Roles ?
@diego_sabbagh4 жыл бұрын
Thanks for the tutorial dude! One thing, though. Your jwt validation actually only checks username and expiration... if I tamper the token it will still get validated, right? I thought you needed to generate a new token with the payload extracted from the input jwt, and then compare the two jwt. This will assure you nobody touched the token. What am I missing?
@alihatami33034 жыл бұрын
have a question : how could we customize response to client in filters ? like a customized Access Denied 403 with message : "Invalid Token" ?
@gopinatha42024 жыл бұрын
Hi Kaushik, Permitted authorised URL which we are mentioned in http configure method (extend WebSecurityConfigAdapter class), is not skipping in the OncePerRequesrFilter -JWT verifier implementation ?
@rajaramsavant43842 жыл бұрын
It was very helpful to understand the authentication/filters part in spring boot. Thank you so much for sharing this! 👍
@tarangthakkar7762 Жыл бұрын
Great topics and well presented. However, I am visually impaired and when you bring up your IDE or any screen in a mode that is not pure black or white in background, I can't see the screen in high contrast mode. Would appreciate it if you set your background/foreground to pure black/white.
@weraponpat19134 жыл бұрын
I'm struggling with this authentication about 2 weeks and this video is really helpful thanks a lot
@mdk19834 жыл бұрын
Thanks a lot sir, you benefit millions, even though there are only 4.7K views for this video, each one of them would have adopted this topic to write code for so many customers!!
@prasunprabhakar7082 Жыл бұрын
Kaushik, your tutorials are well structured and explains the concept very clearly. Thank you and appreciate your effort. With Spring 3.0.x Spring security has changed with many methods getting deprecated. I request you to kindly explain the correct way to do LDAP authentication and return JWT using spring security 3.0 Thank you.
@mjpannu52104 жыл бұрын
How to use a custom form page for login and pass credentials to SecurityConfigurer class ?
@sharathkumarIndian4 жыл бұрын
Thank you so much!!! It is a great tutorial for the one who want to understand how jwt works with Spring Security.
@JohnSmith-ur5cy4 жыл бұрын
Great video but had some questions. Why are you disabling csrf? Won’t that making your applications less secure for website forgery?
@ekaterinagalkina73033 жыл бұрын
I'm not sure, but when we set context in JwtRequestFilter shouldn't we create an empty one? Reference says: It is important to create a new SecurityContext instance instead of using SecurityContextHolder.getContext().setAuthentication(authentication) to avoid race conditions across multiple threads. Example: SecurityContext context = SecurityContextHolder.createEmptyContext(); UsernamePasswordAuthenticationToken authentication= new UsernamePasswordAuthenticationToken( userDetails, null, userDetails.getAuthorities()); context.setAuthentication(authentication); SecurityContextHolder.setContext(context);