Spring Security explained with no code

00:00

hey what's up tiies welcome back to my

00:02

channel I'm thrilled to have you here

00:05

for today's video where we were going to

00:07

unravel the mysteries of Spring Security

00:10

the best part of it we're doing it

00:12

without writing a single line of code I

00:15

know security can sometimes feel like a

00:18

complex puzzle but fear not we're

00:21

breaking down the Spring Security

00:23

architecture step by step using a simple

00:26

analogy by the end of this video you'll

00:28

have a crystal clear understanding of

00:31

how security really works but before we

00:34

dive into the details I've got something

00:36

exciting to share check out my brand new

00:38

spring boot course it's your ticket to

00:41

mastering the framework deep intricacies

00:44

the link is in the description below of

00:46

this video also don't miss out on

00:48

joining our growing community on social

00:50

media all the links you need are right

00:53

down there so let's connect now if

00:56

you're new to my channel hit that

00:58

subscribe button give this video a

01:01

thumbs up and share it let's spread the

01:03

knowledge together and help this channel

01:06

grow imagine you're throwing the

01:08

ultimate party but you want to make sure

01:11

it's exclusive just like organizing a

01:14

party involves meticulous planning

01:16

securing a spring application involves

01:19

setting up the perfect entrance let's

01:22

break down the party analogy into the

01:24

word of Spring Security without diving

01:27

into the code first things first think

01:30

of your party space as your backend or

01:33

rest API it's the heart of the event

01:36

where everything comes together now this

01:39

fantastic party space has doors and

01:42

entry points in the take word we call

01:45

them end points these are controlled by

01:48

the party controllers each managing

01:51

specific aspects of the event to avoid

01:55

any Uninvited project egg scenarios we

01:58

need a system to check check if guests

02:00

are authorized enter the security team

02:04

the bouncers of our digital party just

02:07

like real world party needs tickets our

02:09

spring application has a registration

02:12

method in the authentication controller

02:15

this is where guests get their digital

02:18

tickets but having a ticket isn't enough

02:21

you need to show it at the door and

02:25

think of this as presenting a JWT token

02:28

which is a digital version of your party

02:31

ticket now to make sure only cool crowd

02:35

gets in we hire a security company this

02:38

is the spring boot starter security

02:41

dependency they come with their own way

02:44

of doing things but we want a more

02:46

advanced setup so imagine assigning a

02:50

security guy to each door or each entry

02:53

point of our party space these are like

02:56

the security filters in our Spring

02:58

Security setup so their job is to check

03:01

everything first does the person have a

03:04

ticket which is our JWT token is the

03:07

ticket correctly formatted for today's

03:09

party then check the username and code

03:12

on the ticket and finally ensure the

03:15

ticket is legit and issued by us with

03:19

the user registered in our internal

03:22

system so if everything checks out we

03:25

update our system let the person in and

03:28

even give a route Guide to the party

03:31

otherwise they just get rejection

03:34

treatment so now let's break down the

03:36

security diagram and see how it all

03:39

works then I'll guide you step by step

03:42

through each step and share the

03:45

corresponding code links after deciding

03:47

to organize the party this is the

03:49

equivalent of having our backend or IPI

03:53

ready and then calling a security

03:56

company is the equivalent of adding the

03:59

spring boot starter security dependency

04:01

then we need to have a meeting together

04:04

with the security company to explain the

04:06

way we want to secure our party and how

04:09

to get different information and

04:12

validate them so this is the equivalent

04:14

of the security configuration class

04:17

where we need to tell spring what are

04:20

the different components to use in order

04:23

to secure the API now let me explain to

04:27

you the configuration class so as you

04:29

can see here this is the spring or the

04:31

security configuration class from the

04:34

previous tutorial so I will leave you

04:36

also the link in the description of this

04:38

video so here let's go directly to the

04:40

security filter chain which is let's

04:43

imagine it as the contract between the

04:45

party organizers and security company so

04:48

here we tell them that we want to

04:51

disable the csrf and then we want to

04:55

authorize some people so here we said

04:58

that we have list of people that we want

05:01

to authorize by default no matter what

05:04

they don't require anything so this is

05:06

how we have here permit all and then as

05:09

you can see here for example in order to

05:12

access this space or this VIP space the

05:15

guy or like the the person presented in

05:18

front of you needs to have for example

05:21

let's say here or let's try to replace

05:23

this role with a special ticket all

05:26

right same here and then finally we say

05:29

that that any request needs to be

05:32

authenticated so this is the most

05:34

