#32 Spring Security | Custom Configuration

00:00

so till this point we were able to

00:01

configure the application right and we

00:04

are basically able to implement Spring

00:06

Security but then most of the settings

00:09

are default right so we implemented

00:11

Spring Security by saying hey I got the

00:13

dependency this project is secured by

00:15

Spring Security and Spring Security says

00:18

okay since you are using me let me give

00:20

you some default configuration and then

00:22

we have changed something okay so

00:24

basically we went to application

00:25

properties we we set the username

00:27

password we have done some changes but

00:30

then we want to do more we want to

00:32

connect with database we want to uh

00:34

disable let's say I don't want to go go

00:36

for a form login so there are a lot of

00:38

settings which you have to do and then

00:39

we'll do that step by step in this video

00:42

let's see how do we configure that how

00:44

do we create our own settings how do we

00:47

change the way the security filter chain

00:50

works so to do that of course we want to

00:53

change the way it works right by default

00:55

Spring Security provides you a filter

00:57

chain there are lot of filters which

00:59

comes into and then it will check for

01:01

the defaults but now I want to customize

01:03

it I want to have my own filter chain

01:06

and the way you can do that is by

01:08

creating a config class see when you

01:10

talk about spring framework and if you

01:12

want to customize something or when you

01:14

want to have your own configuration you

01:16

create a separate Class A config class

01:19

and then you define beans there which

01:21

will inject the object so now what I

01:23

will do is to achieve that I will create

01:26

a class but then I will create that

01:28

class in a package I will name this your

01:30

package as config and in this package I

01:33

want to have that class which is the

01:36

security config so this is the class we

01:38

have and in this class we have to do

01:41

that first of all I want to say that

01:43

this is a configuration file to Spring

01:46

and to do that you will say

01:47

configuration now your spring knows that

01:50

this is a configuration class and I have

01:51

to search for the configuration here

01:53

next I don't want to go for the default

01:55

Spring Security configuration I want to

01:57

implement it here so to do that you will

01:59

say enable web security Now by doing

02:03

this you are saying hey don't go for the

02:04

default flow go with the flow which I

02:06

mentioned here so by doing this we are

02:08

doing two things first we are saying

02:09

this is the configuration and we are

02:11

saying that go with this configuration

02:14

now what I want to change see by default

02:16

it will work for the security filter

02:17

chain I want to customize it so in order

02:19

to do that what you have to do is you

02:20

have to return a bean for security

02:23

filter chain so let's do that so I will

02:26

create a method which will return you

02:28

the object of

02:30

security filter chain which is coming

02:33

from uh springf framework. security.

