Hi guys. In this lesson we will talk about Spring Security, its default configuration and its customization. Spring Security provides an authorization filter for requests and responses. With Spring Security, we can define permitted and not permitted paths. We can also define these permissions according to roles, and we can define the session and authorization types.
Let's understand these things with a login example. First of all, let's look at the default configuration of Spring Security. You know that to log in to a system we first have to send our credentials, such as username and password, from the client side. We can do this in two different ways. The first is to post them directly as a form payload or path parameters. The second is to send them in the Authorization header. To do that, we send a Basic token, which is base64 encoded.
This token is constructed from the username and password. It is then sent to the server side, where Spring Security catches it and checks it. Our first question is what the default login path is in Spring Security. The Spring Security login API path is simply /login. The formLogin property describes the default login form arguments: formLogin is the form login configurer component, and it works with these default parameters. Firstly, the default login page and the login processing URL are both /login.
Secondly, after a login request, the login operation can succeed or fail. If it succeeds, the response of the login request is returned as successful, so there is no other default path for the successful result. If it fails, the failure path is /login with the error parameter (/login?error). The third item is also related to logout: by default, the successful logout path is /login with the logout parameter (/login?logout).
These were the formLogin properties. The other default configuration is httpBasic. This means Spring Security will check whether the incoming HTTP request contains an Authorization header or not, and whether its value starts with Basic. The other default configuration is the HTTP session. You know that sessions store the data of authenticated users.
In Spring Security, the default session creation policy is IF_REQUIRED, so Spring Security will create a session only when it needs one. The other default configuration is cross-site request forgery (CSRF) protection. Cross-site request forgery is an attack that forces an end user to execute unwanted actions on a web application. To avoid it, Spring Security uses a cookie and HTTP flags. For example, Spring Security sets the HttpOnly flag; with this, the browser does not expose the cookie to client-side scripts.
The last one is logout. The default logout path in Spring Security is /logout. After logout, Spring Security will redirect to /login with the logout parameter, and the default HTTP method is POST. Okay, these were the default Spring Security configurations. Now we will talk about our custom configurations and how we can customize them. The first one is that we can add cross-origin resource sharing (CORS) support.
Cross-origin resource sharing permits cross-origin requests. Cross-origin means outside of the origin, so we can say that cross-origin resource sharing allows a server to specify who, and which origins, can access the assets on the server. Cross-origin resource sharing is described with HTTP headers like Access-Control-Allow-Origin or Access-Control-Allow-Headers. Okay, that's all about cross-origin resource sharing. The second one is that we can describe public URLs.
These URLs can be reached by everybody without authorization. The third one is that we can describe URLs based on user roles. For example, certain paths can be reached only by admins, etc. The other one is that we can define the logout path. In Spring Security the default logout path is /logout, but we can change it with the logout request matcher.
The other one is about the login form. For the login form, we can change the login page, the login processing URL, the successful login path or the failed login page. The other one is that we can change the session policy. For example, we can use a stateless session; in that case, each and every request needs to be re-authenticated. We can use the never session policy.
In that case, the framework will never create a session itself, but it will use one if it already exists. Or we can use the always session policy; in that case a session will always be created if one doesn't already exist. The other customization can be disabling cross-site request forgery protection. If you want to work with different ports, you cannot use cross-site request forgery protection directly; to use it, you should describe a proxy between the ports. Okay, the customizations can be like that. The final thing we will talk about is the complete authentication process in Spring Security.
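As an added example (not code from the lesson itself), here are the customizations listed above written as one Spring Security 6 filter chain; the origin https://app.example.com and the paths /public/**, /admin/**, /signout and /home are assumed values.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
@EnableWebSecurity
public class CustomSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CORS: tell browsers which origins may call this server (source bean below)
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // public URLs first, then role-based URLs, everything else needs authentication
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/login").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(basic -> {}) // API clients keep sending "Authorization: Basic <base64>"
            // custom login page plus the success / failure redirect paths
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error"))
            // move the logout path away from the default POST /logout
            .logout(logout -> logout
                .logoutRequestMatcher(new AntPathRequestMatcher("/signout", "POST"))
                .logoutSuccessUrl("/login?logout"))
            // STATELESS: no HttpSession, so every request must carry its own credentials
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()); // only acceptable because no session cookie exists to ride
        return http.build();
    }
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // Access-Control-Allow-Origin (assumed)
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type")); // Access-Control-Allow-Headers
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Because the chain is STATELESS, a form login will not keep the user logged in between requests; clients must resend credentials (for example HTTP Basic) on every call, which is exactly the re-authentication described above.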
First of all, a request is sent from the client side, for example a login operation or a list operation. On the server side this request will be caught by a Spring Security filter. This filter can be the basic authentication filter. Later, Spring Security will check the Authorization header on this request. Authorization can be sent with a Basic header or a Bearer header, or it can be stored in the session. Later, Spring Security will parse the Authorization header and find the username and role information in it. Then, with this data, Spring Security will create an authentication object in the security context, and it will check the request path against this authentication object. If it is permitted, it will return the successful path; otherwise it will return the failure path.
Also with this response, we can reach the authentication object. This authentication object contains the authorities (I mean the roles of the user), the principal, user details and credentials. As a last thing, we should notice something: after login and logout, the default successful path will be the same, because the login path is /login and the successful logout path is /login with the logout parameter. So to handle both, we will check the authentication object or principal object to separate them: for logout the principal will be null, for login the principal will be the username. But we should also notice something here: for both cases, we will return an OK HTTP status, because both of them are successful operations.
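As an added example (not the lesson's own code), a handler for /login that separates the login and logout cases by the principal, as described above, and, going one step further than the lesson, also answers the failed-login redirect (/login?error); it assumes the default session-based configuration described earlier and Java 17 or newer.

```java
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LoginResultController {

    // A successful login, a successful logout (/login?logout) and a failed login
    // (/login?error) all land on this one path, so the handler must tell them apart.
    @GetMapping("/login")
    public ResponseEntity<Map<String, Object>> loginResult(
            @RequestParam(name = "error", required = false) String error) {
        if (error != null) {
            // failed login: the credentials were rejected and no authentication was created
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(Map.of("event", "login-failed"));
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // After logout the context is cleared; the anonymous filter may then insert an
        // AnonymousAuthenticationToken, so treat both null and anonymous as "no principal".
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return ResponseEntity.ok(Map.of("event", "logout", "principal", "none"));
        }
        // After login the principal carries the username and the granted authorities (roles)
        List<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).toList();
        return ResponseEntity.ok(Map.of("event", "login", "principal", auth.getName(), "roles", roles));
    }
}
```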
Okay, that's all about Spring Security configuration. Thank you.