Spring boot 3.0 - Secure your API with JWT Token [2023]
Vložit
- čas přidán 2. 06. 2024
- #spring #learning #springboot #springtutorial #springsecurity #developpement #java #arraylist #linkedlist #springdatajpa #querybuilder #aliboucoding #alibou #validation
Are you looking to secure your Spring Boot applications and keep them safe from unauthorized access? Look no further! this tutorial is the perfect solution for you.
In this course, you'll learn everything you need to know about using Spring Security and JSON Web Tokens (JWT) to secure your applications. We'll start by teaching you the basics of Spring Security and how it can be used to authenticate and authorize users in your application. From there, you'll learn how to implement JWT to provide a secure, stateless method of authentication.
👉🏻 Source code: github.com/ali-bouali/spring-...
Don't Forget to
===========================================
💯 Free courses here: aliboucoding.com
💯 Subscribe to the youtube channel
💯 Join our Discord Community - / discord
💯 Join our Facebook Group - / 589612651142975
💯 Join our Instagram: / alibou_coding
Table of content
00:00 Intro
01:55 How JWT security works
07:26Create a new spring boot 3.0 project
09:28 Add Data source
12:28 Connect to the database
17:12 Create user class
20:05 Transform the User to an entity
25:22 Extend the user to UserDeatils object
33:32 Create the user repository
35:50 Create the JWT authentication filter
40:58 Checking the JWT token
44:32 Create the JWT service
47:56 Add the JJWT dependencies
49:59 What is a JWT token
53:06 Extract claims from JWT
55:23 Implement the getSignInKey method
01:00:07 Extract a single claim from JWT
01:01:51 Extract the username from the token
01:02:52 Generate the JWT token
01:08:15 Check if the token is valid
01:11:22 Check the user existence in the database (JwtAuthFilter)
01:15:13 Implement the UserDetailsService
01:19:38 Update the SecurityContextHolder and finalise the filter
01:23:53 Add the security configuration
01:32:51 Create the authentication provider bean
01:36:41 Create the authentication manager bean
01:38:14 Create the authentication controller
01:40:55 Create the authentication response class
01:41:47 Create the register request object
01:42:50 Create the authentication request class
01:43:22 Create the authentication service
01:45:37 Implement the register method
01:49:28 Implement the authenticate method
01:52:17 Update the security configuration whitelist
01:53:35 Create a demo controller
01:54:55 Test the changes
Join the Micro Services course waiting list and get and get an exclusive *EARLY-BIRD discount*
aliboucoding.ck.page/d0f9317e13
You have no idea how much you have helped me. Due to other tutorials being backdated, I just couldn't find a proper step by step procedure on how to implement jwt in spring boot. You saved my university major project. I wish you lifetime of happiness and health.
Really happy you liked it
@@BoualiAli A small error check : the token will get expired in only 24 minutes not 24 hours. Apart from that everything is crystal clear.
Thank you so much, very well explained! Very useful!!
Very awesome tutorial, great explanations on the concepts, easy to follow along. I have really learned alot Ali. Looking forward to learn more courses on Springboot and Java.
Thank you so much for your feedback 🙏
Thank you Ali!
Many thanks! Your tutorials are absolutely fantastic. Pure gold! The content, your delivery and the speed - everything is just perfect. Sending loads of love your way!
Glad you like them!
I want to give you a huge thank you. I've been struggling with this for days due to other tutorials being outdated. You really saved the day.
Glad I could help!
Thank you so much for this fantastic Spring Security video!
Glad you enjoyed it!
جزاك الله خير
It's amazing content
Wonderful ! thanks for the effort and clear tutorial!
My pleasure
Great work and content! Thank you very much for this.
Happy you like it
Perfect! This is the most well explained tutorial I have seen and I have seen many regarding the discussed subject.
Happy you liked it
this is the video perfectly understand the spring security for me. Thank you so much @Bouali Ali
Happy you liked it
Thank you so much for this fantastic Spring Security video! It was incredibly helpful and provided me with valuable insights. I really appreciate the clear explanations and the practical examples demonstrated throughout the tutorial. Your expertise and teaching style made it easy for me to grasp the concepts.
Glad it was helpful!
Amazing content. Thank you for your good work to enable us acquire skills.
really happy I helped you learn
Great Video Bouali ! I have learned many things. Subscribed your channel also . Thanks a lot !
Great to have you
Very awesome tutorial, great explanations on the concepts, easy to follow along
Glad you liked it!
thank you for this video!
My pleasure
Loving this. Great start as I migrate to Spring Boot 3. Thanks man 🔥.
Happy to know 🔥
Great video man, I have recently started learning Springboot and there wasn't many content for 3.0 out there, was exactly looking for this, the way you explained everything was very well done and understable, Thanks and Keep it up!