02:36

web. security filter chain and then we

02:38

can give any method name here so I will

02:40

say security filter chain and this will

02:42

basically give you the object of

02:43

security chain but how so of course you

02:46

have to return the object of security

02:47

filter chain now who will give you this

02:50

so there is a type called HTTP security

02:54

have to use this let's create reference

02:56

for it called HTTP you can also say HTP

02:58

security but HTTP is a small word so it

03:00

makes sense and I will be using that

03:03

because sttp has a method called build

03:06

so basically the build here Returns the

03:08

object of security filter chain now it

03:11

is giving you some error here is because

03:13

we have to add the exception throw

03:16

exception here a signature now this will

03:18

do so what we are doing is we are saying

03:20

hey Spring Security don't go for the

03:22

default this is a security chain you

03:24

have to go for so this is a filter chain

03:26

follow this and you're good to go now

03:28

since we have not specified find any

03:30

filter here by default no filter is

03:33

applied I will show you so what I will

03:34

do is I will just uh restart this in

03:37

fact you know let's comment the bean tag

03:39

and let's restart then or maybe we have

03:41

to also comment enable security so I've

03:44

commented both enable web security and

03:46

the bean here that means this is still

03:48

not applicable what we are doing and I

03:50

want to check without those things if I

03:53

hit the URL you can see it is still

03:55

enabling the login form so that means

03:57

spring secur is still implemented but if

03:59

I do this and if I UNC commmand this B

04:02

now and if I restart so let's see if

04:05

disables the default configuration so

04:07

let's go back here and instead of

04:09

hitting the login I will hit the URL and

04:11

it's working without login it is working

04:13

so if I refresh it is still there that

04:16

means security is not implemented now we

04:18

are bypassing all the security it's

04:21

something like you're buying a lock and

04:24

you have not closing it properly or

04:26

maybe you're not even locking it so we

04:29

don't want to do that right so let's

04:30

Implement so how do we secure it how do

04:32

we provide that uh layer the first thing

04:34

I want to do is I will Implement

04:36

different security I want to achieve

04:38

that login form I want to maybe uh send

04:40

the request through the post Postman uh

04:43

but the first thing I want to do is I

04:44

want to disable the csrf so let's do

04:46

that so I will go back to http because

04:48

that's the object which using which you

04:50

are creating this build right so we have

04:52

to make some changes in this object of

04:54

HTTP which is the object of HTTP

04:56

security and in this the first thing I

04:58

will do is I will say see

05:00

srf I want to disable this right in the

05:02

initial days it was very simple you can

05:04

simply say uh csrf do disable but it

05:07

will not work now in Spring six uh

05:09

things are bit different now I will show

05:11

you this in two steps one using the

05:14

Lambda syntax and one without it with

05:16

lambra it becomes very easy to read and

05:18

write but then if you want to understand

05:19

what is happening behind the scene we'll

05:20

go for imperative as well so here I'm

05:23

I'm saying hp. csrf and to disable it I

05:26

will use customizer again I'm not

05:28

explaining that now I will do that bit

05:30

after some time so I will say customizer

05:33

do disable so what we doing is we are

05:35

disabling the csrf the next thing I want

05:37

is even if you write this you're still

05:39

you will still not get the login form I

05:41

want it to be authorized so if I don't

05:44

authorize it anyone can go there and

05:46

they can log in so even if I open a new

05:48

incognitive mode here so if I go to

05:51

incognitive mode and if I say local SC

05:53

880 you can still open it so there's no

05:55

login restriction now and to achieve

05:56

that what I will do is I will say http

05:59

do

06:01

authorize HTTP request for every request

06:04

and people who are good with lamb

06:06

expression they know what I'm writing

06:07

but in case if you're not familiar I

06:09

will show you the imperative style so

06:11

request dot any request should be

06:13

authenticated so by doing this what we

06:15

are doing is no one should be able to

06:17

access any page without authentication

06:19

so now after making those changes if I

06:21

restart my uh ID or the application go

06:25

back to the browser Ander refresh and

06:27

now you can see it says access to local

06:29

host was denied that means

06:31

authentication is applied here so now

06:34

that means you have to enter username

06:35

password but then where you will do that

06:37

even if I do that in Postman and let's

06:39

try to fetch the homepage here and if I

06:42

say send you can see it says forbidden

06:44

even if I pass the values you can see

06:46

I'm passing the username password it

06:48

still says forbidden because you are

06:51

sending username password but no way we

06:54

are using it here so how do we do that

06:56

first of all I want to enable the form

06:58

login so yesterday P dot you can use

07:01

something called a form login using

07:04

customizer dot with default so it will

07:07

pick up the default properties and it

07:08

will Implement form login now just by

07:11

saying form login let's see what happens

07:13

so let's go back here and refresh and

07:15

you can see we got a form login now is

07:17

it working let's try so I will say naven

07:19

teliscope and it's working you can see

07:21

if I refresh it works so that means the

07:24

form login is been implemented so