important part after that as part of our

05:37

contract with a with security company we

05:39

want to tell them that the session

05:42

management we want it to be stateless

05:44

this means that each time even if a

05:47

person was authenticated before and

05:50

leaves the party parameters and wants to

05:52

get back again so we need to recheck

05:56

everything from scratch all right so

05:58

each time we have have a person in and

06:01

then we forget about him so we don't

06:02

save any state so let saying okay I

06:05

remember this guy he was checked in

06:06

before no it's not the case every time

06:09

someone wants to get in even if he was

06:13

inside before we need to double check

06:15

again then we need to determine what is

06:18

the authentication provider so how to do

06:21

that how to check the system how to

06:23

check if the user has the correct ticket

06:27

if the information of this user are the

06:29

same as in the ticket or not and then

06:32

here adding a filter before means that

06:35

this is where we want to place our

06:37

security guys so for example saying I

06:40

want to have one or two people in the in

06:42

the front or in the main entrance and so

06:45

and so forth and the rest right here is

06:47

just for the lout so now this is how

06:50

this is how we can determine the

06:52

contract between us or between the party

06:55

organizers and the security company so

06:58

it's just it's it's all about telling

07:00

them how to do things because they H

07:03

they have their own way of doing things

07:06

but we want something specific for us

07:08

all right now you get the analogy but we

07:12

need to understand how things internally

07:15

work so let me dive you now through a

07:18

diagram that explains how the

07:20

authentication really works and how to

07:23

authenticate a user in Spring secret so

07:26

as you can see here we have this diagram

07:29

and and here we see that first of all we

07:31

start with an authentication request

07:33

where the user will send his credentials

07:36

the credentials are username and

07:38

password the request will reach our

07:41

backend and the first thing that will

07:43

get executed is our filter chain so we

07:47

have many filters in our spring

07:49

application even without declaring or

07:51

creating a specific filters spring has

07:54

its own filters and among these filters

07:58

we see here here that we have our once

08:01

per request filter which is the JWT

08:04

authentication filter that we created in

08:07

our tutorial and then the request will

08:10

be forwarded to authent to the

08:12

authentication controller since for the

08:16

authentication if you remember we have a

08:18

check to check if this request is coming

08:21

for the authentication and if the answer

08:24

is yes we don't execute the filter so we

08:27

just pass to the next filter chain and

08:29

execute the rest so here we come

08:32

directly to the authentication

08:33

controller which has a dependency which

08:36

is the authentication manager so we

08:39

inject our authentication manager inside

08:42

our authentication controller and then

08:44

it's directly in the service but I just

08:47

didn't want to make this diagram too

08:49

long so from the authentication

08:51

controller we are calling the

08:52

authentication Service and then we have

08:55

the authentication manager as a

08:57

dependency in the auth authentication

08:59

Service so the authentication manager it

09:03

attempts to authenticate the past

09:05

authentication object returning a fully

09:08

populated authentication object

09:10

including granted authorities if

09:13

successful and in case something is not

09:16

working or something wrong with

09:17

authentication we will get one of these

09:20

three exceptions first whether a

09:23

disabled exception a locked exception or

09:25

a bad credentials exceptions so in case

09:29

want to handle exceptions for the

09:31

authentications these are the three

09:33

exceptions that you need to take care of

09:36

so then this authentication manager is

09:39

an interface and spring has a default

09:42

implementation which is a class called

09:44

provider manager and this is the

09:46

commonly used in the spring applications

09:49

and then these provider managers needs

09:52

or uses an authentication provider and

09:55

the authentication provider is the

09:58

object of the Bean that we configured in

10:00

our Bean configuration or application

10:03

configuration class so I'm talking about

10:06

this one so if you go to the application

10:08

config here you have an implementation

10:11

or a bean of type authentication

10:13

provider and here we are providing an

10:16

implementation of this authentication

10:19

provider which is already an interface

10:22

all right and among the implementation

10:25

of this interface we have the Dow

10:28

authentic ation provider so now if we go

10:31

back here we have or we are providing

10:33

our Dow authentication provider and this

10:36

Dow authentication provider needs two

10:39

dependencies or two services at least

10:42

first we need the password encoder this

10:44

means how we encoded the password while

10:48

persisting it to our persistence system

10:51

so our persistence system it might be

10:54

different things and also we need an

10:57

object of type user detail service and

11:00

