
Learn to create and sign JSON Web Tokens (JWT), pass tokens to users, and secure a backend API with Spring Security and an Angular frontend, translating roles and permissions.
Explore a front-end user management app with role-based access—admin, manager, and super admin—covering create, read, update, delete, profile, avatar, and login security features.
Identify the essential prerequisites for this course, focusing on familiarity with Java, Spring, HTTP, HTML, CSS, JavaScript, TypeScript, Bootstrap, Angular, and MySQL.
Understand the teaching approach: present concept-first slides, then code in the IDE to demonstrate the concept with hands-on examples, and share developer insights to solidify knowledge.
Watch all the lectures to learn everything I teach and understand what will be on the tests; use the source code, review others' code, and ask questions in the Q&A.
Set up your environment by installing the Java JDK, Node.js, the Angular CLI, and MySQL. Configure your IDEs (IntelliJ or Eclipse) and Visual Studio Code, and use Google Chrome for debugging.
Understand the typical three-tier web application: a front end with HTML, CSS, JavaScript and Angular, a back end, and a MySQL data store.
Explore the front end as the visible interface on devices, delivered as HTML, CSS, and JavaScript from servers. It uses HTTP/HTTPS to fetch content and handle login interactions.
The back end hosts the core logic and data access, built with Java, C#, Node.js, or C++. Access it via HTTP, programmatic calls, or a CLI on a server.
Understand how data stores map to relational databases on servers, and how applications access them via Open Database Connectivity (ODBC) over TCP/IP with SSL for secure access to stored data.
Learn how the front end, back end, and data stores sit on cloud servers, with compute power and databases deployed in the cloud and accessible via HTTP or the AWS CLI.
Define a user domain class in a Spring app, implement Serializable, and model fields like id, userId, first name, last name, username, password, email, profile image, roles, authorities, and status flags.
Create getters, setters, and a constructor for the user entity, mark it as a JPA entity with a primary key, and enforce not-null and non-updatable constraints in the column mapping.
Define a uniform HTTP response domain class to standardize API replies, delivering a consistent JSON object with status code, HTTP status, reason, and message for both success and error cases.
Create a separate user principal to adapt your domain user to Spring Security's user details, mapping username, password, and account status while exposing authorities for access control.
Convert the application configuration to YAML and configure a MySQL data source, including URL, username, and password, while enabling show-sql, Hibernate ddl-auto create, and the MySQL 8 dialect.
Launch the application with the configured data source, then sign in with the default user to access the /user/home REST endpoint, which returns 'application works'.
Understand web application security as an information security practice, securing web services, apps, and websites on the internet against cross-site scripting, SQL injection, denial of service, and cross-site request forgery.
Differentiate authentication from authorization: validating credentials proves identity, and after login, access to resources is enforced based on permissions.
Secure your application with JSON Web Tokens (JWT) by authenticating a user and issuing a token. The token is sent with all subsequent requests to verify access to protected resources.
Define a security constants class to centralize JWT token settings, including expiration time, bearer prefix, token header, issuer, audience, and public URLs, enabling secure token generation on login.
Add the java-jwt library from Auth0 as a dependency in your pom.xml to generate and decode tokens; follow Auth0's java-jwt guidance for a secure implementation.
Develop a JWT token provider that generates a token from an authenticated user principal, then verifies it, extracts the authorities from the claims, and returns them as a string array.
Extend the JWT token provider with methods to build the user authentication, validate tokens, and extract the subject, using a JWT verifier, StringUtils, and the Spring Security context.
Implement a JWT authorization filter in Spring Security that validates tokens, authenticates users, and forwards requests, while correctly handling OPTIONS requests.
Explains how a JWT authorization filter validates bearer tokens, extracts the user and authorities, and sets the authentication in the Spring Security context for secured requests.
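As an added example (not the course's own code), a minimal token provider written against the java-jwt API from Auth0: issuing a token carries the username as the subject and the permissions as an array claim, and verification checks signature, issuer, audience and expiry before any authority in the token is trusted. The constant values, the `secret` parameter and the method names are assumptions.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class JwtTokenProvider {
    // Values below are assumptions for this example; the course keeps its own in a security constants class.
    private static final long EXPIRATION_TIME = 432_000_000L; // 5 days in milliseconds
    private static final String ISSUER = "example-issuer";     // placeholder
    private static final String AUDIENCE = "example-audience"; // placeholder
    private static final String AUTHORITIES = "authorities";   // name of the claim carrying permissions
    private final Algorithm algorithm;

    public JwtTokenProvider(String secret) {
        // HMAC-SHA512 with a server-side secret read from configuration, never hard-coded or logged
        this.algorithm = Algorithm.HMAC512(secret.getBytes());
    }

    // Subject is the username; the permissions travel as an array claim so the filter needs no database lookup.
    public String generateJwtToken(String username, List<String> authorities) {
        return JWT.create()
                .withIssuer(ISSUER)
                .withAudience(AUDIENCE)
                .withIssuedAt(new Date())
                .withSubject(username)
                .withArrayClaim(AUTHORITIES, authorities.toArray(new String[0]))
                .withExpiresAt(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
                .sign(algorithm);
    }

    // Signature, issuer, audience and expiry are all checked here; null lets the filter treat the request as anonymous.
    public DecodedJWT verify(String token) {
        try {
            JWTVerifier verifier = JWT.require(algorithm).withIssuer(ISSUER).withAudience(AUDIENCE).build();
            return verifier.verify(token);
        } catch (JWTVerificationException e) {
            return null; // tampered, expired or wrong issuer/audience are all rejected the same way
        }
    }

    // Rebuilds Spring Security authorities from the claim; only call this with the output of verify().
    public List<GrantedAuthority> getAuthorities(DecodedJWT jwt) {
        String[] claims = jwt.getClaim(AUTHORITIES).asArray(String.class);
        if (claims == null) return List.of(); // a valid token without the claim grants nothing
        return Arrays.stream(claims).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }
}
```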
Override the JWT authentication entry point to customize the 403 Forbidden response when authentication fails, building a JSON error from the domain response object with an object mapper.
Use the JPA repository to fetch user data by username from the MySQL database during login, validate the password, and enable token-based authentication via the security configuration.
Build a user details service for Spring Security by creating a user repository with find-by-username and find-by-email methods, and wiring the service with the @Service and @Transactional annotations.
Wire the user details service, JWT authorization filter, access denied handler, and authentication entry point into a security configuration, including the BCrypt encoder for password hashing.
Test the API security by configuring the stateless session policy and public URLs, and verify that unauthenticated access to /user/home is blocked. Add a timestamp to error responses with formatting and timezone handling.
Identify what an exception is and why it occurs during program execution, and handle it gracefully with best practices for API applications, including try-catch and secure responses.
Create and use custom exception classes in Java, organized under an exception.domain package, including email not found, email exists, username exists, and user not found exceptions.
Create a REST controller advice class to catch all exceptions in the Spring REST API, log the events, and use predefined messages for account and request errors.
Implement a reusable HTTP response builder and a dedicated exception handler for account disabled errors, returning a response entity with an uppercase status reason and message.
Implement custom exception handling in the JWT, Spring Security, and Angular app. Create handlers for credential errors, access denied, token expiry, and unsupported methods, each with a clear message.
Demonstrate testing custom exception handling by throwing specific exceptions such as email exists and user not found to verify consistent JSON error messages from the handler.
Define and implement user authorities and roles to secure the app, map roles to permissions like read, create, update, and delete, and enable account creation for authenticated access.
Define a roles enum (ROLE_USER, HR, manager, admin, and SUPER_ADMIN), map each role to its authorities, and expose getAuthorities to Spring Security so that user permissions are inherited.
Learn to implement user registration in the application by adding a register method in the user service to create and persist users with first name, last name, username, and email.
This lecture demonstrates validating new and existing users by checking username and email, throwing a username-exists or email-exists exception, and handling new registrations versus updates.
Demonstrate end-to-end user registration by validating input, creating a new user with an id, an encoded password, and roles, setting a temporary profile image URL, then saving to the repository.
Wire a POST register endpoint that returns the created user after saving, taking a request body with first name, last name, username, and email, and validating inputs to avoid duplicates.
Register a new user via POST /user/register using Postman, sending firstName, lastName, username, and email; observe the encoded password and the database entry for a user with the user role.
Refactor the authorization logic by renaming super admin authorities to admin authorities, moving repeated username and email lookups into the method scope, and introducing constants for error messages.
Test the registration flow by changing the YAML ddl-auto setting from create to update to preserve existing users, then verify the unique username and email checks via Postman, noting that this is manual testing.
Build a login endpoint that validates credentials against the database and returns a JSON Web Token. Use the token to securely access protected endpoints and share user information.
Develop a login flow that authenticates a user with a username and password, creates a user principal, generates the JWT header, and returns the user with the token in the response.
Test the login flow by sending a POST request to localhost:8081/user/login in debug mode and verify the JWT and user details in the response header.
Discover what a brute-force attack is and mitigate it with an in-memory cache that counts failed login attempts within a time window, locking accounts after a threshold.
Create an in-memory login attempt cache using Google Guava, configure the maximum attempts and the increment, and expire entries after 15 minutes to monitor and control failed logins.
Build a brute-force login attempt cache using a Guava LoadingCache. Initialize a cache with a 15-minute expiry and a maximum of 100 entries, and implement add, evict, and a maximum of five attempts.
Wire an authentication failure listener to capture failed logins, extract the username from the failure event, and cache it via the login attempt service.
Implement an authentication success listener that evicts a user from the login cache after a successful login, wiring the login attempt service and handling principal casting and safety checks.
Integrate a login attempt service to validate user login, track failed attempts in a 15-minute window, evict from cache, and lock accounts after five tries in Spring Security.
Test the authentication flow using breakpoints and Postman, verify successful login, then simulate failed logins to lock the account after five attempts and explore mitigation options.
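An added example (not the course's own code) that puts the Guava cache and the two Spring authentication event listeners together: a failed login increments the username's counter, a successful login clears it, and the user details service can ask whether the threshold was crossed before building the principal. Class, method and constant names are assumptions; the limits follow the lectures above (15-minute expiry, 100 entries, five attempts), and the listener class is package-private in the same file only for brevity.

```java
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.util.concurrent.TimeUnit;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Service
public class LoginAttemptService {
    private static final int MAXIMUM_NUMBER_OF_ATTEMPTS = 5;
    private static final int ATTEMPT_INCREMENT = 1;
    private final LoadingCache<String, Integer> loginAttemptCache;

    public LoginAttemptService() {
        // A username's counter disappears 15 minutes after its last write; at most 100 usernames are tracked at once.
        loginAttemptCache = CacheBuilder.newBuilder()
                .expireAfterWrite(15, TimeUnit.MINUTES)
                .maximumSize(100)
                .build(new CacheLoader<String, Integer>() {
                    @Override public Integer load(String key) { return 0; } // unknown user starts at zero
                });
    }
    // Called from the failure listener; getUnchecked is safe because load() never throws.
    public void addUserToLoginAttemptCache(String username) {
        loginAttemptCache.put(username, loginAttemptCache.getUnchecked(username) + ATTEMPT_INCREMENT);
    }
    // Called from the success listener so a legitimate login resets the window.
    public void evictUserFromLoginAttemptCache(String username) {
        loginAttemptCache.invalidate(username);
    }
    // The user details service checks this and marks the principal as locked when it returns true.
    public boolean hasExceededMaxAttempts(String username) {
        return loginAttemptCache.getUnchecked(username) >= MAXIMUM_NUMBER_OF_ATTEMPTS;
    }
}

@Component
class AuthenticationListeners {
    private final LoginAttemptService loginAttemptService;
    AuthenticationListeners(LoginAttemptService service) { this.loginAttemptService = service; }

    @EventListener // Authentication.getName() yields the submitted username on a bad-credentials failure
    public void onFailure(AuthenticationFailureBadCredentialsEvent event) {
        loginAttemptService.addUserToLoginAttemptCache(event.getAuthentication().getName());
    }

    @EventListener // on success the principal is the UserDetails, and getName() returns its username
    public void onSuccess(AuthenticationSuccessEvent event) {
        loginAttemptService.evictUserFromLoginAttemptCache(event.getAuthentication().getName());
    }
}
```

Only bad-credentials failures are counted; once the account is reported locked, Spring publishes a different failure event, so the counter stops growing and the entry simply expires.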
Define email constants in a simple Java file to configure SMTP, Gmail credentials, from/cc, subject, and TLS for sending a registration email with the user's password, which is stored encoded and not logged.
Learn to create an email session using JavaMail by adding the Maven dependency, configuring Gmail SMTP properties, enabling TLS and authentication, and returning the session instance.
Create a private method that builds a MIME email from a session, sets from, to, cc, subject, and a body containing the first name and password, and sends it via JavaMail.
Learn to send a new password email by creating the message, connecting to the Gmail SMTP server, and dispatching the email via SMTP.
Wire the email service into the user registration flow and send a new-password email using the first name, password, and email address, tested via Postman on localhost:8081.
Extend the user service to add, update, and delete users, reset passwords, and update profile images, using username, email, role, isActive, isLocked, and a multipart file for the image.
Define a file constants class with user image paths and folders. Create the user folder on startup and use Robohash to generate default profile images.
Refactor the user service by updating, deleting, and resetting passwords for existing users, with validation, current-user checks, password encoding, and profile image handling.
Implement user-specific role retrieval and robust profile image saving by creating user folders, replacing existing images, and updating the user's profile with the new image URL.
Implement the set-profile-image-URL method by building the user image path from the username and file extension to locate the image, and expose the user service functions via the resource for testing.
Java Spring Framework (Spring Framework) is a popular, open source, enterprise-level framework for creating standalone, production-grade applications that run on the Java Virtual Machine (JVM). Java Spring Boot (Spring Boot) is a tool that makes developing web applications and microservices with Spring Framework faster and easier through three core capabilities: auto-configuration, an opinionated approach to configuration, and the ability to create standalone applications. These features work together to provide a tool that lets you set up a Spring-based application with minimal configuration and setup.
Spring Boot is an open source, Java-based framework used to create microservices. It is developed by the Pivotal team and is used to build stand-alone, production-ready Spring applications. This course will give you an introduction to Spring Boot and familiarize you with its basic concepts. For practice, we will build a Spring Boot REST API that manages employees.
Spring Security provides authentication and authorization to applications using servlet filters, arranged as a security filter chain.
Web applications are susceptible to security threats and attacks, as they are accessible to anyone who uses the Internet. In this course, we will build a REST API that exposes endpoints restricted to authenticated users only, for managing employees: creating, updating existing, and deleting employees. We can use Spring Security to secure URLs. Spring Security is a security framework that secures J2EE-based enterprise applications by providing powerful, customizable security features such as authentication and authorization. It is the de facto standard for securing Spring-based applications.