
Explore how Spring security uses http basic authentication by default, encoding username and password in the authorization header with base64; the app decodes and matches them, returning 200 or 401.
Spring security uses convention over configuration to auto-provide http basic, form login, and secure rest endpoints, letting you focus on business logic with sensible defaults and customization when needed.
Explore the user details manager interface, extending the user detail service to create, update, delete, and change passwords for full user lifecycle management, via interface segregation.
Fetch saved authentication and authorities from the security context using security context holder, getAuthentication, and getAuthorities, demonstrating how authentication and authorization data flow through F1 and F2 filters.
Define the granted authority and explain how authorities drive authorization decisions in Spring Security, including how user details fetch and apply them to gate access to resources.
Compare authorities and roles under granted authorities, showing how authorities denote actions like read, write, update, or delete, while roles bundle multiple authorities, such as admin, as a badge.
Explore how the permit all rule in Spring Security allows access for unauthenticated and authenticated users, and why a failed authentication yields 401 before authorization.
Demonstrate the has any authority matcher in spring security, supporting multiple authorities like read and write, and illustrate in-memory user details manager and authorization filters.
Explore the advantages of the access method, offering powerful, flexible fine-grain control, context-aware decisions, user-specific rules, and the ability to invoke pre-authorize and custom bean methods within security configurations.
Explore a request matcher that restricts the get /test me endpoint to admin. Require the post /test me endpoint to be accessed by the manager, returning 403 or 200.
Learn how the ant matcher uses ant-style path matching to handle http requests with wildcards like * and ** and the question mark, and why it is deprecated.
Explore ant matchers as post office address matching: single star under slash foo for one level, double star for the foo city, and star dot html for html endings.
AntMatcher was deprecated with Spring Security 6+ due to limited ant-style pattern flexibility and no regex, causing inconsistencies with Spring MVC path matching; RequestMatcher replaces it as a general solution.
Discover how the mvc matcher in Spring Security matches urls like request mappings, understanding path variables such as id, and respecting the servlet context path, unlike end matcher.
What are we going to cover
Spring Security Basics
Master Security
Security in Spring Boot & Microservices
Why Security for your spring boot app?
What is Spring Security?
Key Spring Security Concepts
Authentication
Authorization
Servlet Filters
What are its alternatives?
Security Implementation - Who’s responsibility
Let’s get started !
Why 401 ?
Summary
Spring Security: Convention-over-Configuration
Key Participants in Authentication Framework
Flow of Authentication in Spring Security
Spring Security Auto-configured Beans
UserDetailsService
PasswordEncoder
Spring Security Configuration
Introduction to POC 2
Overriding Default Configurations
Customizing Spring Security Configuration
Why Authentication Fails Now
Fixing Authentication Step by Step
Define User Credentials
Adding User to InMemoryUserDetailsManager
Defining a PasswordEncoder Bean
Why Avoid HTTP Basic Authentication?
User Management
User Management
User Management Components
UserDetails
UserDetailsManager
User
Customising User Details Service
POC 3
Creating User & Authority Table
Mapping User & Authorities table
Why Authorities are eagerly fetched
Fetch saved Authorities from SecurityContext
Authorization
Authorization
How Authorization works
What are we going to learn
GrantedAuthority
Difference between Authorities and Roles
Authorization implementations level
Endpoint Level Authorization
Security Filter Chain
Security Filter Chain
Defining a Filter Chain
Modifying Filter chain
Why still 403 ?
anyRequest().authenticated()
anyRequest().permitAll()
anyRequest().hasAuthority()
anyRequest().hasAnyAuthority()
Role
anyRequest().hasRole()
anyRequest().hasAnyRole()
401 VS 403
anyRequest().access()
Advantage of anyRequest().access()
Disadvantage of anyRequest().access()
anyRequest().denyAll()
Request Matchers
Matcher Methods
List of All Matcher Methods
Request Matcher
Request Matcher Methods
Real-life analogy
How requestMatchers() works in this setting
Code Block
Types of Matchers
Ant Matcher
ANT Matcher Methods
Why it was popular
Example in Spring Security 5.x
Why Deprecated in Spring Security 6+
MVC Matcher
MVC Matcher Methods
Why it was used
Regex Matcher
regexMatchers()
Why use it
Dispatcher Type Matcher
Purpose - What is DispatcherType
Servlet Path Matcher
Purpose
Is it any relevant in spring boot app?
Combining all Matcher methods
Method Level Security
Authorization at the method level
Where do we stand now?
Can Spring Security Be Used in Non-Web Applications?
Where Can You Apply Method Security?
Why Use Method Security?
Role of Authentication in Enabling Method Security
Why Not Use permitAll() with Method Security
Code snippet
Enabling method security
New way of enabling Method level Authorization
What Happens Behind the Scenes
Why Called “Aspect Behind the Scene”?
Prevent GOD class with Method level Authorization?
