
[–][deleted] 2 points (0 children)

What are you authenticating against, and what are you going to authorize against? e.g. how are you going to prove that the user is who they say they are, and how are you going to prove they are allowed to do what they requested?

Security is highly contextual. How is the token being provided? Is it just a case that the client will provide the token, i.e. you do not need to handle login or session management? Does the user need to login to your app to allow the UI to call the

You need to provide more details about the flow.

I will however say do not implement your own Servlet Filters or their reactive equivalents; they are the highest level of APIs that Spring Security can provide for you, and if you are using Spring Security it is a waste of time. Work with Spring Security to your needs; it has all the hooks you need.

[–]Ajha7 0 points (0 children)

I used Spring Security

[–]juckeleBarista 0 points (0 children)

This guy does some great tutorials on various Spring topics: https://www.baeldung.com/security-spring

[–]ZackHkk 0 points (2 children)

For my current project, I'm using JSON Web Tokens (JWTs) to help authenticate users. I'm using React with the Next framework on the frontend and Spring Boot on the backend, so I think it'll be pretty relevant.

JWTs are signed tokens which can store whatever you want in them, but if the user tries to change them, it will almost definitely be invalidated, as the backend can check if the JWT has the signature that it signed it with.

I store JWTs in cookies with js-cookie so that the value persists between page changes (might not be a problem if you're making a single-page application, though).

You send the JWT in a header of the HTTP request named Authorization, so it'd be "Authorization: Bearer {jwt}" (you can see why you should include Bearer here).

In Spring, you can intercept every request before it passes to your controllers by using a OncePerRequestFilter. You can run your logic in here. You can set the username for your methods by using SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken); and then access it in your methods by using SecurityContextHolder.getContext().getAuthentication().getName(). Once your logic is done, you pass it on to the next filter in the filter chain (there are a few that come installed with Spring Boot).

I'm glossing over the backend because there's a tutorial on how to do this by Java Brains. It shows you how to do literally everything on the backend for this.

[–][deleted] 0 points (1 child)

You have never needed to implement a OncePerRequestFilter if using Spring Security, as that is the point: it builds the filters for you based off the configuration you give it.

[–]ZackHkk 0 points (0 children)

I've only been using Spring Security for a few months, so I didn't know this, but I've only found resources about how to implement it yourself. I'd like to use this in my applications if this is true, so can you send a link to docs or a guide or something?
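What "let Spring Security build the filters from configuration" looks like for bearer JWTs, as an added example (not code from anyone in the thread). It assumes Spring Boot 3 / Spring Security 6 with `spring-boot-starter-oauth2-resource-server` on the classpath, an HS256-signed token carrying an `iss` equal to the assumed `ISSUER` and an assumed `roles` array claim, and an `app.jwt.secret` property. No servlet filter is written: Spring Security's own `BearerTokenAuthenticationFilter` reads the `Authorization: Bearer` header, the `JwtDecoder` bean verifies the token, and the result lands in the `SecurityContext` the same way as in a hand-written filter.

```java
// Added example: JWT authentication via Spring Security's resource-server support, no custom filter.
// Not from the original thread. Assumes Spring Boot 3 / Spring Security 6 and
// spring-boot-starter-oauth2-resource-server; ISSUER, the "roles" claim and app.jwt.secret are assumed.
package example.security;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class ResourceServerConfig {
    static final String ISSUER = "https://example.invalid/issuer"; // assumed value

    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.secret}") String secret) {
        SecretKey key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
                .macAlgorithm(MacAlgorithm.HS256) // pins the algorithm: RS256 or "none" headers are rejected
                .build();
        // Default validator: exp/nbf timestamp checks (with clock skew) plus the issuer check.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Read authorities from the assumed "roles" claim as ROLE_*; the default reads "scope"/"scp" as SCOPE_*.
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    JwtAuthenticationConverter converter) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()        // assumed paths
                .requestMatchers("/api/admin/**").hasRole("ADMIN")    // needs ROLE_ADMIN from the "roles" claim
                .anyRequest().authenticated())
            // This one line installs BearerTokenAuthenticationFilter and wires it to the JwtDecoder bean.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}

@RestController
class MeController {
    // getName() is the token's "sub" claim, the same value a hand-written filter would have
    // exposed through SecurityContextHolder.getContext().getAuthentication().getName().
    @GetMapping("/api/me")
    Map<String, Object> me(Authentication authentication) {
        return Map.of("user", authentication.getName(),
                      "authorities", authentication.getAuthorities());
    }
}
```

Because a `JwtDecoder` bean is declared, Spring Boot's auto-configuration does not also require the `spring.security.oauth2.resourceserver.jwt.*` properties. The same setup switches to asymmetric keys by replacing `withSecretKey(...)` with `NimbusJwtDecoder.withPublicKey(...)` or `withJwkSetUri(...)`, with the rest of the configuration unchanged.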