
Master Spring Security fundamentals, including OAuth, JWT, and CSRF, by securing REST APIs, mastering authentication and authorization, and building coupon and product microservices with custom login and logout.
Navigate a complete hands-on Spring security course organized into short lectures, quizzes, and assignments that build on each other, with Java, STS IDE, and MySQL setup, plus an interactive Q&A.
Download the zip of the latest completed Spring Security projects from the lecture resources, unzip, and reference updated Spring Boot and Java projects as you work from scratch.
Access end of section assignments to test your knowledge, download the assignment solutions from lecture resources, and use the PDF with code and configuration as a reference, not for copy-paste.
Review course topics quickly by using the slides from this lecture's resources, downloadable as Keynote for Mac and PPT for Windows.
Install the latest Java JDK, download and set up Spring Tool Suite 4 for Eclipse, and configure STS to use a Java SE JDK rather than a JRE.
Install MySQL Community Server on Windows by downloading the Visual C++ prerequisites, choosing server-only installation, and configuring a root password. In the next lecture, validate the setup with MySQL Workbench.
Install and configure MySQL Workbench, a GUI client to connect to MySQL servers, create databases, and run queries for local or remote setups.
Install Postman, a RESTful API testing client, to test your microservices by launching the app, selecting HTTP methods, adding headers and JSON body, and using basic authentication.
Learn fundamentals of web application and web service security, covering authentication and authorization, confidentiality, integrity, and how tokens, signatures, CSRF, and CORS secure OAuth, JWT, and more.
Explore the six key Spring Security components: authentication filter, authentication manager, authentication provider, user details service, password encoder, and security context, and how they validate credentials for REST apps.
Discover how Spring Boot starter enables default security with basic authentication, then customize with Java config, form based login, and pluggable authentication providers including in memory, LDAP, or custom implementations.
Build a Spring Boot app and see Spring Security in action; configure basic authentication, explore in-memory user details service, and plan custom user details service and password encoding for production.
Discover how the basic authentication flow creates a JSESSIONID cookie on first login, stores user details in the security context, and uses it to authorize subsequent requests.
Learn how security configuration shifts from extending WebSecurityConfigurerAdapter to defining a security filter chain bean in Spring Boot 3.0, using HttpSecurity to set application security.
Explore Spring Boot 3.2 security API updates, comparing the old and new HttpSecurity configuration. Learn to replace the deprecated httpBasic call with withDefaults and implement request security using a lambda.
Expose a security filter chain bean in a configuration class to override defaults, then configure http basic authentication and require authentication for all requests.
Configure a custom user details service with an in-memory user details manager, adding Tom with an encoded password and read authority, and use a bcrypt password encoder.
Test a custom Spring Security configuration with basic authentication, validating the in-memory user details via Postman and confirming that Tom as user and Cruise as password are accepted.
Create a custom authentication provider by implementing the authentication provider interface and writing authenticate to validate username and password, returning a username password authentication token on success.
Comment out the user details service in the security configuration to use the authentication provider, then test with Postman after clearing the JSESSIONID cookie; wrong passwords yield 401 Unauthorized.
Enable form based authentication in Spring Security by replacing http basic with the form login method in the filter chain and test it with Tom and Cruise on localhost:8080/Hello.
Explore additional http security methods by adding a second endpoint, securing the hello and bye endpoints with request matchers, and enforcing authentication with deny all.
Learn to add a custom servlet filter in Spring Security, handling form login, basic authentication, and CSRF, by inserting it into the filter chain before the related filter with http.addFilterBefore.
Discover inbuilt spring filter classes you can extend, inject init parameters from web.xml with setters, and understand once-per-request filters and their handling of http servlet requests and responses.
Create a product via the product microservice and apply a coupon code by calling the coupon service through rest APIs, which stores coupon details and returns the discount.
Create the product and coupon tables for the microservices using the provided SQL, including product (id, name, description, price) and coupon (id, coupon code, discount, expiry date).
Create the coupon service Spring Boot project using Spring starter, selecting Spring Web, Spring Data JPA, and the MySQL driver, and review pom.xml for rest endpoints and ORM setup.
Create a coupon model with id, code, discount (BigDecimal), and expiry date, mark it as a JPA entity, and implement a CRUD repository by extending JpaRepository<Coupon, Long>.
Create a coupon rest controller to expose a rest API at /coupons, supporting post to create and get by code via Spring Data JPA.