Thank you for the great feedback.
I had the same issue and it turns out I had left User's isEnabled() to false, when it should be true.
Gold. 👍
Thank you.
Happy you liked it!
Thank you too!
Absolutely great tutorial!
Happy you liked it
Thank you from South Korea!
how is the job Market in Seoul for Java Devs, I am in China and looking for new opportunities in other countries
Good job ,and i realy appreciate you so much .
Thank youuuu
Thank you very much for this. this was great. you have gained a subscriber forever!
So happy and proud to have you here
Thanks a lot man, your explanations are the best! Subscribed! I will see the refresh token vid now :)
Thank you 🙏. Check the spring security playlist for more videos
Great Video, thanks a lot
Glad you liked it!
this tutorial is very helpful. thanks a million
My pleasure
This is just what I needed, great explanation and the most important, it works!!! , Thanks and greetings from Colombia.
Great to hear!
Greetings from 🇹🇳
This video made all my doubts clear. Thank you so much.
Really happy you liked it
baraka al Allahu fik. Keep up the good work!
my pleasure
Check the new one, it is more updated with no deprecations
@@BoualiAli Awesome! may you share the link for it?
@@mahmoudotri6103 check the videos and you will notice it. It is a recent upload
Great explanation !! Thank you very much, u're awesome
Glad you liked it!
awesome tutorial!
Glad you liked it!
What a great video! you have gained a subscriber forever!
You’re welcome forever
Great Job Ali,
thans is the best Tutorial I ever see.
I like and Subscribe right now.
More thank happy to have here
thank you very much for the information and excellent explanation
Glad it was helpful!
Amazing course, i get all workflow about jwt spring security, how to extractAllClaims, single claims, how to use JWTAuthenticationFilter and more. Thanks for this update spring security jwt and hope you take care of you!! Great time!!
Fantastic!
Intéressant ! mister bouali ...
Thank you
Thank you so much bro ! Best tutorial I've ever seen.
Glad you think so!
I just finished this tutorial and trust me, if you want to learn about Spring Security using JWT, this is the way. Thanks @Bouli Ali for such awesome content
I really appreciate your great and honest feedback.
This keeps me motivated to provide more and better content
thank you khouya, merci beaucoup pour ton effort.
My pleasure
Too good. Awesome.
🙏 thank you
Thank you very much. you save me and my university project. Subscribed
Glad I could help!
great content, I'll be finishing the one on amigos code cause I'm still using spring 2.7, I'll book this video once I upgrade!
That’s good
I just discovered your channel, what a great content, Allah y3tik lkhir
Thank you so much 😊
Great Video, you saved my life on a bug that I've been searching for so long since I migrated to spring 3.0, Keep it up! from Tunisia
My pleasure bro
I like Tunisian people 🇹🇳
thanks for your efforts
Welcome 🙏
muchas gracias por la explicación y por compartir el repositorio 🤓
My pleasure!
Excellent tutorial
Thank you
great!
Thanks
Amazing course, I learned so much! It is even more amazing the code you gave on github, however I wish I could have some explanations on all the additional stuff there is in the repo
Happy you liked it!
Just follow the playlist order and you will get each line of the code
Thank you 🎉
You’re welcome 😊
thank you so much for the course, it is very helpful. I hope you could make a continuation video implementing the APIs in Angular. I 'm really stuck right now
Happy you liked it
I'm already preparing a video for that
I was struggling to learn this, thank you so much for this video. It helped a lot
I’m happy to help
@@BoualiAli what changes to make in order to specifically allow USERS to one endpoint? .hasRole("USER") doesnt work SecurityConfiguration
@@muniapriyansu8805 you need to add the annotation @enableglobalsecuritymethod on the security config class and the @preuathorize will work like a charm
I have another spring security in the same playlist that explains authorization and how it works
OMG this is the most awesome tutorial I've ever watched
Thank youuuuuu. Happy to know that
Hello, it was a great step-by-step tutorial. The things that weren't clear to me became clear after I watched this video for the second time. The only moment (just statistical) - the token expiry date wasn't 24h from the moment of creation. 1000 ms -> 1s; 60 * 1000 -> 1m; 60 * 60 * 1000 -> 1h. So adjustment should be settled to 24 * 60 * 60 * 1000. Your token expiry date is 24 m.
True, but just for the sake of the tutorial I removed the *24 to have short living token.
Sorry for the confusion
Great video Bro keep going 😀😀😍
Thank you, I will
Thank you for your efforts, your brother from morocco..
Keep it up 🙂
My pleasure
Good job aloulou ;)
thank you 3chiri
It is astonishing with what fast pace spring boot is moving forwards. Alot of the methods shown here are already deprecated and marked for removal.
really great video!!!! thanks!!! I would adapt the title just put (registration & login) because CZcams does not show your video, when searching for spring boot registration & login
Thanks for the tip!
