#30 Spring Security | Custom Login

00:00

so now we got a default form using which

00:02

you can log in right but then I want to

00:05

change one thing and then during that

00:07

process we'll understand different

00:08

concepts in between uh the thing which I

00:10

want to change is the username and

00:12

password because by default you are

00:14

getting a username as user and the

00:16

password you are getting in the console

00:19

I don't want it I want to have my own

00:21

password so that's one thing but then

00:24

there are certain things which you have

00:25

to understand in between first of all

00:27

who is handling the security part here

00:29

how exactly uh when we are defining the

00:32

controllers someone else I mean that

00:35

someone else is your page the login page

00:37

is coming in between how that is

00:39

possible next I want to talk about the

00:42

session so when you log in I can access

00:44

the same page multiple times I I mean

00:47

not just same page in the application if

00:49

you have multiple controllers in this

00:51

case we only have one but let's say if

00:53

you have multiple controllers do we have

00:55

to log in for each request uh not

00:57

exactly because we have something called

00:59

session behind the scene how that s is

01:01

getting created and if I want to see the

01:03

session ID can I can I do that so I want

01:05

to check that as well and then what if I

01:07

don't want to use a login form what if I

01:09

want to do that from a postman can I do

01:11

that so Postman basically any rest

01:13

client uh can I do that so let's try

01:15

that everything in this video so first

01:17

thing how that login form is coming

01:20

there when I'm requesting for the

01:21

homepage see to understand this let's go

01:23

back to the basics of spring web see

01:26

when you create controller so let's say

01:27

we have this box here this is your

01:29

server and the most important thing here

01:31

is the controllers right so these are

01:33

the controllers which you're calling now

01:35

let's say this is your uh home

01:37

controller this is your add controller

01:40

or this is your check balance controller

01:42

so let's say if you have a bank account

01:43

or you want to check your balance so we

01:44

got multiple controllers here right and

01:46

a client will send the request right so

01:50

that's how the flow goes right so client

01:52

send request response goes from the

01:53

server to the client right everything is

01:55

good of course the object here is the

01:57

HTTP request object this is http

01:59

response object uh which we get from the

02:02

server and this is your container now if

02:05

you talk about this controller here

02:07

behind the scene these things are

02:08

running on a surate container see as I

02:11

mentioned before spring web GS into two

02:14

parts one is a surate way which we are

02:17

doing now and then there's also reactive

02:19

way we are not focusing on reactive here

02:21

spring reactive we are only focusing on

02:22

the spring web now in this every

02:25

controller gets converted into selet

02:27

behind the scene so basically you are

02:29

are able to run this on Tomcat because

02:32

of that svets so all these things all

02:35

your controller gets converted into

02:37

svets okay so this is running on the

02:39

seret container now this is your Tomcat

02:42

which is a serlet container right but

02:44

then before the request goes to the

02:48

controller we got something here which

02:50

is called your front controller so this

02:52

is your front controller also called a

02:55

dispatcher svet so every request from

02:59

the client when is going goes to the

03:00

controler which you created it goes to

03:02

the disp salet but before it goes from

03:05

the disp salet there are more things

03:07

there by default we don't invoke them or

03:10

even if they are there they're just

03:11

passing it but we can customize it so

03:14

when you add Spring Security we are

03:17

calling those things those things are

03:18

responsible but what are those things so

03:20

those things are your filters so there's

03:23

a filter chain here so I don't have

03:25

horizontal space I will do that in

03:26

vertical so basically what you have is

03:28

you have something called a filter chain

03:30

here so request goes from the client to

03:35

the filter first this is your filter

03:37

chain and then from here it goes to the

03:39

front controller and then from front

03:41

controller it interacts with different

03:43

uh different controllers here now what

03:46

is this filter chain in the filter chain

03:48

you will be having multiple filters this

03:50

is filter one let's say F F1 this is

03:52

Filter 2 this is filter three and I'm

03:55

not saying that you'll be having all

03:56

this filter by default there might be

03:59

few filters there might be more filters

04:01

it depends upon how you configure your

04:02

application by default there are certain

04:04

filters but then when you talk about

04:05

Spring Security it adds its own filter

04:08

here okay so what it does is when the

04:11

request goes from the client to the

04:13

server the the Tomcat it looks for the

04:15

filter first do we have any filters now

04:18

Spring Security says yes there are

04:19

filters multiple filters not just one

04:21

let's check what are those filters are

04:23

in the earlier version we used to see

04:25

those filters here for some reason just

04:27

not coming in the console uh not sure

04:30

why so what I will do is I will ask my

04:32

co-pilot to give me these security

04:47

filters okay so you can see it is giving

04:49

you a list of filters 11 filters but I

04:51

think there are more filters which is

04:53

not showing uh so if you scroll down or

04:56

if you scroll up basically here uh we

04:58

got security context assistance filter

05:00

