
Is join table needed or we can do without?

 
Ranch Hand
Posts: 1021
Hi experts,

Finally, I am trying my hand at a JWT implementation but I have lots of questions in my mind and I would appreciate help from this forum again.

Basically, I am following this tutorial :


https://bezkoder.com/spring-boot-jwt-authentication/

Now, under the User class, the author is using a @JoinTable

I would like to know if I can just bring in the role from my other class to User table instead of doing a Join here.

The author uses Integer id in all the POJO classes, so in my database, is it ok not to use Id for the User table but UserId, which differs from the Id in the POJO?

Furthermore, I would like to know, when a userId and passwords are stored inside the table for JWT authentication, do I need an encryption library to encrypt the passwords before inserting them into the db?

Tks for your guidance in advance.

 
Saloon Keeper
Posts: 15510
First of all, why are you following this tutorial? I'm not saying you shouldn't, but you need to make sure that you're doing it for the right reasons:

Do you want to implement an identity provider, so that users from other applications can authenticate themselves through your service? Then this tutorial is for you.

Do you want to consume the services of an identity provider, so that user of your application can log in with your application? Then you should look for another tutorial.


tangara goh wrote:I would like to know if I can just bring in the role from my other class to User table instead of doing a Join here.


Users <-> Roles is usually a many-to-many relationship. To store a many-to-many relationship in a relational database, you always need a join table. If you don't specify a join table in your entity explicitly, Spring will generate one anyway, possibly with table and column names that you don't want.


The author uses Integer id in all the POJO classes, so in my database, is it ok not to use Id for User table but UserId which differ from the Id in the POJO ?


You can name the primary key property whatever you like, and it can also have a type other than Integer or Long. The important thing is that you annotate it with @Id.


Furthermore, I would like to know when a userId and passwords are stored inside the table for JWT authentication, the passwords do I need a encryption library to encrypt it before inserting into the db ?


NEVER HANDLE PASSWORDS YOURSELF.

ALWAYS DEPEND ON YOUR APPLICATION FRAMEWORK.

Look at the Spring Boot Server diagram again:



Notice how the AuthenticationManager uses the UserDetailsService and a PasswordEncoder. When your application tries to authenticate a user, the AuthenticationManager will use the PasswordEncoder to transform the user's credentials, and then it will retrieve the authenticated user from the database using the UserDetailsService.

When a user updates their credentials, the AuthController will perform the request through the AuthenticationManager.

The thing to take away from this is that you will NEVER perform any operations on the credentials yourself. You let the AuthenticationManager handle everything for you. If you want to change the way the credentials are transformed, you simply plug in a different PasswordEncoder implementation.
 
Saloon Keeper
Posts: 27762
There's a reason why Roles and User credentials are not stored in the same table.

A user can be assigned multiple roles, from 0 to every role defined for the webapp. It's not a 1-to-1 deal, it's one-to-many.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510

Tim Holloway wrote:one-to-many.


Many to many. A user can have many roles, and a role can be filled by many users.
 
Tim Holloway
Saloon Keeper
Posts: 27762

Stephan van Hulst wrote:

Tim Holloway wrote:one-to-many.


Many to many. A user can have many roles, and a role can be filled by many users.

True.

I stand corrected.
 
tangara goh
Ranch Hand
Posts: 1021
Hi guys,

Thank you for your kind pointers.

@Stephan van Hulst, could you point me to a tutorial that is most suitable for my use case with roles and status and error message? I have seen various tutorials online but some are not using ResponseEntity in the Controller and use an @api response like this one:

https://github.com/murraco/spring-boot-jwt/blob/master/src/main/java/murraco/controller/UserController.java

I am just lost which way I should do this assessment, cos I really need to get a job.

Tks for your help in advance.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
I can't suggest anything if I don't know what your application is supposed to do. Please tell us your functional requirements, and what you're stuck on.
 
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:I can't suggest anything if I don't know what your application is supposed to do. Please tell us your functional requirements, and what you're stuck on.



I am required to come up with a User API Service:
1) Authenticate user - using UserId and password
 The response: authentication result, roles - Manager, admin etc and errorMessage

2) Check user status with given UserId

3) Deactivate a user given UserId
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
So you ARE implementing an identity provider. Then you can continue with the tutorial, as I mentioned in my first reply.
 
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:So you ARE implementing an identity provider. Then you can continue with the tutorial, as I mentioned in my first reply.



But, how do I authenticate against a UserId and not UserName ?

I have been searching for a tutorial to implement loadUserById to no avail....

So far I have attempted to change the loadUserByName in the original code to use loadUserById but it is not being accepted ...



I got this error :


The type UserDetailsServiceImpl must implement the inherited abstract method UserDetailsService.loadUserById(String)



from this class:






[code=java]
- Line breakpoint:WebSecurityConfig [line: 45] - configure(AuthenticationManagerBuilder)
- The method userDetailsService(T) in the type AuthenticationManagerBuilder is not applicable for the arguments
(UserDetailsImpl)
[/code]

I hope someone can give me some hints on how to have Spring Boot recognise the new method in my interface ..cos doing an @Override also doesn't help.



Tks.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:But, how do I authenticate against a UserId and not UserName ?


What do you mean? You authenticate the user based on the credentials they enter, regardless of whether you call it the user ID or user name. If you're referring to the ID that is used as the primary key for the user in the database, you should NOT authenticate against that, because it's for internal bookkeeping only.

The point of the loadUserByUsername() method is that Spring Security can plug in the name that the user provided (regardless of whether YOU call it an ID or a name) and that you can pull the correct user out of the database based on what the user entered.


I have been searching for a tutorial to implement loadUserById to no avail....


Hint: there isn't a way. That's not how UserDetailsService works. Why is this so important to you anyway? Just follow the tutorial, make sure that you understand how to do a user management service, and then find out how to fix the specifics. Tutorials will rarely be useful for specific use cases. That's what Spring's user manuals are for.


So far I have attempted to change the loadUserByName in the original code to use loadUserById but it is not being accepted ...

...

I hope someone can give me some hints on how to have Spring Boot recognise the new method in my interface ..cos doing an @Override also doesn't help.


This highlights that you have a fundamental misunderstanding about the Java language itself. To be able to understand Spring, you MUST understand how service contracts work.

You can not change interfaces provided by other developers. The @Override annotation also doesn't change the meaning of the code. The only thing that @Override does is warn you when you made a mistake in typing the signature of a method whose implementation you meant to override.
 
tangara goh
Ranch Hand
Posts: 1021
I have changed my code implementation to one that uses Java, since JWT was not mentioned in the assessment paper

Basically, I hope to get some review on the code :



The thing is that I am not sure if I need to include session management and if so how can I ride on the security core api of Spring boot in this case?

 
Stephan van Hulst
Saloon Keeper
Posts: 15510
You are sending user credentials over a GET request. NEVER send sensitive data over GET requests! GET payloads are not encrypted and will appear as plain text in a network analyzer.

You are doing absolutely nothing useful with the provided ID and password, as far as I can tell. Why do you need all those parameters anyway, if you're just grabbing the current User that Spring manages for you?

Why is the code full of print statements?
 
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:You are sending user credentials over a GET request. NEVER send sensitive data over GET requests! GET payloads are not encrypted and will appear as plain text in a network analyzer.

You are doing absolutely nothing useful with the provided ID and password, as far as I can tell. Why do you need all those parameters anyway, if you're just grabbing the current User that Spring manages for you?

Why is the code full of print statements?



Tks Stephan.
It is hard to determine if one should use GET or POST since it is not indicated.
I thought since we are comparing something in the database it should be a GET. But, with a form added, it could be a POST, except this one is without a front-end.

Why do I need ID and password? Because I would need to return an error message if it is invalid... Are you saying I should use ResponseBody as a parameter?

I just do a print for checking....but of course now I have not settled my database due to various bugs in MySQL and I need to switch db....

Can't really tell what went wrong till the db is set up, or is there any other way to tell the output?

 
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:It is hard to determine if one should use GET or POST since it is not indicated.
I thought since we are comparing something in the database it should be a GET. But, with a form added, it could be a POST, except this one is without a front-end.


GET is for when you only want to retrieve information from the web service, without changing the web service's application state. The problem with your method was not that it was a GET request. The problem was that you're sending user credentials along with the request.

Why do I need ID and password? Because I would need to return an error message if it is invalid...


You don't send a user name and password with every request. You send them only once per user session, when you log in. Logging in always happens through a POST request. After you've logged in, Spring authenticates the user automatically from the user session. You don't have to (and shouldn't) perform your own authentication in the controller.

Are you saying I should use ResponseBody as a parameter?


No, I didn't say this at all.

Can't really tell what went wrong till the db is set up, or is there any other way to tell the output?


I have no idea what you mean. What problem are you having? Why do you need to switch databases?
 
tangara goh
Ranch Hand
Posts: 1021


Why do I need ID and password? Because I would need to return an error message if it is invalid...


You don't send a user name and password with every request. You send them only once per user session, when you log in. Logging in always happens through a POST request. After you've logged in, Spring authenticates the user automatically from the user session. You don't have to (and shouldn't) perform your own authentication in the controller.

Thanks for your valuable feedback.
I just want to be sure that I got you correctly. So, if I change it to a POST request, the rest of the code is ok, right?
So, there is no session needed, right, cos it is not like after logging in the user will be redirected to another page...
 
Tim Holloway
Saloon Keeper
Posts: 27762
HTTP, unlike, say, time-sharing computer accounts, is a disconnected protocol. That is, the client connects to the server, submits a request, gets a response back, and closes the connection (disconnects). This process completes over and over again.

Thus, in order to know who's who on each connection, you have to provide some sort of identity token, since you cannot assume identity from the connection itself.

There are two ways to provide this token. One is container-managed, one is user-supplied. As a general rule, I recommend using container-managed tokens.

The container-managed token is jsessionid and it is passed back and forth on each HTTP Request/Response cycle. It is VERY important NOT to cache this token, because the server can AND WILL change the jsessionid between requests.

The jsessionid token (name/value pair) is transported in one of two ways. Either via a cookie or via URL rewriting. Cookies are more reliable. They are handled automatically by the server and by standard Java HTTP protocol classes. URL rewriting is more fragile, since you have to explicitly include the jsessionid on each submitted URL.

Regardless, what the jsessionid value actually is is simply a hash code into the server's table of HttpSession objects. Thus, an incoming request can be matched to the logged-in user identity and their session-scope attributes. This hash code is simply a matching mechanism and thus is basically a "random number", so nothing about the user's identity or working state is carried in it.

Also, as a side note, only when using container-managed security, then and only then can you make use of the JEE API security functions. Any other security framework has to use its own methods.

Container-managed security also has the advantage of being able to block many attacks before they have a chance to chew holes in the application logic.

But what if you aren't using JEE container security? There are cases where you can't, and ReST is a classic example. Since ReST does not use HttpSession - and that includes the JEE userid and security roles (which are part of the session) - then you have to assert your identity manually. You can do this in a one-shot mode, including the userid/password in a POST request, but if you are going to make repeated requests under the same identity it's better to do what the container does - accept credentials once, return a security token, then use the token for subsequent requests. That way you only expose your identity once, and once logged off, the token cannot be used as a direct attack vector at a later time.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:So, if I change it to a POST request, the rest of the code is ok, right?


No. Sending your user name and password with every request is NOT okay. Every time a user has to send their credentials over the network is another opportunity for somebody to intercept them. If you don't use session management, you must exchange the credentials for access tokens.

Why are you so bent on getting rid of user sessions? I don't understand your final goal.
 
tangara goh
Ranch Hand
Posts: 1021
@Tim,

if I go along with your suggestion, I would have to follow the Tomcat session management API if I am using Tomcat as a server.

After reading your explanations, I have researched a bit and it seems that there are Spring sessions using Spring core with Redis, Spring with JDBC session etc.
I am drowning in a sea of information.

So far I hadn't seen a container-managed session example with Spring Boot.

Is the JDBC session per the Spring guide the one you are referring to?

https://docs.spring.io/spring-session/docs/current/reference/html5/#samples -

https://docs.spring.io/spring-session/docs/current/reference/html5/guides/boot-jdbc.html


 
Stephan van Hulst
Saloon Keeper
Posts: 15510
You need to settle on a framework first. Do you want to use Spring or do you want to use Java EE? Both are valid options. Many people have chosen Spring in the past because it was easier and nicer to use than Java EE, but personally I'm a huge fan of Java EE, which in my eyes has become the better framework since Java EE 8.

Anyway, if you've already followed various Spring tutorials, I wouldn't suddenly jump back to Java EE. If you choose to continue with Spring, you ought to use Spring Security to handle your user authentication.
 
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:

Anyway, if you've already followed various Spring tutorials, I wouldn't suddenly jump back to Java EE. If you choose to continue with Spring, you ought to use Spring Security to handle your user authentication.



I like both frameworks (security-wise I have not done JWT using JEE though) but I am new to Spring Boot.

So, if I were to use Spring Boot, do I need to follow the standard ubiquitous Filter, Authentication Manager, WebConfig that come together when one is authenticating a user? Can I do basic authentication without the Authentication Manager involved?

Hope you could give me some hints.

Tks.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
Again, it all depends on your goals.

Who are your users? How are they going to access your application? Does your application provide a front-end, or only a web API? If your application provides a front-end, is it an SPA or does it consist of multiple pages?
 
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:Again, it all depends on your goals.

Who are your users? How are they going to access your application? Does your application provide a front-end, or only a web API? If your application provides a front-end, is it an SPA or does it consist of multiple pages?



I am only required to do backends. No front end is involved.
How they are going to access the app is not specified, so I will opt for database access.

 
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:How they are going to access the app is not specified, so I will opt for database access.


This is a non-sequitur. Application access has nothing to do with databases. I meant whether users will access your application through their browser, through a desktop or mobile application, through a REST client, stuff like that.

I am only required to do backends. No front end is involved.


Okay, this means that your application is likely accessed through a web API, which means that instead of user sessions, it's better to use access tokens.

Seeing as your application IS the identity provider (as opposed to, uses a third-party identity provider), your application is responsible for implementing a protocol that authenticates users and authorizes clients, such as OpenID Connect. This is HARD, and not a great first project for somebody who hasn't worked with token-based authorization in the first place.

Alternatively, you can choose to outsource authentication to an SSO platform like Facebook, and then simply let your application act as a resource server (where the resources are user profiles). This is much easier, but it will muddy the waters because your application will not really be doing any user management.

Honestly, it would have been much better if your first application was a resource server for something other than user profiles. Can't you start with something easier, like an application that keeps track of a user's shopping list or something like that?
 
tangara goh
Ranch Hand
Posts: 1021
Hi Stephan,

I just want to make sure I get you correctly and I want to be sure I have fed you with the right info.

Here's the exact spec written:

User API Services

--------------------
You are expected to design the types of HTTP request method (GET, POST, PUT AND DELETE) for each operation as well as the API path.

All user data must be stored in the database. NO UI is required, but you are expected to demonstrate the output from the operations. Handling of errors is expected as well.

So the first operation
------------------------

Authenticate a user.  If the user is of active status and the credentials match, return user id and roles.  Otherwise the result with an error message.

Request input from Client
----------------------------
userId and password from user


Response from Server
--------------------------
Authentication result,
Roles of user
Error Message like invalid Id or User is Inactive

Do let me know if it is really an identity provider REST API....

Tk.s
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
The assignment describes an identity provider, but with a pretty poor and insecure API.

Anyway, if you want to do exactly what the assignment says, you can, as long as you keep in mind that this is not how web services work in the real world.

  • Modify your API so you don't pass the user ID and password in the URL. Credentials must be passed through the request body. This also means your request must be a POST request.
  • Change the URL to something that makes sense, for example /login or /auth.
  • The assignment doesn't say that the client needs to pass status and role, so remove those parameters.
  • Don't use the user field in your controller action. The user field is provided by Spring. If you're hacking your own authentication, you shouldn't use it.*

* In a real world application, you would rely on the user field provided by Spring, and not write your own authentication.
     
tangara goh
Ranch Hand
Posts: 1021
Tks Stephan for the clarification. So, indeed it is an OIDC kind of web service, except that the requirement shows that it is not a full-fledged one.

BTW, they have indicated result, roles and errorMessage as fields and the types as authentication result, roles of a user and error message respectively.
Does it mean that I have to store the result like 200 OK, 401 into the database, which is quite a strange practice to me, and the error message as well, which will only make sense if it is accompanied by a DateTimeStamp, but for this case it is not indicated?

Based on the first operation, is session management still needed?

In any case, I have found out from all those ubiquitous tutorials and come up with something like that:



Thanks for your help in advance.
     
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:BTW, they have indicated result, roles and errorMessage as fields


Fields of what? I see no such specification.

Does it mean that I have to store the result like 200 OK, 401 into the database, which is quite a strange practice to me, and the error message as well, which will only make sense if it is accompanied by a DateTimeStamp, but for this case it is not indicated?


No. Where did you get this from? The authentication request should store absolutely nothing in this case. The assignment doesn't say you should store anything.

The database must already contain a user name and a key derived from the password per user. It also contains a table of roles, and a join table of roles per user.

The authentication request simply checks that a user with the specified ID exists, and that a key derived from the provided password matches the key in the database. If both are true, return a HTTP status code 200 result with the ID of the user and the user's roles. If the user doesn't exist or the password is invalid, return a HTTP status code 401 result with an error message. The error message must be something like "Invalid user name or password", and NEVER anything more specific than that. If you tell the client the specific nature of the problem ("user doesn't exist", "password invalid", "user is inactive", etc.) that is a security leak!

Based on the first operation, is session management still needed?


Session management comes into play when more than one request is made. How can we tell you that you need session management if we don't know whether your application is going to have more endpoints? Stop worrying about this. Focus on the first assignment and do just that.

In any case, I have found out from all those ubiquitous tutorials and come up with something like that:


Look, you really need to make a choice. Are you going to do your own authentication, or are you going to use Spring Security to do your authentication? Stop mixing the two. Either rely on Spring and configure it properly and then use the user field in the controller, or disable Spring Security and write your own authentication code.
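The flow Stephan describes in this reply and in his first one (a key derived from the password stored per user, roles through a join table, the AuthenticationManager and PasswordEncoder doing the credential check, credentials sent in a POST body, and one generic 401 message for every failure), as an added Java example that is not code from the thread or from the bezkoder tutorial. It assumes Spring Boot 2.x with Spring Security and Spring Data JPA (on Boot 3 replace javax.persistence with jakarta.persistence) and a security config that exposes an AuthenticationManager wired to this UserDetailsService and a PasswordEncoder bean such as BCryptPasswordEncoder, as the tutorial's WebSecurityConfig does; the class, table and field names are made up for the example.

```java
// Added example (not the tutorial's or the thread's own code). Assumes Spring Boot 2.x with
// spring-boot-starter-security and spring-boot-starter-data-jpa, plus a security config that
// exposes an AuthenticationManager backed by AppUserDetailsService and a PasswordEncoder bean.
package example.auth;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

import javax.persistence.*;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Users <-> Roles is many-to-many, so JPA needs a join table. Naming it explicitly
// keeps Spring from generating one with table and column names you did not choose.
@Entity @Table(name = "users")
class AppUser {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    Long id;                       // internal bookkeeping key; never used as a credential
    @Column(unique = true, nullable = false)
    String userId;                 // what the client types in; Spring calls it the "username"
    @Column(nullable = false)
    String passwordHash;           // PasswordEncoder output, never the raw password
    boolean active = true;
    @ManyToMany(fetch = FetchType.EAGER)
    @JoinTable(name = "user_roles",
               joinColumns = @JoinColumn(name = "user_id"),
               inverseJoinColumns = @JoinColumn(name = "role_id"))
    Set<Role> roles;
}

@Entity @Table(name = "roles")
class Role {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY)
    Integer id;
    @Column(unique = true, nullable = false)
    String name;                   // e.g. "ROLE_MANAGER", "ROLE_ADMIN"
}

interface AppUserRepository extends JpaRepository<AppUser, Long> {
    Optional<AppUser> findByUserId(String userId);
}

// The only job of this service is to map whatever the client typed into a UserDetails.
// The password comparison is NOT done here: DaoAuthenticationProvider does it with the
// configured PasswordEncoder, so no credential handling code is written by hand.
@Service
class AppUserDetailsService implements UserDetailsService {
    private final AppUserRepository users;
    AppUserDetailsService(AppUserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String userId) throws UsernameNotFoundException {
        AppUser u = users.findByUserId(userId)
                .orElseThrow(() -> new UsernameNotFoundException("no such user"));
        List<GrantedAuthority> authorities = u.roles.stream()
                .map(r -> new SimpleGrantedAuthority(r.name)).collect(Collectors.toList());
        // disabled(true) makes the provider raise DisabledException for inactive users
        return User.withUsername(u.userId).password(u.passwordHash)
                .authorities(authorities).disabled(!u.active).build();
    }
}

class LoginRequest { public String userId; public String password; }

// Credentials travel in a POST body, never in the URL of a GET request.
@RestController
class AuthController {
    private final AuthenticationManager authenticationManager;
    AuthController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @PostMapping("/auth")
    public ResponseEntity<?> login(@RequestBody LoginRequest req) {
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(req.userId, req.password));
            List<String> roles = auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority).collect(Collectors.toList());
            return ResponseEntity.ok(Map.of("result", "authenticated",
                                            "userId", auth.getName(), "roles", roles));
        } catch (AuthenticationException e) {
            // Unknown user, wrong password and inactive account all collapse into one message;
            // telling the client which one it was would leak information.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Map.of("result", "failed",
                                 "errorMessage", "Invalid user ID or password"));
        }
    }
}
```

By default DaoAuthenticationProvider also converts UsernameNotFoundException into BadCredentialsException, so the generic message holds even at the exception level and the 401 response carries no hint about which check failed.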
     
tangara goh
Ranch Hand
Posts: 1021

Stephan van Hulst wrote:The assignment describes an identity provider, but with a pretty poor and insecure API.

Anyway, if you want to do exactly what the assignment says, you can, as long as you keep in mind that this is not how web services work in the real world.

  • Don't use the user field in your controller action. The user field is provided by Spring. If you're hacking your own authentication, you shouldn't use it.*

* In a real world application, you would rely on the user field provided by Spring, and not write your own authentication.



Hi, Stephan,

I am using my own User class but extending the Spring User class. Does that mean that I just use Java code to check the userId and password and pass them in to Spring Boot's Authentication API: import org.springframework.security.core.Authentication?

Hope you could advise me.

Another thing is I am stuck as to how do I test the end point using Postman?

I am not sure which Authorisation I should use under the Postman Authorisation tab.... furthermore, the console did not print out that I am inside the end point....

Seems that my end point is not working correctly...maybe I can't mix Java with Spring Authentication?


     
Stephan van Hulst
Saloon Keeper
Posts: 15510

tangara goh wrote:I am using my own User class but extending the Spring User class. Does that mean that I just use Java code to check the userId and password and pass them in to Spring Boot's Authentication API


Again, you need to make a choice. If you choose to do your own authentication, you can still use your custom User class, but you may not rely on the user field injected into the controller by Spring, because then you'll be relying on Spring's authentication mechanism. If you want to use Spring's authentication mechanism, you can use the user field directly, and you don't have to write any additional authentication code. You only have to configure Spring Security with the authentication and authorization mechanisms that you want to use.

Another thing is I am stuck as to how do I test the end point using Postman?

I am not sure which Authorisation I should use under the Postman Authorisation tab....


It depends on the authentication mechanism that you chose.

furthermore, the console did not print out that I am inside the end point....

Seems that my end point is not working correctly...maybe I can't mix Java with Spring Authentication?


If you chose Spring Security and configured your controller action to require an authorized user, then your action won't be hit if the user isn't authenticated, if the user isn't authorized, or if your request can not be mapped to the action in the first place.

If you chose to do your own authentication and authorization, you need to disable Spring authentication/authorization on the action you're trying to hit.
     