Hi Ali, if possible, could you show the imports of the class briefly after you finish with a class, for comparison next time? Thank you!
Check the code on Github
Thank you so much, I followed this guide and everything works great. I have a question though. In the isTokenValid method of JwtService we check if the username(email) from the parameter userDetails is equal to the username found in the token. However the parameter userDetails is always aquired from the username found in the token (e.g. in AuthenticationService or in JwtAuthenticationFilter). So the way I see it we extract the username from the token and then check if the extracted username is equal to the username found in the token. Wont that always be true?
I am subscribed
Really happy you liked it
Great content, thank you. can you please provide a tutorial in Oauth2 implementation in spring boot 3 (Authorisation server + Resource server) using JWT?
Working on it
Thank you very much for explaining to us how jwt works under the springboot 3 to do whole authentication part , would you give a follow-up with the role based version in the next comming up videos?😁
Sure thing!
@@BoualiAli thank u so much, after watching your old 2.0 role based version and your comment down below I assume using EnableMethodSecurity as well as preAuthorize can do this . But for controlling the role to limit on CRUD or refresh token I have no clue
For the Spring Security package to be complete on your channel, could you please make a video explaining how to configure CORS using Spring Security? For example, as routes from other origins that need authentication with the head "Authorization" in the request, I would be very grateful
Coming soon 😁
thx
Thank you for your awesome tutorial! I learn a lot from your video. Let's say if we had multiple microservices and Spring Cloud Gateway routing to process requests to those (downstream) services. I was wondering if you could let me know how we can apply the jwt from your video (user microservice) to other microservices as a global one.
Thank you once again for your time and consideration!
It works the same way.
Just implement it on the api gateway level
Really happy to have you here
Hi! Great Tutorial! One of the best I ever seen. I have only one problem, I can still add more users with the same email. You don't check this in tutorial too.
Thanks for the comment.
Yes duplicated users are not prevented. Add @Column(unique=true) on the email field and it will fix it
Randomly found this channel. Wonderfully explained. Thanks a lot. Just a request, could you paste that key generator url in the description?
You can check the code in my github account (link in the description)
Hello sir i saw video tutorial n these are awesome like each n every topic will convered in videos. One request from my side for desktop native application using electron js with angular in details project like books library project i possible please consider it in your upcoming playlist because no one is on you tube who is doing electron js tutorial.
I will try my best
16:50 You don’t need to specify the driver-class-name since Spring Boot can deduce it for most databases from the url. See Spring Boot 3.0 Data docs.
True, but if I don’t specify it people will ask about and I forgot to mention that in the video.
Good comment 👍
Great work and content! Can yo tell me the theme/setting you have? At 1:08:08 (the green extraClaims for example)? In default New UI of Intellij 2023.3.2 there is no green color for me but in your video it is there. I like it better as you configure it. Thanks!
I have no extra config, it is the default theme.
I’m using a mac 💻 maybe this is what’s making the difference
I can't really express how you are amazing Mr. Bouali. The explanation is clear and straight to the point.
I wanted to ask you if there is a way to not to hit the database for each request as this will be overhead for it. can we make it in the register & authenticate part only?
You can implement caching
can you please recommend me a good way for In memory caching? or any other way that make me avoid using things like Redis aka other database with its own server?@@BoualiAli
Great! One question, you take the jwt of the authenticate(log-in) to send the Demo Controller request. If I use jwt I got from Register, it is the same ? In simple words, if I want log-in directly after the register (and not log in again), is there any extra step I need to do? (for example set SecurityContextHolder). I guess both in log-in and Register the SecurityContextHolder must be set ! Thanks !
Thanks for the video, it's so useful!
What setting you are using for your Intellij, looks good :)
Thanks for the feedback
It is the new ui from the latest version of intellij
Thank you very much for the quality content Ali. Just a small query, how can we make sure the /register endpoint isn't open to everyone. I mean there should be a mechanism to let only specific people register and access my api who know something (may be a secret key).
Thanks for the feedback.
In this case, you can restrict access to your app/api via the network (ingress) and you allow specific white list ip adresses (aws security groups with vpc / ec2 for example)
thank you for your tutorial i hope you do tutoril for spring boot microsrvice securty JWT
I’m preparing something already
Hey, @BoualiAli awesome tutorial and content on the channel at all :D
You are doing a great job. :)
I have one question. How can this code be improved, what can I do additionally to secure my app better?
User OAuth2
Awesome, I love your explanation. Can you make video on Spring boot 3.0 - Webflux with JWT Token
I will take note of that.
