Spring Security JWT: How to secure your Spring Boot REST APIs with JSON Web Tokens

THANK YOU THANK YOU!!!!

Hey Dan, quick question. I notice your .pem files are not pushed on the GitHub repository but you also did not gitignore them. How did you prevent pushing them to GitHub? And how do you deploy an app that relies on these files but does not have them on the repo.

Hi Dan, really a good video. One functionality which could be added is adding refresh token feature, thanks

Thanks for asymmetric rsakeys knowledge you've shared.

Great Explanation

awesome

I super like your video, I have learned a lot form it

Hey Dan, great work, I have just one question that this oAuth2ResourceServer() takes one Customizer but the jwt() referened by method reference is not having void return type as of thr customize() of Customizer..and we are not getting compile time error...how it is possible?

Very good video, if anybody haven't mentioned yet, it would be good to replace inMemory user with UserDetailsService on data base. Additionally securing rest api with roles. Video would be a bit longer than 1hours, but woud cover topic from A to Z

Thanks a lot Dan!

First, thank you for such a comprehensive explanation of the new spring security. I'm going to take minor issue with it because, as with just about every tutorial I've seen for spring boot security, the user logon and Jwt generation is in the same sever as the Jwt consumer for endpoint security. This would never happen in the wild and creates confusion as to which SecurityConfig configurations are needed for each.

Is anyone else getting a "There is no PasswordEncoder mapped for the id 'null'" Exception early in the video? Right after creating the SecurityConfig class and its first two methods.

Hi Sir, I'm novice in spring security, can you please tell me where is the logic behind to refresh token if it's expired?

wonderful tutorial, thank toy very much 😊

Hii Dan,

I love ur tutorials.. my question is how can i create a seperate authentication servuce using jwt. And then use that is a seperate client service to secure endpoint? Thanks..

Thank you Dan. I meant A LOT!
Would you consider to create a video for those like me with a title "How to read Spring documentation and connect things together"? Lol. Thanks again!

Great video! You make it so easy to grasp the concept.
A quick question. How would you secure the APIs using JWT if the application is using (username & password)
in some cases and also biometrics authentication in other cases.

Issue with JUnit when testing for the repository directly (without going through the controller)

No converter found capable of converting from type [java.lang.String] to type [java.security.interfaces.RSAPublicKey]

Amazing !!!! Great video, Thanks 👌

Sir, I was working on a project and while surfing the web for JWT, I came to know that JWTs are not safe when used on frontend applications on browser. They are open to XSS attacks. Also, disabling csrf() is not recommended when used with browsers (like ReactJS+Spring Boot). I don't fully understand what's wrong and what we should do. Please help!

Thanks for a great tutorial. The article is very useful and helpful.

Thanks for sharing about JWT

Excellent video! Need to test spring security with Ping Federate.

Everything works great!

Great video my start to spring security wouldn't have been great without this. A big salute.

Great video! Thanks a lot! I just have one question though: In Postman, you use bearer token as authorization type. The dropdown also offers "JWT token". Why did you not choose this option and took "bearer token" instead?

great video very useful

That is for access token.
How about refresh token?

Dan, thanks for great video!
Can anyone help? How to send response back if request was with invalid credentials? I've added custom entry point, so if the user provided no auth token he gets custom json with error message, but how to handle such exceptions as UsernameNotFoundException and BadCredentialsExceptions?

Very good take there.

Sir, how did you automatically generate the tests? Was it the Copilot?

First off awesome video Dan. I have seen no code/logic on the resource server side to validate token. Is this optional on resource server end or its a must.

I really appreciated this video. Wishes your channel get bigger n bigger.

Thanks Dan. it was crystal clear

Hi dan, thank you so much for the video, it really helped me.
Just one thing, i'm getting an error with the second unit test "rootWhenAuthenticatedReturnAllUsers". I've done the same thing that you have but i'm getting a 403. Can you or anybody help me?

Add Role & Permissions with RoleHeirarchy with spring security 6, Spring Boot 3

Awesome tutorial as always. I have quick one... When using assymetric encryption do we use the private key to encrypt the data or the public key? With the little knowledge I have on encryption, I'm pretty sure we use the public key for encryption and the private key for decryption.

I am a nodejs and Golang API. I found this tutorial very help for my current work using Spring-boot.
One thing about Spring-boot is that, when you use Spring-Boot with higher version some errors like this shows up:
This error occurs in the NimbusJwtDecoder.validateJwt method of the org.springframework.security.oauth2.jwt.NimbusJwtDecoder class. The NimbusJwtDecoder class is used to decode JSON Web Tokens (JWTs) and is part of the Spring Security OAuth 2.0 framework.

Perfect video. Thank you, Dan! Like+Sub

Great video! Thanks!
Could you explain: you have showed the project creation with the spring starter io source. But, after project was created, you show 2 pom files - problem in that the spring.starter actually created only one single pom. How to I have to understand and follow your solution? And the main issue - I have implemented all steps and this solution doesn't work: yes, I received token, but this token doesn't work for other requests - I have receiving 401 error for all following requests. Now I try to understand the difference - and the difference only in the pom files between your and my code. But you are not explained them

Why my comments were deleted?

can u explain how to do this but with session cookies instead?

Also to use the authorization as a micro service and export it, import it in multiple application across the company portfolio for a aligned one platform!

Thank you Dan! Great work!