Spring Boot 3 + Spring Security 6 - JWT Authentication and Authorisation [NEW] [2023]

Views: 760,245

Amigoscode

1 year ago

In this video, you'll learn how to implement JWT authentication and authorization in a Spring Boot 3.0 application using Spring Security 6 and a Postgres database to store user credentials.
You'll see how easy it is to secure your application and protect your endpoints using JSON Web Tokens. We'll start by setting up a Postgres database and creating a user table to store our credentials.
Then, we'll configure Spring Security to use JWT and define some security rules for our application. Finally, we'll test our setup by building a simple API and using Postman to send authenticated requests.
Whether you're a beginner or an experienced developer, this tutorial will give you the tools you need to secure your Spring Boot application with JWT authentication and authorization.
👉🏿 Subscribe to @BoualiAli channel - / @boualiali
Code - github.com/ali-bouali/spring-...
#springboot3 #springsecurity #jwt

Comments: 1 300
@amigoscode 1 year ago
Code - github.com/ali-bouali/spring-boot-3-jwt-security 👉🏿 Subscribe to @BoualiAli channel - www.youtube.com/@BoualiAli
@faridaragab_ 1 year ago
Thanksssss Amigoscode for this wonderful tutorial about JWT .. I have watched the two tutorials before this ... And every time I'm learning something new ... I need some help .. how to store the secret key in an efficient way? And if I wanted to deploy my app, how should I deal with the secret key?
@shaigrustamov5115 1 year ago
Thanks for the video. Can you call here JWT-Security what you did as Oauth2?
@izzatullatoshpulatov2251 1 year ago
Keys.hmacShaKeyFor(keyBytes) method is throwing exception: 'int io.jsonwebtoken.SignatureAlgorithm.getMinKeyLength()' Can anyone help me?
@MehranHosseini-po9eg 1 year ago
great course. Only one question in my head, I read the spring in action 6 book and after not being able to understand spring security, I watched your video to understand what is what. Now I'm just left with this question, what is main difference between Auth server/client and resource server and your architecture, which you explained in your tutorial. I think it would be great if you can also cover that topic and explain what are the differences or maybe make a tutorial for that one also. I found it really complicated to understand spring security with Auth server
@CheeseStickzZ 1 year ago
I like how his name is ali bou ali, lmao
@akramseid 1 year ago
Table of content
00:00 Intro
01:55 How JWT security works
07:26 Create a new spring boot 3.0 project
09:28 Add Data source
12:28 Connect to the database
17:12 Create user class
20:05 Transform the User to an entity
25:22 Extend the user to UserDetails object
33:32 Create the user repository
35:50 Create the JWT authentication filter
40:58 Checking the JWT token
44:32 Create the JWT service
47:56 Add the JJWT dependencies
49:59 What is a JWT token
53:06 Extract claims from JWT
55:23 Implement the getSignInKey method
01:00:07 Extract a single claim from JWT
01:01:51 Extract the username from the token
01:02:52 Generate the JWT token
01:08:15 Check if the token is valid
01:11:22 Check the user existence in the database (JwtAuthFilter)
01:15:13 Implement the UserDetailsService
01:19:38 Update the SecurityContextHolder and finalise the filter
01:23:53 Add the security configuration
01:32:51 Create the authentication provider bean
01:36:41 Create the authentication manager bean
01:38:14 Create the authentication controller
01:40:55 Create the authentication response class
01:41:47 Create the register request object
01:42:50 Create the authentication request class
01:43:22 Create the authentication service
01:45:37 Implement the register method
01:49:28 Implement the authenticate method
01:52:17 Update the security configuration whitelist
01:53:35 Create a demo controller
01:54:55 Test the changes
@rodrig0miranda 1 year ago
thanks for this ;)
@arwahsapi 1 year ago
Mashaallah brother
@lmrl021 1 year ago
Thank you bro for the bookmark.
@congdatt 1 year ago
Hey everyone, I followed the video and went to the authenticate (after signing up). Although I enter the correct email & password, I always get a 403 error. I don't know how to debug. Everyone please help me
@carsandtracks8567 1 year ago
@congdatt Same problem here. Did you find out the solution?
@LifeOfMohammed 1 year ago
I watch a lot of your videos but the long ones I have never stuck to. This one I stuck through the whole video and followed along every step of the way and understood everything. I am so glad you done it as I followed ur example now going to be able to implement it in my own project!
@ofastora 11 months ago
Absolutely what I've been looking for. Just the right amount of high level explanations for someone who's just getting into Spring. Thank you for the amazing content.
@TheEBPO 1 year ago
I just started watching you, but I'm already glad I'm doing it with your style of lessons, it's awesome! Thank you so much! Hello from Ukraine!
@maitoshikigami4035 9 months ago
This tutorial is the one I have been looking for. I spent hours looking for a way to implement spring security, however, most of the spring security tutorials that I found are outdated. Luckily, I stumble on this amazing work, my man here explained everything in depth and comprehensible. Thanks for the tutorial and keep up the good work!!
@quantmvo 1 year ago
Yesterday, I watched your previous video about Spring Security and realized that some functions are deprecated in the latest Spring Security. And I'm astonished that you uploaded an updated video today. I'm planning to build a blog website for my own and review Spring Security as well, so this video is excellent for many other developers who love Spring and for me. Keep up your great job, and wish you much luck. Happy new year🤩!
@_07mashrap0v 1 year ago
Assalomy aleykum. I'm from Kyrgyzstan and I'm sixteen. Currently I'm learning Java backend, this is the 6th month. I started watching your videos 4th months ago. And at the time we were learning Spring Boot + Security+JWT your videos are really useful and at the latest version so I appreciate you and your videos. Keep going. Good luck.
@dennismasinde3030 1 year ago
I was almost giving up on understanding Spring Security but now I feel like I have an eagle's eye view of what's what based on this and a number of other tutorials from other channels. Keep doing the good work.
@juliocesarvieirasantos3219 8 months ago
I watched this video when it was released 10 months ago, and I didn't quite understand the concept, but watching it again 10 months later and understanding a lot more than last time makes me think I'm doing great progress! Thank you for the amazing content, keep up the good work!
@USONOFAV 1 year ago
You never disappoint. Of all spring security tutorials this is the one that make sense for me. Also, usage of lombok and an actual database (not in-memory one) is a plus.
@watchdennyplay21314 1 year ago
You're amazing dude! You saved my diploma project with your work. Everything worked on the first try and taking the time to update this guide is just... great of you. If you are ever in Sofia let me buy you a beer. :D
@mycode0 8 months ago
Greetings, bro, you've surely graduated and forgotten by now, I'm only just starting with Springboot 😀
@david_kariuki 1 year ago
This course is awesome, thank you. More detailed and clearer than the previous one.
@antoniobukovac7869 1 year ago
Great tutorial. To the point and everything is explained. Easy to follow. Great job!!
@SaltyFeaRz 1 year ago
Such a helpful, important video. Just got new into creating websites with Spring and it's such the best video seen so far! Can really recommend it to everyone.
@GROOVETECHSETS 1 year ago
Quality content. Thank you very much! Your channel is one of the best on KZfaq for learning Java and Spring.
@guillermoguir4745 1 year ago
Hey AmigosCode, I congratulate you for this tutorial, for those who see the negative side of the Internet, this is a sign of generosity, and we must be grateful for that, thanks and regards!!!
@gregsayshi 1 year ago
I could tell this channel would be a good one to add after watching just one of your videos last year. You make your videos around more niche but interesting (advanced) topics but do so in a way that feels more like you’re hearing it explained by a friend rather than finding yourself lost in abstractions or just bored by the nitty gritty details. Look forward to all the interesting topics that I’m sure will be coming up. Cheers man!
@congdatt 1 year ago
Hey everyone, I followed the video and went to the authenticate (after signing up). Although I enter the correct email & password, I always get a 403 error. I don't know how to debug. Everyone please help me
@shockin95 1 year ago
@congdatt I've got a similar issue: I am actually being able to authenticate, but when I copy/paste the token to test the GET requisition from another secured endpoint which is not in the matcher/filter, even with the correct input I'm still getting a 403 Forbidden response. Would any of you guys know what this could be?
@waishingheung9898 1 year ago
@shockin95 Did you find the solution? Thanks I got the same problem :(
@abdellahguennioui1568 10 months ago
@congdatt hello everyone, have you solved this problem or not yet?
@congdatt 10 months ago
OMG I solved this. But I forgot to take note @abdellahguennioui1568
@ezoz 10 months ago
This is unique, definitely what I was looking for, I appreciate the time you spend doing this course
@jungkiyoon902 1 year ago
Absolutely perfect lecture for Spring boot 3.0+ and Spring Security 5 with JWT. I am non-native English speaker, but My teacher who called Amigoscode teach me SOOOOO kindly. P.E.R.F.E.C.T Thanks to your lec, I will learn more about Spring ecosystem.
@GROOVETECHSETS 1 year ago
What's going on with SpringSecurity? "HttpSecurity" is also marked for removal... All tutorials become obsolete after a few months.
@gerwinterpstra8698 7 months ago
Really clear tutorial! Showing the architecture and explaining how the JWT validation mechanism works helped understanding the implementation!
@kevinygk4121 22 days ago
This was a really awesome tutorial. I've been reading the spring docs for days but this put everything together in such a great way, thanks!!!
@user-lx4dc1ls3e 1 year ago
A wonderful and clear explanation of this topic! Huge thanks to the author👍👍👍
@ramsharan4229 1 year ago
This is an amazing course. It helped me to crack the interview. Thank you so much!
@Eikenv1 5 months ago
What position did you apply for and how did it go? I want to do backend/fullstack also
@lloyd100 1 year ago
I would like to take the time to thank you and say that I appreciate you for your content. It's wholesome and helps me a lot!
@martintrenkov4609 6 months ago
An amazing tutorial! A definite must see for those who need to learn how authentication/authorization works in spring boot!
@mariemoore5273 1 year ago
First of all, thank you so much for the hard work and commitment in doing this video. I would like to know if you have another video using angular to consume this backend api with roles and permissions especially
@ogookafor2137 1 year ago
"But there is one extra step we need to do. Easy peeezzy" ..😅 I just finished watching and implementing this. Feels like i just got back from the gym. Learn from the experts . Awesome tutorial. Keep up the good work.
@jordankerthcotrinacoronel6715 5 months ago
Hi there. I really appreciate your effort in doing this valuable course on Spring Security. Even though I consider you have not considered validating if the user already exists to avoid registering the same user more than once. Thanks so much Ali!!
@mohammedharoon1167 11 months ago
I was so thankful for this video literally I was struggling with jwt you made everything crisp and clear💯
@KunalWalkoli0 1 year ago
Hi Ali, I found your tutorial very useful and using this I was able to add JWT to my project. I would like to know how can I write test cases for this code, could you make a tutorial regarding the same. Thanks again !
@petitpoids6433 1 year ago
First comment of ever on youtube, but that course is just excellent. I have never had such a clear course in my training center.
@arthurcampolina9940 11 months ago
Many thanks, this awesome video helped me fix a problem I've been having with spring security for over a week. You guys are amazing!!!
@nikolas4786 1 year ago
Hi alibou, can you make the frontend part of your JWT code, with react or angular, preferably react, your tutorial was very helpful to me, but i would like a frontend to understand it better
@sandhya4808 1 year ago
Hi, this is a great course and I just need a small help. The url for the encryption key generator which you've specified in this video isn't accessible. Can you please provide any other link? Thanks in advance :)
@mechy2k2000 1 year ago
Thanks for the Video and Ali Bouali for the repo!
@mehmetfarukbaran9893 1 year ago
I'm so happy for this notification 😍 I was waiting for this.
@yoennisgarridovargas3387 1 year ago
Thank you very much for sharing your knowledge with all of us. I wanted to ask you if you have any video in which you link everything you shared here, but including Swagger? I ask you why I was testing your code but if I try to add swagger to it, it always returns 403 because JwtAuthenticationFilter is executed and automatically if you don't have the required headers, it doesn't let you continue, so in the case of swagger is it really necessary to do that filter?
@p.shpyro 1 year ago
Thanks, this video is really cool and useful! But one moment is a little bit unclear: what will we need to do when token expires?
@gerhardbuttchereit1492 1 year ago
The length of the different steps through it and the calm, exactly explanation was very helpful and make a lot of fun...thanks a lot...
@vivichambel3620 1 year ago
Amazing video, you explained it all very well. Thanks for making a Spring Security video with an updated version😁
@stefanwimmer1902 1 year ago
Great video! It was very helpful. Works like a charm. Is there also an updated version of creating refresh tokens?
@gorkaurzelai5072 1 year ago
hello have you found something? I also want the refresh token
@stefanwimmer1902 1 year ago
@gorkaurzelai5072 I used the older tutorial to get the knowledge of using refresh tokens. Spring Boot and Spring Security with JWT including Access and Refresh Tokens kzfaq.info/get/bejne/jLyebLJ4ntTKeGQ.html&ab_channel=Amigoscode
@a.k.n.b 1 year ago
Mashaalloh brother, my long-awaited lesson 👍
@defnotdev1 1 month ago
This tutorial is so clearly. I have a difficult time to understand JWT flow in Spring Boot. And you explain in one video. It's so crazy. You have a good explanation way. Thank you so much bro.
@andrzejszczepanski9992 1 year ago
Thanks for this awesome video. Just in time, as i was trying to figure out Spring Security for my app and was kind of lost between different tutorials. Cannot wait for video on how to get frontend right for this app. Cheers 🤗
@charithsathsara1405 1 year ago
In the JwtAuthenticationFilter class, changing "Authentication" to "Authorization" in the line "final String authHeader = request.getHeader("Authentication")" is necessary for proper functioning of the DemoController class.
Original code:
    final String authHeader = request.getHeader("Authentication");
Corrected code:
    final String authHeader = request.getHeader("Authorization");
@usamaqamar2353 11 months ago
man u saved the day, awesome
@ghassenjemiai 1 year ago
Great course.. But I would love it more if you have implemented the refresh token and blacklisting the previous one
@gorkaurzelai5072 1 year ago
hello have you found something? I also want the refresh token
@atsglobalservices6136 3 months ago
You are the best man, I've been writing frontend for a year, this accelerated my java skill 100%
@MinhPham-eh6lr 9 months ago
I can not tell how much I appreciate your content! Keep up the good work!
@janas111 1 year ago
32:00 Well.. What if I want users to have multiple roles? I save my roles in a database (as part of making them dynamic, so I can make more roles if I need to, after deploying the app), and the connection between User and Role is ManyToMany. I think by default that is the desired implementation of roles. How can I make my example work with this getAuthorities method? (Also notice, getAuthorities is plural, meaning it's expected to have multiple authorities)
@AlexDuSixO 1 year ago
same here, i can't make it work with multiple authorities
@sairohith8013 1 year ago
Hi @amigoscode & @boualiali I love your content on Spring security 6. Also please can you update some code or provide some resources for logout functionality. As you guys are implementing only authenticate and sign in
@kaitlynethylia 1 year ago
The API is stateless, there is no logout function because you are never "signed in". All that "Logging in" does is tell you the token you need to send to the API to know it's you, it's usually down to the frontend to keep this token in some kind of session
@malnad_raja 9 months ago
Great explanation, had to go through it twice but at the end understood it completely... Thank you
@mohammedeljouhari4009 1 year ago
Thanks a lot Ali and Nelson. Impatient to see the next one about refresh token. Good job guys ☝
@1mamedov679 1 year ago
Thank you for the lesson! How to make the same theme idea?
@1mamedov679 1 year ago
Settings -> Appearance and Behavior -> New UI (Beta) -> Enable new UI Requires IntelliJ Idea 2022.3.1
@omkarshingade3412 1 year ago
even for register endpoint status is showing forbidden please help!
@nicolasov2076 1 year ago
man your understanding of java is just awesome I love your content!!!
@yanjim 1 year ago
Free top class content! Thanks Nelson and Bouali!
@dukeofmbitikiyai 1 year ago
how come I am getting a 403 error even after following the tut?
@ShlyapnitsaTV 10 months ago
thank you very much for such a detailed guide! I thought it was impossible to find guides with the usage of recommended classes and methods until I found this video
@And1997Ruz 11 months ago
I'll be honest, I hated the previous video for the audio lags and all that. But this one is pure gold! Damn, you have redeemed yourself😏
@poorpanda9033 8 months ago
OMG, This type of content on youtube for freee ?? What an amazing course, loved the detailed explanation of each topics. Loved the way you're explaining each variable & method not just writing them & moving on ! Thanks a lot
@teddykwak1957 1 year ago
Thanks for the video. It would be appreciated if various authentication-related functions such as reset password, find password, and authentication activation using e-mail were also performed.
@amigoscode 1 year ago
Coming soon
@congdatt 1 year ago
Hey everyone, I followed the video and went to the authenticate (after signing up). Although I enter the correct email & password, I always get a 403 error. I don't know how to debug. Everyone please help me
@__meilleur 1 year ago
@congdatt me too bro
@lukagolubovic3641 1 year ago
@amigoscode What you mean by "soon", it's been 5 months, that dude (and many others) are waiting, I don't wanna see another "Chat GPT" video, it is pointless, just provide high quality Java / Spring Boot content and people will be extremely happy
@BlaiseTAYOU 2 months ago
@lukagolubovic3641 Dude, WTF? Is this the right way to ask for something you are not even paying for? 😮‍💨
@Ravengerblade 1 year ago
I really like the tutorial in general! I do have one point of constructive criticism on it: JWT was created with the intent that you can check the validity of your token without persisting it. It should be along the lines of:
- You create the token, which contains a small amount of information about the user it belongs to
- Token gets sent with future requests
- When authenticating the token, you decrypt the payload and check if the information in the token is valid, by checking it against the original user in your db it was created for
You might have confused the standard token with the refresh token from JWT, which should be persisted in the DB. If you are just going to persist the tokens in the DB, you might as well create some general token system without JWT. But aside from that, I do think the tutorial is great!
@johndickerson2937 1 year ago
What about if you have multiple nodes behind a load balancer and no session replication across the nodes - then is it not good to use the DB? - am not an expert - just thinking about why the token could be saved to the DB instead of being saved in memory.
@jynxxnerd 1 year ago
@johndickerson2937 Mister Princess is slightly wrong as well. When authenticating the token you don't check it against the original user in the db. You check the payload of the token against the signature in the token. So you take the payload, encrypt it with your secret key, and if the result matches the signature in the token, then the data in the payload is valid. This way you don't need to hit the database or set any session vars.
@user-gr6ct8ij2o 1 year ago
@jynxxnerd Hi, would you happen to know how to deal with unauthenticated customers and their carts using JWT? Or in this case I should use the session-based approach only?
@Jamin_Hu 1 year ago
@jynxxnerd Sorry, Who is Mister Princess?
@tugrulkarakaya 11 months ago
you don't need any record to verify token. just signature would be enough. @johndickerson2937
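What this thread describes, checking a token from its signature alone with no database lookup, as an added example (not code from the video or its repository). It uses only the JDK rather than the JJWT library the video uses, and the class name, key and claims are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (hypothetical class, JDK only): checks an HS256 JWT
// without any database or session lookup.
public class StatelessJwtCheck {

    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // HS256 signature: HMAC-SHA256 over the ASCII bytes of "<header>.<payload>".
    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    static String b64(String json) {
        return B64E.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    // Issues a token for the demo; stands in for the library call a service would use.
    static String sign(String headerJson, String payloadJson, byte[] key) throws Exception {
        String input = b64(headerJson) + "." + b64(payloadJson);
        return input + "." + B64E.encodeToString(hmac(key, input));
    }

    // Pulls one claim out of compact JSON with a regex (demo shortcut, not a JSON parser).
    static String claim(String json, String regex) {
        Matcher m = Pattern.compile(regex).matcher(json);
        if (!m.find()) throw new SecurityException("missing claim");
        return m.group(1);
    }

    // Returns the subject if the token is authentic and unexpired, otherwise throws.
    static String verify(String token, byte[] key, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");

        // Accept only the algorithm this service issues; never let the token choose.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!"HS256".equals(claim(header, "\"alg\":\"([^\"]+)\""))) {
            throw new SecurityException("unexpected alg");
        }

        // Recompute the MAC over the received header and payload, compare in constant time.
        byte[] expected = hmac(key, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) {
            throw new SecurityException("bad signature");
        }

        // Claims are trusted only after the signature check has passed.
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        if (nowEpochSeconds >= Long.parseLong(claim(payload, "\"exp\":(\\d+)"))) {
            throw new SecurityException("expired");
        }
        return claim(payload, "\"sub\":\"([^\"]+)\"");
    }

    static String outcome(String token, byte[] key, long now) {
        try {
            return "accepted, sub=" + verify(token, key, now);
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: a 32-byte (256-bit) key and a fixed clock.
        byte[] key = "constructed-demo-key-32-bytes!!!".getBytes(StandardCharsets.US_ASCII);
        long now = 1_700_000_000L;
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String token = sign(header, "{\"sub\":\"user@example.com\",\"exp\":" + (now + 3600) + "}", key);

        // Same header and signature, payload swapped for another subject.
        String[] p = token.split("\\.");
        String forged = p[0] + "."
                + b64("{\"sub\":\"admin@example.com\",\"exp\":" + (now + 3600) + "}") + "." + p[2];

        System.out.println("valid   -> " + outcome(token, key, now));
        System.out.println("forged  -> " + outcome(forged, key, now));
        System.out.println("expired -> " + outcome(token, key, now + 7200));
    }
}
```

Because nothing is looked up, a token that passes these checks stays usable until its `exp`; revoking it earlier needs server-side state such as a denylist.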
@Raphael-et6ig 1 year ago
BoualiAli is explaining so good. It is really easy to follow him. Very good work. Thanks for this Video :)
@dilipkumarbk7657 10 months ago
Love from India sir, Your way of delivering the concepts is absolutely marvelous. You made this complex topic a cakewalk. Lots of appreciations for your effort.❤❤❤
@anderson19929 8 months ago
🎯 Key Takeaways for quick navigation:
00:00 🚀 This video covers JWT authentication and authorization in Spring Boot 3.0 using Spring Security 6 and Postgres.
00:54 🛡️ Understanding Spring Security and JWT is crucial for securing APIs; the tutorial emphasizes their importance.
01:29 🌐 Source code for the implementation is available in the video description, enabling viewers to follow along and apply the concepts.
03:37 🔒 The JWT authentication mechanism involves an internal check, user details service call, and validation process based on the user's email extracted from the token.
07:11 🛠️ The tutorial guides through the implementation steps, including creating a Spring Boot project, configuring a Postgres database, and setting up the data source.
28:33 🚀 Spring Security 6 and Spring Boot 3.0 allow for customization of user details handling, including roles and authentication settings.
29:02 🛡️ Implementing user details involves overriding methods, and you can choose to extend the Spring Boot user class or create your own class.
30:22 📝 When dealing with roles, creating an enum and using `SimpleGrantedAuthority` simplifies the process, especially when users have a single role.
37:24 🗝️ Implementing JWT authentication involves creating a filter by extending `OncePerRequestFilter` and extracting the JWT token from the request header.
47:03 🔑 Understanding JWT structure: JWT tokens have three parts - header, payload, and signature; claims in the payload include registered, public, and private claims.
56:44 🔐 In JWT, a signing key is a secret used to digitally sign the token, ensuring the sender's authenticity and message integrity.
57:36 🛠️ The signing key, along with the algorithm specified in the JWT header, creates the signature. Key size and algorithm depend on security requirements.
58:23 🧰 To generate a signing key for JWT, online tools like keysgenerator.com can be used, with a minimum size of 256 bits for security.
01:00:20 🤖 Implementing `getSigningKey` method using the JJWT library involves decoding the secret key and creating an HmacSHA256 key for verification.
01:04:32 🚀 Implementing a method to generate JWT involves setting claims, subject, issue date, expiration date, and signing with a key and algorithm.
01:26:41 🛠️ Spring Security Configuration: Implementing security configuration in a Spring Boot 3.0 application involves creating a class annotated with `@Configuration` and `@EnableWebSecurity`, with a method that returns a `SecurityFilterChain` responsible for configuring HTTP security.
01:29:17 🚦 Whitelisting URLs: To implement whitelisting, where certain endpoints do not require authentication, configure security to permit specific requests and authenticate all others. This is achieved by specifying a list of patterns for permitted requests.
01:31:34 🔐 Stateless Session Management: Ensure stateless session management by configuring the session creation policy as `SessionCreationPolicy.STATELESS`. This ensures that the session remains stateless, and each request is authenticated independently.
01:32:51 🔄 Chaining Filters: Add a JWT authentication filter before the `UsernamePasswordAuthenticationFilter` to execute it before the default authentication filter. This ensures that JWT authentication is performed before checking username and password.
01:41:10 ⚙️ Controller and Endpoints: Implement authentication and registration endpoints in a controller class (`AuthenticationController`). Secure the endpoints by specifying them in the security configuration to ensure proper access control.
01:58:47 🚧 Secured Endpoint: Demonstrates accessing a secured endpoint (`/API/V1/democontroller`) without authorization results in a 403 Forbidden response.
02:00:11 🔄 Authentication Process: Shows the authentication process, indicating that attempting to authenticate a non-existing user results in a 403 Forbidden response.
02:00:58 ✅ Successful Registration: After registering a new user (`alibu` with email `alibu@atme.com` and password `1234`), successfully generates a JWT token as a response.
02:01:49 📅 JWT Token Payload: Examines the payload of the generated JWT token, including information such as the subject (user email), creation date, and expiration date.
02:02:42 🔐 Authentication with Correct Password: Illustrates successful authentication with the correct password, generating a JWT token as a response.
Made with HARPA AI
@ikramdagc1516 1 year ago
Great tutorial video, thank you. However, in the securityFilterChain(HttpSecurity http) method of the SecurityConfiguration class, some methods of the HttpSecurity object have been @Deprecated(since = "6.1", forRemoval = true). I would be very happy if you could do a refactor work on this.
@TheSandraamore 1 year ago
hi, you got the solution?:)
@manu.esparza 1 year ago
As someone said here, downgrade your spring version to 3.0.5
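@samirbettahar7602 9 months ago
    // withDefaults is a static import of org.springframework.security.config.Customizer.withDefaults
    // Requires authentication for every request and enables HTTP Basic.
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
        http.httpBasic(withDefaults());
        return http.build();
    }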
@samirbettahar7602 9 months ago
just let the IDE override it, but that basic auth will not work. maybe they changed it
@ikramdagc1516 9 months ago
I found the solution, but when I share it here, my comment gets deleted. I've tried multiple times, but I don't know the reason.
@user-ng4bk2hy1z 5 months ago
Thank you bro, the only video that explains almost everything out of all the ones I found. You really helped me, thanks a lot again
@dmode1535 1 year ago
I'm a new Java developer and I find the JWT implementation so confusing and complicated but, this video makes it much simpler to understand and implement. Thanks Amigo.
@IvanRandomDude 1 year ago
Wait until you find out that Spring Security has built-in support for JWT and you don't need to create your own filters at all. But I guess they need to create the same tutorial over and over again for content. Or, more terrifying scenario, they don't know about it.
@A90Ross 1 year ago
@IvanRandomDude link to tutorial ?
@BamBam-uk1vw 1 year ago
Thank you ! I`m try to realize this 2 weeks before i find you ! Love!
@MrSaurus 1 year ago
At 1:20:21, when I have the line " private final UserRepository repository;", I get this error: "The blank final field repository may not have been initialized" However, it is not showing up on your screen. Why is this?
@dharmawangsa9592 1 year ago
me too, until now still have no idea why it happen, i just erase "final" keyword and the error solved.
@MrSaurus 1 year ago
@dharmawangsa9592 Were you able to complete the whole project? Also, do you know where I can learn how to create a working login screen?
@dharmawangsa9592 1 year ago
Yes just finished today You mean the UI or frontend for login screen? My main focus for now, only for backend services. In future devs, I think I will try to combine it with vue.js.
@MrSaurus 1 year ago
@dharmawangsa9592 Hi I was referring to the front end for a login screen yes
@tatsuya370 1 year ago
It is because you haven't updated your project settings. Have you installed Lombok using jar?(Check online how to install it in your ide). Then open your project again, this error will go. Because we are using RequiredArgsConstructor, we no need to initialize the final again.. If u install lombok correctly, RequiredArgsConstructor will take care of it
@michaelumeokoli 7 months ago
Bro, why is this shit so complicated? I do auth in Node.js in 20 minutes tops with two packages (jwt and bcrypt). Get email/username -> compare password to hashed password in DB -> give token. Get token -> verify token against secret key -> get user id/email/username from payload. How hard is that??!!! Why do I need a bunch of things in Spring Boot?
@adiabajacob9189 7 months ago
Java is just boilerplate code. I don't know why they say it's fast
@Alexander-zt9kz 5 months ago
Spring security is by far the worst and most difficult thing you will ever deal with in spring
@pitchwaiz 3 months ago
Coming from PHP 8, Symfony 7 I'm wondering the same (also 2 bundles used). It's just obnoxious. 2 hour tutorial for login. I mean, all I could use is simple login and when I need advanced stuff I'll jump right to it. This is just insane.
@saisandeep8741 28 days ago
So true, I have been building MERN stack projects and never had any trouble but this makes it look so complicated
@DivineVision201 1 month ago
Thank you for such awesome content. Your way of teaching is so smooth that I was able to grasp everything you are doing. At the same time I was writing code by understanding it. Thank you.
@felipeweigel4415 1 year ago
The best tutorial of Spring Security. Thanks my friend!!
@TERALAPRASHANTH 1 year ago
Original video: kzfaq.info/get/bejne/eLyUhJaa2tXal2Q.html
@drax432 1 year ago
Thanks for the video. However, it is very sad that Spring Security does not provide us a built-in feature to deal with JWT, and expects us to manually include 3 JWT-related external dependencies (with the version included). Hopefully in future, there is a Spring Boot starter that includes these 3 dependencies, and appears in the Spring Initializer website. Also hopefully Spring Security has a built-in feature to automatically generate JWT for us and a function to extract claim, without us having to write it ourselves.
@jamilb8031 1 year ago
Of course the Spring Security authorisation server does provide a way to generate a JWT without adding these 3 dependencies. It's also possible to customize the token if you wish, which is also straightforward, but learning Spring Security is a process. You can't expect to see everything you need to know about Spring Security in a 2-hour video
@LS-tj3nc 1 year ago
@@jamilb8031 Where can I learn that? Spring docs are so confusing
@MyBinaryLife 8 months ago
@@jamilb8031 You can't find it in ANY video is the problem
@andriikniaziev9242 1 year ago
Thank you for the tutorial. All this stuff with spring security is looking much more complicated than in express framework for node js
@govindgupta290 1 year ago
Thanks Nelson, I was waiting for this course
@Stiff951 1 year ago
Anyone else got the problem of constantly getting 403 when trying to access the demo-controller after generating the token? Token is looking good to me. Debugger shows it passes the JWT Filter and sets the authentication. Even failed using your cloned repo.
@muhohojeremy4861 1 year ago
I landed on the same issue.
@muhohojeremy4861 1 year ago
The Cloned repo works though
@tatsuya370 1 year ago
You have to copy the token without the double quotes. Now it will work
@vlloydb3876 1 year ago
It still doesn't work
@vlloydb3876 1 year ago
I also have the same issue
@nikiuktc 1 year ago
For those of you who have issues with deprecated methods, downgrade your spring version to 3.0.5 for this example to work.
@akshayanatarajan2350 11 months ago
Thank you, this helped :)
@Heavenset 8 months ago
But isn't downgrading security methods bad?
@maxi-g 5 months ago
DO NOT DO THAT, don't be lazy and just check the current documentation
@bluex217 5 months ago
Deprecated securityfilter chain stuff here at least up until Spring Security V 3.2.3:
// POST requests under /api/v1/auth/ are open; everything else needs authentication
http.authorizeHttpRequests(auth -> auth
        .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, "/api/v1/auth/**")).permitAll()
        .anyRequest().authenticated());
// no HTTP session is created or used
http.sessionManagement((SessionManagementConfigurer<HttpSecurity> httpSecSessManConf) -> httpSecSessManConf
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
@evanilsonp.8183 4 months ago
You should delete this comment. The right thing to do is to search for a solution.
@blackblather 4 months ago
This video was a great starting point to using the Spring Security package. Thank you 👍👍
@BeSeechMV 9 months ago
Man, you have just saved at least a month of my life. You are the real hero. And I am not kidding. Thank you
@lhxperimental 1 year ago
The explanation of how JWT auth works is not correct. If for every request the DB is going to be accessed, the point of JWT is lost.
@CwanyBob 4 months ago
Not exactly. You may want to implement a blacklist table to invalidate tokens on user logout, password change etc. Also, you could verify the token against the blacklist in the gateway and then pass the token between microservices without the need to call the authorisation service from every microservice as you would have to with a session.
@youssefahmad8690 12 days ago
THANK YOU, IDK WHY IS NO ONE TALKING ABOUT THIS. The apis are not truly stateless anymore and this isn't really any different from using a normal session that is stored in the db
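Added example, not from the video or from any commenter: the trade-off discussed in this thread, shown with the jjwt library (0.11.x API assumed, with jjwt-api, jjwt-impl and jjwt-jackson on the classpath). Signature and expiry are verified locally with no user-table query, and the only server-side state is a list of revoked token ids (jti); the class, method names and in-memory map are hypothetical, and a shared table or cache would take the map's place across instances.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.security.Key;
import java.time.Instant;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class StatelessJwtCheck {
    private final Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256); // constructed demo key
    // Revoked token ids (jti) -> token expiry. Holds logged-out tokens only, not every session.
    private final Map<String, Instant> revoked = new ConcurrentHashMap<>();

    String issue(String username, String role, long ttlSeconds) {
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())   // jti: the handle used for revocation
                .setSubject(username)
                .claim("role", role)                   // authorities travel inside the token
                .setExpiration(Date.from(Instant.now().plusSeconds(ttlSeconds)))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    // Returns the claims only if the token is authentic, unexpired and not revoked.
    Optional<Claims> verify(String token) {
        try {
            Claims c = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(token).getBody();  // checks signature and exp, no DB call
            revoked.values().removeIf(exp -> exp.isBefore(Instant.now())); // drop expired entries
            return revoked.containsKey(c.getId()) ? Optional.empty() : Optional.of(c);
        } catch (JwtException | IllegalArgumentException e) {
            return Optional.empty();                   // bad signature, expired or malformed
        }
    }
    void revoke(String token) {                        // called on logout or password change
        verify(token).ifPresent(c -> revoked.put(c.getId(), c.getExpiration().toInstant()));
    }

    public static void main(String[] args) {
        StatelessJwtCheck auth = new StatelessJwtCheck();
        String token = auth.issue("alice@example.com", "USER", 900); // constructed sample user
        System.out.println("accepted before logout: " + auth.verify(token).isPresent());
        auth.revoke(token);
        System.out.println("accepted after logout: " + auth.verify(token).isPresent());
    }
}
```

Because each revoked entry is dropped once its token would have expired anyway, the list stays bounded by the token lifetime rather than by the number of users.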
@whitelight8811 1 year ago
I've watched this tutorial from start to end. Thank you for this video ❤
@AyoubBenayache 2 months ago
just wow, highly professional, impeccably organized, and accompanied by clear and helpful explanations. big thanks for such outstanding work
@Aqwsaful 1 year ago
Thank you very much!! Your work is really helpful, interesting and unique!! I learned a lot!
@fabianoaono 1 year ago
Awesome video! I had to implement Spring Security in an application at my company without prior knowledge and I was able to do that in less than 2 days by using your video as a reference.
@TheSandraamore 1 year ago
Hi, can you pass me the code please? I need the securityConfiguration class because in the video some methods are deprecated :(
@bluex217 5 months ago
@@TheSandraamore
// POST requests under /api/v1/auth/ are open; everything else needs authentication
http.authorizeHttpRequests(auth -> auth
        .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, "/api/v1/auth/**")).permitAll()
        .anyRequest().authenticated());
// no HTTP session is created or used
http.sessionManagement((SessionManagementConfigurer<HttpSecurity> httpSecSessManConf) -> httpSecSessManConf
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS));
@cowice7582 5 months ago
A good approach to implement the entire concept of JWT at the coding level. Thanks a lot.
@amirhoseinjavid8075 1 month ago
That was wonderful and so helpful for me!
@seanans 1 year ago
Thank you a lot, it's the best, clear and awesome guide I have ever seen 😍
@random-history 1 year ago
Thank you for such a kind and useful lesson!
@user-ex3ek9rf2u 7 months ago
Awesome course... Thank you. Need more related to JWT.
@madiagnediagne9104 1 year ago
Wow! Thank you very much. May Allah repay you a hundredfold for the satisfaction I had after I finished listening to the video
@raedgeorge391 1 year ago
thanks for your effort in this course. well explained and structured.
@omerylmaz1769 10 months ago
Awesome tutorial. Just perfect. Thanks for making this awesome tutorial
@Lucas24865 1 year ago
Thanks a lot for such wonderful content!! It is very helpful
@vulgomacumbeiro 3 months ago
The best class EVER! Thanks for sharing!
@matiloki 7 months ago
You rock, awesome masterclass, thank you very much!
@Father_Of_Sudeera_Muthusinghe 4 months ago
This is the second tutorial I followed from your channel. It is really cool. Btw, let me give some feedback: when you are explaining things, sometimes you skip explaining some of the syntax (like why do we use this and what does this do etc.). But fortunately you do it less frequently than most of the other programming youtubers do. In this video it happens mostly after 01:30:00 hr. Anyway, this is still really understandable and cool stuff compared with other videos on the same topic. Thank you so much. Learnt a lot. Will stick with your channel. God bless you!