we got logout filter we got username

05:02

password authentication filter now this

05:04

is what was working when we got the

05:06

login form so even if you're ACC

05:08

accessing for the home controller it

05:09

says hold on uh you are not logged in so

05:12

let me take care of it so this filter

05:14

comes on picture then we got login

05:16

default page generator filter page

05:17

authentication filter request cashier

05:19

aware filter there are lot of filter

05:21

here as you can see uh but I think there

05:24

are more which is not showing so there

05:25

are a lot of filters of course you don't

05:27

have to remember all because Spring

05:29

Security take care of it but when you

05:31

want to customize it yes you can

05:32

customize those filters then you need to

05:34

know those filters and this filter so F1

05:36

F2 which I'm showing here these are

05:38

those filters uh by default that it it

05:42

applies some filters to you and that's

05:44

why it is giving you a login form now

05:47

behind the scene how this Filter Works

05:49

is it works in a chain format so when a

05:51

request goes to the server it says okay

05:53

let's execute F1 F1 can decide I I mean

05:57

F1 I can actually change data as well

05:59

let's say if you want to add two numbers

06:01

uh 2 + 5 it goes to the filter it checks

06:04

I mean using filter you can check uh are

06:06

those two numbers actually integers or

06:09

are there two numbers bigger than five

06:11

so whatever filter whatever condition

06:12

you want to add basically you can do

06:14

that in the filter you can change the

06:15

request you can change the response as

06:17

well because response goes in the same

06:19

format so if the request goes like this

06:23

the response goes like this right so it

06:25

goes to the filter so you can change the

06:27

request you can change the response and

06:29

whatever you can whatever you want to do

06:31

uh but here we are not changing data we

06:32

just checking if the user logged in or

06:34

not so one of the filter here acts like

06:36

a login filter it says Hey the user is

06:38

not authenticated let's send the login

06:40

form okay but let's say if the user is

06:43

logged in already and by sending the

06:45

session ID they can basically check if

06:47

the user logged in yes don't ask for the

06:49

login page let's send the request so

06:52

that's how this Filter Works and they it

06:54

uses something called chain as I

06:55

mentioned so this filter will send

06:57

request to F2 F2 will send it to F3

06:59

three so there's something called Next

07:01

filter or do filter chain so it goes for

07:03

the next filter I hope now things are

07:05

making sense how exactly uh when you

07:07

call a controller the security part is

07:09

getting activated is because of these

07:11

filters we have talked about a lot of

07:12

things now let's go for the second point

07:14

which is the session ID so when you say

07:17

this session is getting generated

07:18

because if I relaunch this and of course

07:20

it will give you a new password okay

07:22

this is a new password I will just copy

07:24

this because I want to re log in and

07:26

just refresh this just wanted to make

07:28

sure I'm not Lo logged in and now I'll

07:31

be saying user and this is a password

07:34

sign in now I'm logged in right and it

07:36

doesn't matter how many time I refresh I

07:37

can still see the same page it's not

07:39

like it is giving me the login page but

07:41

after log out it will give the login

07:43

page what if you are changing your

07:45

browser so when you change your browser

07:47

you got a new instance right a new

07:49

particular application even that will

07:51

ask you for the login uh just to show

07:53

you the proof I'm opening my Chrome

07:55

Local Host 880 it is sending a request

07:57

for the homepage now the inspect element

07:59

of chrome is better than Safari I've

08:01

never tried on Safari let's try on

08:02

Chrome so I will do the same thing again

08:05

same password enter I'm signed in how do

08:07

I check this session ID you can check it

08:10

from here right so you can just go back

08:12

here and say inspect more tools and

08:17

developer tools okay so here uh if I

08:21

refresh once again let's go back to the

08:23

con Network Tab and here if you can see

08:25

we got continue so basically that's a a

08:28

query parameter they're sending but

08:29

required this is request for the

08:30

homepage okay this is request for the

08:32

homepage I will click here and if you

08:35

see there are certain things here one of

08:37

the thing is the session ID if I click

08:39

on this uh you can see s session ID so

08:42

this is a part of a cookie and this is

08:46

your session ID so that number the alpha

08:50

numeric number which you can see here

08:52

it's it's actually heac code uh that's

08:54

your session ID and every time you log

08:56

in it will change let me show you so I

08:58

just refresh this and now send the

09:00

request for the log out yes I'm sure and

09:06

if I go to log out new session ID or is

09:09

it the same thing even I forgot what was

09:11

session ID before doesn't matter let's

09:14

create a new user and I mean new login

09:17

sign in and request for the Local Host

09:20

because you can see we don't have

09:21

question mark continue there so it says

09:23

Local Host and we got a new session ID

09:27

there if you can see the number has

09:28

changed if you remember the old number

09:30

but what if I want to print this here in

09:33

the response just to see if the session

09:35

is changing or not you can do that from

09:37

your code so just go back here now if I

09:39

want to print this session ID what I can

09:41

do is I can just go back here and get

09:44

the hold on the

09:46

HTTP serlet request so as I mentioned

09:50

before behind the scene everything is

09:51

serlet right even the controllers are

