Spring boot 3.0 - Secure your API with JWT Token [2023]
- Published 8 Jul 2024
- Buy me a coffee: ko-fi.com/boualiali
Are you looking to secure your Spring Boot applications and keep them safe from unauthorized access? Look no further! This tutorial is the perfect solution for you.
In this course, you'll learn everything you need to know about using Spring Security and JSON Web Tokens (JWT) to secure your applications. We'll start by teaching you the basics of Spring Security and how it can be used to authenticate and authorize users in your application. From there, you'll learn how to implement JWT to provide a secure, stateless method of authentication.
👉🏻 Source code: github.com/ali-bouali/spring-...
Table of contents
00:00 Intro
01:55 How JWT security works
07:26 Create a new spring boot 3.0 project
09:28 Add Data source
12:28 Connect to the database
17:12 Create user class
20:05 Transform the User to an entity
25:22 Extend the user to UserDetails object
33:32 Create the user repository
35:50 Create the JWT authentication filter
40:58 Checking the JWT token
44:32 Create the JWT service
47:56 Add the JJWT dependencies
49:59 What is a JWT token
53:06 Extract claims from JWT
55:23 Implement the getSignInKey method
01:00:07 Extract a single claim from JWT
01:01:51 Extract the username from the token
01:02:52 Generate the JWT token
01:08:15 Check if the token is valid
01:11:22 Check the user existence in the database (JwtAuthFilter)
01:15:13 Implement the UserDetailsService
01:19:38 Update the SecurityContextHolder and finalise the filter
01:23:53 Add the security configuration
01:32:51 Create the authentication provider bean
01:36:41 Create the authentication manager bean
01:38:14 Create the authentication controller
01:40:55 Create the authentication response class
01:41:47 Create the register request object
01:42:50 Create the authentication request class
01:43:22 Create the authentication service
01:45:37 Implement the register method
01:49:28 Implement the authenticate method
01:52:17 Update the security configuration whitelist
01:53:35 Create a demo controller
01:54:55 Test the changes
You have no idea how much you have helped me. Due to other tutorials being backdated, I just couldn't find a proper step by step procedure on how to implement jwt in spring boot. You saved my university major project. I wish you lifetime of happiness and health.
Really happy you liked it
@BoualiAli A small error check: the token will get expired in only 24 minutes not 24 hours. Apart from that everything is crystal clear.
I want to give you a huge thank you. I've been struggling with this for days due to other tutorials being outdated. You really saved the day.
Glad I could help!
Many thanks! Your tutorials are absolutely fantastic. Pure gold! The content, your delivery and the speed - everything is just perfect. Sending loads of love your way!
Glad you like them!
May God reward you with good
It's amazing content
Thank you so much for this fantastic Spring Security video! It was incredibly helpful and provided me with valuable insights. I really appreciate the clear explanations and the practical examples demonstrated throughout the tutorial. Your expertise and teaching style made it easy for me to grasp the concepts.
Glad it was helpful!
Thank you so much for this fantastic Spring Security video!
Glad you enjoyed it!
Thank you so much, very well explained! Very useful!!
Very awesome tutorial, great explanations on the concepts, easy to follow along. I have really learned a lot Ali. Looking forward to learn more courses on Springboot and Java.
Thank you so much for your feedback 🙏
Perfect! This is the most well explained tutorial I have seen and I have seen many regarding the discussed subject.
Happy you liked it
Wonderful ! thanks for the effort and clear tutorial!
My pleasure
Great work and content! Thank you very much for this.
Happy you like it
I just finished this tutorial and trust me, if you want to learn about Spring Security using JWT, this is the way. Thanks @Bouli Ali for such awesome content
I really appreciate your great and honest feedback.
This keeps me motivated to provide more and better content
Loving this. Great start as I migrate to Spring Boot 3. Thanks man 🔥.
Happy to know 🔥
Your tutorials are really helpful for me as a beginner. Thanks a lot!!!
Your way of teaching is really nice and I feel if you show an implementation video at the start of the tutorial we can easily understand what we are going to build
Again, thanks a ton!!!!
Thank you very much for this. this was great. you have gained a subscriber forever!
So happy and proud to have you here
Gold. 👍
Thank you.
Happy you liked it!
Thank you too!
Amazing course, i get all workflow about jwt spring security, how to extractAllClaims, single claims, how to use JWTAuthenticationFilter and more. Thanks for this update spring security jwt and hope you take care of you!! Great time!!
Fantastic!
Thank you Ali!
this is the video perfectly understand the spring security for me. Thank you so much @Bouali Ali
Happy you liked it
Amazing content. Thank you for your good work to enable us acquire skills.
really happy I helped you learn
Absolutely great tutorial!
Happy you liked it
Interesting! Mister Bouali ...
Thank you
Thanks a lot man, your explanations are the best! Subscribed! I will see the refresh token vid now :)
Thank you 🙏. Check the spring security playlist for more videos
What a great video! you have gained a subscriber forever!
You’re welcome forever
thank you for this video!
My pleasure
Great Video Bouali ! I have learned many things. Subscribed your channel also . Thanks a lot !
Great to have you
Great video man, I have recently started learning Springboot and there wasn't many content for 3.0 out there, was exactly looking for this, the way you explained everything was very well done and understandable, Thanks and Keep it up!
Thank you for the great feedback.
I had the same issue and it turns out I had left User's isEnabled() to false, when it should be true.
This is just what I needed, great explanation and the most important, it works!!! , Thanks and greetings from Colombia.
Great to hear!
Greetings from 🇹🇳
Very awesome tutorial, great explanations on the concepts, easy to follow along
Glad you liked it!
Thank you from South Korea!
how is the job Market in Seoul for Java Devs, I am in China and looking for new opportunities in other countries
Thank you so much bro ! Best tutorial I've ever seen.
Glad you think so!
Great Video, you saved my life on a bug that I've been searching for so long since I migrated to spring 3.0, Keep it up! from Tunisia
My pleasure bro
I like Tunisian people 🇹🇳
Good job, and I really appreciate you so much.
Thank youuuu
This video made all my doubts clear. Thank you so much.
Really happy you liked it
Too good. Awesome.
🙏 thank you
this tutorial is very helpful. thanks a million
My pleasure
love the way u teach (:
Great Job Ali,
this is the best Tutorial I ever see.
I like and Subscribe right now.
More than happy to have you here
Hello, it was a great step-by-step tutorial. The things that weren't clear to me became clear after I watched this video for the second time. The only moment (just statistical) - the token expiry date wasn't 24h from the moment of creation. 1000 ms -> 1s; 60 * 1000 -> 1m; 60 * 60 * 1000 -> 1h. So adjustment should be settled to 24 * 60 * 60 * 1000. Your token expiry date is 24 m.
True, but just for the sake of the tutorial I removed the *24 to have short living token.
Sorry for the confusion
It is astonishing with what fast pace spring boot is moving forwards. A lot of the methods shown here are already deprecated and marked for removal.
Great explanation !! Thank you very much, u're awesome
Glad you liked it!
OMG this is the most awesome tutorial I've ever watched
Thank youuuuuu. Happy to know that
thank uuuu so much !!!
Great Video, thanks a lot
Glad you liked it!
thank you khouya, thank you very much for your effort.
My pleasure
Thank you very much. you save me and my university project. Subscribed
Glad I could help!
awesome tutorial!
Glad you liked it!
Excellent tutorial
Thank you
great content, I'll be finishing the one on amigos code cause I'm still using spring 2.7, I'll book this video once I upgrade!
That’s good
thanks for your efforts
Welcome 🙏
great!
Thanks
I just discovered your channel, what a great content, Allah y3tik lkhir
Thank you so much 😊
Amazing course, I learned so much! It is even more amazing the code you gave on github, however I wish I could have some explanations on all the additional stuff there is in the repo
Happy you liked it!
Just follow the playlist order and you will get each line of the code
I was struggling to learn this, thank you so much for this video. It helped a lot
I’m happy to help
@BoualiAli what changes to make in order to specifically allow USERS to one endpoint? .hasRole("USER") doesn't work SecurityConfiguration
@muniapriyansu8805 you need to add the annotation @EnableGlobalMethodSecurity on the security config class and the @PreAuthorize will work like a charm
I have another spring security in the same playlist that explains authorization and how it works
Thank you very much for the explanation and for sharing the repository 🤓
My pleasure!
thank you very much for the information and excellent explanation
Glad it was helpful!
Thank you 🎉
You’re welcome 😊
Good job aloulou ;)
thank you 3chiri
thank you so much for the course, it is very helpful. I hope you could make a continuation video implementing the APIs in Angular. I'm really stuck right now
Happy you liked it
I'm already preparing a video for that
Great video Bro keep going 😀😀😍
Thank you, I will
Thank you for your efforts, your brother from morocco..
Keep it up 🙂
My pleasure
baraka al Allahu fik. Keep up the good work!
my pleasure
Check the new one, it is more updated with no deprecations
@BoualiAli Awesome! may you share the link for it?
@mahmoudotri6103 check the videos and you will notice it. It is a recent upload
I am subscribed
Really happy you liked it
that's perfect, please keep on keeping on!! could you please tell how you learned it and how you would recommend people learn it?? imho documentation usually gives the "What" about everything in it, not "Why"
Thank you so much, I followed this guide and everything works great. I have a question though. In the isTokenValid method of JwtService we check if the username(email) from the parameter userDetails is equal to the username found in the token. However the parameter userDetails is always acquired from the username found in the token (e.g. in AuthenticationService or in JwtAuthenticationFilter). So the way I see it we extract the username from the token and then check if the extracted username is equal to the username found in the token. Won't that always be true?
really great video!!!! thanks!!! I would adapt the title just put (registration & login) because YouTube does not show your video, when searching for spring boot registration & login
Thanks for the tip!
❤️👏👏
Hi Ali, if possible, could you show the imports of the class briefly after you finish with a class, for comparison next time? Thank you!
Check the code on Github
thx
Great content, thank you. can you please provide a tutorial in Oauth2 implementation in spring boot 3 (Authorisation server + Resource server) using JWT?
Working on it
Thank you very much for explaining to us how jwt works under the springboot 3 to do whole authentication part, would you give a follow-up with the role based version in the next upcoming videos?😁
Sure thing!
@BoualiAli thank u so much, after watching your old 2.0 role based version and your comment down below I assume using EnableMethodSecurity as well as preAuthorize can do this. But for controlling the role to limit on CRUD or refresh token I have no clue
Great! One question, you take the jwt of the authenticate(log-in) to send the Demo Controller request. If I use jwt I got from Register, it is the same ? In simple words, if I want log-in directly after the register (and not log in again), is there any extra step I need to do? (for example set SecurityContextHolder). I guess both in log-in and Register the SecurityContextHolder must be set ! Thanks !
For the Spring Security package to be complete on your channel, could you please make a video explaining how to configure CORS using Spring Security? For example, as routes from other origins that need authentication with the head "Authorization" in the request, I would be very grateful
Coming soon 😁
Hi! Great Tutorial! One of the best I ever seen. I have only one problem, I can still add more users with the same email. You don't check this in tutorial too.
Thanks for the comment.
Yes duplicated users are not prevented. Add @Column(unique=true) on the email field and it will fix it
🥳🥳🥳
This is soooooo long! Thank you for doing everything step by step but it's my request please bring a Course on Spring Security where you can explain things on a slow pace. That would help us get more clarity.
Sure
Thanks for the video, it's so useful!
What setting you are using for your Intellij, looks good :)
Thanks for the feedback
It is the new ui from the latest version of intellij
16:50 You don’t need to specify the driver-class-name since Spring Boot can deduce it for most databases from the url. See Spring Boot 3.0 Data docs.
True, but if I don’t specify it people will ask about and I forgot to mention that in the video.
Good comment 👍
Awesome, I love your explanation. Can you make video on Spring boot 3.0 - Webflux with JWT Token
I will take note of that.
I’m preparing a new video that you’re gonna love absolutely
@BoualiAli I’m waiting
thank you for your tutorial, I hope you do a tutorial for spring boot microservice security JWT
I’m preparing something already
Randomly found this channel. Wonderfully explained. Thanks a lot. Just a request, could you paste that key generator url in the description?
You can check the code in my github account (link in the description)
Thank you for your awesome tutorial! I learn a lot from your video. Let's say if we had multiple microservices and Spring Cloud Gateway routing to process requests to those (downstream) services. I was wondering if you could let me know how we can apply the jwt from your video (user microservice) to other microservices as a global one.
Thank you once again for your time and consideration!
It works the same way.
Just implement it on the api gateway level
Really happy to have you here
Hello sir, I saw the video tutorials and these are awesome, like each and every topic will be covered in videos. One request from my side: for desktop native application using electron js with angular, a detailed project like a books library project, if possible please consider it in your upcoming playlist because no one is on YouTube who is doing electron js tutorial.
I will try my best
Hey, @BoualiAli awesome tutorial and content on the channel at all :D
You are doing a great job. :)
I have one question. How can this code be improved, what can I do additionally to secure my app better?
Use OAuth2
Thank you very much for the quality content Ali. Just a small query, how can we make sure the /register endpoint isn't open to everyone. I mean there should be a mechanism to let only specific people register and access my api who know something (may be a secret key).
Thanks for the feedback.
In this case, you can restrict access to your app/api via the network (ingress) and you allow specific white list ip addresses (aws security groups with vpc / ec2 for example)
I can't really express how you are amazing Mr. Bouali. The explanation is clear and straight to the point.
I wanted to ask you if there is a way to not to hit the database for each request as this will be overhead for it. can we make it in the register & authenticate part only?
You can implement caching
@BoualiAli can you please recommend me a good way for In memory caching? or any other way that make me avoid using things like Redis aka other database with its own server?
From JavaDocs - method parseClaimsJws() throws some Exceptions (ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException...). Can we catch those instead of creating methods like isTokenExpired() etc...?
yes
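The pattern asked about in the comment above, as an added example that is not taken from the video or its repository: `parseClaimsJws()` already verifies signature and expiry, so one validation method can catch its exceptions and return nothing on failure. It assumes JJWT 0.11.x on the classpath; the class name `JwtValidationDemo`, the method names and the sample tokens are hypothetical, and the token lifetime is passed as a `Duration` so its unit is explicit.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.security.Key;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;

// Hypothetical demo class; assumes jjwt-api, jjwt-impl and jjwt-jackson 0.11.x.
public class JwtValidationDemo {

    // Duration states the lifetime with its unit instead of a bare millisecond product.
    static String generateToken(String username, Duration lifetime, Key key) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(lifetime)))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    // Returns the subject only when structure, signature and expiry all pass.
    static Optional<String> validatedSubject(String token, Key key) {
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(key)
                    .build()
                    .parseClaimsJws(token) // checks signature and exp in one call
                    .getBody();
            return Optional.ofNullable(claims.getSubject());
        } catch (ExpiredJwtException e) {
            // The exception carries the parsed claims, which helps when logging.
            System.out.println("rejected: expired at " + e.getClaims().getExpiration());
        } catch (JwtException e) {
            // Parent of MalformedJwtException, UnsupportedJwtException, SignatureException.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: null or empty token");
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);      // constructed demo key
        Key otherKey = Keys.secretKeyFor(SignatureAlgorithm.HS256); // stands in for a forger's key

        // Constructed sample tokens.
        String valid = generateToken("user@example.com", Duration.ofHours(24), key);
        String expired = generateToken("user@example.com", Duration.ofMinutes(-1), key);
        String forged = generateToken("user@example.com", Duration.ofHours(24), otherKey);

        for (String token : new String[] {valid, expired, forged, "not-a-jwt", ""}) {
            System.out.println("accepted: " + validatedSubject(token, key).isPresent());
        }
    }
}
```

In a filter, an empty result means the request continues unauthenticated, so no separate expiry check is needed before the user lookup.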
Nice content boss, it was really helpful.
I've fallen in love with your IDE, is it an intelliJ theme or a newer version of intelliJ.
I really do need it
Thank you for the feedback.
It’s the new Intellij design from the latest version
@BoualiAli Yes, I use the new version. But which theme is it? 🙂
Can you please make a tutorial about authentication and authorization exception handling. Like where to throw exceptions if invalid credentials were prompted or JWT related exception 🙏
Check the exception handling video. You have the answer there
Hi, I have implemented your project for me for all the api in Auth Controller I am getting 403 error.
Thank you for your great explanation. I watched this video many times, it's very clear. Can we have the sources of your project?
Hello,
The repo is in the description of the video
Hi Ali, thanks for these awesome tutorials! I have a question, how can I exclude some packages or URLs from the authentication, something like /health, /docs, etc. I have tried to override the method shouldNotFilter but it does not work for me
Add these urls to the .permitAll()
Check the openapi video (same playlist) and you will see the exact code you’re looking for
When I add "private final JwtService jwtService;" Could not autowire. No beans of 'JwtService' type found.
Don’t forget the @Service
I'm unable to load the allkeysgenerator webpage with the exact same address. Anyone knows what issue could be? I'm getting resource cannot be found error.
Firstly thanks for this video. Could you explain how to set token expiration time and refresh token expiration time. Thanks again. Greetings from Turkey 🇹🇷
I will create a new video about refresh token asap.
Greetings
thank you for the video. Do you have a video about CSRF ?
I will take note of that and make one soon enough
Thank you very much for the content! Can you write for us the non deprecated solution for setSigningKey() and parseClaimsJws()?
Yes, check the playlist and the videos and order by publish date
MapStruct tutorial one of these days showing us how to use Entity & Dao for more consistency data modeling? thanks a lot
Can you explain better please? I didn’t fully get it