Configure the data source by editing the application properties. Set spring.datasource.url to the JDBC MySQL URL localhost:3306/mydb, and provide spring.datasource.username and spring.datasource.password (example: test. one, two, three, four).
Test and verify the coupon service end-to-end using a Spring Boot app and Postman, creating coupons via request body, using path variables, and retrieving by code.
Create the product service project, define the product model with id (long), name, description, and price, annotate with @Entity, and implement a Spring Data JPA repository.
Create a product rest controller in spring cloud, expose a POST /product to accept a product via @RequestBody, save it with the repository, and plan future coupon service integration.
Configure data source by editing application.properties, setting spring.datasource.url to a MySQL JDBC URL at localhost:3306/myDB, and providing spring.datasource.username and spring.datasource.password.
Run the product service on port 9090 to avoid conflicts, then create a product via Postman with a JSON body and verify it in the product table.
Integrate the product service with the coupon service by retrieving coupon details using the coupon code from the request and applying the discount to the product price via rest template.
Demonstrate end-to-end integration testing between the product and coupon services, validating a super sale coupon discounts ten dollars and persists product data via a Spring Boot app.
Refactor the controller with specific http method annotations such as post mapping and get mapping to improve readability, removing redundant request mapping at the method level, and test the app.
Configure authentication and authorization for the coupon microservice by creating user and role tables, repositories, and a user details service, then enforce admin and user access via web security config.
Set up secure microservice access by creating user, roles, and user_role tables in MySQL, with unique email login, encoded passwords, and admin and user role mappings.
Add spring security via pom.xml, rename web to security, and create user and role entities implementing GrantedAuthority with getAuthority returning the role name.
Define the user–role relationship as a bidirectional many-to-many in JPA with a user_role join table and join columns user_id and role_id, fetching eagerly.
Create user and role repositories with Spring Data JPA, define findByEmail to auto generate a query, map to the User entity, and supply data to the user details service.
Implement a custom user details service that implements UserDetailsService and loads a user by username from the database using a UserRepo, returning a Spring Security UserDetails with roles and authorities.
Create a web security config using spring boot 3.2.2 and Java 21, with a bcrypt password encoder and a security filter chain for role-based access to coupon endpoints.
Test authentication and authorization by restarting the server, then verify coupon endpoints in Postman. Admin can post to create coupons; regular users can only get, with access governed by role.
Secure an http get endpoint by validating the coupon code in the URL with a regular expression enforcing uppercase letters, returning 403 when it doesn't match, tested via Postman.
Build a secure coupon service front end with custom login and registration, coupon management, and endpoints protected by a custom web security configuration, role-based access, and logout.
Add the Spring Boot starter thymeleaf dependency to your pom.xml alongside Spring Web and Spring Security to enable thymeleaf templates for the upcoming web app.
Set up a coupon web application using Thymeleaf templates and a Java rest controller, configuring resources and implementing create and get coupon flows.
Configure form-based authentication and role-based access in the web security config to render index.html, protect the create coupon flow for admins, and save coupons via a post request.
Explore securing the get coupon workflow with spring security fundamentals, enabling both user and admin access to show get coupon and get coupon forms via http get and post.
Implement a custom login by creating a security service and its impl, load the user by username, authenticate with the authentication manager, and store authenticated token in the security context.
Create the login view and user controller to handle login with email and password. Authenticate via the security service and redirect to the index on success or login on failure.
Enable explicit saving of the security context in Spring Boot 3 by turning on save to true and injecting a security context repository to persist the login context across requests.
Enable explicit security context saving, expose a delegating security context repository and http session security context repository, and adjust the login method to pass the http request and response.
Configure a custom login in the web security config, permit all for the login page and absolute url, then test role-based access by admin and non-admin users managing coupons.
Explore how Spring Security handles logout in a Spring web app, routing via the logout URL, redirecting to the login page, and optionally deleting cookies or invalidating the session.
Implement user registration by submitting a form with first name, last name, username, and password, encoding the password, saving the user to the repository, and redirecting to the login page.
Configure and test user registration by wiring the register flow, encode the password, assign the role_user, and verify access to the get coupon page after login.
Learn how cross-site request forgery works and how Spring Security uses cookies and a generated CSRF token in forms to secure post, put, and delete requests by default.
Learn how to enable and use CSRF in a Spring Security app with Thymeleaf, automatically including a hidden _csrf token in forms and enforcing token checks for secure logout.