this user details service will try to

11:03

fetch the user and here we need to to

11:06

have our own implementation of the user

11:09

detailed service interface and its

11:11

implementation provided by us it will

11:14

try to connect to a storage system it

11:16

might be like a post degree SQL like the

11:18

case we had in our tutorial or or a

11:21

mongodb or any type of other storage and

11:24

this user detailed service will return

11:27

an object of type user details and this

11:30

user details will provide spring with

11:33

the following information username

11:35

password authorities is enabled is

11:38

account non-expired is account nonlocked

11:41

and is credentials non-expired and from

11:44

is account nonlocked and is enabled

11:47

properties you can see here that this is

11:49

why and how we are returning the

11:51

disabled exception and the locked

11:53

exception and then of course our

11:56

provider manager will pass an an object

11:59

of you of type username password

12:02

authentication and then it will be

12:04

passed to the Dow authentication in

12:06

order to perform the authentication

12:08

process once everything is okay and once

12:11

everything is fine we update the

12:14

security context holder so the security

12:17

context holder is a spring object that

12:20

holds some information it has a security

12:23

context and inside this security context

12:26

we have an object of type Authentication

12:29

which is the same object that will be

12:31

returned by our authentication manager

12:34

and this authentication object has the

12:36

principle credentials and authorities

12:39

which are returned from these user

12:42

details right here all right so this is

12:44

the process of authentication in Spring

12:48

Security Now if we send a request with a

12:51

JWT in the header with a token in the

12:54

header and we want to perform and see

12:57

how this token will will get verified

13:00

and checked by our filters so now let's

13:03

jump into it now I will show you a

13:05

different diagram showing how this

13:08

process or this flow works all right so

13:11

now in the next diagram we will see how

13:15

the filter really works so now we have a

13:18

user that will send a request to our

13:21

backend so it might be a get post past

13:24

uh patch delete and so and so forth any

13:27

type of http request or HTTP actions so

13:31

we said that the first thing that will

13:34

be hit in the application is the filter

13:37

or the filters that we have in our

13:39

application and among these filters we

13:42

have an object of type once per request

13:45

filter which is the JWT authentication

13:47

filter we spoke about it in just few

13:50

seconds ago and here we have something

13:53

so if the token exists then what we need

13:57

to do we need to go to the JWT service

14:01

and we need to validate the token here

14:03

we have two scenarios the first one if

14:06

the token is not valid so then an

14:10

exception of type token and valid

14:12

exception will be thrown and this will

14:14

be the response to our final user so as

14:17

you can see here it's already in Red so

14:20

this is an exception then if the token

14:23

is valid we will go or we will call the

14:25

user details service in order to find

14:28

the user from the database after

14:31

extracting the user email or the subject

14:34

from our token using this JWT service

14:38

then once the user details is called or

14:42

the user details service is called we

14:44

have two scenarios so let's start with

14:47

the exceptional one so if the user is

14:49

not found then we will throw a user not

14:52

found exception and again we will return

14:55

back an exception or an error to our

14:58

customer if not if the user is already

15:01

found what we need to do next is

15:04

updating the security context holder

15:07

once again so the filter as we showed in

15:10

the previous diagram that's why here

15:13

it's also linked to the on per request

15:15

filter or the JWT authentication filter

15:18

because any of them whether the provider

15:21

manager or the our authentication

15:23

manager object can update the security

15:25

context holder or as well as like this

15:28

the same thing for the JWT

15:30

authentication filter so then what we do

15:34

we update our security context holder

15:37

and we update the authentication and

15:39

then we pass the request to the

15:41

dispatcher serlet and then the

15:43

dispatcher serlet will take will take

15:46

care of dispatching the request to the

15:49

correct controller of our API and then

15:53

of course it will be treated it will go

15:55

to the service database and so on so

15:57

forth and then we will return back a

16:00

response to the final user otherwise you

16:03

see here that in which cases we have or

16:06

we might have a 403 all right now I

16:10

think springing security and securing

16:13

web applications and rest apis is much

16:16

much much easier with this breakdown of

16:20

the different components of security I

16:22

hope you like this video and don't

16:25

forget to join me and connect with me on

16:27

social media and of course don't forget

16:30

to like share and subscribe to my

16:32

YouTube channel in order to help me grow

16:35

this Channel and spread the knowledge to

16:37

more and more people thank you so much

16:40

and see you next

16:49

time