#30 Spring Security | Custom Login
Summary
TLDR: This video script delves into customizing the default login form in a Spring Web application. It covers the basics of Spring Web, the role of filters in security, and the concept of sessions. The tutorial guides through changing the default username and password, understanding how the server handles security, and exploring session IDs. It also demonstrates logging in through Postman, showcasing the practical application of Spring Security filters and session management.
Takeaways
- 🔒 The video discusses changing the default username and password in a Spring application for enhanced security.
- 🛡️ It explains how Spring Security handles the security aspect through a series of filters that form a filter chain.
- 🕵️♂️ The script clarifies that the front controller, also known as the dispatcher servlet, plays a crucial role in directing requests to the appropriate controllers.
- 📜 The video mentions that by default, Spring Security provides a login form and handles authentication, but custom filters can be added for further customization.
- 🔄 It demonstrates how session management works in Spring, ensuring that once a user is logged in, they can access the application without re-authenticating for each request.
- 🔎 The script shows how to view and verify the session ID through developer tools in a web browser, which is crucial for understanding session persistence.
- 🛑 The video covers the process of logging in through Postman, a REST client, by sending a GET request with the necessary authorization headers.
- 🔄 It explains that upon successful login, a new session ID is generated, which is different for each login instance.
- 📝 The script guides on how to change the default username and password by setting `spring.security.user.name` and `spring.security.user.password` in the application properties.
- 🔄 It shows that after changing the username and password, the application still maintains session continuity, allowing for multiple accesses without re-login.
- 🔒 The video concludes by emphasizing the importance of understanding how filters work in Spring Security for anyone looking to customize authentication mechanisms.
Q & A
What is the default username and password for the login form as mentioned in the script?
-The default username is 'user', and the password is displayed in the console.
Why does the script mention changing the default username and password?
-The speaker wants to have their own username and password for security reasons instead of using the default ones provided by the system.
Who is responsible for handling security in the context of the script?
-Spring Security is responsible for handling security, which includes adding its own filters to the filter chain.
What is the role of the 'dispatcher servlet' in the context of the script?
-The dispatcher servlet acts as a front controller that routes incoming requests to the appropriate controller after passing through the filter chain.
How does the session ID work in the application described in the script?
-The session ID is part of a cookie that is created when a user logs in and remains the same across different requests and URLs until the user logs out or the cookies are deleted.
Can the session ID be viewed by the user?
-Yes, the session ID can be viewed by the user through the developer tools in their browser, specifically in the cookies section of the network tab.
What is the purpose of the filter chain in the context of the script?
-The filter chain processes requests in a sequential manner, with each filter having the opportunity to modify the request or response, authenticate the user, or perform other security checks.
How can a user log in to the application using Postman?
-A user can log in using Postman by sending a GET request with the necessary authorization headers containing the username and password using the Basic Auth method.
What happens when a user logs in with the correct credentials through Postman?
-Upon logging in with the correct credentials, the user receives a 200 status code, and a new session ID is generated for the authenticated session.
How can the speaker customize the username and password for the login form?
-The speaker can customize the username and password by specifying 'spring.security.user.name' and 'spring.security.user.password' in the application properties file.
What is the significance of filters in Spring Security?
-Filters in Spring Security are crucial for security as they form a chain that checks for authentication, authorization, and other security measures before a request reaches the controller.
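The Q&A above describes the filter chain in words: each filter inspects the request, may change it or the response, and then hands the request to the next filter. The following is an added example (not code from the video or from Spring itself) showing one such link, a custom filter placed ahead of Spring Security's UsernamePasswordAuthenticationFilter, together with the SecurityFilterChain bean that wires it in. It assumes Spring Boot 3 / Spring Security 6 (jakarta.* servlet packages); the package, class and bean names are hypothetical.

```java
// Added example, not from the video: a custom servlet filter inserted into
// Spring Security's filter chain. It logs what it sees, then calls
// chain.doFilter() so the request continues to the next filter and finally
// to the dispatcher servlet. Package and class names are hypothetical.
package com.example.demo.security;

import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** "F1" in the video's diagram: runs before the authentication filters. */
class RequestLoggingFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // Look at the existing session only; getSession(false) never creates one,
        // so this filter does not change the session state the later filters see.
        HttpSession session = request.getSession(false);
        String sessionId = session == null ? "none" : session.getId();
        System.out.printf("[F1] %s %s session=%s%n",
                request.getMethod(), request.getRequestURI(), sessionId);

        // Hand the request to the next filter (F2, F3, ...). Without this call the
        // request would stop here and never reach the dispatcher servlet.
        chain.doFilter(request, response);

        // The response comes back through the same chain in reverse order,
        // so a filter can also inspect or change it here.
        System.out.printf("[F1] -> status %d%n", response.getStatus());
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must be authenticated; Spring Security's own filters
            // (login page generator, UsernamePasswordAuthenticationFilter, ...)
            // are the ones that enforce this.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Keep the default login form the video starts from.
            .formLogin(Customizer.withDefaults())
            // Accept Basic auth too, which is what Postman sends in the video.
            .httpBasic(Customizer.withDefaults())
            // Place the custom filter ahead of the username/password filter so it
            // also sees the login request itself.
            .addFilterBefore(new RequestLoggingFilter(),
                             UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Run the application, log in, and refresh a few times: the console shows the same session ID on every request after login, and "none" on the very first request before the session cookie exists. Leaving out chain.doFilter() is the classic mistake in custom filters; the request then silently never reaches the controller.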
Outlines
🔒 Understanding Spring Security and Custom Login
The script discusses the process of customizing the default login form in a Spring application. It begins by explaining the default username and password setup and the desire to change these to a custom username and password. The video aims to clarify who handles security, the role of the login page, and the concept of sessions, which allow users to access the application without re-authenticating for each request. It also touches on the possibility of using tools like Postman to perform login operations outside of a traditional form. The explanation includes a basic overview of how Spring controllers work, the role of servlets, and the function of the front controller or dispatcher servlet in the request process. The importance of filters in the Spring Security framework is highlighted, showing how they form a chain that processes each request to enforce security measures.
🛠️ Exploring Filters and Session Management in Spring Security
This paragraph delves deeper into the filter chain mechanism of Spring Security, explaining how requests are processed through a series of filters that can alter or inspect the request and response. The script mentions specific filters like the UsernamePasswordAuthenticationFilter and how they contribute to the login process. It also demonstrates how to check the session ID through the browser's developer tools and how to print the session ID within the application using the HttpServletRequest object. The paragraph emphasizes the persistence of the session across multiple requests and the automatic logout that occurs when cookies are deleted.
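The outline mentions printing the session ID from the HttpServletRequest object. As an added example (not the video's own controller), here is a small Spring MVC controller that does that for two URLs, so a reader can confirm the ID stays the same across pages within one login and changes after logout. It assumes Spring Boot 3 (jakarta.servlet); the class name and the /about path are hypothetical.

```java
// Added example, not from the video: controllers that return the session ID
// (and the logged-in user) so session persistence can be observed directly.
// Package, class and the /about path are hypothetical.
package com.example.demo;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    // "/" is the homepage the video requests after logging in.
    @GetMapping("/")
    public String home(HttpServletRequest request) {
        return describe("home", request);
    }

    // A second controller: within one login it reports the same session ID.
    @GetMapping("/about")
    public String about(HttpServletRequest request) {
        return describe("about", request);
    }

    private static String describe(String page, HttpServletRequest request) {
        // getSession() returns the session bound to the JSESSIONID cookie
        // (creating one if none exists); getId() is the value visible in the
        // browser's developer tools under the cookie.
        String sessionId = request.getSession().getId();
        // With Spring Security on the chain, getRemoteUser() is the
        // authenticated username, or null if the request is anonymous.
        String user = request.getRemoteUser();
        return page + " | user=" + user + " | session=" + sessionId;
    }
}
```

Open / and /about in the same browser and the session value matches; delete the cookie (or log out) and the next request goes back through the login form and receives a fresh ID, which is the behaviour the outline describes.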
🔄 Customizing Username and Password in Spring Security Configuration
The script outlines how to change the default username and password used by Spring Security. It details the steps to set custom credentials through application properties and demonstrates testing the changes by attempting to log in with both the default and custom credentials. The video also discusses the implications of using multiple users with different credentials, which will be covered in future videos. The paragraph concludes with a successful login using the new credentials and the observation that the session remains active across multiple requests, indicating the session ID's role in maintaining user state.
📡 Logging In Through Postman and Future Exploration of Request Types
The final paragraph of the script discusses using Postman to send a GET request to the application's homepage, resulting in an unauthorized error due to the lack of authentication credentials. It demonstrates how to use the authorization tab in Postman to send the correct username and password to gain access. The video shows a successful login via Postman, resulting in a new session ID. The script ends with a teaser for future videos that will explore whether different types of requests, such as POST requests, can also be used for authentication.
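What Postman's Authorization tab does for "Basic Auth" is add an Authorization header whose value is "Basic " followed by base64("username:password"). The following added example (not from the video) reproduces the exchange the outline describes with java.net.http.HttpClient (Java 11+): a GET to the homepage without credentials, then one with the header. The base URL assumes Spring Boot's default port 8080, and the credentials are placeholders to be replaced with the values set in application.properties.

```java
// Added example, not from the video: the two requests the video makes from
// Postman, sent from plain Java. URL and credentials are placeholders.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthLoginDemo {

    // Placeholders; the port is the Spring Boot default, the credentials must
    // match spring.security.user.name / spring.security.user.password.
    static final String BASE_URL = "http://localhost:8080";
    static final String USERNAME = "CHANGE_ME_USER";
    static final String PASSWORD = "CHANGE_ME_PASSWORD";

    /** Builds exactly the header value Postman builds for Basic Auth. */
    static String basicAuthHeader(String user, String password) {
        String token = user + ":" + password;
        // Base64 is encoding, not encryption: the credentials are readable by
        // anyone who sees the request, so Basic auth belongs on HTTPS only.
        return "Basic " + Base64.getEncoder()
                .encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    static HttpResponse<String> getHomepage(HttpClient client, String authHeader)
            throws Exception {
        HttpRequest.Builder builder = HttpRequest.newBuilder(URI.create(BASE_URL + "/")).GET();
        if (authHeader != null) {
            builder.header("Authorization", authHeader);
        }
        return client.send(builder.build(), HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // No cookie store is configured, so every request is a fresh login,
        // which is why each successful call below gets a new session ID.
        HttpClient client = HttpClient.newHttpClient();

        // 1. No credentials: Spring Security answers 401 Unauthorized.
        HttpResponse<String> anon = getHomepage(client, null);
        System.out.println("without auth -> " + anon.statusCode());

        // 2. Correct credentials: 200, and Set-Cookie carries the new session ID.
        HttpResponse<String> ok = getHomepage(client, basicAuthHeader(USERNAME, PASSWORD));
        System.out.println("with auth    -> " + ok.statusCode());
        ok.headers().firstValue("set-cookie")
                .ifPresent(cookie -> System.out.println("session cookie: " + cookie));
        System.out.println("body: " + ok.body());
    }
}
```

Running main() twice prints two different JSESSIONID values, matching the video's observation that each login produces its own session; a wrong password keeps returning 401.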
Keywords
💡Spring Web
💡Controller
💡Servlet Container
💡Dispatcher Servlet
💡Filter Chain
💡Spring Security
💡Session
💡Session ID
💡Username and Password
💡Postman
Highlights
Introduction to changing the default username and password in a Spring application for enhanced security.
Understanding the role of controllers and the login process in Spring Web applications.
Exploring the concept of session management and its importance in maintaining user authentication state.
Demonstration of how to view and verify session IDs in a web application.
Explanation of the filter chain mechanism in Spring Security and its role in processing HTTP requests.
Discussion on customizing Spring Security filters for specific application needs.
Illustration of how to log in without the default login form, using Postman or another REST client.
Technical walkthrough of the servlet container's role in running Spring controllers.
Clarification on the front controller's function in the Spring MVC architecture.
Insight into the automatic generation of login forms by Spring Security filters.
Guide on modifying the application properties to set custom username and password for authentication.
Verification of the new username and password through the application's login process.
Explanation of how session IDs are generated and managed across different user sessions.
Practical example of printing session IDs within the application's response for debugging purposes.
Demonstration of logging into a Spring application using Postman with basic authentication.
Conclusion summarizing the key points covered in the video on Spring Security and session management.
Transcripts
So now we got a default form using which you can log in, right? But then I want to change one thing, and during that process we'll understand different concepts in between. The thing which I want to change is the username and password, because by default you are getting a username as user and the password you are getting in the console. I don't want it; I want to have my own password. So that's one thing, but then there are certain things which you have to understand in between. First of all, who is handling the security part here? How exactly, when we are defining the controllers, is someone else, I mean that someone else is your page, the login page, coming in between? How is that possible? Next I want to talk about the session. So when you log in I can access the same page multiple times, I mean not just the same page, in the application if you have multiple controllers (in this case we only have one, but let's say if you have multiple controllers) do we have to log in for each request? Not exactly, because we have something called session behind the scene. How is that session getting created, and if I want to see the session ID, can I do that? So I want to check that as well. And then what if I don't want to use a login form, what if I want to do that from Postman, can I do that? So Postman, basically any REST client, can I do that? So let's try everything in this video.

So first thing, how is that login form coming there when I'm requesting for the homepage? See, to understand this let's go back to the basics of Spring Web. See, when you create a controller, so let's say we have this box here, this is your server, and the most important thing here is the controllers, right? So these are the controllers which you're calling. Now let's say this is your home controller, this is your add controller, or this is your check balance controller, so let's say if you have a bank account or you want to check your balance. So we got multiple controllers here, right? And a client will send the request, right? So that's how the flow goes, right? So client sends request, response goes from the server to the client, right? Everything is good. Of course the object here is the HTTP request object, this is the HTTP response object which we get from the server, and this is your container. Now if you talk about this controller here, behind the scene these things are running on a servlet container. See, as I mentioned before, Spring Web goes into two parts: one is the servlet way, which we are doing now, and then there's also the reactive way. We are not focusing on reactive here, Spring Reactive; we are only focusing on Spring Web. Now in this, every controller gets converted into a servlet behind the scene, so basically you are able to run this on Tomcat because of those servlets. So all your controllers get converted into servlets, okay? So this is running on the servlet container; now this is your Tomcat, which is a servlet container, right? But then before the request goes to the controller, we got something here which is called your front controller. So this is your front controller, also called a dispatcher servlet. So every request from the client, when it goes to the controller which you created, it goes to the dispatcher servlet. But before it goes to the dispatcher servlet there are more things there. By default we don't invoke them, or even if they are there they're just passing it, but we can customize it. So when you add Spring Security we are calling those things; those things are responsible. But what are those things?

So those things are your filters. So there's a filter chain here. So I don't have horizontal space, I will do that in vertical. So basically what you have is, you have something called a filter chain here. So the request goes from the client to the filter first, this is your filter chain, and then from here it goes to the front controller, and then from the front controller it interacts with different controllers here. Now what is this filter chain? In the filter chain you will be having multiple filters: this is filter one, let's say F1, this is filter two, this is filter three. And I'm not saying that you'll be having all these filters by default; there might be few filters, there might be more filters, it depends upon how you configure your application. By default there are certain filters, but then when you talk about Spring Security, it adds its own filters here, okay? So what it does is, when the request goes from the client to the server, the Tomcat, it looks for the filters first: do we have any filters? Now Spring Security says yes, there are filters, multiple filters, not just one. Let's check what those filters are. In the earlier version we used to see those filters here; for some reason it's just not coming in the console, not sure why. So what I will do is I will ask my Copilot to give me these security filters, okay? So you can see it is giving you a list of filters, 11 filters, but I think there are more filters which it is not showing. So if you scroll down or if you scroll up, basically here we got the security context persistence filter, we got the logout filter, we got the username password authentication filter. Now this is what was working when we got the login form. So even if you're accessing the home controller, it says hold on, you are not logged in, so let me take care of it. So this filter comes into the picture. Then we got the default login page generating filter, page authentication filter, request cache aware filter; there are a lot of filters here as you can see, but I think there are more which it is not showing. So there are a lot of filters. Of course you don't have to remember all, because Spring Security takes care of it, but when you want to customize it, yes, you can customize those filters, then you need to know those filters. And these filters, so F1, F2 which I'm showing here, these are those filters. By default it applies some filters to you and that's why it is giving you a login form.

Now behind the scene how this filter works is, it works in a chain format. So when a request goes to the server it says okay, let's execute F1. F1 can decide, I mean in F1 I can actually change data as well. Let's say if you want to add two numbers, 2 + 5, it goes to the filter, it checks, I mean using a filter you can check: are those two numbers actually integers, or are those two numbers bigger than five? So whatever condition you want to add, basically you can do that in the filter. You can change the request, you can change the response as well, because the response goes in the same format. So if the request goes like this, the response goes like this, right? So it goes to the filter, so you can change the request, you can change the response and whatever you want to do. But here we are not changing data, we are just checking if the user is logged in or not. So one of the filters here acts like a login filter. It says hey, the user is not authenticated, let's send the login form, okay? But let's say if the user is logged in already, then by sending the session ID they can basically check if the user is logged in: yes, don't ask for the login page, let's send the request. So that's how this filter works, and it uses something called a chain as I mentioned. So this filter will send the request to F2, F2 will send it to F3. So there's something called next filter, or doFilter chain, so it goes for the next filter. I hope now things are making sense: how exactly, when you call a controller, the security part is getting activated is because of these filters.

We have talked about a lot of things; now let's go for the second point, which is the session ID. So when you say this session is getting generated, because if I relaunch this, of course it will give you a new password, okay, this is a new password, I will just copy this because I want to re-log in. And just refresh this, just wanted to make sure I'm not logged in, and now I'll be saying user and this is the password, sign in. Now I'm logged in, right? And it doesn't matter how many times I refresh, I can still see the same page; it's not like it is giving me the login page. But after log out it will give the login page. What if you are changing your browser? So when you change your browser you got a new instance, right, a new particular application; even that will ask you for the login. Just to show you the proof, I'm opening my Chrome, localhost 8080, it is sending a request for the homepage. Now the inspect element of Chrome is better than Safari, I've never tried on Safari, let's try on Chrome. So I will do the same thing again, same password, enter, I'm signed in. How do I check this session ID? You can check it from here, right? So you can just go back here and say inspect, more tools, and developer tools, okay? So here, if I refresh once again, let's go back to the Network tab, and here if you can see we got continue, so basically that's a query parameter they're sending, but required. This is the request for the homepage, okay, this is the request for the homepage, I will click here, and if you see there are certain things here; one of the things is the session ID. If I click on this you can see session ID, so this is a part of a cookie and this is your session ID. So that number, the alphanumeric number which you can see here, it's actually hex code, that's your session ID, and every time you log in it will change. Let me show you. So I just refresh this and now send the request for the log out, yes I'm sure, and if I go to log out, new session ID, or is it the same thing? Even I forgot what the session ID was before, doesn't matter. Let's create a new user, I mean new login, sign in and request for the localhost, because you can see we don't have question mark continue there, so it says localhost and we got a new session ID there. If you can see the number has changed, if you remember the old number.

But what if I want to print this here in the response, just to see if the session is changing or not? You can do that from your code. So just go back here. Now if I want to print this session ID, what I can do is I can just go back here and get hold of the HttpServletRequest. So as I mentioned before, behind the scene everything is servlet, right, even the controllers are servlets, so it will have two objects, the request object and the response object; they're called the HTTP servlet request object and the HTTP servlet response object. I just want the request now, don't want to play with the response one. So this is the HTTP servlet request object which I got hold of. Now this request object has multiple methods, and just wanted to confirm, so this HttpServletRequest should be a part of the jakarta.servlet.http package, okay? With this object I can simply say request.getSession().getId(), so this will basically return the ID. Let's relaunch the application because we have changed the code, and we got a new password, so let's copy this as well. Go back to your browser, I will stick to whichever, Safari is there, in fact let's hit back to Chrome itself, okay? So first of all we'll do the, I mean it will log out by default because we have restarted the application... no, no, no, session is still there, okay. So now let me just log in once again and sign in. So we are logged in and you can see we are printing the session ID as well. So if I go to localhost you can see this is the same value which you can see there, right? I hope you can see this font size, but yeah, this is the same thing, and every time you refresh you will get the same session ID, and not just for this particular URL, doesn't matter which URL you go to, you will get the same session ID. But yes, if you delete your cookies this will be gone, so you will be logged out automatically, it's as simple as that. So that's the session ID which we were trying to print, and of course we can have multiple controllers; you do that with, let's say I want to print the about content, I want to add two numbers, whatever you want to do, just check if you're getting the same session ID.

Okay, what next? The next thing I want to do is, I want to change the username and password. I'm not happy with the password which it is generating here. How do I change it? See, one of the filters, which is the username authentication filter, if you remember, one of the filters we have here, which is this, this checks if you have your username and password mentioned in the property files; if not it will simply create its own password. What we can do is we can add the username and password. So for doing that you can say spring.security.user.name and you can mention the name here, so I'm going for the name naven, and spring.security.user.password, and I'm going to set this as teliscope. So the username is naven, the password is teliscope, and this is a property, okay? I know in the Community version it will not highlight much; if you're using the Ultimate version this looks good, but yeah, let's use Community. So now with this let's restart the application and go back to the browser. So first let's hit the log out, and now we are logged out. So let's try with the user, and in fact what about the password, is it generating the password? If you scroll, nowhere is it generating a password, because it knows now that you have your own password. So let's try with this password first, which is teliscope, and I sign in: no, bad credentials. So now I will try with naven and teliscope, sign in, we are in. Okay, it says save the password, no, because I'm going to change it. Okay, so now if you refresh you're still logged in and you can access it multiple times. Is that good? So now you have your own username and password. I know, I know what you're thinking, what about different users, different usernames and passwords? We'll do that in the upcoming videos, but yeah, at least we can change the username and password.

I want to do one final thing, which is logging in through Postman, or maybe any UI tool or any REST client tool. So I do have Postman in this machine, so I will just fire it. So that's Postman; used it for some other URL, this time I want to hit localhost colon 8080, this is the homepage, and send. Okay, so you can see we got a status code which is 401 Unauthorized; that means you are not allowed here. You know why you're not allowed? Because you're not sending the username and password. How do we send that? So if you can see we have a tab here which is Authorization, and by default there is no auth. We have to say hey, I have a username and password, and to do that you will click on Basic Auth; there are multiple options here, we got JWT, bearer token, multiple options. I will stick to Basic Auth now and let's explore others later. Basic Auth, so let's enter the username, which is naven, and the password is teliscope; in fact let's give some wrong password, teliscope one, send, still unauthorized; teliscope, and we got the response, it says 200, we are happy. And it generates a new session ID, because a new login, so you can see this session ID is not matching with this; different users, different session IDs, okay? Looks good. So that's how basically you can change the username and password, you can access it through Postman. Now we understood also how filters work; we have seen that in the diagram here. Yeah, that's what I talked about in this particular video, and we'll talk about some more things, but if you want to not just send a GET request, a POST request, will it work? Let's try that in the upcoming videos. Bye-bye.