Transcript for:
Software Development and Security Essentials

and now it's time to focus on security see the thing is when you talk about software development of course we build projects and then in that process basically we have to first learn the language we have to learn the Frameworks and then we start implementing the project the most important thing in a project when you build it is it should work of course right if your software is not working then all the other aspect doesn't make any sense so the first thing is focus on building a working product next is the project or the software should be stable I mean we build projects which works and then suddenly it stopped working for few inputs and then uh maybe because of some issues it gives you other issues now that means your software is not stable and most of the application which I use on my phone are not stable right U even it can be a banking application I mean the only thing which works perfectly I think is calculator right apart from that you will see bugs in most of the software and it will be no software in the world is 100% bug proof and if you think that one of the software is bug proof maybe we have not done enough hard work to find the bugs but yeah it will it will have some bugs we have to make sure that you reduce the number of bugs at least the major bug should not be there and by doing that you're making it stable so in Java also we can do that with the help of handling the exceptions and stuff then the most important thing which comes here is the security and we know know the importance of security right and that's why on your phone as well you implement the locks maybe it can be your fingerprint reader or your face unlock or using a pattern or a password we do keep the password as 0000 just to make it easy but again not a good idea uh still we know the importance of security Now whatever we have built till this point and whatever we have learned in the project which we have built is not secure because anyone can go there anyone can do anything with the 
project uh what if you want to make it secure you'll be having multiple users not everyone should be able to do everything example if you are building e-commerce uh we will be having different rules there so someone the seller will add the product the buyer will buy the product right so everyone will have different role and they have to log in to achieve those roles and that's how you can basically you can secure it and that's not the only way you can secure it there are multiple ways of securing it but as a developer we focus on uh login log out or with the help of username password or maybe some other formats so yeah so how do we Implement security Now if you're not using spring if you're using a normal s JSP to build web application implementing security is a big task I mean trust me if you spend 10 hours building a product you'll be spending another 20 hours securing it but Spring Security will make your work easy how we'll see that step by step but then how do we know how do we secure the application what are the steps you have to follow sometime we feel that it is secure secure and then some hacker will hack it by showing hey it's not secure then you will secure it it works in the normal applications but think about banking application think about uh uh Healthcare records U so sometime we are not sure how do we secure it we don't want to wait for someone to hack and then tell us that's how I can hack your software or the application now to do this uh we have something called oasp now oos stands for open web application security project and what they do is every four years they release some important security measures which you can take or some issues and then you can work on those issues and make sure that you don't have that in your project and they call it as oasp top 10 so if I click on this top 10 here so you can see these are the top 10 risk of 2021 so they release this in every four years so the next version or next update is expected to be coming into 
2025 so depend upon when you're watching this uh so you can look at the recent uh top 10 so this was 2017 this is 2021 and these are the measures these are the security risk and you can just go through this it talks about access control cryptography uh how do you encrypt and how do you decrypt which standards you following are you handling the injection attacks U then designing is it is it your the way you design your software is it secured there are lot of things which are mentioned here uh I would also add a link of OAS top 10 in the description I already made a video on this so you can have a watch but make sure that you follow this to understand different security issues which we have okay so the good thing is if I mean if you are not using spring then you have to think about all those things you have to implement them step by step now when you use a framework like spring which has its own uh security implementation which is called Spring Security it takes care of most of these things and it by default it will say hey you're doing this maybe it will not make your web secure so do this and it will give you suggestions as well it will restrict you to do certain things and if you follow that you're basically making your application secure and what I'm talking about you will get to know that in some time uh I mean in the upcoming videos so now let's try to build a project and let me show you how easy it is to secure your application using Spring Security so to do that what I will do is first of all let's create a new project of course I can edit my existing project but I want to show you how do you start a project thinking Security in the mind okay so let's go to our start. spring.io and here we'll create a mavin project with Java language uh this is 3.3.1 the group ID is com. 
telescope uh the artifact ID is Spring Security example of course you can use any name doesn't matter and packaging will be J versions 21 now dependencies of course you can secure different type of applications uh example if you are securing your Hardware let's say I have this this uh uh phone with me and I want to secure this basically I can just keep it in a room and I can lock the room so that no one can access it that's external security but what if someone can hack it online so for that we have to build Spring Security so I'm basically trying to secure a web application using sping security so I want to have a web feature uh I will also get Dev tool just in case if I want to use that we can also use database see ultimately when you say login usern login password you may want to store that in database so of course we need to have database as well but maybe we can add database part later at this point just try to keep it simple uh so we got web and uh Dev tools I will get now Spring Security Now this will make your app secure and I will click on generate so it will download the project that the only thing we have to do is we have to unzip it and open that in the intellig idea Community version so unzip done I will just open this project now so this is a project I will click on open and yeah I got my project here so basically I got Spring Security project and now uh I want to test it if this is working so what I will do is to start with I will disable the Spring Security part so at this point I will just say comment and reload the mavin changes that's important now when you once you reload you don't have Spring Security in the project so it is it is normal spring boot application and I will go to SRC in the main I will create a controller because at this point we don't have any controllers and if you want to secure you need some resource to secure right so let's create a resource and I will say this as a simple hello controller nothing fancy a simple hello 
controller and here basically what I'm going to do is of course I have to make it controller and I'll make it rest controller I don't want to create the uis I will simply go for the rest end points and here I just want one method and we have used this before so I will simply say greet and this will basically uh get mapping and the URL is homepage so whenever someone request for the homepage I want to return welcome to teliscope that's it nothing fancy just a simple text okay so for the homepage this is the text I want to return I want to check if this is working so I will go back to my application and here I will click on run this should run on port number 880 is free and it should be free so if I look at here yeah it is running on port number 880 how do I verify this I will open a browser okay so I got my browser here and I'm going to hit Local Host 880 and you can see it says welcome to theis scope now this is the resource I want to secure of course this can be a very complex Resource as well something which interacts with the database or maybe it is doing some bigger task it doesn't matter right resource is a resource maybe you want to secure your a simple pen or maybe you want to secure your gold chain both are resources you will need a locker to secure it so how do we secure this what I want to do is uh if someone request for the homepage it should first open the login form of course right there should be a login form that means we have to create a UI for the login form that's one next when a user enters the details the username and password we have to verify that in the back end how do I verify that maybe I need a database where I will have username passwords lot of steps right okay let's do that in this video or maybe in the next video Let's see uh okay maybe you can judge by the length of the video how difficult it will be so what I will do is I will just go back here uh to the pal and I will enable this Spring Security because now I want to secure it and 
just by enabling it let's see if the if the application still works I will just reload the project and let's see what errors you get so that we can focus on the building a login form and other stuff okay so now I'm hitting the same URL which is Local Host 880 if I enter oh this is weird and awesome at the same time weird because I was expecting some error or maybe it should say something that you don't have a login form and the awesome thing is Spring Security is giving you a login form just by adding the dependency but the question is is it just a login form or is it working okay now that's tricky first of all I'm not sure what the username password is I'm just guessing so maybe the username will be user actually the username is user but what about the password is it the user let's try sign in no it's not working so you can see it says bad credential so just checking something I'm saying user uh password should be naven no it's not working maybe it's not even picking my local uh I mean desktop name so what will be the password and username username is user for sure the password where do I where do I find the password now if you go to the console and if you if you scroll up can you see that it says using generated security password is this this is the password I can simply copy this and go back here and paste it and voila so just by adding a dependency it is giving you a login form it is also giving you the logic to check if the username password is correct and it is doing that okay now now let me show you it's actually working if I open the another tab another incognit to tab here or private window for Safari and if I say Local Host 880 it is still asking for the login form so it maintains the session as well but if I open a normal tab or let a new tab and if I hit the same URL it is not asking for the login form so session is also maintaining so a lot of things is doing doing behind the scene right this is cool now we got this right and this perfectly makes sense 
but it also says something it says this generated password is for development use only don't use it in the production okay that's good also we only got one password in your system you'll be having multiple users how do I achieve that how do we have multiple username password and now you might be thinking there should be some magic where Spring Security will have all the username password no Spring Security is Magic but it's not actually a superhuman can I say that or in India we say rajnikant I'm not how many of you know this context but yeah so Spring Security has no idea what username password you'll be going to use and that's why you have to use database how we are going to do that let's see in the upcoming videos but we have to do a lot of work to secure it with the help of username password but the main thing what it has done is it is giving you a login form it also gives you one more thing what if you want to log out so you can just use a URL here and say log out enter it will say are you sure yes I'm sure log out and then if you're thinking this is just a UI gimmick uh no let me just just open this tab once again and I will hit the Local Host 880 it is asking you to sign in again so log out actually works it's not just a gimmick where you see a UI which says log out done it's actually protecting your application so once you log in once you log out it's gone okay and uh but yeah there are a lot of things we have to talk about and we'll going to discuss that in the upcoming videos but this point we just added the dependency for Spring Security and it is giving you a login form if if you want to change something if you want to change a password you can do that in the resource so in the application properties you can set your username passwords here but again you can only set only one username password maybe you don't want to go for this password every time so maybe a Super Root uh password you can set it here username password uh but the ideal way is to work 
with database so now we got a default form using which you can log in right but then I want to change one thing and then during that process we'll understand different concepts in between uh the thing which I want to change is the username and password because by default you are getting a username as user and the password you are getting in the console I don't want it I want to have my own password so that's one thing but then there are certain things which you have to understand in between first of all who is handling the security part here how exactly uh when we are defining the controllers someone else I mean that someone else is your page the login page is coming in between how that is possible next I want to talk about the session so when you log in I can access the same page multiple times I'm I mean not just same page in the application if you have multiple controllers in this case we only have one but let's say if you have multiple controllers do we have to login for each request uh not exactly because we have something called session behind the scene how that s is getting created and if I want to see the session ID can I can I do that so I want to check that as well and then what if I don't want to use a login form what what if I want to do that from a postman can I do that so Postman basically any rest client uh can I do that so let's try that everything in this video so first thing how that login form is coming there when I'm requesting for the homepage see to understand this let's go back to the basics of spring web see when you create controllers so let's say we have this box here this is your server and the most important thing here is the controllers right so this are the controllers which you're calling now let's say this is your uh home controller this is your add controller or this is your check balance controller so let's say if you have a bank account or you want to check your balance so we got multiple controllers here right and a client will 
send the request right so that's how the flow goes right so client send request response goes from the server to the client right everything is good of course the object here is the HTTP request object this is HTTP response object uh which we get from the server and this is your container now if you talk about this controller here behind the scene these things are running on a Sate container see as I mentioned before spring web comes into two parts one is a Sate way which we are doing now and then there's also reactive way we are not focusing on reactive here spring reactive we are only focusing on the spring web now in this every controller gets converted into seret behind the scene so basically you are able to run this on Tomcat because of that servlets so all these things all your controller gets converted into servlets okay so this is running on on the seret container now this is your Tomcat which is a serlet container right but then before the request goes to the controller we got something here which is called your front controller so this is your front controller also called a dispatcher salet so every request from the client when it goes to the controller which you created it goes through the dispat salet but before it goes from the dispat salet there are more things there by default we don't invoke them or even if they are there they're just passing it but we can customize it so when you add Spring Security we are calling those things those things are responsible but what are those things so those things are your filters so there's a filter chain here so I don't have horizontal space I will do that in vertical so basically what you have is you have something called a filter chain here so request goes from the client to the filter first this is your filter chain and then from here it goes to the front controller and then from front controller it interacts with different uh different controllers here now what is this filter chain in the filter chain you will 
be having multiple filters this is filter one let's say F1 this is Filter 2 this is filter 3 and I'm not saying that you'll be having all this filter by default there might be few filters there might be more filters it depends upon how you configure your application by default there are certain filters but then when you talk about Spring Security it adds its own filter here okay okay so what it does is when the request goes from the client to the server the the Tomcat it looks for the filter first do we have any filters now sping security says yes there are filters multiple filters not just one let's check what are those filters are in the earlier version we used to see those filters here for some reason just not coming in the console uh not sure why so what I will do is I will ask my co-pilot to give me the security filters okay so you can see it is giving you a list of filters 11 filters but I think there are more filters which is not showing uh so if you scroll down or if you scroll up basically here uh we got security context persistance filter we got logout filter we got username password authentication filter now this is what was working when we got the login form so even if you're ACC accessing for the home controller it says hold on uh you are not logged in so let me take care of it so this filter comes on picture then we got login default page generator filter page authentication filter request cashier aware filter there are lot of filter here as you can see uh but I think there are more which is not showing so there are a lot of filters of course you don't have to remember all because Spring Security will take care of it but when you want to customize it yes you can customize those filters then you need to know those filters and this filter so F1 F2 which I'm showing here these are those filters uh by default that it it applies some filters to you and that's why it is giving you a login form now behind the scene how this Filter Works is it works in a 
chain format so when a request goes to the server it says okay let's execute F1 F1 can decide I I mean F1 I can actually change data as well let's say if you want to add two numbers uh 2 + 5 it goes to the filter checks I mean using filter you can check uh are those two numbers actually integers or are there two numbers bigger than five so whatever filter whatever condition you want to add basically you can do that in the filter you can change the request you can change the response as well because response goes in the same format so if the request goes like this the response goes like this right so it goes to the filter so you can change the request you can change the response and whatever you can whatever you want to do uh but here we are not changing data we just checking if the user is logged in or not so one of the filter here acts like a login filter it says Hey the user is not authenticated let's send the login form okay but let's say if the users logged in already and by sending the session ID they can basically check if the user logged in yes don't ask for the login page let's send the request so that's how this Filter Works and they it uses some something called chain as I mentioned so this filter will send request to F2 F2 will send it to F3 F3 so there's something called Next filter or do filter chain so it goes for the next filter I hope now things are making sense how exactly uh when you call a controller the security part is getting activated is because of these filters we have talked about a lot of things now let's go for the second point which is the session ID so when you say this session is getting generated because if I relaunch this and of course it will give you a new password okay this is a new password I will just copy this because I want to Rel log in and just refresh this just wanted to make sure I'm not logged in and now I'll be saying user and this is a password sign in now I'm logged in right and it doesn't matter how many time I 
refresh I can still see the the same page it's not like it is giving me the login page but after log out it will give you the login page what if you are changing your browser so when you change your browser you got a new instance right a new particular application even that will ask you for the login uh just to show you the proof I'm opening my Chrome local 880 it is sending a request for the homepage now the inspect element of chrome is better than Safari I've never tried on Safari let's try on Chrome so I will do the same thing again same password enter I'm signed in how do I check this session ID you can check it from here right so you can just go back here and say inspect more tools and developer tools okay so here uh if I refresh once again let's go back to the con Network Tab and here if you can see we got continue so basically that's a a query parameter they're sending but not required this is request for the homepage okay this is request for the homepage I will click here and if you see there are certain things here one of the thing is the session session ID if I click on this uh you can see s session ID so this is a part of a cookie and this is your session ID so that number the alpha numeric number which you can see here it's it's actually hexa code uh that's your session ID and every time you log in it will change let me show you so we just refresh this and now send the request for the log out yes I'm sure and if I go to log out new session ID or is it the same thing even I forgot what was session ID before doesn't matter let's create a new user and I mean new login sign in and request for the Local Host because you can see we don't have question mark continue there so it says Local Host and we got a new session ID there if you can see the number has changed if you remember the old number but what if I want to print this here in the response just to see if the session IDE is changing or not you can do that from your code so just go back here now if I 
want to print this session ID what I can do is I can just go back here and get the hold on the HTTP svet request so as I mentioned before behind the scene everything is svet right even the controllers are svet so it will have two objects the request object response object they're called HTTP Ser request object and HTTP seret response object I just want a request now don't want to play with the response one so this is the HTTP Ser request object which I got hold hold on now this request object has multiple methods and just want you to confirm so this HTTP solve request should be a part of jakara server. HTP package okay with this object I can simply say request. get session dot get ID so this is this will basically return the ID let's relaunch the application because we have changed the code and we got a new password so let's copy this as well go back to your browser I will stick to whichever Safari is there in fact let's hit back to Chrome itself okay so first of all we'll do the I mean it will log out by default because we have restarted the application no no no session is still there okay so now let me just log in once again and sign in so we are logged in and you can see we are printing the session ID as well so if I go to Local Host you can see this is the same value which you can see there right I hope you can see see this font size but yeah this is this is the same thing and every time you refresh you will get the same SE ID and not just for this particular URL doesn't matter which URL you go to you will get the same session ID but yes if you delete your cookies this will be gone so you will be logged out automatically it's as simple as that so that's the session ID which we were trying to print and of course we can have multiple controllers you do that with let's say I want to print the about content I want to add two numbers whatever you want to do just check if you're getting the same session ID okay what next the next thing I want to do is uh I want to 
change the username password I'm not happy with the password which is is generating here how do I change it see one of the filter which is the username authentication filter if you remember one of the filter we have here which is this uh this checks if you have your username password mentioned in the property files if not it will simply create its own password what we can do is we can add the username password so for doing that you can say spring. security. user.name and you can mention the name here so I'm going for name naven and spring. security. user. password and I'm going to set this as teliscope so the username is naven the password is Tesco and this is a property okay I know in the community version it will not highlight much if you're using ultimate version this looks good but yeah let's use community so now with this let's restart the application and go back to the browser so first let's hit the log out and now we are logged out so let's try with the user and in fact what about the password is it is it generating the password if you scroll nowhere it is generating a password because it knows now that you have your own password so let's try with this password first which is theis and I will say sign in no bad currenti so now I will try with naven and TCO sign in we are in okay it says save with the password no because I'm going to change it okay so now if you refresh you're still logged in and you can access it multiple times is that good so now you have your own username password I know I know what you're thinking uh what about different users different username passwords we'll do that in the upcoming videos but yeah at least we can change the username password I want to do one final thing which is uh logging in through the postman or maybe any UI tool or any rest line tool so I do have Postman in this machine so will just uh fire it so that's Postman used it for some other URL this time I want to hit Local Host colon ad8 this is the homepage and send 
okay so you can see we got an status code which is uh 4 41 unauthorized that means you are not allowed here you know why you're not allowed because you're not sending the username password how do we send that so if you can see we have a tab here which is authorization and by default there is no Au we have to say hey I have a username password and to do that you will click on basic Au there are multiple options here we got JWT barrier token multiple options I will stick to basic o now and let's explore others later basic o so let's enter the username which is naven and the password is tcore in fact let's give some wrong password tcore one send still unauthorized thereis go and we got the response it says 200 we are happy and it generates a new session ID because a new login so you can see this session ID is not matching with this so different users different session ID okay uh looks good so that's how basically you can change the username password you can access it through the postman now we understood also how Filter Works we have seen that in the diagram here in this video we'll focus on csrf which stands for cross-site request forgery but why exactly we have to talk about this and we'll do that with the help of an example okay so two things one we'll talk about the theory we'll also see that how it works in the example which we are doing so let's get started so let's say uh till this point what we are doing is we got a client right from where you are sending a request and of course this client can be a postman this client can be a browser or any other application and then we got a server here right and then uh this is a server which we are building in Spring boot so this is your spring boot uh server and now when a client sends a request of course we are implementing security that means whenever you send a request from client to server you have to also send your loging details for the first time if it is not there then of course it will say hey who are you you 
will not get the access and we were getting the errors right so that's why we have to first enter the username password um you have to login now when you log in what happens is when you pass the username and password by doing login what you receive from a server is success of course all also you receive a session ID so if I want to show you the running project so this project is not running now let's run this and let's hit the URL so this is a login form you are getting right and when you say username password so let say naven and Tesco enter you got this message which is welcome with alisco but also you received a session ID so if you refresh this multiple times every time you will get the same session ID and that's how the server knows hey this person is logged in so let's not ask for login again right so doesn't matter which URL you hit you will use this session ID so that means what you have on your client is the session ID so every time you send a request let's say if you want to get details about a particular resource in that case also you have to send the session ID so till you have the session ID what about the ID is let's say 1 2 5 6 that's your ID now if you have this ID Ser will verify and server says okay you are already authenticated user I will give you the access so this is good right you don't have to log in multiple times and I don't remember last time when I used Gmail when I logged in so basically every time you use these famous applications you normally prefer them to have stay signed in which means you every time you go there on your browser you don't have to log in again is it good of course it will save your time is it bad sometime let me tell you why so let's say I'm using a third party resource here any website which is not good uh I mean most of the applications are secured but let's say if you go for downloading a PIR movie and when you you visit a particular website which you should not of course you get things for free there but what 
you don't understand is most of these websites are malicious they run some script and they will steal from you then you will say how so let's say I visit to a particular website which I should not let's say I'm downloading a particular crack version of a software and I'm going to this website and it says hey get this software for free I'm so happy and then when I'm downloading it while in that downloading it will give me some popup allow download or allow this file access and you say okay allow everything allow because I want this software and now this particular script which is there in the malicious I will name this as a malicious software I know my handwriting is bad but you got the point right so if I'm going to this malicious software this will what this will do is this will run some script and it will get this session ID because I'm already signed in from this particular machine and then it will send request to the server now server thought hey you know uh this I got the request using this session ID and this it's valid so it will give the access and then this particular malicious software or the website is stealing my information that's wrong but it happens and that's why you should not go to some weird websites now if you talk about this thing how do we stop this and this problem is called csrf which is cross site because it is from other website request forgery because they have they're doing the request on your behalf and we need to stop it and by default your Spring Security will take care of it I will show you how but then when you talk about the protocol called s TP it got multiple methods right it's not just one so csrf works with uh I mean when you talk about csrf sttp by default give you different methods right so you work with get for fetching data you work with post uh you work with put you work with Delete now when you talk about this methods like put post delete they actually change something on the server and by default it will take care of the 
CSRF. So Spring Security will not allow you to do these operations if you're not handling the CSRF, but GET is a bit normal, right? So it will allow GET. Now the question arises, how will you make it work, how will you secure it? Now if you go back here, don't you think this session ID is wrong, which should be created every time? So what I feel is you should get a new session ID every time. See, HTTP by default is stateless, right? So it will not remember who you are, and that's why we have this session ID, which will remind the server, hey, I'm that person. But what if you generate a new session ID every time? So of course even if someone is hacking your session ID they can't get access to it, they can't actually access the server. That's one. The next way you can do it is, every time you send a request to the server, the server should generate a token, a unique token, and you can send that token every time you want to send the request. I mean that will be solved, right? And that is called the CSRF token.

Okay, let me show you where we can see that. So if I go to the browser and if I say log out, because we are changing some data on the server now, so if I say log out, of course we got this page, but if you see the view source of this page, okay, now this is the thing I want to do on my Chrome browser, so login, no thanks, okay. So if I do a log out from here and we got this page, let's go to the view source, and this is the source. Now if you observe, there is a lot of content, actually not, but yeah, we have some content on top here, but there's a special input tag which is by default hidden, it's not there on the page, but then it has a value. So we got the name, _csrf, and then this is the value. So if you can use this token to send, your job is done. But how will you do that, and how will I know this token first of all? So to understand this let's create an example. Okay, so let's go back to the project and let's understand this step by step. What I
will do is I will create one more controller here. I will say Java class and I name this as StudentController. Okay, and in this I will have some operations. So first of all I will just make this a rest controller, and here I will have some methods for getting all the students. But I want to represent Student as well, right? I should do that in a separate package, but since we are in the learning phase I will put everything in one package. So that is Student, and in this Student I will create some variables, so private int id and private String name, and let's say marks, so private int marks. Okay, so we got these three fields, and for these three fields I need getters and setters. Of course I could have used Lombok, but let's say generate getters and setters for all the variables, and also I need a constructor, a parameterized constructor here for all three variables, and next I need a toString to print it. Okay, so we got these things here in the Student, and now in the controller basically I will create some objects. I'm not making it a component, because normally for normal POJOs you don't make them components, standard practice, okay.

So I will create a method here which will return me the list of students. So let's say from the browser, if I want to access, let's say if I go back here and refresh, it is still working. So let's say if I request for /students, of course you will not get anything because we don't have a mapping for it. So when I call for /students it should print the list of students. So here I can return a List of Student, import the package, and here I will say getStudents. So I should do the mapping as well, so this will be for GetMapping and I'll be doing /students. So whenever someone requests for this I will execute this method, and this should return a list of students. I don't have it, so ideally if you think about the application, the data should be there in the database, there should be some more layers, repository layer, service layer, but let's
say I'm skipping those things now. I will just have that here, again not a good idea, but it works for this scenario, I mean for the example. So I will say List of Student and let me have some hardcoded values, so List.of. Okay, so I want to have the first object, new Student, it should have some values, let's say 1, Navin, and let's say some marks, 60, and let's add only two objects, so 2, Kiran, and let's say 65. Okay, so we got two students, and now here I want to basically return those two students, so I will say return students. Our job is done, right? So this will return the data, and now if I refresh, let's see if this works. So restart done, let me go back to my browser and refresh, and you can see we got data. So this is working, right? And this is awesome. So we got this data here. I just want to check if the security is still enabled, yeah, it's enabled. So you can see we got the data.

But what if you want to create a student? So let's say I go to my Postman, now this time we do it with Postman, and I want to get the students, and if I say send, you can see we got data, and we are passing the username and password as well. But now this time I want to create a new student. So let's say we got these two students and now I want to create a new one. I will just use this data and let's create a new student. So I will go to the POST request, I want the same URL but this time a POST request, and in the body I want to have this data, so this should be 3, let's say Harsh, and Harsh got, let's say, 70. So we got this data there, and now ideally what should happen is it should give you an error that the method is not there. If I click on send it is saying unauthorized. This is weird. What I will do is I will go back to my code and I will disable this Spring Security just to see what happens, what type of errors you get. So Maven reload done, now we are not implementing Spring Security, and I don't even want to pass the authorization data, I will keep it No Auth because we don't have Spring Security now, and in the body I
want this data. First of all I will try to send. Okay, so you can see this is what I was expecting, it says 405 Method Not Allowed, but what you got is unauthorized. Now that is weird, but first of all let's create this method so that you will not get this error. So go back here to the code and let's create a method which will accept the post mapping. So I will say PostMapping, and here I will say /students, the URL is the same but the mapping is different, and this will return a Student, whatever student you're adding it will return the same student, and I will say addStudent. And here basically I want to accept that student, so I will say @RequestBody Student, let's say student. I'm accepting a student, and this student I want to add to the list. How will you add it? It's very simple, you say students.add and you will pass the new student. It is that simple. Again, of course it should be in the database, but since we are doing hardcoding here this works. And we have to also return the student, so return the student, whatever you are receiving, let's send that. So we have implemented the method. I will just restart the application and let's see, will it work? Let's go back and click on send, so you can see it says OK, that's good, and if you try to fetch all the students now, you can see we got three students. So this is working, right? We are happy.

But as soon as you enable this Spring Security, let's see what happens. I'm enabling the Spring Security now, restart. Okay, so let's try to do the get students first. I will click on send, and of course we are passing authorization so it will work. But if you go back to POST and now if you try to add the same data, and in the authorization we have to go for Basic Auth with the same values, click on send, it should work, right? It's not. It's because the CSRF token is not there. So whenever you do any update request like PUT, POST and DELETE, where you are changing something, the CSRF token you have to send, otherwise it will not work. Okay, how will you make it work then?
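Added example, not the code from the video: the StudentController as built up to this point, together with the /csrf-token endpoint that is added a little further on, so the Postman steps (GET, POST, fetch token, POST with X-CSRF-TOKEN header) can be reproduced against it. The package name and the record form of Student are assumptions made here.

```java
package com.telusko.springsecurity;   // package name is an assumption

import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// The Student POJO from the video (id, name, marks with constructor, getters and
// toString), written here as a record so it fits in the same file; Jackson can
// read and write records, so @RequestBody still works with it.
record Student(int id, String name, int marks) {}

@RestController
public class StudentController {

    // Hardcoded data in place of a database, repository and service layer.
    // Wrapping List.of(...) in an ArrayList matters: List.of alone is immutable,
    // so the add() in addStudent would throw UnsupportedOperationException.
    private final List<Student> students = new ArrayList<>(List.of(
            new Student(1, "Navin", 60),
            new Student(2, "Kiran", 65)));

    @GetMapping("/students")
    public List<Student> getStudents() {
        return students;
    }

    // POST changes state on the server. With CSRF protection on, Spring Security
    // rejects it unless the request also carries a valid X-CSRF-TOKEN header.
    @PostMapping("/students")
    public Student addStudent(@RequestBody Student student) {
        students.add(student);
        return student;
    }

    // Spring Security stores the token for the current session in the request
    // under the attribute name "_csrf" (the same name as the hidden input on the
    // logout page). getAttribute returns Object, so it is cast to CsrfToken; the
    // JSON response then shows parameterName, headerName and token.
    @GetMapping("/csrf-token")
    public CsrfToken getCsrfToken(HttpServletRequest request) {
        return (CsrfToken) request.getAttribute("_csrf");
    }
}
```

The token is tied to the session, so the one copied from the browser's logout page does not work in Postman; Postman has to fetch its own from /csrf-token with the same Basic Auth credentials it uses for the POST.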
So one thing I want to try is, how do you send the CSRF token? You can just go back to the headers, and here you have to pass one key-value pair, which is X-CSRF-TOKEN. This is what you have to send. Now I know the key, I don't know the value. Maybe I can get the value from the browser, not a good idea, but let's try. So I will just go back here and I want to get the token, so I will say localhost:8080. How will I get a token? You get the token from /logout. Don't do the logout, just go on this page, right click, view page source, and just copy this, this is your token. I will just reduce the size of it so that I can copy in one go. Okay, copy. I'm not sure if this works, let's try, paste, send. It's not working. So maybe I have to generate the token and get it. I thought it would work, okay, no problem, let's generate the token from the code and it might work. You try it out and let me know if it is working for you. So I don't want to get that from the browser, again it's not a good idea to get this from the browser. Can you return the token from here, so from this particular code? So what you can do is you can request for the token and you can send it. So I will say public, and it should return a CSRF token, so I will say CsrfToken, and this is coming from springframework.security.web.
csrf. And say, maybe I will say getCsrfToken, and this should return a token, right? Now what should be the mapping? Maybe I will say GetMapping, and the URL I want here is /csrf-token. So when I request for this it will generate a token for you, okay, and then you should return a token. Now how will you do that? That's tricky. See, when you talk about a protocol like HTTP and when you're working with servlets, because behind the scenes Spring is servlets, right, or Spring MVC is servlets, and if you go back to hello, we have used one of the object types, which is the HttpServletRequest, right? Now if you get the object of request you can get a lot of data, including the session ID and also the token. So I can just go back here and say HttpServletRequest request, and with this request, okay, where am I doing that? Wrong place, wrong place, it should be here, and request, okay. And here with the help of that object we will return, so from request dot, request has a lot of methods, one of them is getAttribute. Now what is the attribute name? Remember when we were trying to see the browser, not this one, yeah, this one, this is the name, which is _csrf. So we simply use it here in double quotes, "_csrf", and you will get the token, right? But then getAttribute gives you a type of Object, you want a type of CsrfToken, so you know, it's very simple, you have to just do type casting. So cast it with this, your job is done. So what this will do is this will give you a CsrfToken which you can use to send the request. Let's try. Or maybe the token was not working when we tried with the browser, I don't know how I forgot that we are using two different users, right? The browser is a different user, Postman is a different user. Okay, so here I will go back to my Postman, not the browser, where is my Postman, it's here. Okay, so now first of all let's check if the students are working. This is working, but I don't want to request for students, I want to fetch
/csrf-token, and click on the request, and this is the token you got. You can see this is the parameter, the CSRF token, and this is the value. So when you copy you have to make sure that you copy from double quote to double quote, and copy. So you can see the header name should be this, X-CSRF-TOKEN, and now when you get this token you can just go to your POST request, and in the headers we got the key, replace the value, this is the value, new value, and I hope this will work. The body is the same, headers we have changed, send. It worked. Okay, so this is good, right? So this is how basically you generate a token and send it. There are two more ways to handle this. One, in fact, we have talked about before: what if you simply generate a new session every time? Then you don't have to worry about the CSRF, you can disable it, you can disable the check of it on the server side, and we'll see how we do that in upcoming sessions, but we can disable that. Next, you can work with SameSite strict, so you can make sure that no other site can access it. So that's one of the ways you can do that. So yeah, that's it from this video, where we talked about the CSRF token, but again as I mentioned you can also disable it and make sure that you generate a new session, or basically you make your HTTP stateless, or your session stateless.

So till this point we were able to configure the application, right, and we are basically able to implement Spring Security, but then most of the settings are default, right? So we implemented Spring Security by saying, hey, I got the dependency, this project is secured by Spring Security, and Spring Security says okay, since you are using me let me give you some default configuration, and then we have changed something. Okay, so basically we went to application.properties, we set the username and password, we have done some changes, but then we want to do more. We want to connect with a database, we want to disable, let's say I don't want to go for a form login. So there are a lot of
settings which you have to do, and then we'll do that step by step. In this video let's see how we configure that, how we create our own settings, how we change the way the security filter chain works. So to do that, of course we want to change the way it works, right? But by default Spring Security provides you a filter chain, there are a lot of filters which come into the picture, and then it will check for the defaults. But now I want to customize it, I want to have my own filter chain, and the way you can do that is by creating a config class. See, when you talk about the Spring framework, and if you want to customize something or when you want to have your own configuration, you create a separate class, a config class, and then you define beans there which will inject the object. So now what I will do to achieve that is I will create a class, but then I will create that class in a package. I will name this package config, and in this package I want to have that class, which is SecurityConfig. So this is the class we have, and in this class we have to do that.

First of all I want to say that this is a configuration file to Spring, and to do that you will say @Configuration. Now your Spring knows that this is a configuration class and it has to search for the configuration here. Next, I don't want to go for the default Spring Security configuration, I want to implement it here. So to do that you will say @EnableWebSecurity. Now by doing this you are saying, hey, don't go for the default flow, go with the flow which I mentioned here. So by doing this we are doing two things: first we are saying this is the configuration, and we are saying go with this configuration. Now what I want to change, see, by default it will work for the security filter chain, I want to customize it. So in order to do that what you have to do is you have to return a bean for SecurityFilterChain. So let's do that. So I will create a method which will return you the object of SecurityFilterChain, which is coming from
springframework.security.web.SecurityFilterChain, and then we can give any method name here, so I will say securityFilterChain, and this will basically give you the object of the security chain. But how? So of course you have to return the object of SecurityFilterChain, now who will give you this? So there is a type called HttpSecurity. To use this let's create a reference for it called http. You can also say httpSecurity, but http is a small word so it makes sense, and I will be using that because http has a method called build. So basically the build here returns the object of SecurityFilterChain. Now it is giving you some error here, it's because we have to add throws Exception here in the signature. Now this will do. So what we are doing is we are saying, hey Spring Security, don't go for the default, this is the security chain you have to go for, so this is the filter chain, follow this and you're good to go. Now since we have not specified any filter here, by default no filter is applied. I will show you.

So what I will do is I will just restart this. In fact, you know, let's comment the @Bean tag and let's restart, or maybe we have to also comment @EnableWebSecurity. So I've commented both @EnableWebSecurity and the @Bean here, that means what we are doing is still not applicable, and I want to check without those things. If I hit the URL you can see it is still enabling the login form, so that means Spring Security is still implemented. But if I do this, and if I uncomment this bean now, and if I restart, let's see if it disables the default configuration. So let's go back here, and instead of hitting the login I will hit the URL, and it's working without login, it is working. So if I refresh it is still there, that means security is not implemented now, we are bypassing all the security. It's something like you're buying a lock and you are not closing it properly, or maybe you're not even locking it. So we don't want to do that, right? So let's implement. So how do we secure it, how do
we provide that layer? The first thing I want to do is I will implement the same security, I want to achieve that login form, I want to maybe send the request through Postman, but the first thing I want to do is I want to disable the CSRF. So let's do that. So I will go back to http, because that's the object using which you are creating this build, right? So we have to make some changes in this object http, which is the object of HttpSecurity, and in this the first thing I will do is I will say csrf, I want to disable this, right? In the initial days it was very simple, you could simply say csrf().disable(), but it will not work now. In Spring 6 things are a bit different now. I will show you this in two steps, one using the lambda syntax and one without it. With lambda it becomes very easy to read and write, but then if you want to understand what is happening behind the scene we'll go for imperative as well. So here I'm saying http.csrf, and to disable it I will use customizer, again I'm not explaining that now, I will do that after some time, so I will say customizer -> customizer.disable(). So what we are doing is we are disabling the CSRF.

The next thing I want is, even if you write this you will still not get the login form. I want it to be authorized. So if I don't authorize it, anyone can go there and they can log in. So even if I open a new incognito mode here, so if I go to incognito mode and if I say localhost:8080, you can still open it. So there's no login restriction now, and to achieve that what I will do is I will say http.authorizeHttpRequests, for every request, and people who are good with lambda expressions know what I'm writing, but in case you're not familiar I will show you the imperative style. So request.anyRequest() should be authenticated. So by doing this what we are doing is no one should be able to access any page without authentication. So now after making those changes, if I restart my IDE, the application, go back to the browser and
refresh. And now you can see it says access to localhost was denied, that means authentication is applied here. So now that means you have to enter the username and password, but then where will you do that? Even if I do that in Postman, and let's try to fetch the homepage here, and if I say send, you can see it says forbidden, even if I pass the values. You can see I'm passing the username and password, it still says forbidden, because you are sending the username and password but nowhere are we using it here. So how do we do that? First of all I want to enable the form login, so http dot, you can use something called formLogin, using Customizer.withDefaults(), so it will pick up the default properties and it will implement form login. Now just by saying formLogin let's see what happens. So let's go back here and refresh, and you can see we got a form login. Now is it working? Let's try. So I will say navin, telusko, and it's working. You can see if I refresh it works, so that means the form login has been implemented. So whatever customization you want to do, you can do that in the code by using this http object.

But what about if I try to do that from Postman? Let's try from Postman, and if I say send, okay, we got the status OK and we are happy about it, but look at the response. The response is basically a login form. Why did we get a login form here? It's because we are saying formLogin, that's why we got it. So if you want to do that from Postman, in that case you have to add one more thing here, http.httpBasic. You have to implement this, or you have to enable this for Postman, for the REST access, REST API access. So let's go back here and see if Postman is working now, say send, and you got it. So you can see we got the page, cool. So we have used two things, one is formLogin for the browser and one is httpBasic. So form login still works. Now logout will not work, since we're implementing our own it is expecting you to have your own login page, so logout will not work, or it will sign out
directly, it will not give you the login form. So now if I do navin and telusko, okay, wrong password, so you can see it is working. So basically by doing this we are enabling that feature. Of course you can disable your form login if you want, you can directly use your Postman to access it.

The next thing I want to do is, I want to make sure that, see, we are disabling this CSRF right now. Why we are disabling it is because in one of the videos we have talked about different ways of handling CSRF. One of them is, what if you make your HTTP stateless? And if you do that you don't have to worry about the session ID. So how do you make it stateless? You have to say http.sessionManagement, and you will take the session object and you will say session dot. How do you specify that you want to go for stateless or stateful? In that case you have to use something called a session creation policy. So there's something called sessionCreationPolicy, in this you have to say SessionCreationPolicy, so you can see we have different options, we got NEVER, IF_REQUIRED, STATELESS. I want to go for STATELESS, and job done. So by making it stateless, what we are doing is, see, the problem with this is you can't log in from your browser with the login form, because for every request you have to pass the credentials, and when you have a form login, let me show you what I'm talking about. So if I refresh and if I say navin and telusko, it will give you the login form again, because now you are accessing a new resource, and a new resource is a new session, right, a new request. So you have to pass this detail every time. But with Postman this will work. So if I go to Postman, if I say send, you can see this is working, and every time you send a request you will get a new session ID, you can see the number is changing here. So that's how you get the new session ID, right? But if you want this to work on a browser, what you can do is you can disable your form login, because then you have to maintain your own sessions, and
now if I restart, let's see what happens with the browser. Enter. Okay, so you can see we got a popup, not the login form but a popup, and in this popup you can say navin, telusko, enter, and now it will work. So not with the form login, but HTTP basic will give you this popup. Refresh, and I mean if you say enter you will get a new session ID every time. Cool, right? So that's how basically you can do this. But again the problem is, how are all these things working? So what I will do is, for the time being I will just comment all this and let's see what is happening behind the scene. So comment, why is it not commenting here? Comment, am I using the wrong shortcut, maybe they have done some changes.

So now let's understand what is happening behind the scene. See, we understand what is this object, the http object, right, which is HttpSecurity, and we also know that an object will have some methods, right? So we got csrf, and in this we are passing this customizer and disable. So what is this thing? To understand this thing let's do that in an imperative way. So I will say http dot, and I will use this method which is csrf, and if you observe csrf you can see what it takes. It takes the object of Customizer, in fact that's a big name, can't even copy this, so yeah, we have a big name, Customizer, I mean the type it takes is CsrfConfigurer, and again the type is HttpSecurity. I hope I will remember this. So I will say Customizer, so that's a part of the security config package, and this will take CsrfConfigurer, and it was checking something I forgot, so let me just say control space again. I don't want to dictate the HttpSecurity object, so inside this it should be HttpSecurity. So this is the type you have to work with, okay. And then let's create the object of it, because the csrf method takes the object of Customizer of type CsrfConfigurer of type HttpSecurity, and let's give a name to it, I will say custCsrf, equal to, and then you have to say new, and the object for
this. Now the Customizer itself is an interface, you can see we have the interface and the method name is customize, that means if you want to create the object of it we have to create a method, you have to define the method of it using an anonymous inner class, okay. And in this particular method you are using this object, I will not use the name csrfConfigurer, I can use any other name, I will say customizer, I mean you can use any name, right? So the name I'm using here is customizer, and using this object I can do whatever I want now. So using customizer you can use different methods, what we are using it for is disable, right? Now this is the way you create the object of Customizer of CsrfConfigurer of HttpSecurity, because this object has to be passed inside http.csrf. I'll pass this object and your job is done. So by doing all these things you are disabling your CSRF, oh, let it be for now. Since this is an interface, and this is a functional interface, if I show you Customizer, this is a functional interface, which means you can use lambda here, and people who are familiar with lambda know how to create a lambda, it's very simple, you remove the extra stuff. And I mean if you don't know lambda, just search for lambda expression on YouTube, or Telusko lambda, Java lambda, that should make sense. So you can replace this entire code with one line. So this line here which I've written is equal to this number of lines.

Oh, we can do the same thing for authorize request, let's try that. http.authorizeHttpRequests, and look what it is asking you for, look at the name, Customizer of AuthorizationManagerRequestMatcherRegistry, and then you have to get the object for this and then you have to pass it in the method like authorizeHttpRequests. Same goes for the httpBasic, let's try for that. httpBasic, it is asking you for the object of, again, Customizer, but since we want to go for the default configuration we
are not changing anything, we are saying Customizer.withDefaults(), so it will pick up the default settings. And that's how it is working behind the scene, and now you know what is happening behind. So for all the methods here, same thing, you have to implement a certain interface and define the method and pass the object here.

Another thing which you can do here is, instead of doing all these things one by one, you can use a builder pattern. What I'm saying is, remove this semicolon and remove this http, so you can just add at the end something like this, so http.csrf, that particular setting, then authorize request, and then I will just put that below somewhere. Okay, what's wrong with my IDE settings? All the settings have been changed, this is weird. Okay, I'll just say enter here, remove the semicolon, and now you can put this after this. So you can see for one object you are applying different settings. I can remove this, and the same thing goes for this part, cut and paste it here, just that you don't have to put a semicolon at the end, and put it together. If it is big you can just enter here to make it more readable, and remove this. So by doing this you are making it more readable and in proper sequence. So this is called the builder pattern, so for this object you are doing this, then you are doing this. You know, when you have a belt in a factory, where the object passes from one machine to the other machine, the same thing is happening here, one object is passing to different methods and customizing it. In fact what you can also do is you can directly say return here, then you don't have to write return again, it's just that at the end you have to say .build(). Even this looks cool. So that's it. Let me just run this after making all those changes, I hope this will work. If you see a warning here, just that it is saying to use a method reference instead of lambda, you can replace this lambda with a method reference, even that works. Okay, restart done, let's
verify from Postman. Hit this, you're getting the response. Maybe I'll also try to work with students, if you're getting all the students, and you got it. Okay, let's also see if the POST request is working. So I will say POST, you can see we have a POST request here, I'm sending the headers, okay, we are sending the token, let's not send it, and done. You can see it is working. So even without the token it is working, because we are disabling the CSRF request, or CSRF setting, things are working out.

Basically we were able to secure the application with the help of Spring Security, and then we are able to log in as well, but the only thing is we are able to log in with the help of this username and password. What I want to achieve is, I want this data to be coming from the database, because we can have multiple usernames and passwords, and even if Spring Security says, hey, let me give you an option of having more users here, don't you think we are hardcoding the values? In the real world we don't do that. So we want to store this data in the database and fetch it from the database to verify the user, that should make much more sense. But if you want to do that there are multiple steps involved, a lot of steps, and that's why, as you can see, the video is lengthy. The thing is, when you build applications, huge applications which will go on for months or years, this setup like Spring Security and database connections will hardly take one or two days, or maybe more depending upon the complexity of your project, but then you do that only once, not for the entire time of the project. You do this setting once and you just use it in the remaining time, which is a lot of time, you focus on building a feature, right, whatever logic, business logic you want to implement. So in this video let's do that initial part of the work of securing the application and let's see how that works. Again the video is a bit lengthy, so just be with me and I will do it step by step. So make sure that you practice when you are
watching this, so that it will make much more sense. Okay, so let's go back to the SecurityConfig. Now what is happening is, whenever you log in, of course Spring Security is using the application.properties to verify the username and password, but who is working behind the scene? If you remember, we have talked about different filters, in fact we have asked our Copilot as well what the different filters are. We have one of the filters which is UsernamePasswordAuthenticationFilter. Now that filter is responsible to take the username and password and get it verified, and who is responsible to do that? So somewhere in between we have something called a UserDetailsService. See, in the application, when you talk about different layers, like a web application, we have different layers, right? We got controller, we got service, we got repo layer, and when a client sends a request, the request goes to the controller, the controller says okay, my job is only to accept the request and respond, but if you want to do any processing that will be done in the service layer. What if you want to do some database connection? That's where you have the repository layer, right? Now here to verify the username and password we can use something called a UserDetailsService. Now by default it was getting used, but I want to customize it, I don't want it to use the application.properties, I want it to verify the way I want. And how do we do that? It's very simple, you can ask, hey, don't use the default one, use mine which I'm giving you. But how will you give something to Spring Security? And that's where what we can do is we can create a bean, because when you create a bean, the bean will be in the Spring container, and your Spring Security will pick it from there. So what bean do I want to create? I want to create a bean of UserDetailsService, this is the inbuilt thing inside Spring Security, and I will say userDetailsService. What I want to do is just return this object, my job is done, right? So it will behave the way I
want I'm happy but then how will you create the object of it first of all let's verify the package for this so if you see here the package is springf frameworks. security. cor. user details. user Detail Service and now I want I just have to return the object of it how difficult that can be I can simply say return new user details service okay but the syntax is bit different you know we are getting cly backets as well what is US user Detail Service if I click on this oh it's an interface I was not expecting interface the thing is if you have interface you can't create the object of it then we have to go for a long way uh what but is a long way either we have to get we have to create the implementation of it or we can use some inbuild implementations we have to create a class which implements this but we'll do that later at this point let's go step by step and and use something which is inbu so I'm going to use a class which implements user details service and that is in memory user details manager okay how do I verify that this class implements the user Detail Service you can click on this and this is a Constructor if you go up it's a class that a good thing that means we can create the object and this implements user details manager okay uh if I click on this this extends user details service so our job is done uh so indirectly in memory user details manager is implementing user Detail Service okay is our job done here uh not exactly we are simply ring an empty object right or the object which is not having any value so it will work and it will not work it will work because it will run it will not work is because if you Pro provide the username password how it will verify I want to show you something and I'm expecting it will it will work the way I want let's see I'm going to enter the same username password when I'm when I'm logged in or when I'm trying to log in and let's see if that works so the username is naen password is Tesco and if I go back to I will try 
with Postman at least you can see the username password there right I can go to authorization you can see the username password is Na and delisco I'm going to try to hit students let's say not the get request or sorry not the post request but the get request for the students and let's verify the authorization once again it's Navina and Tesco enter you can say it failed 401 un unauthorized so why it's not working is because now we are not using default service we are basically returning our own user details service object and if you want to do that you have to customize this now how will you do that now if you look at the Constructor of inmemory user details service there are multiple Constructors let's go to it in this uh you can see it has a Constructor which is empty it also has a Constructor which takes the collections of users okay and we got one more which takes a weog basically we can pass different user objects by giving commas or user details objects by giving commas let's use this so what I want to do is I want to return different objects or different users how would I do that it's very simple you come back here and if you remember it was taking the object of user details so let's create the object of user details and if you see user details oh even this is interface okay lot of interface to deal with that means we have to get a class for this to implement uh not exactly I will show you something so we say user details I will say user one is equal to uh let's use a class called user so there's inbuilt user in the spring framework and if I click on user it is a class and this implements user details and it got a lot of methods one of the method which we going to use is the Builder so we are going to use the Builder Okay so to achieve that what we can do is we can say user since it's a builder patter I will say enter and dot dot dot the first thing I want to assign is the password encoder see the thing is whenever you store data in database or whatever data 
you are saving by default we store that in a plain text what I want to do here is uh let's say if I want to store the username and if I store that in a plain text that's fine but if you want to store a password it's a plain text anyone can read it not a good idea right so you should you should do encoding of your password so that no one can read it so at this point I don't want to make it complex so I will just go with the default password encoder so I will say with default password encoder and this is dicated don't use it I'm just showing you so that since we are learning into learning phase I will I can show you anything but don't use it in production uh next I want to assign is a username so let's say the first user is Kieran let's not use n nain now because we have used it before so let's use kidan uh the password I want to mention is k1 123 then I also want to assign the roles again it is optional but let's say I want to assign a rule so K is user here and the password or then once it is done so we got the username password and role I can simply say build Now by doing this build we can build this particular object and this build so not the Builder I think we have I've talked about Builder build okay it doesn't matter so this build Returns the object of user details and that's what we wanted right so we got our first user we can create more users if I want otherwise I can simply pass this user user one and our job is done but let's say if I want to pass one more just for the experiment this is user two and let's say hsh hsh is h 8 1 to three and let's say hsh is an admin so we can create different rules maybe user add admin trainer or anything you want anyway and then I can pass different users here not just one multiple now since it supports weo you can pass any number of users just by giving comma okay still till this point we have not connected with database okay we are still trying to understand how do we uh customize stuff okay let's see if this works 
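The in-memory setup described above, written out as an added example (this is not the video's repository code). It differs from the video in one place: instead of the deprecated User.withDefaultPasswordEncoder(), it registers a PasswordEncoder bean (bcrypt, cost 12) and hashes each password before handing it to InMemoryUserDetailsManager, which is the supported replacement. The package name, the SecurityFilterChain bean and the usernames kiran/k@123 and harsh/h@123 are taken from the video or assumed; Spring Boot 3 / Spring Security 6 is assumed.

```java
// Added example, not the project's own code. Assumes Spring Boot 3 / Spring Security 6.
package com.example.security.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Spring Security's auto-configured DaoAuthenticationProvider picks this bean up,
    // so the same encoder hashes at setup time and verifies at login time.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);   // cost 12 = 2^12 rounds
    }

    // Overrides the default UserDetailsService that read
    // spring.security.user.name / spring.security.user.password from application.properties.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user1 = User.builder()
                .username("kiran")
                .password(encoder.encode("k@123"))   // stored as a bcrypt hash, not plain text
                .roles("USER")                        // becomes the authority ROLE_USER
                .build();
        UserDetails user2 = User.builder()
                .username("harsh")
                .password(encoder.encode("h@123"))
                .roles("ADMIN")
                .build();
        // varargs constructor: any number of UserDetails, comma separated
        return new InMemoryUserDetailsManager(user1, user2);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(csrf -> csrf.disable())   // as in the video, so Postman can POST without a token
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

Two things to keep in mind with this form: the credentials still live in source, which is exactly why the video moves on to a database; and disabling CSRF is fine for a token-less API exercised from Postman, but it should stay enabled for anything a browser logs into with a session cookie.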
Let's restart the application. We can use the browser, or maybe I will just try to do that with Postman this time. I will go for navin and telusko; it should not work. And if I use kiran and the password k@123... I could have used the browser, but on the browser you can't see the password, and I want you to see the password. If I click on Send, it says OK, so this is working. If I give a wrong password, of course this should not work. Let's try with harsh as well: harsh and h@123. Let's say 1234; it should not work. And 123; it should work, and it's working. So that's how basically you can customize, or you can have different users. But again, it's still not a good idea, because we are still using hardcoded values in the code. I want this to come from the database, and in that case we can't use this, because this thing is actually returning the default one. So let me comment it out.

Okay, next step: now we want to work with the database. How do I do that? If you want to work with the database, we have to understand one more concept. Whenever you pass the details, username and password, in the login form, when your server receives it, it's basically an Authentication object which is still not authenticated. It goes to something called an AuthenticationProvider, which will basically provide the service of checking and validating it and then make it an authenticated Authentication object. By default this is running behind the scenes, but now I want to customize it, because this time I don't want to use the default authentication provider; I want to use mine. And that authentication provider can be used to connect with a database, with some LDAP service or some other service, and for the database we have a different authentication provider, so let's use that. Basically what I'm trying to say is, let's create a bean to change the authentication provider itself altogether, and I'm not going to use the default one; let's create our own. So: public AuthenticationProvider authenticationProvider(), that's the method name, and let's return the object of AuthenticationProvider. How difficult can it be? We can simply create the object and return it. If I click on AuthenticationProvider... the interface is back. It's an interface, so that means we have to look for a class which implements AuthenticationProvider. As I mentioned before, there are multiple authentication providers; one of them is for the database, and that is called DaoAuthenticationProvider. Let's use that. DaoAuthenticationProvider, and if you see, this is a class; a relief. It actually extends AbstractUserDetailsAuthenticationProvider, and if I click on this, it implements AuthenticationProvider. So indirectly it is implementing it, and we should be happy with it. Let me close all the extra files which are open here. So let's say DaoAuthenticationProvider provider = new DaoAuthenticationProvider(); and simply return this. Our job is done, right? Actually not. What's wrong with this? This will return the object for sure, but the problem is this one basically needs to connect with the database and get the data, and at this point we don't even have the database. We haven't even specified which DBMS we are using (we are going to use Postgres, by the way); it has no idea what your table name is, your database name, nothing. We have to do that first, and we'll do that in some time. But if you want to specify those things, what we have to do is go to the provider. The first thing you have to mention is the password encoder. I want to use the default password encoder, which is NoOpPasswordEncoder.getInstance(). So what we are doing is not using any password encoder. You can use one, and I will show you later how to use different password encoders; at this point I'm saying there is no password encoder, the default one, so you will see plain text.

Next, what I want to specify before returning this object is the UserDetailsService. If you remember, at the start I also mentioned that behind the scenes the UserDetailsService works, and that is responsible for verifying. Now I'm saying that I want to even change the authentication provider; it will also use the UserDetailsService, and we have to specify that. So I will create my own UserDetailsService, not the bean which we created, but somewhere here I want Spring to inject this object automatically. Unfortunately, even Spring will have no idea how to provide this, or maybe Spring will provide a default one. I don't want the default one; I want to customize it; I want to have my own UserDetailsService. How do we create our own UserDetailsService? It's very easy, right? This is the interface; the only thing we have to do is create a class, and that will make our job easy. So let's create a class called UserDetailsService, or maybe some other name, which implements UserDetailsService. Before I do that, I just want to make some changes. I want to get different packages; you know, we are not keeping things in proper packages. So I will create a controller package (we already have config), a service package, a repo package and a model package. The reason I'm doing this is because the controllers should be part of the controller package: the HelloController and the StudentController should be in the controller package, and Student, which is a model, should be in the model package. That's it. Now in this service package I want to create a class which implements UserDetailsService; I will call it MyUserDetailsService. I could also say UserDetailsService, but that's fine. And this implements UserDetailsService, as simple as that. The only thing you have to do is, first of all, mark it as a @Service. Second, you can see we've got an error here. It's because in UserDetailsService we've got a method, and we have to implement this method, which is loadUserByUsername. So, okay, it's simple: you can just come back here and say implement the methods, which is loadUserByUsername, and do something. I'm not sure what to do; it just says load user by username. This is tricky: how will I load the user by username, and from where do I have to load it? See, that's where we have to think about layers. Now we have a service, and the service says, "I want to get some data, and the data should come from the database." And which layer will give you the data? It's your repo, right? That means, if you want this to fetch the data, we need a repo layer. So I can simply go back here and create, in the repo package, a class; actually an interface, because if you remember we have talked about JPA, and in JPA you define an interface for the repo and it will give you all the methods. So I will say UserRepo, not Student, since we are working with users, and this repo will extend JpaRepository. The thing is, it is not working because we have not added the dependencies. See, till this point the project is still a simple web application; nowhere have we talked about JPA, nowhere have we talked about a database. So if you want that dependency, we have to add two dependencies: one for JPA and one for Postgres. As your DBMS changes, you can use a different DBMS driver here. So I will go back to my browser and go to the Maven repository, and here I will search for spring boot jpa. The first one; which version? Anyway, we are going to remove the version, so anything you pick works. Just copy this, not the entire stuff; it also promotes their own website, which is a good thing, but I want to keep it clean. I don't want to specify the version, because that's something we have specified up here; you can see we have specified the version in the parent, so we don't have to specify that here. Okay, that's one. The next dependency I want is for Postgres. Depending upon which DBMS you use, you can change it. Let's say I want to use PostgreSQL JDBC; this is the driver. If you want to use MySQL, search for the MySQL driver. From this I will pick the one which is not vulnerable, which is this one. Again, it might be vulnerable; it's just that they have not tested it properly. So I can just copy this and paste it here. We've got two dependencies, and once you add them you just have to reload Maven so it will download the dependencies for you. Okay, I think the dependencies are added. Let's go back to the repo, UserRepo, and see if we can get the dependency now. We'll just cut this, Ctrl+Space; yeah, now I've got it. So it says JpaRepository, and we have to pass two things: one is the class which will refer to the table (I will explain that in some time) and the primary key. The primary key is Integer. In fact, you don't even need the primary key to be Integer; okay, we'll see that.

So what we can do, when you talk about JpaRepository or the concept of Spring Data JPA, is you define a model class for a table. Of course, in your database you'll be having a table. In fact, let's do that step by step; it will make much more sense. Now, I'm using Postgres; you can use any DBMS you want, but I'm going to use Postgres, and to do that I will open my pgAdmin. On this machine I already have Postgres and pgAdmin installed, so make sure that you download Postgres and get pgAdmin. If you want a shortcut, you can just go to the Postgres download. For Mac they have done something new; not sure about Linux or Windows, but you can get something called Postgres.app. I'm not sure if this works on Windows, but for Mac we have this. For Windows, anyway, the setup is very easy. For Mac you can just get this and run it; it will work. By default the username will be your system username and the password will be blank, so you can use that; it depends upon how you configure this. So I've got my pgAdmin open, and I will explore the databases. In this I've got the telusko database; I was going to use the same one, and if you see, there are different tables here. Let's ignore all of them; in fact there's also a user table. Let's not use the telusko database; let's create our own. I will click on Databases, say Create a database, and name it telusko1; not a good name for a database, but that works. Click on Save, so now we've got a different database, and if you look at the schema, we don't have any table; you can see it's empty. So now let's create a table here. I can open the query tool and say create table users. In fact, you can also get this done from the code itself using JPA, but I want to show you how to make it work if you already have a table. So we've got the table, and let's say we have three columns: id, username and password. The type of id should be integer, and this should also be the primary key; username is text, and password is also text. Let's execute this. What this will do is create a table for you. Now let's see if you have data: select * from users, run this; it's empty. Let's insert some data. We will say insert into users values; I want to insert 1 as my ID, then I have to enter the username, which is, let's say, navin, and the password, let's say n@123. I want one more user; let's go with two users: 2, and, not double quotes but single quotes, sushil, and the password s@123. So we've got two users, and I will simply execute; I think it executes both lines. Okay, so select and run works, and you can see we've got the data here, and now I want to basically connect them.

We've got the table; now in JPA, when you want to connect your table with the code, what you do is create a class which represents it. So let's go back here. We need a class like User which connects with your table, and the User class should represent the user table. The reason I went for users in Postgres is because I think a user table is already there in the Postgres inbuilt implementation, so it doesn't allow it. You can check and let me know in the comments. But here I'm using User, or maybe we should create Users; even that makes sense. So let's create this class; we don't have this class Users. Where will you do this? In the model. In the model I will right-click, say New Class, and we will name this Users. What are the things we need here? First of all, we need to represent your table as a class, so I will say private int id, private String username and private String password (did I say "primary" before? Ignore that). On id I will put @Id, because that's my primary key, and I'm assuming that you know JPA; I'm not teaching you JPA here. I will add @Entity, and that's done. Our job is done here, but we need getters and setters for this, so I will generate getters and setters for all three variables, and maybe in future if you want to print it you will also use toString for all the variables. It says one problem; what is that one problem? Okay, we have to import the package; that's the problem. Okay, that's it. It looks like our job is done. Is it? Let's go back here. Now, since I already have a UserRepo, we have the power to connect with the database; I'm so happy. No, actually we don't have the power, because even if your UserRepo says it is connecting, nowhere in the application have we specified which DBMS you are working with, what your username for that DBMS is, what's your password. Let's configure that first, and we will do that in
the application properties. So here basically we have to specify different properties. One is spring.datasource.url, and we have to specify the JDBC URL, which is jdbc:postgresql. Depending upon which DBMS you are using, if you're using MySQL, replace that with mysql. Then ://localhost, this remains the same, then a colon, and then you have to specify the port number for the DBMS. Since we are using Postgres, the port number is 5432; for MySQL it is 3306. Depending upon which DBMS you use, just change the port number and the name here, and then a slash and your database name, that is telusko1. Next we have to mention the username: spring.datasource.username is, I think, postgres for my machine. And the password: spring.datasource.password, and the password for this machine is 0000. Okay, so now we have specified which DBMS we are working with and we have specified the username and password. This should work, but it will not. The reason: I mentioned that we have a lot of things to do, so just be with me. This is looking good.

Let's go back to MyUserDetailsService, because we are still returning null. We don't want to return null; we want this to connect with the UserRepo. So I will say private UserRepo repo, and I will mark it @Autowired, and for the repo I have to mention that this is a @Repository. Now basically, with the help of this repo, I can fetch. What do you fetch? If you see, the method name is loadUserByUsername, which means we are getting the username here; we just have to verify if the user exists in the database. So I can say Users user = repo. ... now, in the repo we have a lot of methods, right? We've got findById and all that stuff, but now we don't have to find by ID; we have to find by the username. So I have to say findByUsername and just pass the username. And in the repo we can use the DSL: we can say Users findByUsername(String username). So now basically we've got this method, and this will return the user, and we just have to check if the user is there. We can say if the user is equal to null; in that case I want to print on the console as well. First of all, let's print on the console that the user was not found. Okay, how will you let your system know that the user was not found? If you observe, this particular method throws UsernameNotFoundException. What if you can just throw it? So here you can say throw new UsernameNotFoundException with the same message, "user not found". It's that simple. But what if you found the user? In that case what will you return? It's very simple: in that case you will return the object of UserDetails. And if you see, the video is still not completed; we still have to work with UserDetails.

Now if you click on UserDetails, can I simply create the object of UserDetails? You can say new UserDetails, but unfortunately UserDetails is an interface; you can see the I here. That means we have to look for a class which implements this, or we have to create our own class, and the idea is to create your own class. So many classes, right? But as I mentioned, this is just a one-time setup. So let's go back to your model and create the user details class; you can call it something else, you can say MyUserDetails, or you can say UserPrincipal. Normally, in Spring Security terms, the user principal refers to the current user who is trying to access or trying to log in, and that's the user we are checking. So instead of saying MyUserDetails, you can say UserPrincipal, but UserPrincipal implements UserDetails; that's what we are trying to implement. If you see the list of methods we have to implement... let's go back here, and if you click on UserDetails, look at the methods: so many methods to implement. Okay, we don't have a choice, so I will just go back here and say implement all the methods. So we've got all the methods here. Now, is it difficult to implement them all? See, when you're building a full-fledged application, yes, you have to mention everything, but in this example I'm going to skip certain things. For example, you can see we have different methods which return boolean; for example, isEnabled. We have to return something, and at this point I'm assuming that the account is enabled, so I will return true. isCredentialsNonExpired: true, it's not expired yet. isAccountNonLocked: yes, it is not locked. Of course, in a big application you have to take care of all that stuff. isAccountNonExpired: true. getUsername: I can't say true now, because we have to actually return the username. We have to actually return the password, and we have to actually return the authorities, the roles. We can even skip roles if you want, but let's try to implement that. The question is, if I'm creating this class, UserPrincipal, which implements UserDetails, how will I return these values? I don't have these values. You don't have them, but the class from which you want to access this has these values: you can see in Users we have these values, the username and password are there. So what I can do is simply create the object of UserPrincipal and pass this object; our job is done, right? Once you pass it, you can accept it here and then get the values you wanted. I can just right-click here and say generate a constructor which can take... okay, I could have written this myself. I'll say private Users user, and let's pass Users user, and this.user = user. So what we are doing is basically assigning this object, which is coming from the constructor, to user, and once you've got hold of the object, I can go back here: for the username I can say user.getUsername(), for the password user.getPassword(), and for this collection now we have to return the roles, because one user can have multiple roles, and in the database we are not even working with it. How do I handle this here? Maybe we can return some static values or null. So let's return static values. I will say new, but it is asking for the object type GrantedAuthority. Okay, there's a class which implements this, so I say SimpleGrantedAuthority, and I can pass the role as USER, so by default every user will get access as USER. Now the only thing is, we can't return a single object; it is expecting a collection. So I will say Collections. ... if you want to return only one object, there is a method called singleton; let's use that.

Okay, after talking for so long, I hope this will work. Let's try, let's see if this works, and then I will explain; let's go back through everything step by step. So let's restart the application and go back to Postman. Let's see; we don't have harsh in the database, do we? No. Click on Send; you can see this is unauthorized. But what do we have in the database? Let me verify the database fields once. We've got navin, or let's work with sushil: sushil is the username and the password is s@123. Let's try with the wrong password: again unauthorized. Let's work with the right password: it worked. Okay, so after so long things are working out; the data is coming from the database. But still we have one thing to do, which we'll do in the next video: we have not encrypted the password. Let's try with navin, to see if navin is working: navin and n@123. This is working.

Let's go through the code once and understand what we have done. Let's talk about the XML first. We have added two dependencies, one for JPA, because we are working with a database, and one for the database we are working with, Postgres. That's one thing. Next, we have made some changes in the application properties: we have added the URL, username and password; the URL is this for Postgres, the username for Postgres and the password for Postgres. Then we have to configure the security config. By default it was using some authentication provider; we are saying, "Let me provide the authentication provider," which is DaoAuthenticationProvider. To make it work you have to pass two things: first the password encoder, and second the UserDetailsService, our own UserDetailsService. Since we want our own, we have to create our own class, which we are doing here, and this says, okay, you can create this class, you just have to implement one method, which is loadUserByUsername. To make it work we need to work with the repo, because the repo will do the database connectivity. If it is connected and you've got the data, good, you return the object; if not, you can print "user not found". In fact, when I was testing it we also got a message here; you can see "user not found". So you can do this, but then you can't simply return this Users object; you return a UserPrincipal, because we have to implement the UserDetails interface there, which has so many methods, and we are only concerned about the username, password and authorities. So that's the code; make sure that you check the code. You will find the link in the description. Do this code by yourself once, then it will make sense. I know there are a lot of files to work with, and we have spent enough time to understand this.

It's time to focus on encrypting your passwords. Now, what I'm talking about is, when you go back to the database, of course we now have users in the database; in fact we have added a few users. If I want to show you the users, I say select * from users in the database and hit the query, and these are the users. The problem here is I can see the passwords. Imagine you are running some huge application or critical application, and then you open your database and you can see the users' passwords. Most of us use the same password on multiple platforms, not a good idea; I would never do that, but yeah, people do that, right? They have the same password on multiple platforms, and that's how you get hacked. I mean, if I, as a database administrator, can see the passwords, that's one risk. But what if you are using certain applications, and most of the applications you are using are safe, but this particular application is not safe, and someone was able to hack it? They got your password, and then they're using this password everywhere. So again, don't do that; don't use the same password everywhere. But again, the problem here is we are not encrypting the password; you can still see it. So what's the ideal way here? Let me just go back to my IDE and use some area to type what I'm talking about. Okay, this is an empty file, so I will just use this area. What we can do is take plain text from the user; the user will say n@123, and before I store that in the database, I can simply encrypt it, so we get a cipher text in the database. If a user is trying to verify, you can convert that cipher text into plain text and then verify. That's one way, but the problem is, when you talk about encryption, like in cryptography, we use a key there, and using a key you can do this encryption and decryption. The problem is, what if the key gets leaked? And of course, for all the users you'll be using the same key; if one password is compromised and someone got the key, they can basically get all the passwords. We don't want that, right? So instead of creating a cipher text, what if you can create a hash of it?

Now, what is hashing? Hashing is one-way: you get a plain text, you run some algorithm on it, let's say SHA or MD5, and then you find a hash. A hash is like a fingerprint for a text. For me, this is my fingerprint, and imagine if I change any part of my body, let's say if I remove these specs, the fingerprint should change. That's how hashing works, and you can't get back: from the fingerprint you can't get the person, but from a person you can get the fingerprint. That's how hashing works. From the plain text you can get the hash, but from the hash you can't get the plain text. We can use different algorithms to achieve that; one of the algorithms is SHA-256. But you can do that only once, right? You can run one round. But what if you can do it multiple times: the same thing, get the plain text, run the algorithm, get the hash, run the algorithm on the hash, and again you will get a new hash. Let's say this is hash one; again you run the algorithm, you get hash two, and multiple times, how many times? Maybe 10, 15, 20, 100, millions. So if you do it more, and if it takes some time for the computation, of course you can secure it, and to achieve that we are going to use something called bcrypt. So let's head back to the browser, and here I want to search for bcrypt generate password. There are different websites we can go through; one of the things I use sometimes is bcrypt online, or browserling. Let me go to browserling, or however you pronounce it, doesn't matter. Here we've got this bcrypt password generator. Basically it finds the hash, and you can do multiple rounds for it. Let me enter the password: let's say n@123, and if I click on bcrypt, you can see it is generating a password for you; basically not a password but the hash value of it, and this is the hash value. So from the password or from the text you can get the hash value, but not the other way around; you can't get the text from the hash. And you can see it says "the world's simplest online bcrypt hasher".
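The database-backed login built above (entity, repo, UserDetailsService, UserPrincipal and the DaoAuthenticationProvider bean), collected into one listing as an added example; it is not the video's repository code, and in the project these pieces live in separate files under model/, repo/, service/ and config/. Because the hashing discussion just above explains why plain text must not be stored, this version already gives the provider a BCryptPasswordEncoder with cost 12 where the video uses NoOpPasswordEncoder.getInstance(). One correction to the explanation above: bcrypt is not SHA-256 run many times; it is its own algorithm (built on the Blowfish key schedule) whose cost parameter sets 2^cost iterations, but the property the video is after, a salted, deliberately slow, one-way function, is exactly what it provides. Assumed: Spring Boot 3 / Spring Security 6, Spring Data JPA, the users table (id, username, password) created in pgAdmin, and spring.datasource.url/username/password set as described.

```java
// Added example, not the project's own code. Assumes Spring Boot 3, Spring Security 6,
// Spring Data JPA and the "users" table created above.
package com.example.security;

import java.util.Collection;
import java.util.Collections;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Table;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;

// model: one row of the "users" table (the name "user" is reserved in PostgreSQL)
@Entity
@Table(name = "users")
class Users {
    @Id
    private int id;
    private String username;
    private String password;   // holds the bcrypt hash, never the plain text

    public int getId() { return id; }
    public void setId(int id) { this.id = id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// repo: Spring Data derives "where username = ?" from the method name
@Repository
interface UserRepo extends JpaRepository<Users, Integer> {
    Users findByUsername(String username);
}

// model: adapter from our entity to Spring Security's UserDetails (the "principal")
class UserPrincipal implements UserDetails {
    private final Users user;
    UserPrincipal(Users user) { this.user = user; }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        // one fixed authority for now; note hasRole("USER") would look for "ROLE_USER"
        return Collections.singleton(new SimpleGrantedAuthority("USER"));
    }
    @Override public String getPassword() { return user.getPassword(); }
    @Override public String getUsername() { return user.getUsername(); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

// service: what the DaoAuthenticationProvider calls with the submitted username
@Service
class MyUserDetailsService implements UserDetailsService {
    private final UserRepo repo;
    MyUserDetailsService(UserRepo repo) { this.repo = repo; }   // constructor injection

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Users user = repo.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("user not found");
        }
        return new UserPrincipal(user);
    }
}

// config: replace the default provider with one that reads users from the table
@Configuration
class AuthProviderConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);   // cost 12 = 2^12 rounds
    }

    @Bean
    AuthenticationProvider authenticationProvider(MyUserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setPasswordEncoder(encoder);   // the video puts NoOpPasswordEncoder.getInstance() here
        provider.setUserDetailsService(uds);
        return provider;
    }
}
```

Three checks before running it. First, with a bcrypt encoder the rows inserted by hand above (n@123, s@123 in plain text) will no longer verify; update the password column with hashes from the bcrypt generator shown above, or keep NoOpPasswordEncoder until registration writes hashed passwords. Second, the "user not found" message only reaches your console: DaoAuthenticationProvider converts UsernameNotFoundException into a generic bad-credentials failure by default, so an unknown username and a wrong password both produce the same 401, which keeps the login endpoint from confirming which usernames exist. Third, the authority name matters later: `.hasRole("USER")` expects "ROLE_USER", so either name the authority that way or use `.hasAuthority("USER")`.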
okay not sponsored by this link I hope they will soon but yeah we got this we got this thing here but if You observe we have one more thing which is rounds as I mentioned before you can talk about the rounds right one round two rounds so it says 10 is it does it mean 10 Rounds no it's actually two the power of 10 Rounds you can imagine how big the number is and we can also go for 12 rounds and we are going to use 12 rounds and if you see when I change that number observe this with with 10 Rounds it gives you this text uh this is a type of bcrypt so there different types we can use or different versions We can use this is 2 a there's also 2 y the different versions and this 10 here means the rounds so if I say 12 now if I could click on big gript you will get a different number so you can see we got 12 here and the hash also changes so the bigger the number it is difficult to cck but again by doing this you might be thinking what if I say 100 and I want to make it more secure you can do that you can click on bigp and okay it exceeds the limit but let's say if you give a bigger number and you have no idea okay it's still calculating that's a problem you can see I clicked on BPT it is still calculating it imagine you are using this on your server and every time a user login you will run all this number of rounds on your server imagine the bill as well if you're using Amazon imagine for even verifying a user you will they will pay they will charge you a lot and that's why is not a good number and still it's still not going ahead maybe I can go with 15 if that works and I hope it will come back Gone Gone just we'll try with again some text here round let's say 15 so the higher the number it will take more time you can see it is still calculating U so better 10 12 works and we going to use 12 again I'm okay we got 15 so yeah it takes time so don't go for the bigger number 12 works and I will stick to 12 click on big rpt and this is the thing okay now once we understood 
this now what we have to do is we have to implement this in our project so that every time a user is logged in or every time a user creates an account at that time when you ask for the password don't store the Plaine text so that means we have to do two things one we have to implement bcrypt when I user register and we have to implement bcrypt when also we are validating it so let's do for the registration and as you can see in the project we have not done the registration part yet in the earlier video we had the user in the database right so we went for some SQL query and where's our PG admin it's here let me make it full screen browser full screen yeah so we already have this values but now I want to create a new user so what I will do is I will go back here uh to the code and let's create a controller for this so for the creation we'll create a Java class and we'll say user controller and in this basically first of all we have to make this as a rest controller that's the first thing and next I want to register a user so I will say public I want to return the user and the class we are using is users not user and we have to import the package for this again the reason I'm using users not user user makes sense but then if you say User it's a inbu class inside uh Spring Security so sometime you will import some wrong package and it will give you errors and that's why on the saf side I'm going to users normally we use user and I will say register and while you're registering it of course you will receive the data from a client so I will say request body and and users user and we have to also pass the post mapping because we are submitting data from the client and this will be double c/ register okay now here basically the first thing I'm going to do is I'm going to return the user itself as it is but don't you think I want to store this in database that's our aim okay so to do that I will need a service layer so I will go back to my service and here I will create a 
new class a user service class I will say users oh do we have user service service no we don't user service and the job of user service is just to accept that particular request right so and it will return the users and I will say uh save user or maybe we can say register itself register and this will basically take the object of users user and who will store this in database of course service is accepting it and I forgot to write service yeah so service is accepting it from the controller but service will say that's not my job if you want to store something in database send it to database and to do that we are going to use the repository layer right and that's we already have it here user EPO so I can simply use user EPO in my service and I will close certain things here which we don't need at this point home controll not required user principal not required my DET service not required student controller we don't require okay so let's head back to the service and let's create the reference for the user repo so user repo repo and on top of this I will say autowire so that I don't have to create the object and here I will simply say repo dot I want to save so we can simply say save and pass the user this will save this data in database okay and also return the user in fact I will return the user which we are storing in database not what we got okay so I'm returning the user here and also I'm going to uh user controller okay we need service here so iate autowired private user service user okay I will say service and here I'm going to basically say return service. 
register user so we got the request on the controller controller sending to service service sending to database and we are done again till this point we have not talked about BPT we are just storing the user in the database as it is okay so by doing this let's restart the application and see what can go wrong okay server started I will use my Postman okay and let's send get student let's see if this is working first and yeah so this is working authorization is this now I want to create a new user right so I will say post and I will send the request for register but we have to pass the body as well right now in the body of course I don't want to pass the product what I want to pass is the ID I want to pass the username now from where you will get this field now this is depend upon what you have used here so this is a type of users and if you go to to users these are the three Fields you have to pass ID username and password so let's get back ID username and password the value is three here because we already have one and two uh the username I want to go for this time is let's say okay what user we don't have let's verify from database we got naven and sushil let's go for hush and the password is H atate 1 23 okay so let's click on send it should work you can see we got the user back from the uh database and the best way to verify is actually hitting database right so I will just run this and yeah we got new user again no bcrypt implemented now let's Implement bcrypt what I want to do is I want to create this new user but then the data which you are storing in database should be with a new with a bcrypt so what we can do is here before you send the user to database in the service layer what you can do is you can change the password so you can say user. 
set password but how will I know what is the bcrypt version of that password maybe you can just get the password here go to that website uh copy that uh I mean what I'm talking about is take the password type it here copy this and paste it there again we don't want to do manual process so in that case we have to use a library the bcrypt library and the good thing is in Spring Security you will get bcrypt by default you just have to use the object so I will just create the object here there are two ways of creating the object you can use the bean in the security config file or in the configuration or I can just hardcode the value or I can just create the object by myself so I will say bcrypt password encoder and you can see this is a part of Spring Security so Spring framework. Security so we are happy at least we are not using some third party which is which will give you some errors so we got uh encoder and we can say new B password encoder now in this bracket basically for the Constructor of B script password encoder we can pass this strength what is this strength the rounds 10 Rounds 12 rounds by default it will be 10 if I'm not wrong uh they don't have the documentation let's download The Source let's see so strength is by default okay they don't have a default strength is it okay by default is minus one is weird uh if you pass something they've not mentioned this Str so log rounds to use between 4 to 31 so we can use between these numbers uh next we you can also mention the version so uh with the strength you can also mention the number version like we can have 2 a 2 b 2 y we'll stick to the basic version whatever it passes let's go back to the user and here I will just mention 12 we not going for 10 now we are going for 12 strength is 12 so using this encoder I can simply say set password encoder do encode that's the method and pass the password but how will I know the password actually we know in the user object we already getting the password right so get 
the password encode it set it in the user set it to the to the user and it will do your work okay so I mean I am hoping this will work let's try so let's restart the application now go back to register of course I will use the same username password for the authorization in the body I will create a new user now so I will say for uh this time it is Oni and a at rate 1 to three let's see if this works send it worked we got 200 okay and we also got a password can you see that we got a B password we can also verify that in the database so let's head back to database let's hit the query and this is your new password but we got another big problem now let's try to do something so let's say I want to fetch all the students I'm just trying to access some resource and in the authorization nain will work so if I say run it works but let's say I'm trying to use a new user which is only a at theate 1 123 if I click on send we got authorization fail why this is the right password it's just that when you are storing the when you are creating a new user you are converting into bcrypt right the hash but when you're validating it we are not doing that because in the validation if you go back to your uh security config this file we have written one line here which is this line can you see that we are saying that when you're verifying it still use no op password encoder that means we are using a default one not the big SCP so yeah for storing we're using it but for verifying we're not using it so how do I verify so we have to convert this of course if I want I can go to database and copy this string I'm just hoping this will work never tried it yeah it works in that way but do you think user will enter this of course they want to enter the normal passwords you can't expect them to remember the hash values and again it's not safe to transfer this on the internet so what can we do of course while verifying it instead of using no password use bcrypt how difficult that can be maybe 
creating some classes and objects no just one line what you can do is just create the new object of B password encoder and pass this strength that's it you just mentioned that we are saying that hey authentication provider the password encoder you have to use is bit and this is 12 that's it now it knows okay whatever password I will receive I will convert that into BP hash and now I will verify it and by doing so let's run this and let's see if this works so go back to the postman let's use the hash and hash will not work now yeah you can see we got 41 but now let's use a normal password it's a at the rate 1 2 3 send it worked what about the normal users nven I mean normal users means the user with a plain text even for them it will not work in that case you have to basically uh ask them to update their passwords maybe you know sometime you receive a link from some applications or some service by saying hey it's time to change your password maybe they know they mess up sometimes and they ask you to change the password I mean I doubt anyway so one thing you can do is uh if you want to change the new password if you want this to work you can create a b version of this and copy this again not a good idea I'm just showing you what you can do and here you can just update naven so you can say first of all ID of novine is what it's uh one so I will say update users set the password I don't know why I'm feeling that I'm doing a crime here where uh the ID is equal to three oh sorry yid is equal equ Al to one just hit this query run uh got updated and run so you can see for naven also we got the encrypted password or the hashing password and now I can verify this and this should work so make sure that all your passwords are encrypted and who is not safe it's sushan and hsh okay it's time to send them a link by saying update your passwords so anyway uh we have talked about bcrypt and now we know why encoding your password is important and how do we do that so we can use bigp 
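To make the bcrypt behaviour above concrete outside of the Spring Boot request flow, here is an added stand-alone example (not the video's code) that uses only Spring Security's BCryptPasswordEncoder from spring-security-crypto. It shows what the registration path does (encode), what the login path does (matches), that the cost factor and salt live inside the hash string itself, why a large cost "never comes back", and one thing the video handles by hand-editing the database: detecting a stored hash whose cost is lower than the configured one so it can be re-hashed on the user's next successful login. The class name, the method names and the sample password n@123 are mine; the hash values differ on every run because of the random salt.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.BCryptVersion;

public class BcryptDemo {

    // Cost factor 12, as chosen in the video: 2^12 iterations of bcrypt's key setup.
    // The version is pinned explicitly so the stored prefix is always "$2a$12$".
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(BCryptVersion.$2A, 12);

    // Registration path: hash the submitted password; the plain text is never stored.
    static String hashForStorage(String plainPassword) {
        return ENCODER.encode(plainPassword);
    }

    // Login path: bcrypt reads the salt and cost out of the stored hash, re-hashes the
    // submitted password with them and compares. The caller never handles the salt.
    static boolean login(String submittedPassword, String storedHash) {
        return ENCODER.matches(submittedPassword, storedHash);
    }

    // Hash layout is "$2a$" + two-digit cost + "$" + 22-char salt + 31-char digest,
    // so the cost a password was hashed with is recoverable from the hash alone.
    static int costOf(String bcryptHash) {
        return Integer.parseInt(bcryptHash.substring(4, 6));
    }

    // Legacy check: true when the stored hash uses a lower cost than we configure now.
    // The right moment to re-hash is right after a successful matches(), when the plain
    // text is legitimately in hand; there is no way to "upgrade" a hash without it.
    static boolean needsRehash(String storedHash) {
        return ENCODER.upgradeEncoding(storedHash);
    }

    // Wall-clock cost of one hash at a given cost factor; each +1 doubles it.
    static long millisToHash(int cost, String password) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(cost);
        long start = System.nanoTime();
        encoder.encode(password);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        String stored = hashForStorage("n@123");
        System.out.println("stored hash : " + stored);
        System.out.println("cost factor : " + costOf(stored));
        System.out.println("correct pw  : " + login("n@123", stored));
        System.out.println("wrong pw    : " + login("n@124", stored));
        // The hash is not a password: submitting the hash itself, as tried with
        // NoOpPasswordEncoder in the video, fails once bcrypt does the verification.
        System.out.println("hash as pw  : " + login(stored, stored));
        // Same password hashed twice gives two different strings (random salt), so
        // two users with the same password cannot be spotted by comparing hashes.
        System.out.println("salted      : " + !stored.equals(hashForStorage("n@123")));

        for (int cost : new int[] {4, 10, 12, 14}) {
            System.out.println("cost " + cost + " took ~" + millisToHash(cost, "n@123") + " ms");
        }

        // A hash written earlier with cost 10 should be replaced on the next good login.
        String legacy = new BCryptPasswordEncoder(10).encode("n@123");
        System.out.println("legacy cost : " + costOf(legacy) + ", rehash? " + needsRehash(legacy));
    }
}
```

Two caveats a practitioner should keep in mind: bcrypt only considers the first 72 bytes of the password, so very long passphrases are silently truncated unless you pre-hash them; and the cost you pick should be tuned by measuring on the server hardware that will actually do the verification, not on a laptop or a website, so that one login costs tens to a few hundred milliseconds and not seconds.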
It's not the only solution; we have other solutions as well, and if you tried something, let me know in the comments so others can also try it. Now, JWT: JWT stands for JSON Web Token, and in short we call it "jot" because it is easier to pronounce. So I will use both, "jot" or JWT; it stands for JSON Web Token as I mentioned. We'll talk about why we need JWT, what JWT is, and then focus on how we implement it in our project.

See, when you talk about security, we have done a lot of things till this point: we were able to log in so that we can access a resource. What resource am I talking about? Let's say we have a client here, a happy client, and we got a server here. Every time you try to access any resource from the server, you send a request, but the first request should be for login, otherwise you cannot access the resource. Yes, there are certain resources where you don't need restrictions, but let's say you got a resource which is protected: if you want to access it you need to log in first. For login you have to provide your credentials, it can be username and password or anything else, and this goes to the server. The server says okay, you are an authorized person or application, and you can access the resource now. Of course you are very happy, you are doing transactions and everything is going well. But then every time you access some other resource, let's say the server has ten resources, and when you access one resource you provide the credentials and it works; for the next access do you have to provide the credentials again? You logged in already, so why should you? That's why we use something called a session: when a client sends a request to the server and logs in, the server maintains a session; basically you have a session ID stored on the server. Let's say the session ID is 102, and every time the client goes to the server it says hey, this is me and my session ID is 102, and the server knows this person has logged in earlier, we don't have to ask for username and password every time. That's why, if you go to any website, let's say Gmail, I don't remember when I last logged into Gmail; on my personal machine, not this one, I have been logged into Gmail for a very long time, and not just Gmail, most applications. And I can use other Google applications, let's say Google Drive or Google Meet, just with that one sign-in; we have something called SSO, single sign-on, where you log in once and access all the other applications. But the main point is you don't have to log in multiple times, you do it once, and to achieve that we use a session.

So what is wrong with sessions? They're great, but there are some drawbacks, and to understand that let's go with an example. Let's say I am Navin Reddy. I go to different offices for training or some consulting work, and every time I visit a company the engagement goes for two weeks, three weeks or a month. Every day I leave my home and go to the office, and in between maybe I want a coffee. So for a particular office I know there is a coffee store there; let's call it Tea Coffee, I know that sounds like a great name. So we got a Tea Coffee shop here, I go there, I pay some amount, let's say $5 for a coffee, I know that's costly, and I get a coffee. I'm very happy. That's the server, that's the client, the transaction is done. And I was thinking, okay, I go there every day, for the next two or three weeks I will be having my coffee there, so why don't I make a pass, a monthly pass, or pay up front? I will get some discount, I don't have to stand in a queue to order, I can just show my card and say hey, give me the coffee. That sounds good, right? You don't have to stand in a queue, you don't have to carry change or scan to pay every time, you pay once. So we had a deal. The person there, let's say his name is Bob: Bob says hey Navin, you can pay $50 once and then you can come here every morning, get your coffee and we'll give it to you. $50 for the entire three weeks, I'm very happy, I got a discount as well, lots of benefits. And I'm going there, showing my face, and Bob knows who I am, so he gives me a coffee. But after a few days I don't see Bob there; Bob has been replaced by some other person, let's say Rohit. When I go to the coffee shop now, I don't see Bob, and Rohit says who are you? That's weird, I have paid for the coffee but Rohit has no idea who I am. So if you go back to the scenario, instead of Bob knowing my face we could have done something better: what if Bob had given me an ID? Bob maintains a book there, and in that book it is written that 102 is Navin and he has already paid $50. I carry an ID card which says 102, and every time I go there I show the card, and now Bob or Rohit, it doesn't matter who the person is, can say I can see your name in the registry, here is your coffee. So it doesn't matter who the person is, I get my coffee. That's one scenario.

Let's go for more scenarios. Let's say I'm not just going to one training in one city; I travel to multiple cities, and I realize most tech spaces have the same Tea Coffee shop. Let's say I was in Mumbai and now I'm going to Delhi, to a company there, and I want a coffee, same coffee shop. This time I'll just draw a box. There's a person here, let's say his name is Mahesh, and I go to Mahesh saying hey, I have already paid $50 in the Mumbai office and now I want my coffee. Mahesh says I don't know who you are, and I say don't worry, I have an ID with me, here it is. Now Mahesh looks at the registry, the local book in the Delhi shop, and he can't find my name there. The reason is simple: the book was in Mumbai, not in Delhi. So we got two different offices, or maybe ten different offices all over the world, and every time I go there nobody knows who I am; this is failing. What they could have done is, instead of a local copy, put a shared server in between, and all these offices share that server, where they maintain the record saying Navin Reddy has already paid $50 and can get coffee for three weeks. Now all the different offices share the same server and this solves the problem. I was happy, he was happy, everything's done. But sometimes this common database between different servers creates issues; it can also slow things down. So this is one problem; how do we solve it? Let's go for another approach. Let's go back to the original scenario: this is the Tea Coffee shop, and there's Bob here; initially it was Bob, so let's go with Bob. Now let's change the scenario: I go to the server, the coffee shop, I say I will pay you $50, you give me access, and on that day of course I get the coffee. But instead of giving me an ID, and having to maintain a registry too, what Bob does now is give me a card. Initially also I got a card, but this time a different card, and this card has certain things on it: first of all my name, then the issue date, when the card was issued, and when it expires. Of course expiry is important, otherwise I will enjoy the coffee for my entire career, or my entire lifetime, provided the doctor doesn't say stop drinking coffee. So name, issue date and expiry, that's what I got. Every time I go to the coffee shop I show them the card, they say okay, the card looks good, they hand it back, and I get the coffee. Name, issue date and expiry work here. Now what's not working: one of my friends also goes with me for different trainings, or we meet sometimes, and I told him this idea: hey, you can talk to Bob and get this card, you don't have to stand in a queue, you don't have to pay every time, you pay once and you get a discount. And this guy is very smart; he looked at my card and said I can simply make a fake copy of it, and he changes just one thing: instead of my name he puts his name, let's say Harsh. Now Harsh can access the coffee: Harsh takes this card, gives it to the coffee shop, and the coffee shop gives him the coffee. But don't you think this is a fake one? It's not given by Bob, and maybe Harsh can go to different cities all over the world and use the same card. So how can you stop it? It's very easy: what if the manager puts a signature there, Bob's or the manager's, or a stamp of that coffee shop, which you can't get anywhere else. That stamp is important: any card without the stamp is a fake one. That's how you solve it, and this thing I got is called a token. I can carry this token every time.

Now the question is how to represent this token in a data format. We have different formats; we can use XML, and in the earlier days people used XML for tokens. Now which transaction am I talking about? In the virtual world, the client and the server: when a client and a server want to exchange a token, they could exchange it in XML format. But the problem with XML is that it is very bulky, and even if you encode it the output will also be bulky, so we have to go for a smaller format. The alternative is JSON, which stands for JavaScript Object Notation: you can represent your data in a small format and also encode it to make it even more compact, so it is easy to carry between the client and the server, lightweight. So the idea was, let's use JSON, we are building a token, and this will be used for the web: in short this is called JWT, JSON Web Token. In fact there's a website, jwt.io or jwt.ms; you can go to either. So what is JWT? JSON Web Tokens are an open, industry-standard RFC 7519 method for representing claims securely between two parties. Now what is a claim? The data on this card is a claim: I'm claiming to be Navin Reddy, I'm claiming the issue date is this and the expiry is this. Those are the claims I transmit between two parties, the client and the server. The beautiful thing is you can store your data in this format; if you can see, we got data here, which is called the payload. Whatever is on the card is the payload: it has the name, it has the issuance time (iat), and you can also have the expiry time (exp). So you can see this is the issuance time; I can also add the expiry here with the same number, just modified a bit: instead of 3 let's say 4, the exact number doesn't matter. You can see the issue time is 18 January 2018, 7 a.m. hopefully, and this one... it's not able to interpret this, which is weird... yeah, you can see this is 9:47, so we got roughly a two-and-three-quarter-hour session. This is the issue time, this is the expiry time, and that's how you pass it. Apart from this you also send a header. The header has the algorithm used to build the token: we have HS, we have RS, we also have ES. HS is HMAC (HS256 is HMAC with SHA-256), RS is RSA, and ES is ECDSA. RS and ES are asymmetric cryptography, they use a public and a private key; HS uses a symmetric key. If you're not sure what these keys are I'll give a basic introduction, but to know more check out the separate video on digital signatures and cryptography in the link. So you specify those things, the algorithm and the type, which is JWT, and you also get a signature: remember Bob or the manager gives a signature, and you can use that to verify the token is valid. But you don't send all this data from client to server and server to client; what you send is this encoded format, a short form. When you exchange between client and server you send this, and that means you don't have to maintain a session anymore.

Let's go back to the original client and server: now every time you want to access a resource, let's say the students resource, you send a request for /students, but you also send the token. How did you get the token? When you logged in for the first time, what the server returned to the client was the JWT. And every time you go to the server and say I want the students, the server says who are you, and you say this is my JWT, I'm sending it with the request, verify it and you will know who I am. That's how JWT works. Now about the signature: you can use different algorithms, and that's cryptography. Instead of sending plain text you can send cipher text: you encrypt it, and of course you use a key to encrypt and decrypt. If you use one key for encryption and a different key for decryption that's called asymmetric cryptography, where you have a private key and a public key; if the same key does both, it's symmetric. And if you want a digital signature you can use those two keys for that as well; again, check the video in the description, it's important, you'll learn how digital signatures work. By using JWT you're not actually achieving secrecy; what you're achieving is accountability: integrity and authenticity. If you see the stamp on the card you know it is valid, but anyone can read the card. It's not like you're stopping someone from reading it, because you're sending the data over the internet, and anyone who sees the JWT can decode its payload; it is base64url-encoded, not encrypted. You can also protect it in transit: use HTTPS instead of HTTP. By default we are using HTTP here; use HTTPS to secure your token in transit. But the main reason for using JWT is not secrecy, it's accountability, though you can also achieve secrecy as I mentioned.

So now it's time to implement JWT in our project. The thing is, when you want to configure JWT in a Spring Boot project there are a lot of classes and interfaces to work with; we have to go through multiple layers. We have to do two things: one, whenever a user logs in, you have to send a token generated on the server to the client; and then when the client sends some other request it has to send this token along to the server, and on the server side we have to validate the token and, based on that, send the response. Looks like a small number of steps, but generating the token itself involves a lot of steps, and validating the token takes a lot of steps too. You might be thinking, for a simple project, as I mentioned before, you do a lot of settings. See, security is very important, and you do this configuration only once. I don't know why I'm saying this every time as a disclaimer, but I have seen the mindset of people learning Spring Security: hey, I'm building an application to add two numbers and the amount of time I'm spending on security is much more than the feature. But when you build big applications you spend more time on the features than on security; if you do security properly, that's what you get: less time on security, more time on development. But do it properly. Now we're going to divide the entire JWT implementation into multiple stages. In this video let's do the first step: setting up the project so that you can work with JWT. We are going to use a lot of classes to generate and validate those tokens, and these are not part of Spring Security by default; we have to add the libraries for JWT. That's one.
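Before reaching for a library, it helps to see the three parts of a JWT built and checked by hand, exactly as in the coffee-card story above. This is an added example, not code from the video or from any JWT library: it uses only the JDK (java.util.Base64 and javax.crypto) to issue an HS256 token with name, iat and exp, shows that the payload is readable by anyone without the key, shows that Harsh's trick (copy the token, change only the name) fails signature verification, and shows that an expired token is rejected. The secret, the claim names and the numbers are constructed for the example; the iat value is the one from jwt.io's sample token (18 January 2018).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtByHand {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER_JSON = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";

    // Constructed server-side secret for the example. A real one is random, at least
    // 32 bytes for HS256, loaded from configuration and never committed to source.
    static final byte[] SECRET = "example-secret-for-the-demo-only!".getBytes(StandardCharsets.UTF_8);

    static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Bob's stamp: header.payload, then an HMAC over exactly those bytes with the server secret.
    // (JSON is assembled by string concatenation here for brevity; real code uses a JSON library.)
    static String issue(String name, long iat, long exp) throws Exception {
        String payloadJson = "{\"name\":\"" + name + "\",\"iat\":" + iat + ",\"exp\":" + exp + "}";
        String signingInput = b64(HEADER_JSON) + "." + b64(payloadJson);
        return signingInput + "." + B64.encodeToString(hmacSha256(SECRET, signingInput));
    }

    // Anyone can read the card: decoding the payload needs no key at all.
    static String readPayload(String token) {
        return new String(B64D.decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
    }

    // Checking the stamp: fixed algorithm, recomputed HMAC compared in constant time, then expiry.
    static boolean verify(String token, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        // Never let the token choose the algorithm ("alg":"none" and friends): require our header.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.equals(HEADER_JSON)) return false;
        byte[] expected = hmacSha256(SECRET, parts[0] + "." + parts[1]);
        byte[] presented = B64D.decode(parts[2]);
        if (!MessageDigest.isEqual(expected, presented)) return false;   // fake card
        Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(readPayload(token));
        if (!m.find()) return false;                                     // card without expiry
        return now < Long.parseLong(m.group(1));                         // expired card
    }

    // Harsh's trick: keep Bob's stamp, change only the name on the card.
    static String forge(String token, String oldName, String newName) {
        String[] parts = token.split("\\.");
        String tampered = readPayload(token).replace("\"name\":\"" + oldName + "\"",
                                                     "\"name\":\"" + newName + "\"");
        return parts[0] + "." + b64(tampered) + "." + parts[2];
    }

    public static void main(String[] args) throws Exception {
        long issuedAt = 1516239022L;                 // 2018-01-18, the iat shown on jwt.io
        String token = issue("Navin", issuedAt, issuedAt + 2 * 3600);
        System.out.println("token          : " + token);
        System.out.println("readable by all: " + readPayload(token));
        System.out.println("valid now      : " + verify(token, issuedAt + 60));
        System.out.println("forged by Harsh: " + verify(forge(token, "Navin", "Harsh"), issuedAt + 60));
        System.out.println("three hrs later: " + verify(token, issuedAt + 3 * 3600));
    }
}
```

The forged token decodes perfectly well and shows Harsh's name, which is the point of the story: decoding proves nothing, only recomputing the signature with the server's secret does. The header check matters because a verifier that trusts the token's own `alg` field can be talked into skipping or downgrading the signature check.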
we have to create layers so that when you send a request request goes to the Spring Security but then at this point point we were working with if I go to Spring yeah security config uh we are asking our authentication provider to talk to database to verify it and we still want to do that now since I want to use JWT now we have to add one more layer it is there behind the scene even if you're not using JWT till this point we have used authentication provider but when the request goes that object of authentication goes to the server and there is something called authentication manager which calls authentication provider and by default authentication manager is handling this stuff behind the scene and now we want to say hey I'm working with this token system and let me handle it so we have to work with authentication manager as well so which dependency I'm talking about so what I will do is I will go back to my pal file here so let's set up this project once and here we have to add two more dependencies so one is for the JWT API and to do that uh we will go to our favorite website which is mvn repository and here search for JJ WT API and this is what we need so if I click on this this is the API we have to work with now which version looks stable so 12.3 because it has a maximum usage so I will use that or maybe this one also works 12.5 so let's get this and based on when you're watching this you can pick up any version make sure that it is used a lot and now I'll copy this without the ad of course and go back here and paste next so this is just an API right of course I to do I have to do M reload but we need two more uh dependency see we have got the API not the implementation so you have to take both they give you an option of API implementation difference so that you can use any other implementation if you want but I want to use the JT WT implementation so I will just say imple and this is the one so this implements the API go for the same version and as you can 
see, they have found a vulnerability. For learning purposes this works, but if you are implementing this in your project, check with your company's policies, what kind of security they are implementing; your team and the security compliance team will have their own set of APIs available. So I'm going to use this, and I'll copy this and paste it here. So we got the implementation. Sometimes you also need a Jackson converter. I think that's optional; just try it out without the Jackson converter, and if it works, it works. But I will get that here, so jjwt-jackson. I know there are a lot of JJs here, but let's take it, same version. And you know, the version plays a major role sometimes; when you have a different version it might create some issues, so stick to the specific version. So do the Maven reload; it will download all the dependencies, as you can see it is doing here. It took some time, but it should be here soon. Yeah, we got it.

Now, once you got the dependencies, let's do this stuff. The first thing you have to do is make sure that the authentication manager is something which you are handling, and when you say you want to handle something, we have to create a bean for it. So let's create a bean for the authentication manager. So if you say "Authentication", we got the provider, but I want the manager. Yeah, AuthenticationManager, and let's say authenticationManager. Now the question arises, how will you give the object of this? You just have to get the object and return it, the way we have done here for the authentication provider, where we got DaoAuthenticationProvider. But here either you have to look for a class or some other way, because if you see AuthenticationManager, it's an interface, so we can't simply create an object of it. So what you can do here is pass the object of AuthenticationConfiguration, and I will say config, and using this config object, if you can see, there are some methods, and one of the methods is getAuthenticationManager. So this will give
you an object, and you as a programmer just need to hold on to it; that's why we are saying bean, right? So I can simply ask for the AuthenticationManager object in any of the classes and I will get it. But it might throw an exception, that's what it's saying, so I will say okay, it throws Exception, I'm happy with it. I think we have to return this, so return, yeah. So this is working. So that is the first step: we wanted to get hold of the authentication manager, and the authentication manager will talk to the authentication provider, as the flow goes.

Now what's the next step? See, we are able to register the user. So if you go to your UserController, and we have done this in the earlier videos, you can do registration, right? You can create new users and everything is working. Basically, when you say register, we do have a way to register the user in the database, and we are also making sure that we are using a BCrypt password encoder to save it. That's for the registration, but what about the login? See, by default, if you don't implement the thing which we have done now, which is the authentication manager, behind the scenes it will take its own flow. What I want to do is have my own flow, so I want to create a login option, something like this: if a user hits the URL /login, they should be able to do that. So I will say public, I want to say login successful, and I will say login, in which it will pass you the object of Users. So I will say Users user, and I have to say @RequestBody, and let's return "success". At this point I'm not checking if the user is valid or not, I'm just saying success. And for this I need a @PostMapping URL because we are accepting data, and here I will say "login". So when someone sends a login request this method should be called and it should say success, and that's what I want, nothing fancy. I will just relaunch this, I mean first run this, and open my Postman. First of all I want to know what fields we have in the database, so we can see we have
navin, and I forgot the password; it should be n@123. I hope that's the password; anyway, Postman will tell me. What was the last thing? Okay, we have used that last time. Now I want to send a POST request for the login, okay, and maybe, you know, the better thing would be to also print the data we are getting here, so let me print the user as it is. Let's relaunch. Okay, let's go back to Postman, and here I have to specify basic auth. Even if I don't do that... I think we have done it for the login, if I'm not wrong, we have made sure that it should not stop login. Oh, okay, okay, so we have not done that yet.

See, the thing is, whenever you try to access any resource, what we do is make sure that you pass a username and password, and we have been doing that for a long time in Postman; basically we were sending this authorization, right, even for the registration. So if I want to add a new user I have to pass some authentication, basic auth, and even for students, if you want to fetch students, you have to do that. But don't you think for the login and for the registration we should not do that? We don't need to do that. So can we keep certain things as open resources and everything else as closed? Because by default, if you see, everything is closed: any request will be authenticated. So what I can do is free them up. I can say, hey, there are two links on which I don't want to implement security, so I want them to be permitted. So once we got the request object here, just hit enter, and here, before the anyRequest, you can say requestMatchers and pass the patterns here. So I don't want it for the register and I don't want it for the login; for these two URLs it will skip it. How? You have to say permitAll. So when you say permitAll, that means these will be permitted, and then any other request will be authenticated. That's how you differentiate between open links and closed resources. Okay, so let's restart. So now if you want to
register a user, it will basically not check for your credentials; you can simply skip them and you can add a new user. But now when I say login, I don't want to pass the auth, but in the body I want to pass something, not this. I want to pass certain things. I want to pass the ID first of all, so I will say I want to pass the id; the id should be new, we already have... let's start with 11 because I'm not sure what the last ID there was. I will say username, and how do you know these fields? These are there inside your Users; if you can see, we got three fields here. So username, the new username I want to add is, let's say, "g", and the password is "g@123". Okay, so we got this detail, and when I click on send it should log in, and you can see we got success. Let's verify if you're getting that on the console. So you got this object, so this is working till this point.

Now we want to actually do the login, right? How do you verify whether the user is logged in or not? In that case I don't want to print login now. What I can do is ask my service layer to verify. We don't want to do that here, right? So I can return, and here I can ask my service to verify the user. It's that simple: if the service class is done, if it is a real user, you will get that text; if it is a wrong user you will get that text, right? As simple as that. But we don't have this method, so I will just click here and say create a method verify, and we have to verify it here. Now the question arises, how are you going to verify? That's a big question, right? Because if you see the flow, before this, login was happening automatically because of the authentication manager; behind the scenes it was working, and now we are changing the flow, right? In that case, we already got the AuthenticationManager object. I can simply get that object here and pass the request to it. So I can say AuthenticationManager, we got hold of it, I will say authManager, and once you got this object I can come back here and I can use that object. But using that object,
what will you get? See, ultimately you want Authentication, right? So to do that I will simply use Authentication authentication = and, using the authManager, I can say authenticate. But how will you authenticate, what do you want to authenticate? So whatever these user details are, I want to authenticate. See, behind the scenes we have written all the stuff for authentication, right? We have mentioned that we have an authentication provider who will verify against my database; I just have to call them. To do that, in this authenticate, I will just hit enter so that I can read it. You can pass the object of, because if you see authenticate, it needs the object of Authentication. Okay, lots of "authentication" there. So what you are passing now is unauthenticated and what you will get is authenticated, but both are objects of the same class. It's like you're sending a box without the stamp and what you get in return is a box with a stamp. So to do that I will use a class called UsernamePasswordAuthenticationToken. In this you have to pass two things, the username and the password, so you will say user.getUsername() and user.
getPassword(). So we want to pass these two things, and what this will give you is the Authentication object. Once you got this object I can verify if you are authenticated, if the user is real: authentication.isAuthenticated(). This will return true or false, and I just have to check: if it is authenticated I can return "success", else... not even else, I will say return... I can throw an exception as well, but I would say return "failure". Okay.

So basically what I'm doing is, behind the scenes all the verification of whether the user is correct or not is happening; it's just that we are taking control of the login. So when you say you're passing username and password, we are manually verifying it. We are asking the authentication manager, "Hey, we got the details, take these details and let me know if the user is logged in or not," and we have done all the hard work before, right? So now this should work. Let's try if this is working. I will just restart this and go back to Postman and literally check it. So we don't have to pass the ID when you're verifying it, right? So now I will click on send and it should give you 401 because this is a wrong username and password. Let's pass something real, so I will say navin and n@123. Send. It works, you can see we got success. If I give a wrong password, we got failure; in fact it's not printing it here, but yeah, that's what we got: it basically throws an exception and you get this error here. The thing is, earlier also we were doing login; in fact we never even tried login, right? We were just using this URL, we were accessing the resource by passing the authorization, but now I'm actually logged in and I'm not passing any auth from here.

Now what I want to do is, we are getting success, but actually we don't want success. What we want is, for example, if I run this and I get the success, I don't want success here, I want to generate a token which I can use later.
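As an added example (not the code from the video), here is how the pieces set up so far fit together in a Spring Boot 3 / Spring Security 6 project: the AuthenticationManager bean obtained from AuthenticationConfiguration, the two open endpoints, and a login method that hands the posted credentials to the manager. It assumes the Users entity with getUsername()/getPassword() and the DB-backed UserDetailsService bean from the earlier videos (names assumed). It also adds one check a practitioner wants: authenticate() throws an AuthenticationException on a wrong password instead of returning an unauthenticated object, so the service catches it rather than letting it surface as the bare 401 seen in Postman, and the session policy is set to STATELESS because a token client should never get a server-side session.

```java
// Added example, not the video's code. Assumes Spring Boot 3 / Spring Security 6, a Users entity
// with getUsername()/getPassword(), and a DB-backed UserDetailsService bean (names assumed).
// Each class below goes in its own file.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private UserDetailsService userDetailsService; // DB-backed service from the earlier videos (assumed)

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(csrf -> csrf.disable()) // no session cookie to protect once requests carry a token
                .authorizeHttpRequests(request -> request
                        .requestMatchers("/register", "/login").permitAll() // the two open endpoints
                        .anyRequest().authenticated())                     // everything else stays closed
                .httpBasic(Customizer.withDefaults())
                // a token client must not get a server-side session; every request proves itself again
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .build();
    }

    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setPasswordEncoder(new BCryptPasswordEncoder(12)); // same encoder used at registration
        provider.setUserDetailsService(userDetailsService);
        return provider;
    }

    // AuthenticationManager is an interface; Spring builds the real one, we only expose it as a bean
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }
}

@Service
public class UserService {

    @Autowired
    private AuthenticationManager authManager;

    public String verify(Users user) {
        try {
            // what goes in is an unauthenticated token, what comes back is the "stamped" one
            Authentication authentication = authManager.authenticate(
                    new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword()));
            return authentication.isAuthenticated() ? "success" : "failure";
        } catch (AuthenticationException e) {
            // wrong username or password: authenticate() throws (BadCredentialsException) instead of
            // returning false; uncaught, that is the 401 Postman shows
            return "failure";
        }
    }
}

@RestController
public class UserController {

    @Autowired
    private UserService service;

    @PostMapping("/login")
    public String login(@RequestBody Users user) {
        return service.verify(user); // only username and password are needed in the body
    }
}
```

With this in place, POST /login with {"username": "...", "password": "..."} returns "success" or "failure" without any Authorization header, while GET /students still requires basic auth until the token filter is added.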
But the question is, how will you generate the token? That's a big question. So instead of returning success here, I want to generate a token. So we can do that, right? It's very simple; I can say generateToken. So this method should return me a token, and the beauty is, actually not beauty, maybe you were thinking that there might be some method and magically it will give you a token. No, we have to generate the token by ourselves and we have to create this method. I can do that in the same class, okay, in the UserService I can do that, but I want to keep the JWT stuff apart from the UserService. So what I will do is, in this service package here, I will create a class for the JwtService, and in this class I want to have that method. So first of all I will say this is a service layer, go back to the UserService and create the object for that here, so I'll say private JwtService jwtService, and on top of this I will say @Autowired. Now using this jwtService I want to say .generateToken, and we don't have that method there, so what I can do is just go here and say create a method, and this method should return the token. Okay, but how will you generate the token? It's easy, actually. You can go to the browser; remember we went to this website. I don't know where my Chrome has gone, okay, so the browser is here, and if you remember we went to this website, and this is a token, right, a random token, but this should work at this point. Maybe you can generate a random token any time you want. So let's say I want to say this is for navin, this is for the subject, token reference tool... I will just keep it empty or whatever the default is, and this is the expiry. I will just use this token and paste it here. That's it, we got the token, right? I know that's a big text, but we got the token. Let's restart this and go back here, click on send, okay, server not started yet, send, okay, we got a token. So ultimately we got a token, right? But there's one little problem: this is not the actual
token. I mean, this is a token, but not a valid token. Reason: first of all, it is expired, right? This is a 2018 one. And second, it doesn't matter who the user is, all the users will get the same token. This is one of the biggest security breaches, right? Yeah, someone is logged in and then you are using the same token to access some other resource. We want to generate tokens for users: different users, different tokens. But at this point we are done with the flow, okay, we know a lot of different stuff now. The only thing you have to do is generate this token. You might be thinking that's easy. No, multiple classes are there, so the code is not that easy, but if you be with me and practice it together, it becomes easy.

And now it's time to generate the token. This is the hardcoded token which we are sending, not a good idea, because different users should get different tokens, and every time you log in you should get a different token. Now how do we do that? To achieve that, first of all, of course we don't want to return this, but for the time being I will keep it there; I will change it later. I want to generate the token now. Now, when you say you want to generate a token, it should be based on certain things, right? It should have the subject, maybe we can use the username as the subject. We have to specify the issue date, expiry and other things if you want to mention them. And where exactly will you keep all these things? What you can do is create a map of claims. So basically I want to create a map of claims, and the type of this map will be String and Object, because the key will be a String and the value will differ, right? You can have different types of data, so I'm going for the Object type here. We have to import Map, and we'll say new HashMap. Okay, so we got the claims here, which is the map. At this point this is empty, but we'll build it step by step. And now I want to return the token. To generate the token we can use something called the Jwts class. If you can see, this
belongs to the JSON Web Token package which we got from the Maven repository, and you can use this. Let's import the package. So we'll use this; this is basically a class, it has multiple methods to work with. One thing, if you observe, there is a method called claims, and this is where you can mention all the claims. It also has a claims builder, so we are going to use this claims builder to build our claims, because we have to specify multiple things there. So either we can use claims to build it or we can use the builder, even claims... okay, let's use the builder, because that's the JwtBuilder we have, and with this I can use certain methods.

So the package which we have used, let me show you the package. The version of that package is 0... okay, is that so? I will go to my pom.xml. Now, since we are using 0.12.5, they have made some changes in 0.12, so we have to use the new code. In the initial days we were basically using, I think, setClaims, and you can see setClaims is deprecated now. This got deprecated in... I have to download the sources so that I will know in which version it got updated. So setClaims is deprecated from 0.12, so if you're using the older version it will work properly; even for this version this will work, there's no error, but again this is deprecated, so use the latest one. And which is the latest one? We can use claims directly, so instead of saying setClaims I want to say just claims, then dot, and now we can set whatever values you want. So basically I want to first of all add the claims, so I will say add, and this is where you will add this map, so in this map it will add all the claims. The next thing I want to do is set the subject. So again, earlier we used to use setSubject and now you can see it is deprecated here; all these methods, setIssuer, setExpiration, all of these are deprecated. So we can directly say subject, and this makes much more sense, right? So we are adding claims, and what claims are we adding? We are adding
the subject. The subject is basically the username, and okay, so to get the username I have to accept the username here. And from where will you set the username? We are calling this from the UserService, right? So when you are generating a token we need to send the username, so we're sending the username from here to here and we can set the username here as the subject. Then we have to set the issuance time, so I will say issuedAt and I will say new Date; I want to specify the current time, so I will say System.currentTimeMillis(), okay, not dot. And then we have to specify the expiration. This will be again the same thing, but with the expiration we have to add some extra time, so I will just multiply this by 60. This is milliseconds, right? So times 60 is seconds, times 60 is minutes, and I want to, let's say, do it for 10 minutes. So this token will be applicable for 10 minutes, or maybe we can also make it 30 minutes, that's fine. And then we have to specify one more thing. So this will generate the token for you, I mean you can generate a token from this, but we have to also sign it. Remember we have talked about the signature, and to do that we have to use a method called... so we have to say dot, and the method name is signWith, but if you can see it is not there now. So we have to basically say "and"; I also want to mention something, so you have to use "and". Let me just delete this line. Right, it's not giving a suggestion for signing. Oh, okay, it's "and", not "add", typo. And when you say signWith, basically you have to pass a key. Okay, now I'm not sure what key I have to pass, and maybe I have to generate the key every time. We can use some standard key, but as I mentioned, if you want to make it secure, we have to use some technique to do that. Once it is done you can simply say compact; this will generate the token for you. Okay, but then how do we sign it? Now this is a critical part. So when you say sign, we have to generate a key here. Now I don't want to write the code for generating the key in
this particular method; there should be some other method to do that. So I will say getKey, and let's create this method. Okay, since we don't have this method here, I will simply say okay, create method getKey. So I want to create this method which will return the key for me. And how do we generate the key? What you can do is simply return the key here, right? And then there are multiple ways. One way, you can create a key here: you can say a private String key, or maybe I can say secretKey, and I can mention whatever key I want to mention here, maybe something like "CF781"; I'm just generating a random key, okay. So let's say this is the key, and then you basically return the secretKey here. Again, not a good idea; I will show you the proper way. But this is a normal String, right? And to convert this normal String into a key, what I can do is return Keys.; there's a method called Keys. and for which algorithm are we using this key? We are using it for HMAC-SHA, so hmacShaKeyFor, and then we have to pass this key here. Let's see if this works. No; even hmacShaKeyFor takes bytes, okay. So basically before I send this, I have to convert this into bytes. Okay, no problem, I will create a byte array, I will say keyBytes =, now how do you convert the String to bytes? Basically I can use something called Decoders.BASE64.
decode, and we have to pass the key here. So what it will do is use this Base64 decoder and convert your String into bytes, and we have to pass those bytes here. So by doing this we are generating a key, and this should work. Let me verify if this works; I'm not sure, I'm just experimenting. We have a proper way, but before doing the proper way I just wanted to show you: will it work? If not, we'll do certain things. So there's no error till this point, that's a good thing. Okay, no error. Let me go back to my browser, and you can see we were getting this static text because we are returning it. Now let me just hit the login and, okay, so we got 401. Okay, we got an exception, let's see what the exception is. It's huge. It says the specified key byte array is only so many bits, which is not secure enough. Okay, this is not secure, so we have to basically generate a secure one. In fact you can Google it, you know, you can search for a key on Google and you can get it there and it should work. So this is not working, so what I will do is generate this key. So this is not safe, that's what it says. If this is not safe, then how will you generate this? Maybe I can create a constructor in which I can just create this key. So JwtService, and let's write the logic for generating the key here. So I don't want to use this key; this is a default value, and in fact this is not secure, so I will just remove that. Now how do you generate this key? There's something called KeyGenerator. If you see KeyGenerator, this belongs to javax.crypto, not the cryptocurrency but cryptography. I will use this and I can say keyGen, and using this KeyGenerator I can create the object of it, so KeyGenerator.
getInstance, and in this instance you have to specify which algorithm you're working with. So I will say HmacSHA256; this is the algorithm we are using. And this might throw an exception, okay, that's what it says. I want to use try-catch, not throws Exception. Okay, so this is basically the thing. Now once you got the KeyGenerator, I can basically use secretKey =, so using this keyGen you can generate a key. There's a method called generateKey, okay, but generateKey will not give you a String, it will give you a type of... okay, so we have to use something else. I will use sk here, so generateKey returns a type of SecretKey. Okay, so no problem, I will just use SecretKey; it's an interface type in javax.crypto, and from this SecretKey we have to get the String, right? And if you remember, we have used something called the Base64 decoder here, so we have to do just the encoding there. I can use sk., in fact not sk., I can use Base64.getEncoder(), and we have to encode that into a String, so let's just use our secret key, or not secretKey, sk.getEncoded(). So basically this will convert that into the String, and I will just use that here, so I will say secretKey = this. So what we're doing is generating a key. This will be generated as soon as you create the object for this, and maybe you can also create a new key every time you request for it; again, that's the option you have. But what we are doing is generating a key, this one, and that is what we are using here. Now we are not using a hardcoded value, so I hope it will work. So let's go back to the code, go back to Postman, and now hit this once again, and this time it says okay, so this is working. Okay, so we have generated a key. Now, what are the values for the key? So the username is, if you see authorization... okay, not authorization, the body: the username is navin, so it should create a token and the subject should be navin. So let me copy this. How do I verify that? It's very
simple: you go to the website, which is jwt.io, and here you can just simply paste this, and you can see we got the subject as navin, you got the iat as this, okay. The date for this ending is not proper, so we have to change that. So anything here... oh, oh okay, okay, so I'm multiplying it; I should add it. Okay, so we have to add the time, not multiply it, and that's why it was giving you some invalid value. Let's verify that once again and go back here, click on send, the server is not ready yet, so it is now. Let's copy this new token and verify it from this website again. Paste, and you can see now it works. So we got subject as navin, we got iat as this, this is the current time, and then this is the expiry. You can see this is 3 minutes, 2 minutes, whatever the time is, okay, so that's the calculation you can make; maybe I missed out with some calculation, that's not important, you can set this. It says "invalid signature" because we are not saying that we have used a base64-encoded secret, and now it says "signature verified". So yeah, that's how you generate a token.

So we are done with one big step of generating a token. Now, just to show you what we have done, simple stuff: basically we are saying generateToken, we are specifying some claims which you are adding here, and then you are saying that you also want to sign it, and for signing we need a key, and we are generating a key here. Okay, so maybe you can generate a key... maybe you can write this code in this method, even that works, and you can just do that. So there are multiple ways of doing this, and that's how you generate a key.

Now this works, but then what's the next step? See, the next step is very simple. When you go to Postman, once you got the key, I mean once you got the token, I should be able to copy this, and now for the other request, let's say I want to get all the students. Now when you want to send the students request, I don't want to pass the username and password because I got the token, right? You're logged in, and once you log in you don't
have to pass the username and password every time; you got the token. So that means, instead of using basic auth, I want to use the bearer token, and in this I want to pass the token which I generated, okay? So I want to log in through the token, not with the username and password every time. And when I click on send, it's not working. Now I want this to work. That means when you send this token, on the server side we have to take this token, verify the token or validate the token, and then say, "Hey user, I know who you are, you can access the resources."

So till this point we were able to create the token, the JWT token. Just to show you how it was looking: if you go back here and click on login, we are passing the details; if you can see the body, we are sending the login details, which is navin and n@123. When you click on send, the request goes to the server, and then on the server side it verifies the username and password, and if the username and password are correct, in that case it generates a token, which you can see here. And of course, using this token I want to do other activities. For example, I've done the login once, right, and I got the token, and now let's say from the application I want to access any resource, for example if I want to fetch students, and I don't want to pass the username and password now. So in the earlier scenario we were sending the username and password, but now we don't want to do that; we want to send a token, which is a bearer token, and here we should be able to paste it. We are doing that, but when you click on send this is not working, and we want to make it work. So generating the token is done, but we have to validate the token and give access to the user; that's what you have to do in this video. Okay, in fact this token is also valid, we have checked that on jwt.io.
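The token generation walked through above, written out as an added example against the jjwt 0.12.x API (jjwt-api, jjwt-impl and jjwt-jackson on the classpath); this is not the video's code. It keeps the same shape (claims builder, subject, issuedAt, expiration, signWith, compact) and also shows the parsing side that the validation step needs: extractUsername and a validateToken that relies on the parser to reject a bad signature or an expired token. Two things differ from the walkthrough on purpose and are assumptions of this example: the expiry is added to "now" rather than multiplied, which was the bug found on jwt.io, and the secret is read from a configuration property (assumed name jwt.secret, Base64-encoded) instead of being generated in the constructor, because a key generated at startup changes on every restart and differs between instances, so every token issued before the restart stops verifying. The KeyGenerator approach from the video is kept as a helper for producing that property value once.

```java
// JwtService.java (added example, not the video's code). Assumes jjwt 0.12.x and a Base64-encoded
// 256-bit secret in application.properties under an assumed key "jwt.secret".
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Service
public class JwtService {

    private static final long VALIDITY_MS = 30L * 60 * 1000; // 30 minutes, added to "now" (not multiplied)

    private final SecretKey key;

    public JwtService(@Value("${jwt.secret}") String base64Secret) {
        byte[] keyBytes = Decoders.BASE64.decode(base64Secret);
        // Keys.hmacShaKeyFor rejects anything under 256 bits (WeakKeyException), which is the
        // "not secure enough" error the short hard-coded string produced
        this.key = Keys.hmacShaKeyFor(keyBytes);
    }

    // One-off helper to produce a value for jwt.secret, same KeyGenerator approach as the video
    public static String newBase64Secret() throws NoSuchAlgorithmException {
        KeyGenerator keyGen = KeyGenerator.getInstance("HmacSHA256");
        SecretKey sk = keyGen.generateKey();
        return Base64.getEncoder().encodeToString(sk.getEncoded());
    }

    public String generateToken(String username) {
        Map<String, Object> claims = new HashMap<>(); // extra claims (roles etc.) would go here
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .claims()                                  // 0.12.x replacement for setClaims()
                    .add(claims)
                    .subject(username)
                    .issuedAt(new Date(now))
                    .expiration(new Date(now + VALIDITY_MS))
                    .and()                                 // back from the claims builder to the JwtBuilder
                .signWith(key)                             // HS256 for a 256-bit HMAC key
                .compact();
    }

    public String extractUsername(String token) {
        return extractAllClaims(token).getSubject();
    }

    // Signature and expiry are checked by the parser; the subject match is the only check left to us
    public boolean validateToken(String token, String expectedUsername) {
        try {
            Claims claims = extractAllClaims(token);
            return expectedUsername.equals(claims.getSubject());
        } catch (JwtException | IllegalArgumentException e) {
            // tampered, expired, signed with another key, or not a JWT at all
            return false;
        }
    }

    private Claims extractAllClaims(String token) {
        return Jwts.parser()
                .verifyWith(key)           // only tokens signed with our key get through
                .build()
                .parseSignedClaims(token)  // throws ExpiredJwtException once exp has passed
                .getPayload();
    }
}
```

Pasting a token from generateToken into jwt.io with the same Base64 secret (and the "secret base64 encoded" option ticked) shows the subject, iat and exp claims and "signature verified"; changing one character of the payload makes validateToken return false because the signature no longer matches.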
We got the details, we got the claims, and we got other details, so things are working out; it's just that now we have to validate the token and make this work. Now, how are we going to do that? Of course there are multiple steps involved. The first thing you have to do is, when you send a request to the server, by default... see, there's one thing I wanted to point out. If you go to SecurityConfig, we have mentioned that for these two requests, the register and the login, you don't have to check for authentication; basically they are permitted. But for all the other requests it will be authenticated. That means when you request the students it will be authenticated, and by default the authentication we follow is username-password authentication, so by default that filter comes into the picture. Now, if you remember, we have talked about filters, right? In Spring Security we have multiple filters. One of the filters is UsernamePasswordAuthenticationFilter. This is a filter which gets activated and then checks for the username and password. Now what we are saying is, "Hey, you know, I don't want this filter to be activated first." Before this filter, I mean, I want to make this filter your second filter, and the first filter should be your JWT filter. Now this will check for the token, right? Now, once you verify the token as the first filter, then it will send the request to the UsernamePasswordAuthenticationFilter by saying, "Hey, I have verified, and this is a user already logged in, so I'm confirming that, so you can just continue with the other work." So this is what we want to do. That means we have to add a filter before the UsernamePasswordAuthenticationFilter, and the way you can do that is very simple. It's not, actually; you know, this video is also very lengthy, so just be with me. There are a lot of things going on, and if you watch it with me and if you write the code with me it will make much more sense.

So the first thing you do is, before you build... you know, I'm in the SecurityConfig and we are
working with SecurityFilterChain, basically we're working with the filter chain, and before you say build, what you do is add a filter before the username-password authentication filter, right? So you will say addFilterBefore. You can add a filter any time; you can add a filter at a particular point, you can add a filter after or before. So I want to add it before the username-password authentication filter, so I will do that. The first parameter is the actual filter, so let's say I want to say this is a JwtFilter, so that's the object we have to pass. The second one is the class, the filter class, so I will say UsernamePasswordAuthenticationFilter. Now this is what we have to specify. So what I'm doing is saying, "Hey, you know, before you hit this particular filter, use this filter." But what is this filter? We have to work with this. In that case you will go up here and create the object: private JwtFilter jwtFilter. So this is what... so we have created the object here, I mean we are doing @Autowired, and then that object will be used here, okay. But the problem is, it says that this JwtFilter cannot be found. So it's very simple, you can just simply say Ctrl+Space; let's import the package. Oh, it says no suggestion. That means in your library of Spring Security we don't have this filter by default, and that's where you get the opportunity to create a new filter. I know I'm using some positive words here, "opportunity"; yeah, we have to get another class to make it work. So let's do it; you know, anyway we are doing this only once. So I will just click here and say, hey, create a class, and what I want to do, maybe in the same package, config. Logically it should be in a separate package called the filter package, but config works for this example. I will click on okay, and we got this new class. Now I want this to behave like a filter, okay? How do we make something behave like a filter? What you do is extend those properties, right? So if I want to be rich, I want to get adopted by some
billionaire, right? So here I want to extend; I want to make this a child class of some parent class which has filter capability. So one of the filters we are going to use here, I mean one of the classes we're going to extend, is OncePerRequestFilter. I know, a very nice name to give to a filter or a class. This is called OncePerRequestFilter. See, the reason is, every time you send a request you want a filter to get activated, and in the filter chain you want this filter to be executed only once. So for every request you want this filter to be executed only once, and that's why you're saying OncePerRequestFilter. Now it is giving you some error I was not expecting, but let's see. This OncePerRequestFilter is actually an abstract class, which means there might be some abstract methods which we have to implement, and if you scroll down, down, down, all the methods are defined, but one method is there, yeah, there's always one. So one method is there which is called doFilterInternal, which is an abstract method. That means if you want this to work we need to implement it, so let's click on Implement, and okay, so this is the filter we have to work with. Now, if you go back to our sessions on Spring Web, we have talked about HttpServlet; behind the scenes everything is a servlet, right? And it gives you two objects to work with: the request object to work with the data in the request of the user, and the response object if you want to add something to the response. Here I just want to work with the request, so let's use request. But what do I want to do? That's a big question. See, it's actually very simple. On the client side you are sending a request, right, for the students, and with that request you are sending a token as well. Now this token, when you receive it on the server side, you will not get the token as just the token. What you will receive is... can I type here? No, I can't type here. Maybe I will type in the body. So what I receive from this server... not a good place to type,
right okay so I will just go back here and I will write a comment so from the client side what you will get is better that's the first word and then you will get the token I think token is this yeah so this is what you get from the client side so it starts with better and then a space and then it starts with the actual token this is what you get from the client side right now what you have to do is you have to get this token and you have to cut that better part you just have to focus on this part get this token and viate it so simple right okay not that simple I mean breaking out is simple viting is difficult so let's be with me so how will I get this thing the entire stuff and actually it's a part of request so it sends the data this better and the token in the request object object in the headers so what I can do is I can get the headers so I will say security I will say or header so header will have lot of things I don't want everything so from the request I just want a header which talks about authorization this is the only header I need it will have lot of headers but I just want authorization and once you got this Au header this will have this token but I want only the last part so I will save this token somewhere in the token and by default I will keep it null I want the username as well because somewhere we have to work with the username because you will generate a token you will verify the token with the help of username and now let's get started so first thing I want to check is do we have any authorization header so let's check that so if there is a o header which is not equal to null in that case you have to continue so that's the first thing you want to check you you want to make sure that this is not null and you have to also verify do we have a better token so again I will check Au header so it starts with it should start with better so you can even say B but to be on safe side I will say it should start with better in case if it is starting with 
that I will set the Tok to and I want to fetch the token now and fetching token is very easy you will say Au header dot uh you want you don't want the entire string right you just want this particular token here so I want to skip these letters now what are this letters so I will start with index of zero so this is b0 1 2 3 4 five and then six the space is also there right so I want to start from seven so it should start the subring from Seven index number seven and I want to get the username from the token so I will say username equal to now how will you get the uh username from the token because token is encoded right so you can see this you have to find username from this as a human also you can't do that so we have to do something for the program to work but I will make sure that I do that in the service so I will use Service uh object and we don't have the service auto autowired here so I will say autowired private JWT service service okay so I will use this and in this I will make sure that I have an object I have a method called EXT ract username maybe I don't have username so from where exactly it will extract the to extract the username from the token and you can see there's a red here because we don't have this method in the service yet so what I will do is I will say okay uh create this method of uh extract token and at this point I will just return empty we'll code it later so this is empty so so that you will not get any error and you can see there's no error here now once you got this two now we have to verify so once you got the details you got the token now you got username so I will check if so the username should not be equal to null that's the first thing I want to check and I also want to make sure that there's no it's not already authenticated so if the object is already authenticated why you have to verify all those things so I will say security context holder dot get context. 
get authentication and this should be null so if it is not null then I don't want to continue because it's already auth authenticated so I will just continue with this so this should be null if these two are matching see ultimately what we have to do is we have to validate token see we into filter now right so see if this filter is Success then we'll forward it to the user pass Authentication filtered right now how do you specify that is this is Success the first thing you have to do is you have to validate the token if the token is valid valid in that case you will create the authentication object and that's what you have to do here so to do that I want to verify right so I will say JWT service dot in this particular class I want a method which will validate the token because all the things we are doing in the JW service right so let's do that so there should be a method called validate token and you have to pass the token now when you're validating you have to check two things one in the token the token should be valid and second the username which is it is mentioning it should be part of a database right and to refer to database I will pass the object of user details and we have to create this object somewhere now where should I create the object I can do that here so I can say user details we have to import the package us it details and then I can actually Auto if you keep it on top but I think it will create a cyclic redundency so what you can do is you can get the hold on the application context object so I will say autowire and application context Contex text remember when we were learning about spring framework we have used this application context to get the bean so here also I will say context. get bean of type user details. 
class but the problem is it will give you a empty object I don't want empty object what I want is I want the object of user details which will have the user data now if you go back to my details service in this you have this method called load user by username and this will give you the object of user details that means if I ask for the object of my user details service dot class and from this object if I can get load by username and if I pass the username here it will fire database and it will get me the username right and not just username it will give me the entire user D object okay so that's what we are doing here but if you can see in JW service we don't have this method so I will just create one so the method name is valed token and at this point I will return true okay let's go back to the filter now if the token is valid in that case remember we have the next filter we have to make it work so the next filter is next next filter will work with the username password authentication filter but I want to pass a token there so I will create a token and I will say new username password authentication token now this token asks you for three things one is a principle next is the credentials and third is authorities so user principles we already have which is the object of user details which will have all the details about the user credentials I don't want to mention so I will keep it null authorities I have is so I will get it from user details. 
get authorities okay that is that that is what it was asking and we are getting is it a warning variable token is already defined in the scope where exactly I'm using token okay so I will use something else okay token token we already have it here right so this should be or token if it makes it happy now or token knows about the user but or token has no idea about the request object right so this request object will have a lot of data and we are just creating this object and we are passing it so this object should also know about the uh request object so you will say set details and to specify that you have to use web authentication details Source sometime you have to just remember the class names and stuff it's it becomes very complex you just get get into it and with this object you will say build details and you will pass the request object and now once you have this OD token ready is just you have to set this in the context so this particular thing which is authentication should not be there by default and that's what we are taking for null now once it is verified you have to set the authentication so you will say security context holder dot now instead of saying get authentication you will say set authentication and you will pass the a token object so by doing this you are adding the token in the chain and once it is ready you will simply pass the request or the filter so now you will say filter chain. 
do filter so continue with the filter because this is one filter go for the next filter once it is done and by doing this you will pass to objects request and response and done so filter work is done so the jwd filter it will validate a token it will create the authentication object it will pass it next so now it will we not we don't have to pass the username password now if you're thinking this is done uh not exactly what is missing now is this if you go back to your J service we do have two methods which are empty you need to make sure that this is completed now of course we can type the entire code here but then when you want when you got a token and when you want to extract the username it's not a simple process we have to decode it we have to fetch the claims from that we have to fetch the username for while any token we have to do M lot of steps you have to check for the expiration time uh you have to check if the account is not I mean lot of things are involved right so we can do that here but I what I want to do is I just want to copy paste so that we can save some time so basically this is the thing we do so I will explain the code to you don't worry okay so this is the code which you have to work with so if you can see if you go up this is what we have done before but now we are saying that you have to extract the username now to extract the username it's not just extracting a username right first you have to get the claims because username is a part of the claim and that's what you can see here so we we creting a method called extract claims in which you are passing the claims and you're passing the token now in this extract claim basically it will fetch the claim it will extract all the claim and that's what we are doing here extracting the claim with the help of signing key because you have to also use the key to do that and uh we are fetching it here in the claims and that's what you are returning it here so from that you will get the username so you 
can see from the claim we getting the subject and if you go down we are also we also have a another call validating but for validity of course you have to check if the token is expired or not and that's what we are doing here so it's checking if the expiration time is before this then it will give you false otherwise it will give you true and I mean of course it will return true if it is expired then we have to check if it should not be expired and this is how you're extracting the expiration time so basically what you're doing is you are fetching the claims I pasted this code because it's more redundant code and you'll be doing it only once that's why you pasted it important point to observe there are few changes from the last time I did this so first of all let me just import claims that's one and import this function type and one more change they have done some changes in the new version so the code is for the older version uh for the new version they have made some changes the first thing they did is if you go to Passa Builder there's no Passa Builder so jws has a it's a class and it has a meod called passer and then this passer has a method so if you can see earlier we used to use set signin key but now we have to use something called it's verify with so instead of signin key we have to say verify with uh but it takes the type of secret key not the key because get key gives you key so what I can do is I can just change the type of it and this should work so I will use secret key here so that it will not give issue here so remember this we have to make one change uh in the get key you have to return secret key now depend upon which version you're using so if you're using the uh version which I'm using then you have to make this changes so anything before this works perfectly for the earlier code but since I'm using 0.12 and anything after that you have to make these changes so go back here to the the JW service okay there's also change in the past claim so I 
will first of all do enter here so show past claim they they made some good changes so now it is signed claims because it makes sense because it is already signed instead of body they now call it as a payload and how will you know all these things if you go to the method documentation you will see what they have replaced it with again that code will work it's just that it's good to go for the new versions a new code don't go for deicated methods and that's it that's should work and where you will find this code you will you can check the description uh you will find the link for the GitHub repository if not there let us know we'll put it there and now after making these changes I hope this will work and if it it works I will tell you the entire flow what we are doing I hope nothing is null nowhere okay cool so this got restarted and we got an error it says okay I think no filter we are using Auto but this itself is not a component that's what it says Okay so let's make this component just restart and there's no error let's go back to postman first of all let's do the login so I will click on this and okay we got the token though there's no problem with the token I will just copy this and now when you are sending a request for the students you don't have to pass of course the body is not import body is important maybe you're getting the you're getting it right so we don't have to pass the data uh in the authorization we have to pass the token we are not passing username password now click on send it worked you can see it says okay so what is happening behind the scene let's go with the flow again the first thing you're doing is you are generating a token now who is responsible to generate token if you go back to your security config we are saying that the authentication manager now this time we have a hold on it and we are creating something of login form so if you see user controller we got something called login and inside this login we are doing verify and in 
verify we are using this filter to achieve that so once we got this we are generating a token so once it is verified the user is verified we are generating a token right now in this token generation what we are doing is we are doing all those step building a token with the help of claims we are signing it wa it's here we are signing it we have subject issue date expiration after doing all those things what you get is the token right now next time when you send a request you are sending a token now since we are sending a next new request and in that request you are not passing username password in that case you have to mention hey you know don't go for username password go with the jwd filter now what we doing in filter is in the filter B basically we are saying that first of all get the token from the user or the request check if the token is not empty or token starts with the better if it is there get the username get the token get the data from the database based on what username is you are passing and verify if the it is matching or not if it is matching of course you have to write a token if it is matching you have to create a new authentication object and you have to set that in the context once it is done you through because in for the next filter you have specified that I do have the authentication but there's one problem in the validate token we have to actually validate token and to do that you have to extract the username to extract the username we have to extract the claims and to extract the claims lot of steps are involved right so yeah that's what we have done in the entire flow and by doing this uh all this thing have been done now you know what is sping security now you know how to generate a token how do you verify the token now you can make your application secured let's see how can you get the Google or GitHub or any the login in your website see what happens is when you build application of course you want to secure it and one way to secure it 
is through the login forms and normally what you do is when you say you are allowing your user to log in so that we can provide them the resource you have to verify the username password from the database and we have done that before right now what I'm doing is let's say you build an application and then with the username password you also want an option of someone can log in through their Google account or their GitHub account it will be easier for users to log in and most of the time when I want to access any resource or any application I prefer to log in through Google Now Google already knows lot of lot about me right they have all my information and I can use that and they already have my username password so what if this application can ask Google hey you know this person is claiming to be naven can you just confirm that he's naven so that's how you basically verify and to achieve that what you can do is on your page you can have a Google login or GitHub login option and to do that we'll build a very simple project let's not work with the older projects let's create a small project with a small resource and let's see how do you provide the Google or GitHub access to it so the first thing I will do is I will create a new project and to do that I will go to start. spring.io if you have ultimate version of in idea or spring or STS you can use that so here I want to create a project and I will say make sure that this is mavin a Java project and the spring boot version latest is 3.3.2 depend upon when you are watching this you can just change it and the group ID will mention is com. 
Tesco the project name I will make sure as O2 now why it is O2 because if you want to provide this option of using someone else authorization server to verify uh we can use a protocol called o and the version is o 2 so we'll use that so we'll say spring o to demo and the packaging will be Jarred the Java was 21 on this machine let's add dependency So when you say o you can actually create your own O2 server using spring but since we want to use some other service like Google or GitHub we'll use a client there but be before we add that we also have to make make sure that we also get spring web and the o to client now of course you might be saying we also need a Spring Security right because it's a login thing the thing is the o to client itself will give you all the spring security dependencies so we just need to the spring web and over to client and click on generate this will give you a project which you have to unzip it and open your ID so unzipping done let me go back to my ID this is the earlier project which we were doing for jwd will not touch it I will click on open and let's open this new project click on open and okay first of all I will just stop this server just click on new window um disconnect okay sometime you know when you disconnect or terminate it will not free up the port I think it's with terminate so let's see I hope the port number 88 is available otherwise we'll change it so the first thing I want to verify if this is working so I will just run this application to see what goes wrong uh we have not done the mapping yet no resource created let's run this and see what goes wrong the moment you run this it will give you some errors okay first of all it says the AG Z port number is busy okay that's the mistake right so for the older one I should have stopped it um do have the option it's closed okay so what I can do is I I start my machine that's the solution I found if you have other solution let me know I can just change the port number I will 
say server. Port equal to 80 I will say 8,000 let's use port number 8,000 let's run this and this time it should not give you this eror of 8080 bsy because we're using a different port number let's see okay so it says stormcat started at Port number 8,000 I'm happy okay now let's create some resource in fact even before you go for the resource let me just go to the page of uh okay not this port number this was the earlier project it's 8,000 enter and it is giving you a login form go back to Spring Security right when you add Spring Security modules it will give the login form right but hey I don't want a login form I want buttons here for the Google or GitHub I don't have it and even if you pass the username password you don't know the username and password right or maybe maybe you will get it in your console but if you scroll you don't even have a password here okay no problem what I will do is I will create a simple resource which I want to access so first of all which those resource I want to access I will create a class and this will be my hello controller and I will make this as a rest client so I will say rest controller I mean not a client rest controller and let's create a method which will do something so I will say public string I know we are using the same method every time but it works right and here I will say this is get mapping this will be mapping for the homepage request or maybe I can specify some URL or maybe homepage works and here I will say return welcome to telesco I'll give a comma and I will say tesco.com no harm in uh product marketing okay what do you call this there's a word for this right when you pitch in a product inside the script uh I forgot what it called doesn't matter okay come back so we are we are saying t.com and this should work so let's relaunch it and actually it will not work the reason being uh we it will still ask you for the login form right and we don't want a login form so if I go back and hit the homepage it will 
again give you login form now how do you stop default configuration so one way to do that is you have to do the spring config okay and still if you want to see the homepage what I will do is I will just go back to my pal file and I can disable it so I can disable the spring o or to client uh yeah so what it will do is it will also disable the Spring Security configuration so let's go back to the browser and say refresh or not for the login form I will say enter okay still giving me login form oh I forgot to do one important thing you have to reload your mavin before you do that uh let's restart go back to the browser I don't want a login form now enter okay it's not ready yeah so you can see it says welcome Tois cisco.com so we are happy and now uh let's enable it again let's reload the mavin changes I want to pass the security so we have done that before so if you want to pass the default security what you can do is you can create your own config file and I will name this as security config and on top of this you will say this is configuration and also enable web security and then you have to just change one method basically you have to create one bean and I want a bean of security filter chain so I'll say public I want the method which will change the behavior of security filter chain uh I will have a default name security filter chain and this should take an object of HTP security I will say HTTP this might throw an exception the method I'm going to do so I want to basically return HTTP do build so this build will return the object of security filter chain and this might to an exception so I will just say add those exception okay now if you want to change the configuration in fact we have done this before right what you have to basically do is with the object of HTTP you have to add certain things in the previous sections we have talked about how do you disable the csrf how do you work with u a custom login authentication but this time we don't want to do all 
those stuff we just want a Google login right so what you can do is you can use HTTP DOT first of all I want to make sure that all the request should be authenticated so I will say authorize request if you don't do this it will bypass security and you will be able to access resource I don't want to buy a security I want to restrict it so I will say au. any request will be authenticated by default is permit but I want to make it authenticated Now by doing this it will restrict you to accessing resource but with the Restriction I also want to to give them the access of loging through Google service HTP dot or maybe I can simply use the Builder pattern uh I will just enter this and instead of having a semicolon here so now we'll say dot and there's option of O O2 and we have to specify we are going for a login and login with the customizer dot with defaults and that's it it's so simple right now by doing this you are making sure that you are specifying that hey I want to use O2 for the login and this should work and it will not you know why because we are o to login right but in this world Google is not the only o provider there are lot of different servers using which you can do that maybe you can create your own servers how I mean nowh we are specifying that we have to use Google login and that's what it is complaining about if you see it says parameters zero of method uh set filter chain blah blah blah uh web security configuration required the O2 registration U so that is not found so the repository is not there so that means we have to pass which login you want to go for okay and that you can do in the configuration so you can go to your application properties and this is where you can mention those properties so what are the properties of course you don't have to byard this you can just get it from Google so you can say spring. 
security dot we want to work with or2 and we are specifying the clients here and we have to do the registration that's what it was saying in the console and then we have to specify which server we are using so we are using Google here so for GitHub it will change to GitHub Dot and you have to specify two things one is the client ID and then you have to specify the client secret as well so client ID is something which people can see but client secret is only developers can see or people who are building this so I want the same thing but with the client secret so I will just copy paste here and I will say client secret this is like more like a password or maybe you can think about username password if that makes sense but the question is from where exactly I will get this client ID and client secret now these are the steps you have to do so what I will do is I will go back to my browser so search for Google Cloud console and go to this website and this is where you can get it so if you see there's option of API and services if you click here I want to create a new credal so this is the basically API services from Google Cloud uh and you need a developer account for that so make sure that in your personal account you have a developer account uh go to credentials and if you don't have a consent screen by default it will give you some issues so make sure that if you're doing this for the first time it will give you a consent screen just make sure that you complete it it's a form which you have to complete where to specify your app and stuff so do that and then you will see this option otherwise click on I mean if it is already there you can click on credentials and click on create credentials and then we are creating a oot client ID click on this now this will ask you for the application type now you can build like you can get your client ID for web application for the Android for the Chrome extension iOS and blah blah blah there are so many options here I want to go 
for the web application so I will choose that next I want to specify the name I will say test app if that works yeah test app and then we have to specify the authorized redirect URL or URI and here you have to mention HTTP colon Local Host colon 8880 this is your browser name or the whatever URL you have oh sorry not 80 it is 8,000 slash so if you say login slash or to slash code SLG gooogle now again you don't have this you can also get it from Google if you search and then you have to click on create so if you have your website already deployed you can use that URL instead of the Local Host colon 8,000 now once you do that it will give you two things it will give you client idea it will give you client secret so I will just copy this and put it somewhere so I will say client ID is this and then I have to specify the client uh secret and that is this so you can just copy this and make sure that you don't share this set with anyone you can see that on the screen is because once these gets over I will delete those two things I mean I will delete this particular API okay and now I can use these two things so I can just copy this client ID and go back to your uh IDE not database IDE and paste the client ID then you have to specify the the secret which is here I'll just copy this and paste it here that's it these are the two things you have to specify and once you do that let's restart the application and hopefully this will work this time it should not give you those error so you can see there's no error but let's verify if this is working so let's go back to our browser and Local Host 880 I will say enter and you can see it is giving the option of login directly normally it should give you an option of there should be a button okay not 880 okay there should be a button of Google and then should give you this I'm not sure why it is directly going this maybe I will just add one more so that you know when you have your own UI you can customize the way you want uh but 
yeah it gives you button and then when you click on it and let me know if it is happening with you as in the comments and you can choose your email account and you can log in now example if I choose my my personal email account it will say Okay I want to give the access continue and now I'm logged in and you can see we got welcome to disco.com now I don't have to log in again every time I go this it will use that token from given by Google and it will log in okay uh so that's one this is for the uh Google what about GitHub same thing for the GitHub also uh let's copy these two things and paste the only change you have to make here is GitHub and and GitHub okay now this client ID and secur K will not work we have to change this as well okay now from where you will get this of course the way we got it from Google there should be option of GitHub as well so if I go to GitHub this is my repository uh if you're not following yet do that do that and if I go back I have to log to my GitHub let's do that so basically I've also enabled the two fact authentication I can use authorization app or I can use a pass key from my Mac okay I'm logged in okay once you're logged in you can just go to this and click on settings and once you come on this page just scroll down at the last not this much last click on the developers setting and you can see there's option of oo apps already have one maybe you will see an option of there's no apps available you can click on new oo app and give a name I will again go for test app the home URL I'll mention is this I don't want to specify any description but you Ur the call back URL is important the same way we have done it for the Google we'll do it here so HTTP colon sl/ localhost colon 8000 SL login slash okay it's already giving me option here I'll just copy this so this is the same thing right the only thing is in Google it was Google it is now GitHub here and click on register that's it you got your details now where you will find the 
client ID oh that's very easy we got the client ID here I will just copy this and paste it in here and this secret okay so secret how will you get it now you can see there's it is not showing anything so I will click on generate a new client secret and I got it here and I'll paste it here that's it these are the two things you have to mention the client ID and the the client Secret by doing those things let's restart the application and let's go back to the browser again the same page enter okay now you can see we got two options the Google login or GitHub login we tried for Google let's try for GitHub now click on this it says since I'm already loged on GitHub it says authorize N Ready yes click on this and I'm logged in and now it says welcome to the lore so it's so easy to get uh the logins right and yeah that's how basically you login through your O2 clients it can you can use Google you can use GitHub maybe Facebook try out different platforms and let me know in the comments what other platforms you have used and also if you can share how you did it in the comments it will be helpful for those so that's it from this video where we have seen how do we use o to client in fact you can also create your own O2 servers in future maybe I will make videos on that not not in plan as of now but let me know I will try to creating to servers so that's it from this video so I hope you enjoyed the entire series on Spring Security and this is kind of the end of Spring Security at this point and see you in the upcoming sessions or upcoming videos bye-bye
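The JWT part of the transcript above (the OncePerRequestFilter, the two empty JwtService methods, and the jjwt 0.12 API changes) as one worked listing. This is an added example written for this page, not the video's own code or the Telusko repository. Assumed: the class names JwtService and JwtFilter, a jwt.secret property holding a Base64 key, and that a UserDetailsService bean (the video's MyUserDetailsService) exists; the filter is registered with http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class) exactly as shown in the transcript. The two classes are shown together; in a project each goes in its own file. The one thing the video's version lacks that a practitioner wants: a forged, expired or malformed token is turned into null/false rather than an exception, so it ends as an unauthenticated request instead of a 500 from inside the filter chain.

```java
// Added example, not the video's code. Assumed names: JwtService, JwtFilter,
// the "jwt.secret" property, and an existing UserDetailsService bean.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.crypto.SecretKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

@Service
class JwtService {
    private final SecretKey key;

    // jwt.secret is Base64 of at least 32 random bytes. Keys.hmacShaKeyFor rejects
    // anything shorter with a WeakKeyException, so a short "password" fails at startup.
    JwtService(@Value("${jwt.secret}") String base64Secret) {
        this.key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Secret));
    }

    // jjwt 0.12 API: parser().verifyWith(SecretKey) replaces parserBuilder().setSigningKey(Key),
    // parseSignedClaims replaces parseClaimsJws, getPayload replaces getBody.
    // The signature and the exp claim are both checked here; a failure throws a
    // JwtException subclass (SignatureException, ExpiredJwtException, MalformedJwtException).
    private Claims extractAllClaims(String token) {
        return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload();
    }

    // Returns null rather than throwing, so the filter treats a bad token as "no token".
    String extractUserName(String token) {
        try {
            return extractAllClaims(token).getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }

    // Valid only if the signature verifies, the token is not expired (enforced by
    // parseSignedClaims) and the subject names the user we loaded from the database.
    boolean validateToken(String token, UserDetails user) {
        try {
            return user.getUsername().equals(extractAllClaims(token).getSubject());
        } catch (JwtException | IllegalArgumentException e) {
            return false;
        }
    }
}

@Component
class JwtFilter extends OncePerRequestFilter {
    private static final String BEARER = "Bearer ";
    private final JwtService jwtService;
    private final ApplicationContext context; // bean looked up lazily to avoid the cycle

    JwtFilter(JwtService jwtService, ApplicationContext context) {
        this.jwtService = jwtService;
        this.context = context;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String token = header.substring(BEARER.length()); // index 7 in the video
            String username = jwtService.extractUserName(token);
            if (username != null) {
                try {
                    UserDetails user = context.getBean(UserDetailsService.class)
                                              .loadUserByUsername(username);
                    if (jwtService.validateToken(token, user)) {
                        var auth = new UsernamePasswordAuthenticationToken(
                                user, null, user.getAuthorities());
                        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException e) {
                    // signature was fine but the subject no longer exists: stay anonymous
                }
            }
        }
        chain.doFilter(req, res); // always continue; the authorization rules decide 401/403
    }
}
```

Generating a key of the right size for jwt.secret is a one-liner on the command line (for example openssl rand -base64 32); keep it out of source control the same way the video asks you to keep the OAuth client secret out of sight.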
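The OAuth2 login part of the transcript above (SecurityConfig with oauth2Login, the application.properties registration for google and github, and the HelloController) as one worked listing. This is an added example for this page, not the video's code. Assumed: the environment variable names GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET, and the attribute names name and login that Google and GitHub return for the logged-in user. It goes one step beyond the transcript in two ways: the client secret the video warns you not to share is read from the environment instead of being pasted into application.properties, and the controller shows who actually logged in instead of a fixed string.

```java
// Added example, not the video's code. application.properties (the video's keys, with the
// secrets moved out of the file; Spring resolves ${...} from environment variables):
//   server.port=8000
//   spring.security.oauth2.client.registration.google.client-id=${GOOGLE_CLIENT_ID}
//   spring.security.oauth2.client.registration.google.client-secret=${GOOGLE_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.github.client-id=${GITHUB_CLIENT_ID}
//   spring.security.oauth2.client.registration.github.client-secret=${GITHUB_CLIENT_SECRET}
// The redirect URI registered at each provider stays
//   http://localhost:8000/login/oauth2/code/{registrationId}
// Assumed: the environment variable names above and the "name"/"login" attributes.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // every request needs a logged-in user; without this the resource is open
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // With exactly one registration Spring Security redirects straight to that
                // provider (what the video saw with Google alone); with two or more it renders
                // a page with one link per registration (/oauth2/authorization/{id}).
                .oauth2Login(Customizer.withDefaults())
                .build();
    }
}

@RestController
class HelloController {
    // The principal after oauth2Login is an OAuth2User (an OidcUser for Google).
    @GetMapping("/")
    String home(@AuthenticationPrincipal OAuth2User user) {
        String name = user.getAttribute("name");       // Google and GitHub both send "name"
        if (name == null) {
            name = user.getAttribute("login");         // GitHub users without a display name
        }
        return "Welcome to Telusko, " + name + " (" + user.getAuthorities() + ")";
    }
}
```

Start the application with the four variables exported in the shell (or set in the IDE run configuration); if one is missing, Spring Boot fails at startup with an unresolved placeholder rather than silently registering a client with an empty secret.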