Best Practice
Priority of Rules: Security Config vs Method-Level Authorization
Performance Consideration: Method-Level vs Filter-Level Authorization
How Method-Level Security Goes Beyond Filters
Multi-line @PreAuthorize for Complex Security Rules
Disadvantages of Multi-line rules
Moving Beyond SpEL: Bean-Based Security Checks
Post Authorize
Difference Between @PreAuthorize and @PostAuthorize
Filters in Method Security
Pre filter
Pre filter - Key Pointers
Postfilter - Key Pointers
Post Filter Pitfalls
PreFilter VS PostFilter
@Pre/@PostAuthorize VS @Pre/@PostFilter
OAuth 2 & OIDC Basics
OAuth 2 & OIDC
Basics
Actors/Roles in OAuth2
OAuth 2 Flow
The OAuth 2.0 Solution
Why this is powerful
Steps in OAuth 2
How to get the token?
Heart of how OAuth2 + Spring Security works
Grant types
Types of Grant types
Deprecated Grant types
OAuth’s Main Security Principle
Why Password Grant Type Is Deprecated
Modern Replacement
Why Implicit Grant Type Is Deprecated
Summary
Authorization Code Flow
Authorization Code Flow
What Is the Authorization Code Grant Type?
Step-by-Step Flow
Advantages
Disadvantages
Authorization Code Flow with PKCE
What is PKCE
Why PKCE was introduced
The Players
Authorization Code Flow with PKCE — Step by Step
How PKCE Prevents Attacks
How Verifier & Challenge Work
Real-World Analogy: The Locker & Key
Summary of PKCE Flow
Authorization Code vs Authorization Code + PKCE
Points to remember
Client Credentials Flow
Client Credentials Grant Type
What is Client Credentials grant
When to use it
The Actors
Flow (step-by-step)
Typical token response
Client authentication methods with AS
How Scopes → Authorities Mapping Works
Scopes & authorities
Tokens: JWT vs opaque
Security considerations / best practices
Pitfalls & gotchas
Refresh Token Flow
Refresh Token Grant Type
What is a Refresh Token?
Why Refresh Tokens Exist
Who uses the Refresh Token flow?
Refresh Token Grant Type Flow
Static (Reusable) Refresh Tokens
Rotating (One-time) Refresh Tokens
How OAuth2 servers decide
What clients must do
Key Token Lifetimes
Why Refresh Tokens Are Sensitive
Refresh Token Flow vs Access Token Flow
Tokens
What is opaque token?
How opaque token Works?
Introspection response
Non-opaque tokens vs opaque tokens
JWT
JWTs
What is a JWT?
The basic structure of a JWT
How JWT works
JWT signing methods
Common JWT claims
How JWTs are verified
Private and Public keys
What is /jwks.json?
Why JWTs are so popular
Limitations / Pitfalls
OIDC
OIDC
What is OIDC
Authorization code flow with PKCE
Real-world example (Google Login)
Why OIDC exists
What OIDC Actually Is
Core Components in OIDC
ID Token
Standard Claims in ID Token
OIDC Scopes
OIDC Endpoints
Benefits of OIDC
Common pitfalls
Nonce
Why Nonce
SSO
SSO
What is SSO
Actors in SSO
Steps in SSO
Why SSO works
Common Pitfalls Of SSO
Security benefit of SSO
SSO Logout Scenarios
Why OAuth2 + OIDC are REQUIRED for SSO
CSRF
CSRF
What is CSRF
Core browser behavior
Why CSRF is dangerous
How websites stop CSRF
Why Spring Security enables CSRF by default
CORS
CORS
What is CORS
Why CORS exists
What is an origin
CORS Rule
Spring Boot CORS config
Common CORS mistakes
CORS vs CSRF
Full Stack POC
Full stack POC
Intro to Foodify App
UI Of Foodify App POC
Backend Of Foodify App POC
Auth0 configurations
Spring Security Implementation
Auth0
What is Auth0
Key Components of Auth0
What Happens During Login
Why Use Auth0
MFA
Social Login
Centralized Identity
Developer Productivity
When SHOULD you build yourself?
Roles & Permissions
What is Authentication vs Authorization?
What is OAuth2 / OIDC?
Architecture for End to end POC with Auth0
What is Application in Auth0?
What is API in Auth0?
What is Audience?
What are Roles?
What are Permissions?
Roles vs Permissions
RBAC
Why RBAC is Used
Why roles & permissions in JWT?
JWT Processing in Spring Security
What is JwtDecoder?
What is JwtAuthenticationConverter?
What is Authority in Spring?
ROLE_ prefix
Common Mistakes
Implementation Steps
Steps to Implement Spring Security
Steps to setup Auth0
Steps to add Roles in token
What happens in backend
FINAL FLOW (END-TO-END)
KEY CONCEPTS
COMMON MISTAKES
Keycloak
Keycloak
What is Keycloak?
High Level Architecture
Core Terminologies
Types of Clients
Role Types
Client Scope
Groups
Identity Provider (IDP)
Flows
Keycloak vs Auth0
Feature Comparison
who should choose Keycloak vs Auth0
Social Login
Social Login
What is Social Login
How Social Login works
Benefits of Social Login
Configure Identity Providers in Keycloak
Google login Steps
Github social login steps