Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens

  • Published 2 Oct 2024
  • In this tutorial, you are going to learn how to secure your Spring Boot REST APIs using JSON Web Tokens (JWT) with Spring Security.
    🔗Resources & Links mentioned in this video:
    Blog Post: www.danvega.de...
    WebSecurityConfigurerAdapter: • Spring Security withou...
    👋🏻Connect with me:
    Website: www.danvega.dev
    Twitter: / therealdanvega
    Github: github.com/dan...
    LinkedIn: / danvega
    Newsletter: www.danvega/de...
    SUBSCRIBE TO MY CHANNEL: bit.ly/2re4GH0 ❤️

COMMENTS • 285

  • @ParnianAndIlian 1 year ago +14

    Hi Dan, This is the tutorial that was missing in 2022. Thanks a lot. I was struggling with those outdated tutorials and dependencies to make a working solution. This saved me lots of time. Looking forward to your next videos.

    • @Scorpion2321-o9o 1 year ago +2

      Same. The docs mention some stuff that is new, but honestly the Spring Boot docs are not for beginners.

  • @voiceofeverything 1 year ago +3

    Great video. This is like the only guide about this topic that is quite easy to follow and does not break your spirit (I have tried to follow like 2 different videos just to realize halfway into 3 hour videos that the implementation was changed/got deprecated and I wasted my time).

  • @luisferdev 1 year ago +1

    Thank you Dan, this video helped me a lot to understand how to generate JWTs in Spring. It is the only site where I found an explanation that uses the new version of Spring Security and works. Regards from Colombia.

    • @DanVega 1 year ago

      Thank you! I'm glad my videos are helping.

  • @GiftNestah 1 month ago +1

    Just what I needed after struggling with an issue whereby a single user's token expiry invalidates all other users' valid tokens leading to error 403 even for authenticated users. Thanks a lot for this 💯💯

  • @bobgner 2 years ago +4

    Thank you for making this tutorial. As you mentioned in the beginning, there are so many more complicated ways of doing it out there because they are not using what is built into Spring Security. I unfortunately had used one of those more complicated ways, so now I'm going to use what I learned in your tutorial to simplify my project code!

    • @DanVega 2 years ago +1

      Thank you Bob. Glad I could help out.

  • @Learn_with_cosmos 1 year ago

    I am a nodejs and Golang API. I found this tutorial very helpful for my current work using Spring Boot.
    One thing about Spring Boot is that, when you use Spring Boot with a higher version, some errors like this show up:
    This error occurs in the NimbusJwtDecoder.validateJwt method of the org.springframework.security.oauth2.jwt.NimbusJwtDecoder class. The NimbusJwtDecoder class is used to decode JSON Web Tokens (JWTs) and is part of the Spring Security OAuth 2.0 framework.

  • @AleksandarT10 2 years ago +27

    Great video! Really helpful to get people started with the latest Spring Security stuff and JWT! A few questions/comments though:
    1. It would be good if you could extend the GitHub repo and add a branch which shows the symmetric key approach - I guess it would be easy for the Decoder as you mentioned, but I would like to see how to change the Encoder
    2. Maybe to make it more realistic, instead of HttpBasic it would be good to have a UserNamePassword Authentication where the user calls an endpoint with username/password as body and the token generation happens based on that
    3. Building on top of 2), it would be great if this gets connected to a database where hashing + salting is used, as this can be used as a starter for real projects
    4. Having roles in the example/video would be great
    Looking forward to your next video Dan!

    • @DanVega 2 years ago +4

      Great suggestions. Thank you Aleksander

    • @lukamaletic9557 1 year ago +1

      Is there any tutorial that would build on top of this? I need the DB connection for users...

    • @NARESHBHADKE 8 months ago

      @lukamaletic9557 You could inject UserDetailsService in SecurityConfig rather than InMemoryUserDetails

      // Look users up through the repository instead of the in-memory store;
      // the entity returned by findByUsername must implement UserDetails.
      @Bean
      public UserDetailsService userDetailsService() {
          return username ->
                  userRepository
                          .findByUsername(username)
                          .orElseThrow(() -> new UsernameNotFoundException("user not found"));
      }

  • @mrkostya008 1 year ago

    Finally, an informative tutorial that ACTUALLY uses BUILTIN jwt tools, and not some filters and JwtUtility classes to secure an app

  • @drbulltrader9107 1 year ago

    I really appreciated this video. Wishing your channel gets bigger and bigger.

  • @jirivrba3800 2 years ago +2

    Thanks Dan, really educative content that's very well and clearly presented. Exactly what I was looking for!

    • @DanVega 2 years ago

      Thank you, glad I could help out.

  • @leonzer8257 2 years ago

    Thank you very much! Greetings from Greece!!!

  • @robertinnoelson6378 4 months ago

    Awesome Dan! Thanks for the rich tutorial

  • @marekj3759 1 year ago +1

    Very good video. If anybody hasn't mentioned it yet, it would be good to replace the inMemory user with a UserDetailsService on a database. Additionally, securing the REST API with roles. The video would be a bit longer than 1 hour, but would cover the topic from A to Z

  • @arlekino65 1 year ago

    Thank you Dan. I meant A LOT!
    Would you consider creating a video for those like me with a title "How to read Spring documentation and connect things together"? Lol. Thanks again!

  • @sharifyy 7 months ago

    I really enjoyed this video. Thank you for providing such great content.

  • @neerajagrawal3211 5 months ago

    Great information. I think a simple video would also be helpful which explains how to protect an API using Okta or Keycloak, since in most situations you don't write the authorization server yourself.

  • @rajansonvane488 1 year ago +1

    Wonderful. Very helpful. Thanks for sharing!!

    • @DanVega 1 year ago

      Glad it was helpful!

  • @temptrue3322 1 month ago

    Top quality content. Very informative.

  • @toan1nguyen674 11 months ago

    Thanks for the asymmetric RSA keys knowledge you've shared.

  • @paulo__vieira 1 year ago +1

    For me as a complete beginner it was so easy to follow. Thanks for this tutorial, it was really helpful.

    • @DanVega 1 year ago +1

      You're very welcome!

  • @bejobarokah3485 1 year ago +1

    Thank you for the tutorial

    • @DanVega 1 year ago

      You’re welcome 😊

  • @alx1024 1 year ago +5

    Hi! Great video, like all your videos! Especially now that Spring Security 6 is mixed in with older tutorials on the web this is very helpful. A suggestion: this is now already deprecated: ".oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)" and has to be replaced with ".oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))". Also a question, how do you get this snippet-functionality at 30:00?

  • @samahmahdi5511 4 months ago +2

    Thanks a lot, can you create a new video for Spring Boot 3?

  • @svalyavasvalyava9867 1 year ago

    Wonderful tutorial, thank you very much 😊

  • @x2TruNation 1 year ago +4

    Hey Dan,
    New question, obviously us as viewers are following along and just basically copying the code that you write down - but you seem to know exactly what we need and why we need it.
    Are there any resources you can point me to that could potentially help me understand the architecture of Spring Security in more detail but also how you learned this to a point where you just know what you need to use?
    Bit of a loaded question, but I'm keen to learn as much as possible. Right now all it feels like is that I'm copying code from you without truly understanding why we're doing certain things.
    Cheers

  • @starterdev 1 year ago

    Thanks for the video ❤

  • @fabricio.entringer 2 years ago +7

    Hello @Dan, it's amazing! Great video. Please keep producing videos regarding Spring Security, I think it's a black hole in the Spring modules. A lot of specific concepts and it deserves good videos with good explanations like yours. Congratulations and thanks for sharing the content.

  • @matyzatka 2 years ago +3

    hey, this is one great :) ... but for some reason, this error showed up after trying to run the app (26:36) :(
    Any ideas?:/ We are forced to use Java 8 which does not include records yet.. so I created RsaKeyProperties class instead..
    Parameter 0 of constructor in com.greenfoxacademy.springwebapp.config.RsaKeyProperties required a bean of type 'java.security.interfaces.RSAPublicKey' that could not be found.
    Action:
    Consider defining a bean of type 'java.security.interfaces.RSAPublicKey' in your configuration.

    • @krisztinakover8718 1 year ago +1

      I have the same problem. What can we use instead of a record in Java 8?

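    • @alexeybb981 1 year ago

      Try this one

      import java.security.interfaces.RSAPrivateKey;
      import java.security.interfaces.RSAPublicKey;
      import org.springframework.boot.context.properties.ConfigurationProperties;
      import org.springframework.context.annotation.Configuration;

      // Java 8 stand-in for the record: a mutable bean bound from the "rsa.*" properties
      @Configuration
      @ConfigurationProperties(prefix = "rsa")
      public class RsaKeyProperties {
          private RSAPublicKey publicKey;
          private RSAPrivateKey privateKey;

          public RSAPublicKey getPublicKey() {
              return publicKey;
          }

          public void setPublicKey(RSAPublicKey publicKey) {
              this.publicKey = publicKey;
          }

          public RSAPrivateKey getPrivateKey() {
              return privateKey;
          }

          public void setPrivateKey(RSAPrivateKey privateKey) {
              this.privateKey = privateKey;
          }
      }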

  • @DamLee88 1 year ago +1

    A video on Keycloak and SSO auth? Thank you! Good video

    • @DanVega 1 year ago

      Thank you for the suggestions.

  • @illyam689 1 year ago

    awesome video! subscribed!

    • @DanVega 1 year ago

      Thanks for the sub!

  • @EazzyWizzi 1 year ago

    Great Video, keep up the good work

  • @mohamedibrahim1836 1 year ago

    Also to use the authorization as a microservice and export it, import it in multiple applications across the company portfolio for an aligned one platform!

  • @TheGuroguro12 10 months ago +2

    Thank you very much!!! This is bread and butter, even honey.
    If anybody is wondering how to configure HTTP Basic to be used only for /token and all other endpoints with bearer, check Dan Vega -> how to create multiple spring security multiple configuration

    • @DanVega 10 months ago

      You are welcome!

  • @chanchhaya 1 year ago

    Thank you teacher

  • @davypaterne 1 year ago

    great video very useful

  • @aayush481 2 years ago +3

    Hi Dan, can you also please talk about how spring mvc works internally, like dispatcher servlet, how by default exceptions are handled in rest apis etc.

  • @youssouphafaye1710 2 years ago +3

    Hello, great video. By the way, can you do a video on opaque tokens that are stored in a database?

  • @marouaniAymen 1 year ago

    Thanks for this video, it is like a revelation for me. But I think it would be better if we used HTTPS instead of HTTP for our endpoint URLs because of the BASIC type login.

  • @bartomiejdziadosz8616 2 years ago +2

    That was great! What about a video about OAuth2 with Auth/Resource/Client?

  • @andytael 1 year ago

    Fantastic content! A couple of suggestions: extend this video (or create a new one) so that you actually secure a couple of REST endpoints using JWTs. Perhaps use the Spring Cloud Config Server to store the keys and the username and password, or even better the Hashicorp Vault?

    • @DanVega 1 year ago

      Thank you for the suggestion. I have added it to my content suggestion list.
      github.com/danvega/office-hours/discussions/30

    • @roman_mf 1 year ago

      Seconded Spring Cloud Config Server!

  • @rajibahmed-i2x 1 year ago

    First off, awesome video Dan. I have seen no code/logic on the resource server side to validate the token. Is this optional on the resource server end or is it a must?

  • @rajmohanparayil 6 months ago +3

    Wow. Learned a lot of very relevant security implementation in a very smooth and clean fashion and in such a short time.

    • @DanVega 6 months ago +1

      Glad you liked it!

  • @lts8683 2 years ago +2

    Thank you.
    Can you please also explain Keycloak with Spring?

  • @gerogsg2698 1 year ago

    Very good your video!!!
    I have a question for you: since you said that this is the beginning with jwt and not the goal, what other functions can I do with jwt?

  • @geeekfa3278 1 year ago

    awesome

  • @alexgutjahr 2 years ago +2

    I'm guilty of rolling up my custom solution, pulling in a third party library. Thanks for this video, Dan! Gotta refactor a bit!

    • @DanVega 2 years ago

      Thanks Alex. Hope the refactor goes smooth.

    • @IvanRandomDude 1 year ago

      For some reason 99% of tutorials and guides on the internet use that approach instead of resource server.

  • @Justin-xy2ko 1 year ago

    I love you dan vega. Minus points for not being Indian though

  • @HerrKaleu777 1 year ago +1

    Great video! Thanks a lot! I just have one question though: In Postman, you use bearer token as authorization type. The dropdown also offers "JWT token". Why did you not choose this option and took "bearer token" instead?

    • @DanVega 1 year ago +1

      I just don't think I realized there was a JWT option. At the end of the day it should be sent via bearer token so that option might just be a shortcut to do the same thing.

    • @HerrKaleu777 1 year ago

      @DanVega Thanks for the quick response and for clearing things up!

  • @intellopitt 2 years ago +2

    Amazing, how simple it is when explained by experts. Thanks for the great content. Well explained, with the right level of details to understand without getting overwhelmed.
    I still have to review the blog post if I am not missing any details.
    Looking forward to the next video :)

  • @xsendilien9551 1 year ago +2

    I can't see jwt-home-controller-test in my IntelliJ IDEA. Is this a plugin or something?

    • @DanVega 1 year ago

      That is an IntelliJ Live Template... You can basically create snippets of code and I use them for demos or for repeating common tasks like setting up a logger.

  • @happydev512 2 years ago

    Thank you very much. Can you next guide us on how to secure JWT in a frontend app? (ex: Vuejs or Nuxt) - that's gonna be awesome.

    • @DanVega 2 years ago

      Thank you for the suggestion. I will get it added to the backlog.

  • @kasimgul 2 years ago +2

    Thank you for this, Dan. I would love to see a follow up video for implementing "Refresh Token" on top of this :) I know people will love it.

    • @DanVega 1 year ago +1

      Thank you for the suggestion, it's already on the backlog.
      github.com/danvega/office-hours/discussions/27

  • @Hamzul. 1 year ago +1

    19:40 private key

  • @kaatlev 2 years ago +3

    These videos are so concise and easy to follow, appreciate you.

    • @DanVega 2 years ago +1

      That makes me so happy. Thank you ☺️

  • @rbelatamas 1 year ago +1

    thank you so much ❤

  • @USONOFAV 1 year ago +1

    Great video as always! I've got two questions though:
    Why does it need to be annotated with @EnableWebSecurity? Is it like automatic once you added SecurityFilterChain in the app context?
    Can I create the public and private key using keytool instead of openssl?

    • @DanVega 1 year ago +1

      It isn't automatic. Spring Boot will actually add it for you if you forgot it but I like to be explicit with it.
      If you don't want to use OpenSSL and you're just using self-signed certs you can generate them with code. I have an example of that in the following repository.
      github.com/danvega/jwt-username-password

  • @samirmezhoud1851 1 year ago +1

    Thank you Dan! It is a great video. I would like it if you could provide a video showing how to consume these APIs from another Spring Boot web application using Feign client with JWT (authentication for the web app is through the same API)

    • @DanVega 1 year ago

      Thank you for the suggestion. I have added it to my content idea list
      github.com/danvega/office-hours/discussions/29

    • @samirmezhoud1851 1 year ago

      @DanVega thank you

  • @keyurpatel2472 1 year ago

    Add Role & Permissions with RoleHierarchy with Spring Security 6, Spring Boot 3

  • @ryanwakabayashi1758 2 years ago +1

    I love your videos! I had a question on how you would approach deploying this application. I am trying to deploy to AWS beanstalk, but I'm having difficulties with the RSA .pem files. I have been trying to add the public and private keys as an environment property in elastic beanstalk, but am having difficulties because it is a string value and not a file. I also tried to add a key converter with @Component and @ConfigurationPropertiesBinding, but I still get a failed convert from string to RSAPublicKey. What do you think should be the approach/best practice to remedy this?

    • @우아한비비안 1 year ago

      I ran into the same error as well. I would like to know how it can be resolved.

  • @sfgmbkmbksfg3722 1 year ago

    No one has taught it this way on YouTube yet

  • @oreoluwasomuyiwa4049 8 months ago

    Hi, please can you do a tutorial on combining JWT authentication with google's Oauth2 SSO?

  • @rafijlouis2432 1 month ago

    Hi Dan, I love the way you explain and it's much better than a lot of tutorials I have gone through. I have searched on Udemy for a Spring Boot course by you but I see it's outdated. It would be wonderful if you could create a new course or at least a series of videos on Spring topics. Thank you.

  • @amirhosseinbayat9657 4 months ago

    Hey Dan, it's amazing, but is there any mechanism for when the user logs out of the system? How can we invalidate the user token?

  • @josemanueldopereiro5957 1 year ago +1

    Hello Dan, do you always need to encrypt? If you care only about integrity and not about confidentiality of the token, wouldn't it be enough to sign the token (JWS vs JWE)? Thanks!

    • @DanVega 1 year ago

      A JWT would just be a base64 encoded string without the encryption. You absolutely need to protect it.
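
The signing-versus-encryption distinction raised in the question above, as an added example (not code from the video or its repository). Using only the JDK, it builds an RS256-signed token by hand, reads its claims with a plain base64url decode, and checks that a token whose claims were edited no longer verifies. The class name, the user "alice" and the claim values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public class SignedJwtDemo {

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static String b64(String json) {
        return ENC.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // JWS compact form: base64url(header) "." base64url(payload) "." base64url(signature)
    static String sign(String headerJson, String payloadJson, PrivateKey key)
            throws GeneralSecurityException {
        String signingInput = b64(headerJson) + "." + b64(payloadJson);
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(key);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(rs256.sign());
    }

    // Signature check only. A resource server additionally pins the expected
    // algorithm and validates claims such as exp; that is left out here.
    static boolean verify(String token, PublicKey key) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initVerify(key);
        rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        try {
            return rs256.verify(DEC.decode(parts[2]));
        } catch (IllegalArgumentException | SignatureException e) {
            return false; // malformed base64url or malformed signature bytes
        }
    }

    // No key is involved: the payload of a signed token is encoded, not encrypted.
    static String readClaims(String token) {
        return new String(DEC.decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keys = generator.generateKeyPair();

        // Constructed sample claims
        String token = sign("{\"alg\":\"RS256\",\"typ\":\"JWT\"}",
                "{\"sub\":\"alice\",\"scope\":\"read\"}", keys.getPrivate());

        System.out.println("claims read without a key: " + readClaims(token));
        System.out.println("original token verifies:   " + verify(token, keys.getPublic()));

        // Same header and signature, different payload: verification must fail.
        String[] parts = token.split("\\.");
        String edited = parts[0] + "." + b64("{\"sub\":\"alice\",\"scope\":\"admin\"}")
                + "." + parts[2];
        System.out.println("edited token verifies:     " + verify(edited, keys.getPublic()));
    }
}
```

The signature gives integrity and origin; keeping the claims confidential in transit is the job of TLS, or of JWE when the claims themselves must stay hidden from the holder of the token.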

  • @lilinh9631 8 months ago

    Hey! Great video! But how did you autogenerate code just by typing jwt? Thanks a lot!

  • @samueloyekunleoluwafemi4704 2 months ago

    When the jar is run manually, there is a filenotfound exception. How do we handle this?

  • @НикитаПосмак 1 year ago +1

    Thank you Dan, it's a great tutorial for beginners. Can you please make a guide about refreshing JWT?

    • @DanVega 1 year ago

      Noted! I have this suggestion here github.com/danvega/office-hours/discussions/27

  • @johngreen1138 5 months ago

    I get 401 when trying to reach any endpoint. What should I do?

  • @kensaitakeso 1 year ago +8

    Dan, why do you use @EnableWebSecurity and @Configuration together? As I see it, @EnableWebSecurity includes @Configuration within itself. Or am I missing something?

    • @DanVega 1 year ago +4

      Nice catch, Serhii. You're correct, @EnableWebSecurity is all you need for that configuration class.

    • @kensaitakeso 1 year ago +1

      @DanVega Dan! plz share your magic jwt-test template! plz plz!! It is a really great thing. For all of us, it would be a great thing to study how to compose templates (I know you have such a video but your template has a few tricks which were not included in that tutorial)

    • @DanVega 1 year ago

      @kensaitakeso I have a video on my channel on how to create live templates. Other than that you can just copy the code from the repo and create your own.

  • @SchefenBaba 8 months ago +1

    Thanks a lot for this tutorial. I have been stuck in other tutorials for hours.

  • @jy241 19 days ago

    Thanks for the great video!! It helped me a lot!!!!

  • @nooruddinraotiwala353 8 months ago

    Dan, what alternative to csrf should be used, as it is deprecated in later Spring Security versions 6.+?

  • @teaadvice4996 1 year ago

    Can you explain how to do this but with session cookies instead?

  • @MrMCchanel 1 year ago +1

    Great video! Is there a way to use roles with the current JWT configuration in this video?

    • @DanVega 1 year ago

      You can set the roles as part of the claim. I do have something on the backlog to create some content around this. If you want to add more to this you can.
      github.com/danvega/office-hours/discussions/8

  • @mondemlanshmi 10 months ago

    Hi ma'am, is there any simple way to generate and filter the token in Spring Boot??

  • @roberthevesi 10 months ago

    How do you have those shortcuts, such as at 39:16? Thanks.

  • @kozi-corner 2 years ago +1

    Thank you so much..I was just working on a project and had a lot of difficulties understanding JWT, I opened youtube and I found your video. How lucky I am!

    • @DanVega 2 years ago

      Thank you Abdelhamid. I hope this clears it up for you.

  • @coding619 3 months ago

    Hi Dan, Quick Question, This seems one sided, the configurations on the server side, but when client makes the request after the token is expired (i.e. 1 hour), how would the client get new access token without relogin.. Would I have to implement refresh token mechanism for that?
    My scenario, is to enable communication with jwt token between service 1 and service 2 both are REST based, so how can I achieve that?
    Should I make the JWT token as never expire?
    Please let me know. Thanks

  • @Djinn667 11 months ago

    Hey Dan, quick question. I notice your .pem files are not pushed on the GitHub repository but you also did not gitignore them. How did you prevent pushing them to GitHub? And how do you deploy an app that relies on these files but does not have them on the repo.

  • @kyriakosmandalas2121 2 years ago +1

    Great tutorial and topic. Really clears things out. Would be great to show next how to update JWT to include user's roles and permissions. And of course looking forward for Spring Authorization server!

    • @DanVega 2 years ago

      I actually set the authority and I believe in the repo there is an example of checking for it at the method level. If there isn’t let me know (I’m away from my computer at the moment)

  • @martintreeman6531 1 year ago

    How on earth do I allow for Java 16+ Language Level? My IntelliJ only allows up to 15. Tried many JDKs (of Java 17 and 19) but it didn't fix it, it's still stuck on max version of 15.

  • @ayushsingh2431 1 year ago

    Sir, I was working on a project and while surfing the web for JWT, I came to know that JWTs are not safe when used on frontend applications on browser. They are open to XSS attacks. Also, disabling csrf() is not recommended when used with browsers (like ReactJS+Spring Boot). I don't fully understand what's wrong and what we should do. Please help!

  • @ValentynHruzytskyi 1 year ago

    Great video! Thanks!
    Could you explain: you showed the project creation with the spring starter io source. But after the project was created, you show 2 pom files - the problem is that the spring.starter actually created only one single pom. How do I have to understand and follow your solution? And the main issue - I have implemented all the steps and this solution doesn't work: yes, I received a token, but this token doesn't work for other requests - I am receiving a 401 error for all following requests. Now I am trying to understand the difference - and the only difference between your code and mine is in the pom files. But you did not explain them

  • @subhajitkhasnobish2370 1 year ago

    Hey Dan, great work. I have just one question: this oAuth2ResourceServer() takes one Customizer, but the jwt() referenced by method reference does not have a void return type like the customize() of Customizer..and we are not getting a compile time error...how is it possible?

  • @MatheusAlencar-n9u 8 months ago

    Hi Dan. I managed to adapt it to work with UserDetailsService and it worked correctly. However, in my controller the Principal comes as an instance of org.springframework.security.oauth2.jwt.Jwt. I expected it to come as a User (which implements UserDetails), as I want to associate with other entities through JPA. What do you suggest?

  • @midewestmond9442 2 years ago +1

    Nice video, you just earned a subscriber. I actually love the fact you don't define another class just to write another method like other YouTubers do

    • @DanVega 1 year ago

      Thanks for the sub!

  • @maqhobelakao2045 1 year ago

    Great video, and I am on Java 11 so creating a record is not gonna happen, so I tried to create a class equivalent to the record, but it requires a bean of this kind:
    java.security.interfaces.RSAPublicKey
    and when I create it, it says cyclic dependency injection.
    Can I ask where the RSAPublicKey and RSAPrivateKey instances come from???

  • @FlashLeopard700 1 year ago +1

    Hi Dan, thanks for the great tutorial! I am facing a slight issue, not able to auto-generate the test class code, the way you do at 39:15, by writing "jwt-home-controller-test", is some plugin required for this? Thanks!

    • @DanVega 1 year ago

      Yes this is an IntelliJ live template. It's not generating it, it's just pasting it in there. I use it to save time in demos.

    • @DanVega 1 year ago

      You can grab source from the repo

  • @FilipRafael-k5l 1 year ago

    Is anyone else getting a "There is no PasswordEncoder mapped for the id 'null'" Exception early in the video? Right after creating the SecurityConfig class and its first two methods.

  • @petrophilip2279 2 months ago

    This is a great tutorial. You have a way of explaining complex topics in simple terms.
    I have subbed to your channel.

  • @AntonioCabralNumberOne 5 months ago

    Hi Dan.
    Since we're already on Spring Boot 3.2+ would you mind an update video on this matter?
    Keep up the good work!

  • @SanketShah-zs9dp 5 months ago

    Thanks for the video.
    When I put the following line in my SpringFilterChain, it shows the message "'jwt()' is deprecated since version 6.1 and marked for removal "
    .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
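
The deprecation reported in this comment and in the earlier ones about `jwt()` and `csrf()`, shown as a complete Spring Security 6.1+ configuration that uses the lambda DSL throughout. This is an added example, not code from the video or its repository; the class name and the key pair generated at startup are assumptions for illustration, where the tutorial loads its keys from .pem files.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class LambdaDslSecurityConfig { // hypothetical class name

    // Assumption for this example: a throwaway key pair created at startup.
    // Tokens signed with it stop verifying after a restart.
    @Bean
    KeyPair demoKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        return generator.generateKeyPair();
    }

    // The resource server verifies bearer tokens against the public key only.
    @Bean
    JwtDecoder jwtDecoder(KeyPair demoKeyPair) {
        return NimbusJwtDecoder.withPublicKey((RSAPublicKey) demoKeyPair.getPublic()).build();
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Deprecated since 6.1: .csrf().disable() or .csrf(csrf -> ...) chained with and()
                // No session cookie is issued below, so CSRF protection is switched off
                // for this bearer-token API.
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // Deprecated since 6.1: .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .sessionManagement(session ->
                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // HTTP Basic stays enabled so a client can authenticate once to obtain a token.
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```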

  • @friedec3622 1 year ago

    That is for access token.
    How about refresh token?

  • @larssmeets773 1 year ago

    How does it work with the private/public key, because now you are creating one on your pc, but if someone else is pulling the project to work on, how are they going to use the public/private key, what would you suggest fixing that problem?

  • @DeepakSharma-wi4wu 1 year ago

    This works perfectly locally, but when I deploy it to an external Tomcat it gives me a 404 error. Any idea why?

  • @sayantanchatterjee4486 1 year ago

    Hi Sir, I'm a novice in Spring Security, can you please tell me where the logic to refresh the token is if it's expired?

  • @ankanghosh169 1 year ago

    Hi Dan,
    I love your tutorials.. my question is how can I create a separate authentication service using JWT, and then use that in a separate client service to secure an endpoint? Thanks..

  • @edwardm4348 1 year ago

    Great video! You make it so easy to grasp the concept.
    A quick question. How would you secure the APIs using JWT if the application is using (username & password)
    in some cases and also biometrics authentication in other cases.

  • @pricodebysp5364 1 year ago

    Hi Dan, I did the constructor injection of the RSA properties and am still getting the error "parameter 0 of constructor" and bean not found

  • @maxjustmax521 2 years ago

    The only missing part of this is to deal with access using: antMatchers("/admin").hasAnyAuthority("admin") in the Security Filter Chain