Spring Security - Lesson 6 - Multiple Authentication Providers Part 1

The Spring Security stream will teach you how to use Spring Security, from the basic authentication and authorization architecture to using OAuth 2.

Comments

It is the best Spring Security you could ever have for free and with an amazing instructor; he put in a lot of effort to do this for free. I have learned so much by just watching your lesson.

nabilnader

Fantastic lesson. Thank you so much for doing this. You can't imagine how much I appreciate it.

SoundMasterMike

⭐ Timestamps ⭐



- 0:30 Implementing Multi Factor Authentication (Basic & OTP Authentication)
- 26:50 Configuring Authentication Manager explicitly
- 50:00 Configuring Authentication Providers and Filters
- 58:00 Returning a token after Authentication

cooool

Laurentiu, thanks a lot for all your time, fantastic explanation, BEST of the BEST Spring Security Videos ...

tvsnath

Amazing lesson!! Please continue. I was looking for this course for so long. Thank you very much!

manuelpineda

I actually have a question. It may seem silly but I don't know why it is knocking my head again and again. Why do we actually create a UserDetailsService in the presence of a database? Because if we inject a repository into an authentication provider, we can actually achieve the same thing, for example to load the user. Can you please demonstrate this? Btw, thanks for your awesome content ❤

AliHassan-bzsk

Now I can type Authentication faster than my own name!
Looking forward to the new series : )

grigorybashev

The fantastic way I understand all the concepts clearly... thank you so much for your effort.

varundwivedi

Awesome blossom :) Got much more clarity about Spring Security. Please create a stream on microservices.

sushantkadav

Thanks again for the nice session, happy I could create the full example on my side.

momedalhouma

Hey, Laur. I was going to ask you - in your ProjectConfig class, is there a reason why you don't use @EnableWebSecurity? Or is @Configuration enough? I have seen multiple courses/articles/whatnot which use both @Configuration and @EnableWebSecurity; some only use @EnableWebSecurity without the @Configuration. I was wondering if @Configuration does the job for this particular example and you don't need @EnableWebSecurity, and maybe you could tell me if we must always use @EnableWebSecurity and @Configuration together or just one or the other. Thanks, keep going, I love the content!

mihaicosminmavrodin

Very cool 👍👍👍👍, watched like a movie, thank you.

TheGuroguro

Hey. I have an Angular application with Spring Boot as the backend. The application was able to generate an Excel file from the database data using the JExcel library. The application was working just fine until I added Spring Security; now the application can't export data to Excel file format, but it works when I remove Spring Security. What could be the problem?

webeltech

I am using Spring 2.7.1 and Spring Security 5.7.2 and this awesome tutorial still works; you just have to make a few changes.

These changes will also help you avoid / get rid of any circular dependency issues. We have to use the new CustomDsl way to configure our project and add in our providers, authentication manager and then our filter.

First of all, here are the changes to the filter:
public class UsernamePasswordAuthFilter extends OncePerRequestFilter {

    private final AuthenticationManager authenticationManager;
    private final OtpRepository otpRepository;

    public UsernamePasswordAuthFilter(AuthenticationManager authenticationManager, OtpRepository otpRepository) {
        this.authenticationManager = authenticationManager;
        this.otpRepository = otpRepository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        // Step 1 username and password
        // Step 2 username and otp

        var username =
        var password =
        var otp = request.getHeader("otp");

        if (otp != null) {
            // step 2
            Authentication a = new OtpAuthentication(username, otp);

            a =

            // generate a token
            response.setHeader("Authorization",

        } else {
            // step 1
            Authentication a = new UsernamePasswordAuthentication(username, password);

            a =

            // we generate an OTP

            String code = String.valueOf(new Random().nextInt(9999) + 1000);

            Otp otpEntity = new Otp();

            otpEntity.setOtp(code);

        }
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        return
    }
}

It's now a regular POJO and not a Spring Bean, since we will add its dependencies ourselves. Up next, the CustomDsl:

public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {

    public static MyCustomDsl customDsl() {
        return new MyCustomDsl();
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        ApplicationContext context =

        UsernamePasswordAuthProvider usernamePasswordAuthProvider =
        OtpAuthProvider otpAuthProvider =
        OtpRepository otpRepository =

        AuthenticationManager authenticationManager =

        http.addFilterAt(new UsernamePasswordAuthFilter(authenticationManager, otpRepository),
    }
}

We get what we want from the Application Context and put everything together. Finally, here is how our ProjectConfig looks:

@EnableWebSecurity
public class ProjectSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        return http.build();
    }
}

With these changes everything works as expected. Tested both username and password, and then username and OTP.

Here is the GitHub link if you want to see the full example; it's under the branch part_1. I'll update the changes of part 2 of this tutorial in the branch part_2.

starlite
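
The filter in the comment above builds its one-time code with `new Random().nextInt(9999) + 1000`, which draws from a predictable generator and yields values from 1000 to 10998. As an added example (not the commenter's or the course's code), here is a hardened issue/verify pair for the same two steps; `OtpService`, the in-memory map standing in for `OtpRepository`, the 6-digit width and the 2-minute lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical in-memory store standing in for OtpRepository.
public class OtpService {
    private record Entry(String code, Instant expiresAt) {}

    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private static final Duration TTL = Duration.ofMinutes(2);  // assumed lifetime
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    // Step 1: issue a fixed-width 6-digit code (000000-999999), replacing any older one.
    public String issue(String username, Instant now) {
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        pending.put(username, new Entry(code, now.plus(TTL)));
        return code;
    }

    // Step 2: the code is consumed by the first attempt, right or wrong,
    // so each issued code allows exactly one guess and cannot be replayed.
    public boolean verify(String username, String submitted, Instant now) {
        Entry e = pending.remove(username);
        if (e == null || submitted == null || now.isAfter(e.expiresAt())) {
            return false;
        }
        // Constant-time comparison so response timing does not reveal matching digits.
        return MessageDigest.isEqual(e.code().getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        OtpService otps = new OtpService();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock value
        String code = otps.issue("alice", t0);               // constructed username
        System.out.println("wrong guess: " + otps.verify("alice", "000000x", t0));
        System.out.println("after burn:  " + otps.verify("alice", code, t0));
        String late = otps.issue("alice", t0);
        System.out.println("expired:     " + otps.verify("alice", late, t0.plus(TTL).plusSeconds(1)));
        String ok = otps.issue("alice", t0);
        System.out.println("valid once:  " + otps.verify("alice", ok, t0.plusSeconds(30)));
        System.out.println("replayed:    " + otps.verify("alice", ok, t0.plusSeconds(31)));
    }
}
```

Passing the clock in as a parameter keeps expiry testable; in the filter, step 1 would call `issue` after the password check succeeds and step 2 would call `verify` before a token is returned.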

I noticed that in your examples you do not use the @EnableWebSecurity annotation. In various other resources this annotation is used. Can you explain this usage or non-usage?

drakezen

Hello, I know that it's been some time since this tutorial was uploaded, so I hope you still watch out for this comment :D. I faced a problem regarding the circular dependency between ProjectConfig and both auth provider and auth filter. I have fixed this using constructor autowiring with the @Lazy annotation. I don't know how recommended it is. Also, I think that the problem is for both passwordEncoder, which is defined in the Spring context in ProjectConfig, and for authenticationManager. PasswordEncoder is used in AuthProvider and AuthManager is used in AuthFilter, and both AuthProvider and AuthFilter are used in ProjectConfig... I am wondering if I missed something. Thanks!

bogdananton

Thanks a lot for these tutorials.
I have one question. I can't understand the purpose of the OncePerRequestFilter class except that it saves us from some casting.
Why is this class named this? I mean, every filter in the filter chain is called one time till it hits our endpoint, so why do we need a guarantee that the filter must be called one time?

hamedalipour

Can you explain what the point of this two-stage authentication is? After the 1st stage the client has everything to retrieve the token, so why not pass the token in the 1st step? (What is the purpose of introducing another step?) Thanks in advance and thanks for this top quality content!

michal

I really like your playlist, Sir, but I have one question: should we do OTP and usernamepassword request handling from 2 separate filters, or is it the industry standard to handle both from one filter?

mritunjayyadav

Hi,
Great content, hands down :)
Is there any specific reason we are not saving the authentication instance in SecurityContext in the custom filter implemented?

niketkumar