Spring Security explained with no code
Summary
TLDR: In this educational video, the host demystifies Spring Security by drawing a relatable analogy to organizing an exclusive party. The backend or REST API is likened to the party space, with endpoints as the doors and entry points managed by controllers. The Spring Boot Starter Security dependency acts as the security company, while security filters are the bouncers at each door. The video explains the authentication process using JWT tokens and the role of the security configuration class. It guides viewers through the intricacies of Spring Security without coding, making it accessible to all.
Takeaways
- 🎉 The video aims to demystify Spring Security without coding, using a party analogy to explain the concept.
- 🏠 The 'party space' in the analogy represents the backend or REST API, which is the core area of the application.
- 🚪 'Doors and entry points' in the party are likened to endpoints in a Spring application, controlled by party controllers.
- 🛂 The 'security team' or 'bouncers' are equivalent to the security filters in Spring Security, ensuring only authorized access.
- 🎫 The 'party ticket' is analogous to a JWT token in Spring Security, used to authenticate and authorize users.
- 🔐 The 'security company' hired for the party represents the Spring Boot Starter Security dependency, providing a base for security setup.
- 🛠️ Custom security configurations are made by assigning 'security guys' to each door, similar to configuring security filters for each endpoint.
- 🔗 The 'authentication controller' is where users get their 'digital tickets', paralleling the process of obtaining JWT tokens.
- 🔑 The 'user details service' and 'password encoder' are crucial for verifying user credentials and are the two dependencies of the DAO authentication provider.
- 🔄 The 'security context holder' updates with each request, maintaining stateless session management as per the security contract.
Q & A
What is the main focus of the video?
-The main focus of the video is to explain the architecture of Spring Security without writing any code, using a party analogy to make it more understandable.
What is the role of the 'party space' in the Spring Security analogy?
-In the analogy, the 'party space' represents the backend or REST API, which is the core area where all the application's functionalities are centralized.
What does the term 'endpoints' refer to in the context of the video?
-In the video, 'endpoints' are likened to the doors and entry points of a party space; in a Spring application they are the API endpoints controlled by the party controllers.
What is the function of the 'security team' in the video's analogy?
-The 'security team' in the analogy represents the bouncers at a party, which in Spring Security terms, are the security filters that check if guests (users) are authorized to enter the system.
What is the digital equivalent of a party ticket in the Spring Security context?
-In the Spring Security context, the digital equivalent of a party ticket is a JWT (JSON Web Token), which users present as proof of authentication.
What does the 'spring boot starter security' dependency represent in the analogy?
-The 'spring boot starter security' dependency is compared to hiring a security company for the party, which comes with its own standard procedures but can be customized to fit specific security needs.
How does the video explain the role of the 'security filters' in Spring Security?
-The video explains that security filters are like security guards at each door of a party, responsible for checking if the JWT token is valid, correctly formatted, and issued by the system.
What is the purpose of the 'authentication controller' in the Spring Security setup?
-The 'authentication controller' is where users receive their digital tickets (JWT tokens), serving as the registration method for guests to gain access to the party (Spring application).
What is the significance of the 'security configuration class' in the video?
-The 'security configuration class' is where the Spring application's security requirements are defined, similar to a meeting with a security company to outline how the party should be secured.
How does the video describe the process of authenticating a user in Spring Security?
-The video describes the authentication process as a series of checks starting from the user's request, through the filter chain, to the authentication manager, and finally updating the security context holder if the authentication is successful.
What are the three exceptions that the video mentions during the authentication process?
-The three exceptions mentioned during the authentication process are DisabledException, LockedException, and BadCredentialsException, which correspond to different authentication errors.
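The security configuration class and the DAO authentication provider described in the answers above, written out as an added example; this is not the video's own code, and the request paths, the VIP role, the package name and the name of the JWT filter bean are assumptions:

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // The "contract" with the security company: which doors are open, which need a ticket,
    // that nothing is remembered between requests, and where the JWT bouncer stands.
    // jwtAuthFilter is assumed to be the application's own OncePerRequestFilter bean.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   AuthenticationProvider authenticationProvider,
                                                   OncePerRequestFilter jwtAuthFilter) throws Exception {
        http
            // Bearer tokens are not attached automatically by the browser, so CSRF protection is not needed here
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                // registration desk: guests get their ticket here, so no ticket is required (path assumed)
                .requestMatchers("/api/v1/auth/**").permitAll()
                // the VIP space needs a special ticket, i.e. the ROLE_VIP authority (assumed)
                .requestMatchers("/api/v1/vip/**").hasRole("VIP")
                // every other door requires a valid ticket
                .anyRequest().authenticated())
            // stateless: every request is re-checked from scratch, even if the same guest was in before
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authenticationProvider(authenticationProvider)
            // the JWT filter is placed in front of the username/password filter
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // DaoAuthenticationProvider needs two things: who the user is (UserDetailsService, our own
    // implementation backed by PostgreSQL, MongoDB, ...) and how passwords were stored (PasswordEncoder).
    @Bean
    public AuthenticationProvider authenticationProvider(UserDetailsService userDetailsService,
                                                         PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }

    // Passwords are hashed with bcrypt at registration and verified with the same encoder at login
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // The AuthenticationManager (a ProviderManager by default) that the authentication service calls;
    // it delegates to the provider above, which raises DisabledException, LockedException or BadCredentialsException
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}
```

Spring Boot also registers any Filter bean with the servlet container, so a filter declared as a component runs once there and once inside the security chain; wrap it in a FilterRegistrationBean with setEnabled(false) if it should run only where the chain places it.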
Outlines
🎉 Introduction to Spring Security
The speaker welcomes viewers to the channel and introduces the topic of the video, which is an exploration of Spring Security without any coding. They mention a new Spring Boot course and invite viewers to join their community on social media. The analogy of hosting an exclusive party is used to explain securing a Spring application, where the backend or REST API is likened to the party space, and entry points are the doors. The need for security measures, or 'bouncers', is emphasized to ensure only authorized guests enter, using JWT tokens as digital tickets.
🔐 Deep Dive into Spring Security Configuration
The speaker elaborates on the party analogy, explaining the role of the security company, which corresponds to the Spring Boot Starter Security dependency. They discuss the importance of configuring security filters for each entry point and the process of validating JWT tokens. The video then transitions into a detailed explanation of the security configuration class in Spring Security, which is akin to a meeting with the security company to set up specific security measures. The concept of a security filter chain is introduced as a contract between the party organizers and the security company, outlining the rules for access control.
🛠️ Understanding Authentication in Spring Security
This section delves into the internal workings of Spring Security's authentication process. The speaker uses a diagram to illustrate how an authentication request is handled, starting from the user's credentials to the backend, through the filter chain, and finally to the authentication controller. The role of the authentication manager and the provider manager is explained, along with the authentication provider's responsibility for verifying user details. The process of handling exceptions such as disabled, locked, or bad credentials is also discussed.
🔄 JWT Token Validation and Security Context Update
The final paragraph focuses on the process of JWT token validation within the Spring Security framework. The speaker describes how a request with a JWT token is processed, including the validation of the token and the subsequent user lookup using the user details service. The importance of updating the security context holder after successful authentication is highlighted. The speaker concludes by summarizing the key components of securing web applications and REST APIs with Spring Security, encouraging viewers to engage with them on social media and support the channel.
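The JWT filter flow from the last outline paragraph (token present, validate with the JWT service, look up the user with the user details service, update the SecurityContextHolder or reject), as an added example that is not the tutorial's own code; the JwtService contract, the auth path prefix and the package name are assumptions:

```java
package com.example.security; // assumed package name

import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed contract of the tutorial's JWT service (not shown on the page): read the subject out of
// the token (throwing IllegalArgumentException on a bad signature or format) and check the token
// against the loaded user (subject matches, not expired).
interface JwtService {
    String extractSubject(String token);
    boolean isTokenValid(String token, UserDetails user);
}

@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {

    private final JwtService jwtService;
    private final UserDetailsService userDetailsService;

    public JwtAuthenticationFilter(JwtService jwtService, UserDetailsService userDetailsService) {
        this.jwtService = jwtService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        // The registration desk (auth endpoints, prefix assumed) hands out tickets and is not checked here;
        // a request with no ticket is passed on, and the filter chain's rules decide whether that door is public.
        if (request.getServletPath().startsWith("/api/v1/auth")
                || header == null || !header.startsWith("Bearer ")) {
            filterChain.doFilter(request, response);
            return;
        }
        String token = header.substring("Bearer ".length());
        try {
            String subject = jwtService.extractSubject(token);                   // the name on the ticket
            UserDetails user = userDetailsService.loadUserByUsername(subject);   // throws UsernameNotFoundException
            if (!jwtService.isTokenValid(token, user)) {
                reject(response);
                return;
            }
            if (SecurityContextHolder.getContext().getAuthentication() == null) {
                // Ticket checked: record the guest for this request only (stateless, so it is rebuilt every time)
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        } catch (IllegalArgumentException | UsernameNotFoundException ex) {
            reject(response);   // bad ticket or unknown guest: the error is the response, controllers are never reached
            return;
        }
        filterChain.doFilter(request, response);   // on to the dispatcher servlet and the controllers
    }

    private static void reject(HttpServletResponse response) throws IOException {
        SecurityContextHolder.clearContext();
        // one generic message for every failure, so the reply does not reveal which check failed
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
    }
}
```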
Keywords
💡Spring Security
💡Authentication
💡JWT Token
💡Security Filters
💡Spring Boot Starter Security
💡Security Configuration Class
💡Authentication Manager
💡UserDetailsService
💡SecurityContextHolder
💡Stateless Session Management
Highlights
Introduction to a video tutorial on Spring Security without coding
Announcement of a new Spring Boot course
Invitation to join the community on social media
Analogizing a Spring application to an exclusive party
Explanation of backend or REST API as the party space
Endpoints in a Spring application compared to party entry points
Party controllers managing specific aspects of the event
Need for a security system to check guest authorization
Authentication controller as the digital ticket registration method
JWT token as a digital party ticket
Spring Boot Starter Security as the security company
Security filters as security personnel at each door
Process of checking the JWT token for entry
Security configuration class as the meeting with the security company
Security filter chain as the contract between organizers and security
Stateless session management in Spring Security
Authentication provider and its role in the security setup
JWT authentication filter's role in the filter chain
Authentication process in Spring Security with user credentials
Exceptions handling in authentication process
Provider manager and its use of authentication provider
UserDetailsService for fetching user information
SecurityContextHolder for holding security context
JWT token validation process by the JWT authentication filter
Dispatcher servlet's role in handling requests
Summary of securing web applications with Spring Security
Call to action for subscribing, liking, and sharing the video
Transcripts
Hey, what's up techies, welcome back to my channel. I'm thrilled to have you here for today's video, where we're going to unravel the mysteries of Spring Security, and the best part of it, we're doing it without writing a single line of code. I know security can sometimes feel like a complex puzzle, but fear not, we're breaking down the Spring Security architecture step by step using a simple analogy. By the end of this video you'll have a crystal clear understanding of how security really works. But before we dive into the details, I've got something exciting to share: check out my brand new Spring Boot course, it's your ticket to mastering the framework's deep intricacies. The link is in the description below this video. Also don't miss out on joining our growing community on social media, all the links you need are right down there, so let's connect. Now if you're new to my channel, hit that subscribe button, give this video a thumbs up and share it. Let's spread the knowledge together and help this channel grow.

Imagine you're throwing the ultimate party, but you want to make sure it's exclusive. Just like organizing a party involves meticulous planning, securing a Spring application involves setting up the perfect entrance. Let's break down the party analogy into the world of Spring Security without diving into the code. First things first, think of your party space as your backend or REST API; it's the heart of the event where everything comes together. Now this fantastic party space has doors and entry points; in the tech world we call them endpoints. These are controlled by the party controllers, each managing specific aspects of the event. To avoid any uninvited Project X scenarios, we need a system to check if guests are authorized. Enter the security team, the bouncers of our digital party. Just like a real world party needs tickets, our Spring application has a registration method in the authentication controller; this is where guests get their digital tickets. But having a ticket isn't enough, you need to show it at the door, and think of this as presenting a JWT token, which is a digital version of your party ticket. Now to make sure only the cool crowd gets in, we hire a security company: this is the spring boot starter security dependency. They come with their own way of doing things, but we want a more advanced setup, so imagine assigning a security guy to each door or each entry point of our party space. These are like the security filters in our Spring Security setup, so their job is to check everything: first, does the person have a ticket, which is our JWT token? Is the ticket correctly formatted for today's party? Then check the username and code on the ticket, and finally ensure the ticket is legit and issued by us, with the user registered in our internal system. So if everything checks out, we update our system, let the person in and even give a route guide to the party; otherwise they just get the rejection treatment.

So now let's break down the security diagram and see how it all works, then I'll guide you step by step through each step and share the corresponding code links. After deciding to organize the party, this is the equivalent of having our backend or API ready, and then calling a security company is the equivalent of adding the spring boot starter security dependency. Then we need to have a meeting together with the security company to explain the way we want to secure our party, and how to get different information and validate them; so this is the equivalent of the security configuration class, where we need to tell Spring what are the different components to use in order to secure the API. Now let me explain to you the configuration class. So as you can see here, this is the Spring or the security configuration class from the previous tutorial, so I will leave you also the link in the description of this video. So here let's go directly to the security filter chain, which is, let's imagine it as the contract between the party organizers and the security company. So here we tell them that we want to disable the CSRF, and then we want to authorize some people; so here we said that we have a list of people that we want to authorize by default, no matter what, they don't require anything, so this is how we have here permit all. And then, as you can see here, for example, in order to access this space or this VIP space, the guy, or like the person presented in front of you, needs to have, for example, let's say here, or let's try to replace this role with a special ticket, all right, same here. And then finally we say that any request needs to be authenticated, so this is the most important part. After that, as part of our contract with the security company, we want to tell them that the session management, we want it to be stateless. This means that each time, even if a person was authenticated before and leaves the party perimeter and wants to get back again, we need to recheck everything from scratch. All right, so each time we have a person in, and then we forget about him, so we don't save any state, so let's say, okay, I remember this guy, he was checked in before, no, it's not the case: every time someone wants to get in, even if he was inside before, we need to double check again. Then we need to determine what is the authentication provider, so how to do that, how to check the system, how to check if the user has the correct ticket, if the information of this user is the same as in the ticket or not. And then here, adding a filter before means that this is where we want to place our security guys, so for example saying I want to have one or two people in the front or in the main entrance and so on and so forth, and the rest right here is just for the layout. So now this is how we can determine the contract between us, or between the party organizers and the security company; so it's all about telling them how to do things, because they have their own way of doing things, but we want something specific for us.

All right, now you get the analogy, but we need to understand how things internally work, so let me take you now through a diagram that explains how the authentication really works and how to authenticate a user in Spring Security. So as you can see here we have this diagram, and here we see that first of all we start with an authentication request where the user will send his credentials; the credentials are username and password. The request will reach our backend, and the first thing that will get executed is our filter chain. So we have many filters in our Spring application; even without declaring or creating specific filters, Spring has its own filters, and among these filters we see here that we have our once per request filter, which is the JWT authentication filter that we created in our tutorial. And then the request will be forwarded to the authentication controller, since for the authentication, if you remember, we have a check to check if this request is coming for the authentication, and if the answer is yes we don't execute the filter, so we just pass to the next filter chain and execute the rest. So here we come directly to the authentication controller, which has a dependency which is the authentication manager; so we inject our authentication manager inside our authentication controller, and then it's directly in the service, but I just didn't want to make this diagram too long. So from the authentication controller we are calling the authentication service, and then we have the authentication manager as a dependency in the authentication service. So the authentication manager, it attempts to authenticate the passed authentication object, returning a fully populated authentication object including granted authorities if successful, and in case something is not working or something is wrong with authentication we will get one of these three exceptions: first, whether a disabled exception, a locked exception or a bad credentials exception. So in case you want to handle exceptions for the authentication, these are the three exceptions that you need to take care of. So then this authentication manager is an interface, and Spring has a default implementation which is a class called provider manager, and this is the commonly used one in Spring applications. And then this provider manager needs or uses an authentication provider, and the authentication provider is the object of the bean that we configured in our bean configuration or application configuration class, so I'm talking about this one. So if you go to the application config, here you have an implementation or a bean of type authentication provider, and here we are providing an implementation of this authentication provider, which is already an interface, all right, and among the implementations of this interface we have the DAO authentication provider. So now if we go back here, we have, or we are providing, our DAO authentication provider, and this DAO authentication provider needs two dependencies or two services at least. First we need the password encoder; this means how we encoded the password while persisting it to our persistence system, so our persistence system, it might be different things. And also we need an object of type user details service, and this user details service will try to fetch the user, and here we need to have our own implementation of the user details service interface, and its implementation provided by us, it will try to connect to a storage system; it might be like a PostgreSQL, like the case we had in our tutorial, or a MongoDB or any type of other storage. And this user details service will return an object of type user details, and this user details will provide Spring with the following information: username, password, authorities, is enabled, is account non-expired, is account non-locked and is credentials non-expired, and from the is account non-locked and is enabled properties you can see here that this is why and how we are returning the disabled exception and the locked exception. And then of course our provider manager will pass an object of type username password authentication, and then it will be passed to the DAO authentication in order to perform the authentication process. Once everything is okay and once everything is fine, we update the security context holder. So the security context holder is a Spring object that holds some information; it has a security context, and inside this security context we have an object of type Authentication, which is the same object that will be returned by our authentication manager, and this authentication object has the principal, credentials and authorities, which are returned from these user details right here. All right, so this is the process of authentication in Spring Security.

Now, if we send a request with a JWT in the header, with a token in the header, and we want to perform and see how this token will get verified and checked by our filters, so now let's jump into it. Now I will show you a different diagram showing how this process or this flow works. All right, so now in the next diagram we will see how the filter really works. So now we have a user that will send a request to our backend; it might be a GET, POST, PUT, PATCH, DELETE and so on and so forth, any type of HTTP request or HTTP actions. So we said that the first thing that will be hit in the application is the filter, or the filters that we have in our application, and among these filters we have an object of type once per request filter, which is the JWT authentication filter we spoke about just a few seconds ago. And here we have something: so if the token exists, then what we need to do, we need to go to the JWT service and we need to validate the token. Here we have two scenarios. The first one, if the token is not valid, then an exception of type token invalid exception will be thrown, and this will be the response to our final user; so as you can see here it's already in red, so this is an exception. Then, if the token is valid, we will go, or we will call the user details service in order to find the user from the database, after extracting the user email or the subject from our token using this JWT service. Then once the user details service is called, we have two scenarios. So let's start with the exceptional one: if the user is not found, then we will throw a user not found exception, and again we will return back an exception or an error to our customer. If not, if the user is found, what we need to do next is updating the security context holder once again. So the filter, as we showed in the previous diagram, that's why here it's also linked to the once per request filter or the JWT authentication filter, because any of them, whether the provider manager or our authentication manager object, can update the security context holder, as well as, like this, the same thing for the JWT authentication filter. So then what we do, we update our security context holder and we update the authentication, and then we pass the request to the dispatcher servlet, and then the dispatcher servlet will take care of dispatching the request to the correct controller of our API, and then of course it will be treated, it will go to the service, database and so on and so forth, and then we will return back a response to the final user. Otherwise, you see here in which cases we have, or we might have, a 403. All right, now I think Spring Security and securing web applications and REST APIs is much, much, much easier with this breakdown of the different components of security. I hope you like this video, and don't forget to join me and connect with me on social media, and of course don't forget to like, share and subscribe to my YouTube channel in order to help me grow this channel and spread the knowledge to more and more people. Thank you so much and see you next time.