07:26

whatever customization want you want to

07:27

do you can do that in The Code by using

07:29

the this HTP object but what about if I

07:31

try to do that from Postman let's try

07:33

from Postman and if I say send okay we

07:35

got this status okay and we are happy

07:37

about it but look at the response

07:39

response is basically a login form why

07:42

we got login form here it's because we

07:45

are saying form login that's why we got

07:47

it so if you want to do that from the

07:50

postman in that case you have to add one

07:52

more uh thing here which is HTTP do HTTP

07:56

basic you have to implement this or you

07:57

have to enable this for the postman for

07:59

the rest access rest API access so let's

08:03

go back here and see if that Postman is

08:04

working now says send and you got it so

08:08

you can see we got the page cool so we

08:11

have used two things one is form login

08:13

for the browser and one is HTTP basic so

08:16

form login still works now log out will

08:17

not work since we're implementing our

08:19

own it is expecting you to have your own

08:21

login page so log out will not work or

08:23

it will it will sign out directly it

08:24

will not give you login form so now if I

08:27

do naven and the list

08:30

okay wrong

08:32

password so you can see it is working so

08:35

basically uh by doing this we are

08:37

enabling that that feature of course you

08:39

can disable your form login if you want

08:41

uh you can directly use your Postman to

08:43

access it uh next thing I want to do is

08:45

I want to make sure that you don't see

08:48

we are disabling this CSF right now why

08:50

we disabling it is because in one of the

08:52

video we have talked about different

08:55

ways of handling csrf one of them is

08:57

what if you make your HTTP stateless and

09:00

if you do that you don't have to worry

09:02

about the session ID so how do you make

09:04

it stateless is you have to say HTTP do

09:06

session management and you will take the

09:08

session object and you will say session

09:11

dot how do you specify that you want to

09:14

go for stateless or stateful in that

09:16

case you have to use something called a

09:18

session creation policy so there's

09:20

something called session creation policy

09:22

in this you have to say session creation

09:23

policy so you can see we have different

09:25

options we got never if required

09:27

stateless I want to go for stateless

09:30

and job done so by doing it stateless

09:33

what we are doing is see the problem

09:35

with this is you can't login from your

09:37

browser with the login form is because

09:39

for every request you have to pass the

09:41

credentials and when you have a form

09:43

login let me show you what on what I'm

09:45

talking about uh so if I refresh and if

09:48

I say naven and Tesco so it will give

09:52

you login form again because now you are

09:53

accessing a new resource a new resource

09:55

is a new session right new request so

09:57

you have to pass this detail every time

10:00

but with Postman this will work so if I

10:01

go to postman if I say send you can see

10:04

this is working and every time you send

10:06

a request you will get a new session ID

10:08

if you can see the number is changing

10:09

here so that's how you get the new

10:10

session ID right but if you want this to

10:13

work on a browser what you can do is you

10:15

can disable your form login because then

10:17

you have to maintain your own sessions

10:18

and now if I restart let's see what

10:20

happened with the browser enter okay so

10:22

you can see we got a popup not the login

10:24

for a popup and in this popup you can

10:26

say nin Tesco enter and now it will work

10:30

so not with the form login but HTTP

10:32

basic will give you this popup refresh

10:35

and I mean if you say enter you will get

10:37

new S ID every time cool right so that's

10:40

how basically you can uh do this but

10:42

again the problem is how all these

10:44

things are working so what I will do is

10:46

time being I will just comment this

10:49

everything and let's see what is

10:51

happening behind the scene so comment

10:54

why is not a commenting here

10:56

comment am I using a wrong uh I don't

10:59

know shortcut is that maybe they have

11:01

done some changes so now let's

11:03

understand what is happening behind the

11:05

scene see we understand what is this

11:07

object HTTP SEC HTTP object right which

11:09

is HTP security and we also know that

11:11

method object will have some methods

11:13

right so we got csrf and in this we are

11:15

passing this customizer and disabled so

11:17

what is this thing to understand this

11:19

thing let's do that in a imper

11:20

imperative way so I will say HTP Dot and

11:23

I will use this method which is csrf and

11:26

if You observe csrf you can see what it

11:28

takes it takes the object of customizer

11:30

in fact that's a big name can't even

11:32

copy this so yeah we have a big name

11:34

customizer uh in in the I mean the type

11:37

it takes is csrf configure the type and

11:40

again the type is HTTP security I hope I

11:42

will remember this U so I will say

11:45

customizer so that's a part of security

11:48

config package and this will take

11:51

csrf

11:53

configur and uh it was checking

11:55

something I forgot so let me just say

11:57

control space again I don't want to do

12:00

dictate uh HTTP security object so

12:02

inside this it should be HTTP security

12:05

so this is a type you have to work with

12:07

Okay and then let's create the object of

12:08

it because csrf method takes the object

12:12

of customizer of type csrf configure of

12:14

type HTP security and let's give a name

12:17

to it I will say cust or CSF cust cust

12:21