Learn to customize CSRF behavior by using the CSRF configurer with the lambda syntax CSRF customizer to ignore URLs or request matchers, including ant patterns, regex, and MVC request matchers.
Learn how CORS enables cross-origin resource sharing between a React frontend and a Spring Boot backend, and how to configure origins, methods, and headers to avoid blocked requests.
Install node.js and the create-react-app cli using npm i create-react-app, then verify installations by running node -v and npm -v to initialize React projects.
Create a React frontend and configure spring cors to allow the frontend to access the coupon REST service, exposing endpoints, installing axios, and resolving cross-origin issues.
Learn to customize cross-origin resource sharing in Spring Security by implementing a CORS configuration source with a lambda, returning a CorsConfiguration that sets allowed origins, headers, methods, and credentials.
Explore the Spring Security testing module to write integration and unit tests with the @WithMockUser and @WithUserDetails annotations, simulate security contexts, and validate authorization, CSRF, and CORS on REST endpoints.
Configure Spring Security test dependencies, set up @AutoConfigureMockMvc, and write tests using @WithMockUser and @WithUserDetails to verify authorization, CSRF, and CORS across scenarios.
Set up and test a coupon service by securing endpoints with method-level security using @PreAuthorize and hasAnyRole, then add Spring Security test dependencies.
Test the security of the get coupon endpoint with and without authentication using MockMvc, covering negative and positive scenarios with OAuth and mock user roles.
Test CSRF and roles by validating the create coupon endpoint using MockMvc, with and without CSRF tokens, and with admin vs non-admin roles to verify forbidden and OK responses.
Simulate a browser-like test for CORS by sending an OPTIONS request to a URL, then verify the response includes access-control-allow-origin: * and allows POST from any origin.
Test CORS across origins by sending an OPTIONS request and verify headers like access-control-allow-origin: * and access-control-allow-methods: post, confirming cross-origin sharing works.
Use @WithUserDetails to fetch actual user data from the database via the user details service, placing the actual user in the security context for testing instead of using mocks.
Test the authentication flow by enabling HTTP basic authentication for RESTful services and verify that unauthorized requests return 401 instead of 403, while other tests cover authorization and CORS.
Replace @EnableGlobalMethodSecurity with @EnableMethodSecurity in Spring Boot 3.0+, and preview configuring method-level security via a configuration class.
Enable global method security and use @PreAuthorize to secure methods across controllers, services, and repositories with Spring Expression Language, demonstrated by admin vs. user access and 403 outcomes.
Learn to apply the @PostAuthorize annotation in global method security, executing after method completion and before results return, using returnObject to filter data like coupon discounts.
Explore other annotations in Spring Security beyond @PreAuthorize and @PostAuthorize. Enable method security and use jsr250Enabled and securedEnabled to support @RolesAllowed and @Secured.
---
Sample of the reviews:
Very good course Similar to Other courses of Bharath, I am watching / following Bharath from nearly > 10 years starting from his youtube channel, Highly recommended course for everyone to get the basics strong on Spring Security, Bharath has a very good teaching skills like complex topics explanation in a very easy and understandable way with beautiful examples and without wasting time he will get to the point of topic in each lecture, Thank you very much for providing such a great courses which are very very helpful to us, Your teaching effort and designing course and flow is simply amazing, All the best and wish you a good luck Bharath. - Shiva Kiran
Great course to learn Spring security from scratch. Trainer has good working knowledge. - HIDAYATHULLA KHAN
---
All source code is available for download
Responsive Instructor - All questions answered within 24 hours
Professional video and audio recordings (check the free previews)
----
Are you a Spring Boot developer interested in learning Spring Security in detail? Then this course is for you. Are you an experienced Spring developer who wants to use OAuth, JWT and more to secure your web and REST microservices? Then this course is for you as well.
Security is a very important aspect of every application. Looking at any Java/Spring developer job posting you will see OAuth, JWT and more. This course is designed for experienced developers as well as complete beginners to learn and use Spring Security.
You will start this course by learning what and why we should use Spring Security. You will:
Master the fundamentals of Security
Updated to the latest Spring Boot 3.X Version
Learn what and why we should use Spring Security
Learn the Architectural Component of Spring Security flow
Understand the Authentication and Authorisation flow
Secure a Web Application using in built components
Secure the Web Application using custom components
Learn the concepts of OAuth
See OAuth in Action
Create OAuth Client Applications
Configure JSON Web Tokens JWT
CORS CSRF and more in easy steps