I’m preparing a new video that you’re gonna love absolutely
@@BoualiAli I’m waiting
Thank you for your great explanation. I watched this video many times, it 's very clear. Can we have the sources of your project ?
Hello,
The repo is in the description of the video
Can you please make a tutorial about authentication and authorization exception handling. Like where to throw exceptions if invalid credentials were prompted or JWT related exception 🙏
Check the exception handling video. You have the answer there
Nice content boss, it was really helpful.
I've fallen in love with your IDE, is it an intelliJ theme or a newer version of intelliJ.
I really do need it
Thank you for the feedback.
It’s the new Intellij design from the latest version
@@BoualiAli Yes, i use the new version. But which theme is it? 🙂
Great video, great work and great content! I would like to ask you how should I configure Spring Security to have persistent authentication. With Postman everything works, but what if I want to do fornt-end side authentication?
I’m creating a special video for that. Coming soon
Hi Ali . I just wonder what site did you use for entire architecture picture ? Look so great!
I use drawio for that
Firstly thanks for this video. Could you explain how to set token expiration time and refresh token expiration time. Thanks again. Greetings from Turkey 🇹🇷
I will create a new video about refresh token asap.
Greetings
Hi Ali, thanks for these awesome tutorials! I have a question, how I can exclude some packages o urls from the authentication, something like /health, /docs, etc. I have trying to override the method shouldNotFilter but not work for me
Add these urls to the .permitAll()
Check the openapi video (same playlist) and you will see the exact code you’re looking for
This is soooooo long ! Thank you for doing everything step by step but its my request please bring a Course on Spring Security where you can explain things on a slow pace. That would help us get more clarity.
Sure
Awesome video. Just spent the entire day yesterday coding it by hand and following the video. I do have one question. I've done JWT authentication in other languages, and we always validate the token by using its signature, instead of just comparing the claims to expected values. Is this something that is handled internally by Spring Boot?
When you call the decode method, it is validating the token using the signature
❤️👏👏
Hello, Thank you this helped a lot. But can you tell me why register api works in postman by returning a token but authenticate api gives cache miss for REQUEST dispatch to '/api/v1/auth/authenticate' (previous null).
Thank you very much for the tutorial , could you provide us how implement login with social media and jwt
I’m worrking on such tutorial
It was really a great and helpful video, thank you so much and please keep providing with such quality content like this. I have a question if you could answer me I will be grateful for you, just I wanna know how we can implement a logout method ?
Hi
For the logout, you should implement a logic for that.
I will create a video for it in the coming days
@@BoualiAli I managed to clear the storage on the client side and delete the token Is this enough ? Or I must add a method on the server side for more Security purposes ?
Thank you again
@@mouradeljayi584 this can be enough.
Hi. Thanks for the course. I have a question. If we use logic on adding authentication token to SecurityContextHolder after checking whether it is empty or not, won't there be a problem when one client makes authentication, its authToken is stored in SecurityContextHolder, and after second user is authenticated, authentication token of second user will not be added to the store because authToken of first user already lies there. How can I get around this problem or what can you advise to use. Thank you for your feedback
Updated: Do I need to use the SecurityContextHolder to store authentication? Wouldn't it be enough to check if the token is in the Authorization header and, conventionally, do some more verification like checking if the email that was in the token is in the database without using SecurityContextHolder to store the authentication. Would it be a solution to use some NoSQL databases to store just these authentication tokens (Redis, etc.)?
Yes you need to use the security context holder.
Also, remember the session creation policy => stateless so for each request the token will not be stored and it will be removed after each request.
Review that part and you will get it
Hi and thank you for the amazing content. I was wondering, if you need to initialize your admin with first name, last name, email and password in the project settings, how would you do it in this case? It looks like that you can only register it through the registration form, but I need to set one and the only admin in the project configuration settings. Thanks!
You can use a database migration like Flyway
I already posted a video how to do so.
@@BoualiAli, Thanks!
thank you for the video. Do you have a video about CSRF ?
I will take note of that and make one soon enough
Hello what ist the next video it's very interesting
that is the best vedio about jwt implementation so far, thank you for your simple explanation that even a new user of the spring framework could understand clearly.
i have a question please if you don t mind, I'm using spring mvc with thymeleaf, i don t know how to send the jwt token in the header with thymeleaf like in your case with postman you sent it in the authorization type bearer token, and there is no one talking about it
thank you
I am also trying to figure this out
@@adrianfee9131 i manage to do it using session like instead of retrunin the jwt token to the user and send it from the header you can just save it into the session than in the dofliter function you take the jwt token and validate it from the session i ll join the code below i hope this helps
i don t know if it s the right way to do it but it is working
Great content and i want to know how you customised side bar icons instead of text in your intellij
It is the new UI from intellij.
Download the latest version and you will get it