CSF equal to and then you have to say

12:23

new and the object for this now the

12:27

customizer itself is interace you can

12:29

see we have the interface and the method

12:31

name is customize that means if you are

12:33

using this if you want to create the

12:35

object of it we have to create a method

12:38

you have to define the method of it

12:39

using Anonymous in a class okay and in

12:41

this particular method you you using

12:43

this object I will name I will not use

12:45

the name as HTTP configurer uh csrf

12:48

configurer I can use any other name I

12:50

will say customizer I mean you can use

12:53

usern name name right so the name I'm

12:55

using here is customizer and using this

12:58

object I can do whatever I want now so

13:00

using customizer you can you can use

13:02

different methods what we are using it

13:04

for is disable right now this is the way

13:08

you create the object of customizer csrf

13:10

configure HTTP security because this

13:12

object you to pass inside HTTP do csrf

13:16

I'll pass this object and your job is

13:18

done so by doing all these things you

13:21

are disabling your csrf oh let the task

13:23

right now since this is an interface and

13:25

this is a functional interface if I show

13:28

you configure this is a function

13:29

interface which means you can use lambra

13:32

here and people who are familiar with

13:33

lambra they know how to create lambra

13:35

it's very simple you create uh you

13:37

remove the extra stuff and I mean if you

13:39

don't know lambra just search for lambra

13:40

expression on YouTube or telis lambra

13:44

Java lambra that should make sense so

13:46

you can replace the entire code this

13:48

this entire code with one line so this

13:50

line here which I'm which I've written

13:52

is equal to this number of

13:55

lines oh we can do the same thing for

13:58

authorized request let's let's try that

14:00

uh HTTP do

14:02

authorize HTTP request and look what it

14:05

is asking you for look at the name

14:07

customizer authorization manager request

14:10

matcher registry and then you have to

14:12

create object for this and then you have

14:14

to pass it in the method like authorized

14:16

HTTP request same goes for HTTP basic

14:19

let's try for that HTTP basic it is

14:22

asking you for the object of again

14:24

customizer but since we want to go for

14:26

default configuration we are not

14:28

changing anything we are saying

14:29

customizer do with defaults so it will

14:31

pick up the default settings and that's

14:32

how it is working behind the scene and

14:35

now you know what is happening behind so

14:37

for all the methods here same thing you

14:39

have to implement certain uh interface

14:41

and Define the method and pass the

14:43

object here uh another thing which you

14:45

can do here is uh instead of doing all

14:48

these things one by one you can use a

14:50

builder pattern what I'm saying is

14:53

remove this semicolon and remove this

14:55

HTTP so you can just add at the end

14:58

something like this so HTTP dot

15:02

csrf that particular setting then

15:05

authorize request and then I will just

15:09

put that below somewhere okay what's

15:11

wrong with my uh ID settings all the

15:15

settings have been

15:16

changed this is weird Okay I'll just say

15:20

enter here remove the semicolon and now

15:23

you can put this after this so you can

15:26

see for one object you are applying

15:29

different settings I can remove this and

15:31

the same thing goes for this part cut

15:35

and paste it here just that you don't

15:37

have to put semicolon at the end and put

15:39

it together if it is Big you can just

15:42

Center here to make it more readable and

15:44

remove this so by doing this you are

15:46

making it more readable and in proper

15:50

sequence so this is this is called build

15:52

a pattern so for this object you are

15:54

doing this then you are doing this you

15:56

know we when you have a belt in the

15:57

factory where the object passes from one

16:00

machine to other machine same thing is

16:02

happening here one object is passing to

16:04

different methods and customizing it in

16:07

fact what you can also do is you can

16:08

directly say return here then you don't

16:10

have to write return again it's just

16:12

that at the end have to say

16:15

dot build even this looks cool so that's

16:19

it uh let me just run this after making

16:21

all those changes I hope this will work

16:23

if you see a Waring here just that it is

16:25

saying you to use method reference in of

16:26

lambra uh you can replace this uh method

16:29

reference of Lambda to Method reference

16:31

even that works okay this start done

16:33

let's verify from the postman H this

16:37

you're getting the response maybe also

16:39

try to work with students if you're

16:41

getting all the students and you got it

16:43

okay let's also see if the post request

16:46

is working so I will say post you can

16:47

see we have a post request here uh I'm

16:50

sending the headers okay we are sending

16:53

CSF token let's let's let's not send it

16:56

and done you can see it is working so

16:58

even without the token it is working

17:00

because we are disabling the csrf

17:03

request or csrf setting so yeah that's

17:05

it from this where we talked about

17:07

different settings or different things

17:08

you can do the reason we are doing this

17:10

is because in the upcoming videos we

17:11

have to do a lot of changes right

17:13

working with the uh user username

17:15

password coming from database working

17:17

with uh JWT and different stuff so I

17:21

hope you're excited for the entire

17:22

series I'm enjoying it I hope you are if

17:25

you are let me know in the comments and

17:27

see you in the next video bye-bye right