09:53

serate so it will have two objects the

09:55

request object response object they're

09:57

called HTTP server request object and

09:59

HTTP seret response object I just want a

10:02

request now don't want to play with the

10:03

response one so this is the HTTP subet

10:07

request object which I got hold on now

10:09

this request object has multiple methods

10:12

and just wanted to confirm so this HTTP

10:15

seret request should be a part of jakara

10:17

ser. HTP package okay with this object I

10:20

can simply say request. get

10:24

session dot get ID so this is this will

10:28

basically return the ID let's relaunch

10:30

the application because we have changed

10:32

the code and we got a new password so

10:34

let's copy this as well go back to your

10:36

browser I will stick to whichever Safari

10:39

is there in fact let's hit back to

10:41

Chrome itself okay so first of all we'll

10:43

do the I mean it will log out by default

10:45

because we have restarted the

10:47

application no no

10:50

no session is still there okay so now

10:54

let me just log in once again

10:56

and sign in so we are logged in and you

10:59

can see we are printing the session ID

11:02

as well so if I go to Local Host you can

11:04

see this is the same value which you can

11:06

see there right I hope you can see this

11:08

font size but yeah this is this is the

11:10

same thing and every time you refresh

11:13

you will get the same session ID and not

11:14

just for this particular URL doesn't

11:16

matter which URL you go to you will get

11:18

the same session ID but yes if you

11:20

delete your cookies this will be gone so

11:23

you will be logged out automatically

11:24

it's as simple as that so that's the

11:26

session ID which we were trying to print

11:27

and of course we can have multiple

11:29

controllers you do that with let's say I

11:32

want to print the about content I want

11:33

to add two numbers whatever you want to

11:35

do just check if you're getting the same

11:37

session ID okay what next the next thing

11:40

I want to do is uh I want to change the

11:43

username password I'm not happy with the

11:45

password which is is generating here how

11:48

do I change it see one of the filter

11:50

which is the username authentication

11:51

filter if you remember one of the filter

11:53

we have here which is this uh this

11:57

checks if you have your username

11:59

password mentioned in the property files

12:01

if not it will simply create its own

12:04

password what we can do is we can add

12:07

the username password so for doing that

12:09

you can say spring. security. user.name

12:13

and you can mention the name here so I'm

12:15

going for name naen and spring.

12:19

security. user. password and I'm going

12:22

to set this as teliscope so the username

12:24

is naen the password is Tesco and this

12:27

is a property okay I know in the

12:28

community version it will not highlight

12:30

much if you're using ultimate version

12:32

this looks good but yeah let's use

12:34

community so now with this let's restart

12:36

the application and go back to the

12:37

browser so first let's hit the log out

12:41

and now we are logged out so let's try

12:43

with the user and in fact what about the

12:46

password is it is it generating the

12:47

password if you scroll nowhere it is

12:50

generating a password because it knows

12:51

now that you have your own password so

12:54

let's try with this password first which

12:56

is teliscope and I sign in no bad

13:00

currenti Sals so now I will try with

13:02

naen and Tesco sign in we are in okay it

13:07

says save the password no because I'm

13:09

going to change it okay so now if you

13:11

refresh you're still logged in and you

13:13

can access it multiple times is that

13:16

good so now you have your own username

13:18

password I know I know what you're

13:20

thinking uh what about different users

13:22

different username passwords we'll do

13:24

that in the upcoming videos but yeah at

13:26

least we can change the username

13:27

password I want to do one final thing

13:30

which is uh logging in through the

13:32

postman or maybe any UI tool or any rest

13:36

line tool so I do have Postman in this

13:37

machine so I will just uh fire it so

13:40

that's Postman used it for some other

13:42

URL this time I want to hit Local Host

13:46

colon 80 this is the

13:49

homepage

13:51

and send okay so you can see we got an

13:54

status code which is uh 4 41

13:57

unauthorized that means you are not

14:00

allowed here you know why you're not

14:01

allowed because you're not sending the

14:03

username password how do we send that so

14:05

if you can see we have a tab here which

14:07

is authorization and by default there is

14:10

no Au we have to say hey I have a

14:13

username password and to do that you

14:15

will click on basic o there are multiple

14:16

options here we got JWT barrier token

14:19

multiple options I will stick to basic o

14:21

now and let's explore others later basic

14:23

o so let's enter the username which is

14:25

naven and the password is teliscope in

14:29

fact let's give some wrong password TCO

14:31

one send still unauthorized th Isco and

14:36

we got the response it says 200 we are

14:38

happy and it generates a new session ID

14:40

because a new login so you can see this

14:41

session ID is not matching with this so

14:44

different users different S ID okay uh

14:47

looks good so that's how basically you

14:49

can change the username password you can

14:52

access it through the postman now we

14:54

understood also how Filter Works we have

14:56

seen that in the diagram here yeah

14:58

that's what I talk about in this

15:00

particular video and we'll talk about

15:02

some certain more things but if you want

15:04

to not just sending a get request post

15:07

request will it work let's try that in

15:09

the upcoming videos bye-bye