Spring Boot Fundamentals: Implementing Security | ChargeAhead LLC | Skillshare

ChargeAhead LLC, Technologist

11 Lessons (29m)
  • 1. Course Overview (1:17)
  • 2. Roadmap (4:45)
  • 3. Audience (0:17)
  • 4. Prerequisites (0:23)
  • 5. Tools (1:03)
  • 6. Demo: App overview (1:36)
  • 7. Demo: Basic Authentication (2:10)
  • 8. In-memory authentication and authorization (5:30)
  • 9. Demo: Database authentication (7:17)
  • 10. OAuth2 (3:36)
  • 11. Summary (1:00)

About This Class

Securing our application is extremely crucial, given how breaches and exploits are becoming a big threat nowadays. Spring Boot makes it very easy to secure our application and provides a rich set of options.

In this course, we will start off by adding the spring-boot-starter-security dependency to our application and see how just adding this one dependency secures our app with basic authentication.

Next we will configure our app for in-memory authentication, and configure authorization to specify which roles can access what resources.

Next we will switch our app to use database authentication. We are using a MySQL database as our backend database. We will see the setup required to get database authentication going.

Finally we will talk about OAuth2 support which Spring Boot provides.

Transcripts

1. Course Overview: Securing our application is extremely crucial, given how breaches and exploits are becoming a big threat nowadays. Spring Boot makes it very easy to secure our application and provides a rich set of options. Hello, my name is Bunker Jane, and welcome to this course on Spring Boot Fundamentals: Implementing Security. In this course, we'll start off talking about who would be the right audience for this course, the prerequisites to be most successful with this course, and the tools needed to follow along. We'll first add the spring-boot-starter-security dependency to our application and see how just adding this one dependency secures our app with basic authentication. Next, we will configure our app for in-memory authentication. Next, we will configure authorization to specify which roles can access what resources. Next, we'll switch our app to use database authentication. We're using a MySQL database as our backend database. We will see the setup required to implement database authentication. Finally, we will talk about the OAuth2 support Spring Boot provides.

2. Roadmap: I plan to create a series of courses covering the various aspects of Spring Boot and wanted to take a moment to go over the course roadmap to let you know what is coming and what we will cover in each course. The first course, Spring Boot Fundamentals: Basics and Getting Started, will introduce Spring Boot, cover its fundamental concepts, and get us started developing applications. We will see how to use Spring Initializr to rapidly build and run a simple web app first and then a console application. In the next course, Spring Boot Fundamentals: Creating a Spring MVC App, we will build a fully functional Spring MVC app for managing item inventory. We will implement the model, service, controller and view layers to show the items in inventory. We will use Thymeleaf for the view layer.
We will explain how to integrate third-party libraries like jQuery and Bootstrap into our application and refer to model attributes in the view layer. We will also introduce Spring Boot DevTools, which makes development and testing easy. In the next course, Spring Boot Fundamentals: Connecting to a Database, we will continue building our app and connect it to a backend database using Spring Data JPA repositories. We'll start with an in-memory database, H2, and then later switch to MySQL to show how Spring Boot makes it easy to work with relational databases and switch between them with ease. We will create the add, update and delete operations and complete our Spring MVC app, creating Thymeleaf views for adding and editing along the way, and will further explore the Thymeleaf template engine. In the next course, Spring Boot Fundamentals: Building and Consuming REST-Based Web Services, we will demonstrate how Spring Boot makes it easy to create and consume REST services. We will create CRUD REST endpoints for the items in the inventory. We'll then see how to consume REST APIs in our Spring Boot project. We will take the web layer of our Spring MVC app built earlier and, instead of fetching data directly, have the front end consume data from the REST APIs. In the next course, Spring Boot Fundamentals: Monitoring Health and Metrics with Actuators, we will demonstrate Spring Boot Actuator. It provides a lot of useful health endpoints and metrics right out of the box with zero coding. We will show how to expose and enable the health endpoints. We'll see how to implement our own custom health checks and create new endpoints. In the course Spring Boot Fundamentals: Improving Performance by Implementing Caching, we will demonstrate the caching support Spring Boot provides with just a dependency and a few annotations, so you can devise an effective caching strategy for the application.
We will first demonstrate caching with the default cache manager Spring Boot provides, and later switch the provider to Redis. In the course Spring Boot Fundamentals: Implementing Security, we'll see how Spring Boot makes it easy to implement security. We'll first demonstrate basic authentication. We'll then switch our app to use database authentication. Spring Boot Actuator security is now integrated with the main app's security; we'll see how to protect actuator endpoints. We will then talk about the OAuth2 support. In the course Spring Boot Fundamentals: Configuration with Profiles and Deployment Using Docker, we will see how to configure our app for different environments like dev and prod using Spring profiles. We'll also see how to dockerize our application. Docker containers provide consistent development, build, test and production environments and make running and deploying our apps very easy. I would recommend taking these courses in order, but if you are familiar with a certain aspect of Spring Boot, you may skip that course and move to the next one. Further, if you just want to take the course for a certain aspect, it should be self-sufficient to explain the concept without necessarily having to take the previous ones, though I would always recommend taking the previous courses for a better understanding. So, following this series of courses, you would have a solid conceptual understanding of the various aspects of this framework and could rapidly start developing applications and microservices. All right, let's now talk about the audience for this course.

3. Audience: This course would be useful for Java and Spring developers who want to understand Spring Boot, and also for software architects who want to understand this powerful framework and how they could apply it to their applications. What are the prerequisites to be most successful with this course?

4. Prerequisites: There are not a whole lot of prerequisites for this course.
The only thing you need is some basic Java knowledge and some basic Spring concepts. Even if you do not have a lot of familiarity with these, don't worry. I will try to explain the concepts along the way, and you should be able to follow along without much difficulty. Let's next talk about the tools you will need to follow this course.

5. Tools: We will have a lot of demos in this course, as I believe that is the best way to learn. The tools I would be using in this course are, of course, Java. I would be using OpenJDK version 11, but feel free to use Java or OpenJDK version 8 or above; most of the examples should work. For the IDE I would be using Spring Tool Suite, which is a flavor of Eclipse but is highly customized and optimized for Spring development. I would be using version 4. It is open source and free and comes with a lot of bells and whistles that I think you would like. However, if you are familiar with and would like to use some other IDE like IntelliJ etc., please feel free to do so. We will use Spring Boot version 2.1.4. For the database, we will be using MySQL version 8.0.15. You can find the code for the demos in this course at the following URL.

6. Demo: App overview: Let's take a quick look at the app we will be working on in this course. This is the Spring MVC app we had built earlier in the course Spring Boot Fundamentals: Monitoring Health and Metrics with Actuators. It is the app with its familiar Maven structure. Here is the main class with the @SpringBootApplication annotation. Under the model package, we have our model object Item with the fields item id, item name, item price and item quantity. Next is the repository layer, where we are using the CrudRepository interface; Spring Data JPA generates the CRUD methods for our Item object. We're working with a MySQL database in the backend. Here is the service class with the CRUD methods using the item repository interface.
Here is the controller, which listens at the base /inventory URL and then has mappings for the various URLs for viewing, adding, editing and deleting items. We're using Thymeleaf for creating web pages. Here is how our app looks. You can click this button to add a new item; you can click Edit to edit an existing item and Delete to delete an item. We will now protect this app using Spring Security. Let's see how to do that.

7. Demo: Basic Authentication: In this demo, we will add the spring-boot-starter-security dependency to our POM file and see how it enables basic security for our app. As of now all the pages of this app are accessible; you can view, edit, etc. Let's go to our project's POM file and add the dependency for spring-boot-starter-security. Let's start our app now. Adding this dependency enables basic authentication for our app and secures all pages. Since we did not specify any user name, the default user name "user" is used, and if you look at the console, it generates a password, which you can see here. Let's copy this. Let's go to the browser and access the URL. Now we are presented with the login page. Let's enter the user name "user" and paste the password, and we have access. Let's click on the Edit page. Since our browser has stored the credentials, it is not asking for them again. Let me go to the history, clear the history and cache, and now try to access the app again, and it presents us the login screen. Pretty cool, right? Just adding one dependency provides basic authentication to our app with zero lines of code. Now we can specify our own user name and password. Go to the application.properties file and, using spring.security.user.name, enter a user name, let's say devuser, and using spring.security.user.password, enter a password, let's say dev.
Let's restart our app, and this time we see no password generated in the console, as we have created our own user name and password. Go back to the browser, clear the cache, and now access the page. Let's enter our user devuser and password dev, and it goes through fine. Next, let's see how we can add more users and roles and protect specific pages with different roles.

8. In-memory authentication and authorization: In this demo, we will see how to use in-memory authentication. We will create a couple of users, a dev user and an admin user, and two roles, a user role and an admin role, and then specify the roles needed to access specific pages. So let's get right to it. Let's stop the app. Let me first remove the user name and password we had specified in the properties file. Next, let's go to our main package. Right-click on our package, choose New Class, and call it SecurityConfig. Let's extend it with WebSecurityConfigurerAdapter, and we will override a couple of its methods to customize authentication and authorization. Let's fix the import. Let us first autowire the configureGlobal method, which takes in the AuthenticationManagerBuilder. This allows for building in-memory authentication, LDAP authentication, JDBC authentication, etc., as you can see here. We will choose in-memory authentication and create the first user with the name devuser and the password as the keyword noop in curly braces followed by our text password. The general format for the password is the id and then the encoded password: with the id you specify which password encoder needs to be used, and then you specify the encoded password. The id can be of type bcrypt, sha256, etc. But for simplicity I'm using noop, which delegates to the NoOpPasswordEncoder and takes the password literally as specified. Using authorities,
we specify the role assigned to this user, in this case ROLE_USER, and then similarly we specify the second user adminuser with the password admin and the roles assigned as ROLE_USER and ROLE_ADMIN. Next, let's implement authorization. So we override the configure method which takes in the HttpSecurity, which allows web-based security for specific HTTP requests. So we say http.authorizeRequests() and then .antMatchers() where the URL is /inventory/edit/ and then you put an asterisk to allow for anything else after that, request parameters etc. Putting the asterisk is important so that attackers cannot avoid this authorization by putting something after it. And then we say to allow access to anyone with the role USER. Note the framework will prepend ROLE_ automatically, and so it will match the ROLE_USER we have specified up here. We want to protect the URL /inventory/add/* with access only to users with the admin role, and /inventory/delete/* to users with the admin role. As I mentioned earlier, actuator security in Spring Boot 2 is now integrated with the app security. So if we want to secure our health endpoint /actuator/health only to users with the admin role, we say /actuator/health is allowed only to users with the admin role. For /inventory/all and /inventory/* we permit all. And we want to use basic authentication. Let's mark this class as a configuration class and also annotate this class with the @EnableWebSecurity annotation, which, among other things, enables HTTP basic and form-based authentication, automatically rendering a login page, etc. Lastly, let's go to our main configuration class and, using the @Import annotation, indicate that our second configuration class, the SecurityConfig class, should also be included while configuring Spring. Let's fix the import. That is it.
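The in-memory configuration this lesson builds up, pulled together into one file as an added example written for this page (it is not the course's own code). It assumes Spring Boot 2.1.x with spring-boot-starter-security, the package name com.example.demo, and the URL patterns named in the lesson; the `**` suffix and the final `anyRequest().authenticated()` rule are my choices, so that anything under a restricted prefix is covered by the same rule and no unlisted page is left open.

```java
package com.example.demo;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example, not the course's code. Assumes Spring Boot 2.1.x / Spring Security 5.1 and
// a main class carrying @Import(SecurityConfig.class), as the lesson sets up.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Authentication: two in-memory users. The "{noop}" id selects NoOpPasswordEncoder, so the
    // text after it is the literal password; "{bcrypt}<hash>" would select BCrypt instead.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("devuser").password("{noop}dev").authorities("ROLE_USER")
            .and()
            .withUser("adminuser").password("{noop}admin").authorities("ROLE_USER", "ROLE_ADMIN");
    }

    // Authorization: matchers are evaluated top to bottom and the first match wins, so the
    // restricted paths must come before the permitAll rule for /inventory/**.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/inventory/edit/**").hasRole("USER")    // hasRole("USER") checks for ROLE_USER
            .antMatchers("/inventory/add/**").hasRole("ADMIN")
            .antMatchers("/inventory/delete/**").hasRole("ADMIN")
            .antMatchers("/actuator/health").hasRole("ADMIN")     // actuator shares the app's security in Boot 2
            .antMatchers("/inventory/all", "/inventory/**").permitAll()
            .anyRequest().authenticated()                         // assumption: everything else needs a login
            .and()
            .httpBasic();
    }
}
```

The order of the antMatchers is the part worth checking when you adapt this: if the `/inventory/**` permitAll line were moved above the edit/add/delete rules, every inventory page would become public, because the first matching rule decides.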
Let us start the app again. Go to the browser, go to history, and clear the cache. Let us type the URL http://localhost:8080/inventory and it is accessible. Let's click on the Add New Item link. If you remember, only a user with the admin role can access it. So in this login page, if we enter devuser and its password dev, it will not allow access. Let's go to history and clear the cache. Let us enter adminuser and password admin, and now it lets us access the page. Let us enter an item and save it. To edit an item, it needs a user role; since our admin user already has the user role, it lets us in. So as you can see, our custom authentication and authorization is working just fine. Typically, you would not be using in-memory authentication. Let us see how to switch this app to use database authentication.

9. Demo: Database authentication: In this demo, we will switch our application to use database authentication. We will use a MySQL database. Our app is currently tied to a MySQL database in the backend. If you open the application.properties file, you can see the MySQL connection properties: the JDBC driver, the data source URL with MySQL running on localhost and listening on port 3306, pointing to the schema demo, and the user name and password properties. When Spring Boot sees this, it automatically configures a data source and makes it available for our app. Here in our pom.xml file you can see the dependencies for spring-boot-starter-data-jpa and mysql-connector-java. Let me open a terminal window and log on to our MySQL database with the user devuser. Let me enter the password. Let's use the demo schema. Now, if you Google "Spring Security database schema", it brings up this URL on docs.spring.io, where there is a reference provided with Spring for the database table structure to support database authentication.
It expects a users table with the columns username, password and whether the user is enabled or not, and a table authorities, which has a foreign key to the username of the users table and an authority column, which is the role assigned. Note these are the default table and column names it expects, but it also allows us to use our own names, and we will see how to specify our custom table and column names later. Back to the MySQL database here. Let me paste the SQL to create the users table. I have modified the syntax for the MySQL database. Here is the SQL to create the authorities table. Here is a unique index on the authorities table, including the username and authority columns. All right, before we insert data, we have to generate encoded passwords. Spring Security supports multiple password encoders. We will use BCrypt, as it is a good encoder. Now, in our project, let me create a new class by right-clicking on the com.example.demo package, choosing New Class and calling it PasswordEncoder. This class need not be in this project, but I created it here for convenience. Let me paste some code here to save some time. So I have a main method here; let me fix the import. Here we're taking the password dev, creating a new instance of BCryptPasswordEncoder, and then generating a hashed password using the password encoder's encode method. We're then printing it out. Similarly, we're generating a BCrypt-encoded password for the literal text admin and printing it. Let's run this class as a Java application, and we see the BCrypt-encoded passwords here. Now let's go back to our MySQL session. Let's insert into the users table (username, password, enabled): specify the username as devuser, the password for dev (let's copy it from here and paste it), and enabled as true. Similarly, let us insert the admin user: let's copy the encoded password from here and paste it in, and enabled is true. Next, let us insert into
the authorities table the username devuser and give it the role user, and insert into the authorities table the admin user with the role admin and then the role user. Let's commit. All right, we're good with the database. Now let's go to our SecurityConfig class. Authorization stays the same. Let us comment out the in-memory authentication code. Let's autowire the DataSource first into a variable; Spring Boot will do the heavy lifting for us to inject it here. Fix the import. Let us use authenticationManager.jdbcAuthentication(), choose the data source as our autowired data source, and the password encoder as new BCryptPasswordEncoder. Let's fix the imports. This will generate a BCrypt password hash for the password entered by the user on the login screen and compare it with the BCrypt-encoded password we had inserted in the database. That's it. Let's run this app now. First, let's clear the history and cache. Now let's type the URL http://localhost:8080/inventory and it is accessible. Let's click on the Add link; only a user with the admin role can access it. In this login page, if we enter devuser and its password dev, it will not allow us. Let me clear the history and cache again and refresh the URL. This time, let's enter adminuser and password admin, and now it lets us access the page. Let's enter an item and save it. To edit an item, it needs the user role; since our admin user already has the user role, it lets us in and allows us to edit the item. So, as you can see, our custom authentication and authorization is working just fine, but this time with database authentication. Now, to consider the case where our table and column names may not be the same as the documentation states, let's go back to our MySQL session and rename our authorities table to user_roles. Let's change the authority column in that table to role. Let's make a modification to the users table.
Also, let's rename the password column to passwd. Now, if you go to the browser, clear the history and cache and click on the Edit button, we get the login screen as expected. But now entering the admin user and its password does not work, as it cannot find the standard table and column names in the backend. Let's go back to our code and specify the custom table and column names. Using usersByUsernameQuery, specify a query that selects the username, password and enabled columns (with our renamed column names) from users for a given username. Similarly, using authoritiesByUsernameQuery, specify the table and column names to get the username and role for a given username. Save. We have DevTools as part of our project, which automatically deploys the incremental changes. Now in our browser, let's clear the history and cache, click the Edit button, enter the admin user and its password, and this time it works.

10. OAuth2: OAuth2 is an authorization protocol. Using tokens, it lets client applications have limited access to the user's resources. It is not an authentication scheme. It delegates the user authentication to the service that hosts the user account, and at the same time also lets the user specify the kind of access it wants to grant the client application to its resources. The authorization server issues access tokens to the client application upon successful authentication by the user. These tokens are then passed by the client in the headers when making requests for resources to the resource server. The resource server verifies the tokens with the authorization server and then grants appropriate, limited access to the user's data to the requesting client application. OAuth2 provides authorization flows for web and desktop applications and mobile devices. So, as we talked about, there are several actors.
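Before the OAuth2 discussion continues, here is the database authentication setup from lesson 9 above, including the custom-query variant for the renamed table and columns, pulled together as an added example written for this page rather than the course's own code. It assumes Spring Boot 2.1.x with spring-boot-starter-security and spring-boot-starter-data-jpa, a MySQL data source configured through the spring.datasource.* properties, the package com.example.demo, and the names the lesson ends with (table user_roles with column role, and column passwd in users). The DDL in the comment is constructed here from the lesson's description of the Spring Security reference schema, not copied from the reference itself.

```java
package com.example.demo;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/*
 * Added example, not the course's code. Assumes a MySQL schema with the renamed table and
 * columns the lesson arrives at, created with statements along these lines (constructed here
 * from the lesson's description of the reference schema):
 *
 *   CREATE TABLE users (
 *     username VARCHAR(50)  NOT NULL PRIMARY KEY,
 *     passwd   VARCHAR(100) NOT NULL,      -- a BCrypt hash is 60 characters
 *     enabled  BOOLEAN      NOT NULL
 *   );
 *   CREATE TABLE user_roles (
 *     username VARCHAR(50) NOT NULL,
 *     role     VARCHAR(50) NOT NULL,
 *     CONSTRAINT fk_user_roles_users FOREIGN KEY (username) REFERENCES users (username)
 *   );
 *   CREATE UNIQUE INDEX ix_user_roles ON user_roles (username, role);
 *
 * Rows are inserted with hashes produced by PasswordHashes below, e.g.
 *   INSERT INTO users VALUES ('devuser', '<bcrypt hash of dev>', TRUE);
 *   INSERT INTO user_roles VALUES ('devuser', 'ROLE_USER');   -- hasRole("USER") expects the ROLE_ prefix
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Boot builds this bean from the spring.datasource.* properties in application.properties.
    @Autowired
    private DataSource dataSource;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
            .dataSource(dataSource)
            // The stored value is a BCrypt hash; the encoder checks the login password against it,
            // so no plain-text password is ever stored or compared.
            .passwordEncoder(new BCryptPasswordEncoder())
            // The default queries expect users(username, password, enabled) and
            // authorities(username, authority); override them for the renamed schema.
            // The "?" is bound to the login name by Spring, never concatenated into the SQL.
            .usersByUsernameQuery(
                "select username, passwd, enabled from users where username = ?")
            .authoritiesByUsernameQuery(
                "select username, role from user_roles where username = ?");
    }

    // The authorization rules (antMatchers on /inventory/... and /actuator/health) are unchanged
    // from the in-memory lesson and omitted here; without an override, Spring Security's default
    // applies and every request requires an authenticated user.
}

// Throwaway helper corresponding to the lesson's hash-generating class: run it as a Java
// application to get the values to paste into the INSERT statements. BCrypt salts every call,
// so two runs print different hashes that both verify against the same password.
class PasswordHashes {
    static String hashForInsert(String rawPassword) {
        return new BCryptPasswordEncoder().encode(rawPassword);
    }

    public static void main(String[] args) {
        System.out.println("devuser   -> " + hashForInsert("dev"));
        System.out.println("adminuser -> " + hashForInsert("admin"));
    }
}
```

Two things to check when you adapt this: the users query must return exactly the three columns in the order username, password, enabled, and the authorities query exactly username, authority, because jdbcAuthentication reads them by position; and the role values in user_roles need the ROLE_ prefix for hasRole("ADMIN") and hasRole("USER") to match.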
In an OAuth2 flow, the resource owner, or the user, is typically you: you would authorize a client application to access your account, specifying the scope of access. The resource server is the server hosting the protected resources, or the APIs that provide access to user data. A client application is the application which wants to access the protected resource on behalf of the resource owner, or the user. The authorization server verifies the identity of the user, by delegating it to the service that hosts the user account, and then issues access tokens. There are several flows OAuth2 supports, like the authorization code grant or the client credentials flow, etc. We will not go into these, but at a very general level, this is how an OAuth2 flow works: the client application requests authorization from the resource owner, typically you. You authorize the grant, specifying the scope of access. The client then sends this grant to the authorization server, which then issues it access tokens. The client then includes the access tokens in the header when making requests to resources or web services. The resource server will evaluate these access tokens and, upon successful validation, forward the data the client application was requesting. Spring Boot, along with Spring Security, makes it very easy to implement OAuth2 in your applications. It provides some simple annotations which you put on your applications, and then Spring Boot behind the scenes manages all the logistics of getting tokens, passing tokens, etc. You do not have to hand-code all of this or manage all of these complex interactions. With very simple annotations you can create authorization servers, resource servers, etc. If you create, for instance, an authorization server, Spring Boot and Spring Security will create all the OAuth2 endpoints for you, like the authorize endpoint, the token endpoint, etc. I would encourage you to read up on the OAuth2 support with Spring Boot. We have reached the end of this course.
Let's summarize what we talked about.

11. Summary: In this course, we started off talking about the audience for this course, the prerequisites to be most successful with this course, and the tools to follow along. Next we saw how, by adding one dependency, spring-boot-starter-security, Spring Boot configures basic authentication for our app, protecting all the pages. We saw how to specify our own user name and password. We looked at in-memory authentication, where we created a couple of users and roles and configured authentication and authorization for our pages using that. Finally, we switched our app to use database authentication using a backend MySQL database. We also briefly spoke about what OAuth2 is and the OAuth2 support present with Spring Boot. I enjoyed making this course and I hope you found it useful. I wish you all the best as you take all this knowledge and apply it to the projects you're working on. Thanks for watching and see you next time.