COUPON Code: *EARLYBIRD20* => Spring Data JPA course: aliboucoding.com/p/the-full-guide-to-master-spring-boot-data-jpa
He is the best Teacher on spring security. i will recommend you anytime and anywhere
Thank you 🙏. Really appreciate that
Thanks for this lecture. With this lecture, I can understand how JWT and Spring Security combine to build the security structure in Spring Boot. Finally, you are the best teacher; you are a lifesaver for me.
Great teacher with a clear voice and content, making life easier for Spring Boot developers. A great contribution and highly appreciated. Thank you so much 🥰
You saved me from my boss's anger. Thank you very much 🙏
Most welcome 😊
Thank you so much for these updated videos. You have no idea how frustrated I got due to the outdated ones when working with Spring Boot 3.
You're helping me in both my full-time job and in my freelance projects, especially when it comes to the security of APIs.
Bundle of Thanks
Glad I could help!
These are amazing! Refresh tokens would be very useful!
Thanks.
I will create a video about that for sure
You are the best!
Thanks a lot!
Mentions every side of the JWT.
Basics, logout, refresh token, password change etc...
Happy you liked it!
Excellent videos and playlist! 👍👍👍👍
Thank you so much for this and your other Spring Security videos! You break down overwhelming concepts into clear smaller pieces so easily. I learned so much from just going through a couple of your videos. Looking forward to watching more!
Glad you like them!
This motivates me
This is the best video about Spring Security and JWT. Thanks a lot for this lesson, it helped me incredibly :)
God bless you, my fellow countryman.
Thank you so much Ali, you're a lifesaver
Thank you 🙏
My pleasure
Thank you for the amazing tutorial
Thank you, Sir, for sharing your knowledge.
My pleasure
Thanks, your video goes at a very good pace with clear explanations. Apart from a couple of deprecated pieces of code, it was great. Thanks for your help!
Deprecations are inevitable. I always release new videos for the updates.
Check the playlists or search in the channel.
you have saved the IT Industry, Sir!!
Glad you liked it!
Thank you so much, very well explained!
Hi from Morocco, your Spring Security tutorials are perfect, thank you for your help.
Glad you like them!
It's really cool and superb content.
Happy you liked it!
Mashallah, thank you my brother for the clear step-by-step tutorial. Keep it up!
My pleasure!
it was really a great tutorial. Thanks for sharing your knowledge with us
Wonderful!!! What an energy, sir. Appreciated....
So nice of you
1) What is the use of revoking and expiring all tokens during JWT creation (you have already done it in the LogoutService class)? Why do it twice?
2) In this application, can a user not log in simultaneously from two devices? (As soon as they log in on another device, you simply revoke all their previous tokens.)
Are the above questions valid, or am I missing something?
BTW, the lecture is very helpful. Thank you.
Thanks for your job. These guides save a lot of time for beginners
Happy you liked it
The best one teaching Spring 🔥🔥
Wow, thanks!
That's so cool that you provide such really helpful videos and content
Thank you so much, Sir
Glad you like them!
Awesome tutorial. I have one big doubt: I've seen lots of people saying it's not secure to store tokens in the database. I am wondering why you are doing this?
As I mentioned, there is no implicit implementation for logout (jwt) and that is one simple solution.
You can perform a daily cleanup of revoked / invalid tokens from the database
@BoualiAli yes, I understand that. But I do not want to store the valid tokens in the database either, for security reasons. Can you suggest a way to revoke a token in the backend? Is there any way we can remove the JWT from the SecurityContextHolder?
You are so wonderful! Your teaching is very easy to understand. I watched your video 4 about Spring Security and I added more to watch later!
Really happy you liked it
A lot of videos out there rarely explain logout! Thanks a lot for this amazing video 🙏
Happy you loved it 😊
Thanks for the video!
I just didn't understand why we need to create a token during registration. And what about the refresh token?
The token in the registration is just to avoid re-logging in
Refresh token will come soon
Just finished watching the previous video implementing JWT, and adding this on top of that I've learnt a lot. Super thanks man 🔥.
Happy to know that.
Happy you liked it
Good tutorial. I have a question: the way this is implemented, does it mean a user can't log in on many devices? Because the way I see it, every time you log in on another device all the other devices are logged out automatically
Very useful and clear explanation. Thanks Ali
Glad it was helpful!
So thankful to you, sir, for giving these videos, very useful for me. Sir, please do a video on forgot/reset password
Already done.
Subscribe and enable the notifications and you won't miss any of my new videos
Thanks for your effort in jwt.
But I want to ask you a simple question:
Should we delete the previous tokens for a specific user so we don't have a lot of rows that we don't need in the database, or not?
Thanks in advance.
This also can be an option if you don’t need the already revoked token
@BoualiAli ok, thanks
Applause to your effort. Need to say this video is really informative and helped me extremely for implementing logout with jwt tokens. It would be really helpful if you could start a youtube series on implementing the microservices with all the features provided by spring cloud.
I already started preparing for such course.
Preparation takes a really long time
Amazing, please keep going. This topic of security is very rare, especially with these updates of Spring Security 6
Thank you, I will
@BoualiAli Thank you so much, Mr
Hello from Russia, man. Thanks for your very helpful videos.
Greetings from Tunisia 🇹🇳
Happy you like my content
Very cool, explained everything, thank you!!!
One question. Isn't it more logical to just delete tokens so as not to store a bunch of invalid tokens in the database?
I guess you can do it. It's just a matter of history
Thank you for the video!
I have a question. When I log out, are the tokens just left permanently in the database?
I am curious about what processing is common in a practical environment.
You can create a script to clean the DB.
By the way, better use Keycloak
I will release a new video next week
Thanks for the informative video. The only thing I did not understand is why we do the same checks in the LogoutHandler as in the filter, because if there is no Authorization header or it does not start with Bearer, then the filter will not skip this request, and if the filter missed us at the /logout endpoint, it means that the Authorization header is there, the token starts with Bearer and it is also not null. Am I right?
Such amazing and useful content, and a better way to explain it in an easy way. We love your work and efforts.
Thank you for such amazing content like this ❤.
Happy you liked it
Excellent, a video on refresh token would help
Thanks, I will create one
Hello Bouali! Great tutorial as always, thank you!
Quick question: doesn't revoking the user's token on every authentication forbid them from logging in to the application on different devices at the same time?
Yes, true
Thank you so much, loved the video. I was stuck and looking for a resource. It helped me a lot. Love from India
Happy to have you here.
Happy you like my content
Wow bro, you are amazing. This tutorial helped me to solve my problem in my project :)
Happy to know that, bro.
Helpful and useful video, but it could be done in an easier way: you could create a new method called logout, then decode the JWT, then change its date, and that is all. Your explanation is very clear. Thank you
Thanks for the comment.
Just one question regarding your way of doing it. How would you get the user to update the token? (The token is stored on the client side)
Great tutorial! Will you create video about refresh token?
Happy you like it.
I will soon
Very helpful video. I have only one question, maybe I don't understand something, but why store expired tokens?
You remove expired tokens.
In a different context, you might use them for auditing and tracing (maybe)
These videos are amazing, thanks a lot. I searched many videos about JWT security in Java Spring Boot but they weren't easy to understand, but I can learn easily and clearly with your videos, thanks. Access and refresh tokens would be great
Thank you for the good feedback.
I will make a video about refresh token
Thank you brother, this is inspiring and really helped me a lot, thank you. Can you please help create a lecture on messaging queues like Kafka or RabbitMQ? Stay blessed
Thank you for the feedback.
MQ is coming soon
Amazing work! Just a question: why do we generate a JWT token in both the register and the authenticate methods? In my understanding, in register the token is generated and then in each coming request the user must pass the JWT token. Also, I thought that one user has only one token associated with him, so the relationship between user and token should be one-to-one and not one-to-many? Thanks
Totally true what you said.
Just as I mentioned in the video, it is just for the tutorial to have a token after registration.
But in real life no need for it.
Feel free to adjust as you need
Amazing, thank you, and please keep uploading videos like this because we really learn a lot from you.
Thanks 🙏
I will absolutely continue uploading.
You’re my source of motivation
Thank you for your tutorial. I have a question: if every time the user authenticates and logs out the token is set with revoked false and expired also false, then the database will contain corrupted fields. It's redundant and makes the database bigger when having to store the data. Can I clean up that extra data?
Great video @Ali Bouali. I have a question. For you, what is best for implementing JWT: a custom JWT like you did, or using an OAuth2 resource server which holds the JWT implementation? In the latter case, how do you implement logout?
Thanks
Both of them are JWT based.
You can use both of them.
I'm working on a new course that covers both JWT and OAuth 2 with a frontend built with Angular.
I will publish a waiting list soon enough so you can register and get a discount
@BoualiAli thanks
Thank you so much for this and your other Spring Security videos! Your work is truly wonderful; please keep it up!
Thank you! Will do!
I also watched the previous video about JWT. These videos are very straightforward and to the point. Just a little remark: why do you use var declarations instead of naming the proper type?
It is just shorter to write 😅
Hello Mr Bouali, I understood that storing the JWT in the database could be seen as bad practice because of performance concerns. How do you counter this argument? THANK YOU.
Excellent video.
Would you create a video using Angular to logout?
Great suggestion!
Nice content. Thank you
Glad you liked it!
Can you also make videos for authorization using database roles instead of an enum?
@ramakrishnamogilipuri1647 will do that
Thanks Bouali! These security vids have been a great help ❤. You are awesome!!! Just wondering if you're going to do a change password vid too? Forgotten password and e-mail verification?
Yes I will
Thanks for this video Ali !
My pleasure
I think that in the LogoutService, before clearing the SecurityContextHolder, in addition to checking for the existence of the token in our database, we should also check that it's not been revoked or expired.
Awesome tutorial man! 48:20 was spot on, you got me right there.
Awesome, thank you!
16:50 The query will return the tokens for the user that are either not expired or not revoked, which means that it will include tokens that are expired but not revoked, as well as tokens that are revoked but not expired. Was that the intention, or should we return tokens that are neither expired nor revoked?
For example instead of:
```
where u.id =:userId and (t.expired = false or t.revoked = false)
```
We can return non-expired and non-revoked tokens:
```
where u.id = :userId and t.expired = false and t.revoked = false
```
Thank you so much AliBou!! This is very helpful. Can you make a video on logout from a Keycloak auth server generating the JWT token?
Yes, soon
Really useful videos, keep going! I appreciate your course videos
I'm really happy that you like my content. This motivates me to create more
Amazing video, it was so helpful.
My question is: why don't we delete the old token instead of setting it expired?
Thank you.
You can set up a bash script to clean up the database every period of time.
Excellent Ali, I don't miss any video, I learn a lot from you 😎
Happy to know that.
This motivates me
Thanks a lot Bouali. It was very beneficial as always. I really admire your high quality work and please continue creating more content.
Happy you liked it
@BoualiAli Thank you Ali
Hi Bouali, thanks for the amazing videos on JWT.
My question: in the first video, why are you only checking that the token belongs to the user and does not expire during validation? Where do the secret key and the signature play a role during validation?
Can't I just create my own token and map it to a valid user, and it will still be marked as valid?
Decoding the token uses the secret that you generated. And it should be a secret, of course 😁
To have your answer, I would ask you to generate a random token with a different secret (you can use the jwt.io website for that) and pass it to the backend, and then you will see if it passes or not.
Reply to this comment with your feedback.
Looking forward to the result 🤛
@BoualiAli Tested and I got the error io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
It seems like during decoding it is not base64 decoding the payload, rather decrypting the signature and extracting the subject from there. Thanks, exactly as you said
Thanks for the video!
Why do you have expired and revoked flags? From my point of view the expired flag is useless and confusing, because a token might not be expired but only revoked. They are two independent states.
I mentioned in the video that these flags might be helpful in the future. Maybe not in this tutorial
Please create a video of how to implement the refresh token, thanks for your work.
Working on it
Why did you use an inner join when trying to fetch the tokens at 16:56? You can do it without making use of joins!!
Also, you said you want expired and revoked to equal false, and then you use or. How is that?
Great tutorial, and the code works fine
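Added example (not from the video or from any commenter): the two predicates discussed at 16:50 and 16:56 run with Python's sqlite3 against a constructed token table that holds one token for each (expired, revoked) combination, plus the AND predicate written without the join. Table and column names are assumptions loosely following the tutorial's Token and User entities; booleans are stored as 0/1.

```python
import sqlite3

# Constructed schema (names are assumptions, not the tutorial's mapping).
SCHEMA = """
CREATE TABLE app_user (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE token (
    id      INTEGER PRIMARY KEY,
    token   TEXT    NOT NULL,
    expired INTEGER NOT NULL,
    revoked INTEGER NOT NULL,
    user_id INTEGER NOT NULL REFERENCES app_user(id)
);
"""

# One token per (expired, revoked) combination, all belonging to user 1.
ROWS = [
    ("live",            0, 0),
    ("expired-only",    1, 0),
    ("revoked-only",    0, 1),
    ("expired+revoked", 1, 1),
]

# The predicate as quoted from the video (OR between the two flags).
OR_QUERY = """
SELECT t.token FROM token t INNER JOIN app_user u ON t.user_id = u.id
WHERE u.id = :userId AND (t.expired = 0 OR t.revoked = 0)
ORDER BY t.id
"""

# The predicate proposed in the 16:50 comment (AND between the two flags).
AND_QUERY = """
SELECT t.token FROM token t INNER JOIN app_user u ON t.user_id = u.id
WHERE u.id = :userId AND t.expired = 0 AND t.revoked = 0
ORDER BY t.id
"""

# Same AND predicate without the join: the token row already carries user_id.
AND_NO_JOIN_QUERY = """
SELECT token FROM token
WHERE user_id = :userId AND expired = 0 AND revoked = 0
ORDER BY id
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO app_user (id, email) VALUES (1, 'alice@example.com')")
    conn.executemany(
        "INSERT INTO token (token, expired, revoked, user_id) VALUES (?, ?, ?, 1)", ROWS
    )
    return conn


def tokens_for(conn: sqlite3.Connection, query: str, user_id: int = 1) -> list:
    return [row[0] for row in conn.execute(query, {"userId": user_id})]


def compare() -> dict:
    conn = build_db()
    try:
        return {
            "or": tokens_for(conn, OR_QUERY),
            "and": tokens_for(conn, AND_QUERY),
            "and_no_join": tokens_for(conn, AND_NO_JOIN_QUERY),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, found in compare().items():
        print(f"{name:12s} -> {found}")
```

The OR form returns three of the four rows (everything except the token that is both expired and revoked), so the revoke loop also re-flags tokens that are already dead on one axis; the AND form returns only the token that is still both unexpired and unrevoked. The join-free query returns the same rows as the joined AND query, which is the point raised at 16:56.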
Happy to know that
Well done, keep up the amazing work!
Thanks, will do!
Thanks for the video, a lot of useful info in it! One question though: with JWT tokens, since they are stateless, is the logout part on the backend really necessary? Can it present any security issue, or is it enough to stop the user from accessing secured resources if it is handled on the frontend, invalidated there or deleted from local storage?
It is also enough to delete it from local storage in the frontend.
But this is a double check and a total logout, revoking the token.
Many have requested such functionality, so I answered the call 😁
@BoualiAli Thanks for the quick answer! Sure, a double check definitely can't hurt :D
Thanks for the tutorial. I have a question:
How do we allow access to another resource like /api/v1/course when we have already logged in (api/v1/auth/) with a token? So we will not provide a token every time to another resource?
For secured resources, you need to always pass the token
@BoualiAli okay sir, I noticed
I have a question: at 43:11, why do you inject the logout handler as LogoutHandler and not as LogoutService?
Using the service is safe and makes the app loosely coupled.
Before watching this video, after doing the login process and using it in my React project, with user register and login, I save the token in storage to use for other APIs. Is this good or not? And when they choose to log out I destroy the token with storage.clean()
Hello and thank you for your video. In terms of JWT logout, you are assuming we are doing authentication against a database where we record the JWT and have a flag indicating if the token is revoked, meaning the user has logged out.
But more often than not do we use a database to record that. Often we authenticate against LDAP, for example. There, we don't have such luxury. How do you log out if we don't have the user in a database table, or we don't have the luxury to touch the database and add these fields for tracking JWT revocation?
You can use a caching mechanism (Redis maybe, or even a system cache) to store and invalidate tokens.
But don't forget to invalidate the token when the application stops (this is the downside of using a cache).
Otherwise you can have a case where a token is still valid for the user but not existing in your cache, you need also to take care of that use case.
I hope I guided you through what you need
I never used Redis.
Is it implemented in the API or on the client side?
What if the API (or client) is restarted? Does the user have to log in again?
@dinobulja Redis is also backend
Q2: depends on your logic, I would say yes, the user needs to re-login
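Added example (not from the video or from any commenter): two in-memory revocation stores for the no-database case discussed in this thread, written in Python with a plain dict standing in for Redis. AllowList is the approach the replies above describe (every valid token is stored and removed at logout); DenyList is the alternative of storing only the ids of logged-out tokens until their own exp. simulate() shows what a cache restart does to each: the allow list logs everyone out, as the reply says, while the deny list forgets the revocations and accepts the logged-out token again until it expires. Class names, token ids and timestamps are constructed.

```python
from typing import Dict


class AllowList:
    """Every issued token id is stored (jti -> exp); logout removes it.
    A token is accepted only while its id is present and unexpired."""

    def __init__(self) -> None:
        self._live: Dict[str, int] = {}

    def issue(self, jti: str, exp: int) -> None:
        self._live[jti] = exp

    def logout(self, jti: str) -> None:
        self._live.pop(jti, None)

    def accepts(self, jti: str, now: int) -> bool:
        exp = self._live.get(jti)
        return exp is not None and now < exp

    def restart(self) -> None:
        # A process restart empties a non-persistent cache.
        self._live.clear()


class DenyList:
    """Only logged-out ids are stored (jti -> exp) and kept until the token's own
    exp, so the store stays bounded by the token lifetime."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def logout(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        # Entries whose token has expired anyway can be dropped.
        for jti, exp in list(self._revoked.items()):
            if now >= exp:
                del self._revoked[jti]

    def size(self) -> int:
        return len(self._revoked)

    def accepts(self, jti: str, exp: int, now: int) -> bool:
        # Signature and exp are verified by the JWT library before this check;
        # here only the revocation status is consulted.
        return now < exp and jti not in self._revoked

    def restart(self) -> None:
        self._revoked.clear()


def simulate() -> dict:
    now = 1_700_000_000
    exp = now + 3600  # constructed one-hour token lifetime
    results = {}

    allow = AllowList()
    allow.issue("t1", exp)
    allow.issue("t2", exp)
    allow.logout("t2")
    results["allow_before_restart"] = (allow.accepts("t1", now), allow.accepts("t2", now))
    allow.restart()
    # Both tokens are refused: every user has to log in again.
    results["allow_after_restart"] = (allow.accepts("t1", now), allow.accepts("t2", now))

    deny = DenyList()
    deny.logout("t2", exp)
    results["deny_before_restart"] = (deny.accepts("t1", exp, now), deny.accepts("t2", exp, now))
    deny.restart()
    # The logged-out token is accepted again until exp: the store fails open.
    results["deny_after_restart"] = (deny.accepts("t1", exp, now), deny.accepts("t2", exp, now))

    deny.logout("t2", exp)
    deny.prune(now + 10)
    results["deny_size_before_exp"] = deny.size()
    deny.prune(exp)
    results["deny_size_after_exp"] = deny.size()
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Either store needs the cache to survive restarts (Redis persistence, or a short token lifetime that bounds the window); which failure mode is acceptable, forced re-login or a briefly resurrected token, is the design decision the question above is really about.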
Great tutorial!
But what is the use of the expired flag in the token if we never use it?
Can't we just get away with the revoked flag?
It is just for you, for maybe some future needs and different logical implementations; otherwise you can rely on one of them
Perfection !!!! 👍
Glad you like it!
Hi, are we updating the database accessToken expired parameter when the accessTokenExpiration time finishes?
I didn’t get your question can you please elaborate more?
How can I implement the same in a microservice context?
Sir, please do a single microservice project with an event-driven approach (Kafka or Saga / Axon Server)
You can implement the security on the gateway level.
I recommend using OAuth 2 provider like Keycloak (free, open source)
Regarding event driven approach, it is coming (working on it)
Thank you again, it's very clear !
My pleasure ❤️
Good Job Thanks
My pleasure
Thanks for this sweet video
Happy you liked it
Amazing, Thank you
Great video! Could I replace the token with the jti?
Yes you can!
great
Thanks Sir, really helped
Happy you liked it
Great great video.
Quick question: can't we delete the tokens instead of setting revoked and expired to true? I'm saying this because the table will grow tremendously and that's going to be so much unneeded data. Any concern with doing this?
It is also possible. You can adopt this as a solution
I think it can be useful if you create a scheduled task that runs every month, for example, that clears that data.
@khalilmarzouki636 also a good idea 👍
@khalilmarzouki636 really? But why not immediately? Why do you think we should not remove the token immediately?
@ngozikalu6938 you can do whatever you want; maybe it's good to clear that data immediately, but I think you can find other uses for it, maybe use it for keeping a trace of users (when exactly they logged in)
Thanks and Keep It Up Bro
Thank you. I will
Good job, keep going Ali 🤩🤩
Thank you 🙏
This was a great add on to the Spring Security with JWT video! Thanks so much! This works great when testing in Postman, but when I test it from a browser (using axios in React) I cannot seem to avoid CORS violations. I can use @CrossOrigin on my REST controllers. Is there a proper way to configure the logout CORS policy?
Maybe you can add this in your security config:
```
http.csrf().disable()
    .cors().configurationSource(new CorsConfigurationSource() {
        @Override
        public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
            CorsConfiguration config = new CorsConfiguration();
            config.setAllowCredentials(true);
            // Spring rejects the "*" origin together with allowCredentials(true);
            // list the real frontend origin(s) here (placeholder value below).
            config.setAllowedOrigins(Collections.singletonList("http://localhost:3000"));
            config.setAllowedMethods(Collections.singletonList("*"));
            config.setAllowedHeaders(Collections.singletonList("*"));
            config.setExposedHeaders(Arrays.asList(
                    "Authorization", "X-Total-Count", "Link",
                    "Access-Control-Allow-Origin",
                    "Access-Control-Allow-Credentials"
            ));
            return config;
        }
    }).and()
    // ... the rest of the filter chain configuration follows here
```
You just need to add a cors bean
Thank you very much Bouali for your tutorials, I'm a big fan and they helped me a lot in the past. I have a question though: I've implemented the logout like you did in the tutorial and I'm using an Angular client, but I'm having trouble making the POST request to /api/auth/logout. Do I need to add this in my controller? I cannot invalidate the user token calling from the frontend. Has anyone else had this problem and can help me out here?
Can you give more details? How do you call the endpoint?
Thank you. Good job!
Glad it was helpful!
Hello Bouali, incredible explanation and, as always, very useful content. So, I have a question: this implementation is solving the multiple concurrent sessions problem, isn't it? Because I had an ethical hack just a couple of weeks ago and that was one of the problems to solve.
Really happy you liked it
Yes it should
Thank you so much