1 00:00:00,210 --> 00:00:06,510 In this video, let's try to understand the @PreAuthorize and @PostAuthorize annotations
2 00:00:06,510 --> 00:00:08,810 in order to achieve method level security.
3 00:00:08,830 --> 00:00:15,360 So for the same, first I just wanted to tell you, we have the my loans path, which can be accessed by
4 00:00:15,360 --> 00:00:17,780 a user who has a role ROOT.
5 00:00:17,880 --> 00:00:22,550 But in our application, we don't have any role with the name ROOT.
6 00:00:22,560 --> 00:00:24,440 We have only USER and ADMIN.
7 00:00:24,510 --> 00:00:30,170 So for that reason, this path is always not accessible for our logged-in user.
8 00:00:30,180 --> 00:00:37,810 So let's try to test that. Once I'm going to my UI application and entering the login credentials, I'm able to login.
9 00:00:37,830 --> 00:00:43,080 Now I'm clicking loans and you can see I'm not getting any response.
10 00:00:43,200 --> 00:00:46,710 The reason behind that is the 403 error. Now
11 00:00:46,710 --> 00:00:54,930 what I will do is I will make this my loans path to be accessible by any authenticated user by replacing
12 00:00:54,930 --> 00:00:57,610 this hasRole with authenticated().
13 00:00:57,930 --> 00:01:05,370 So with this change, after I restart my application, I should be able to access the loans page as well.
14 00:01:05,610 --> 00:01:07,230 Let our application start.
15 00:01:07,380 --> 00:01:14,010 Once our application is started, we can go to our login page and enter our credentials. Now inside our
16 00:01:14,010 --> 00:01:14,670 application,
17 00:01:14,670 --> 00:01:21,930 if you click on loans, you will get a response from the backend. Even though I don't have the role ROOT, since
18 00:01:22,080 --> 00:01:28,090 now I opened this path, my loans, to any authenticated user, I'm able to access it now.
19 00:01:28,410 --> 00:01:36,780 So now for this loans page, let's try to put some method level security by using @PreAuthorize and
20 00:01:36,780 --> 00:01:37,850 @PostAuthorize. For that,
21 00:01:37,860 --> 00:01:41,640 first, I have to go to my configuration class.
22 00:01:41,670 --> 00:01:43,890 On top of this configuration class,
23 00:01:44,130 --> 00:01:47,740 I have to keep an annotation @EnableGlobalMethodSecurity
24 00:01:47,760 --> 00:01:55,620 by passing three parameters. prePostEnabled will help me to enable the annotations @PreAuthorize
25 00:01:55,620 --> 00:02:04,940 and @PostAuthorize, securedEnabled is for @Secured, and jsr250Enabled is for @RolesAllowed,
26 00:02:05,100 --> 00:02:10,979 but now we will use only @PreAuthorize and @PostAuthorize, because in the same manner we can also apply @Secured
27 00:02:10,979 --> 00:02:16,830 and @RolesAllowed, but @Secured and @RolesAllowed have limitations in that they can't leverage
28 00:02:16,830 --> 00:02:20,040 Spring Expression Language just like @PreAuthorize and @PostAuthorize.
29 00:02:20,430 --> 00:02:24,590 So due to that reason I'm giving a demo using @PreAuthorize and @PostAuthorize.
30 00:02:24,720 --> 00:02:29,910 So now I have enabled the global method security by using this annotation.
31 00:02:30,060 --> 00:02:36,510 And if you can observe, we have not made any changes inside our pom.xml because this comes from
32 00:02:36,510 --> 00:02:42,090 the Spring Security base package itself, and you don't have to import any other dependencies.
33 00:02:42,090 --> 00:02:46,890 Now, I'll go to my loan repository again.
34 00:02:46,890 --> 00:02:53,580 You can keep this method level security on any layer, like repository layer, controller layer, or service
35 00:02:53,580 --> 00:02:53,910 layer.
36 00:02:54,120 --> 00:03:00,900 So in this scenario, I'm just keeping it on my repository layer by using the @PreAuthorize annotation.
37 00:03:00,900 --> 00:03:07,510 And here, since we have roles defined inside our application, but not the authorities, I'm using
38 00:03:07,510 --> 00:03:07,920 hasRole.
39 00:03:08,310 --> 00:03:16,050 And I will mention if someone has the ROOT role, then they should be able to invoke this method, otherwise
40 00:03:16,350 --> 00:03:18,410 they should not be able to invoke it.
41 00:03:18,420 --> 00:03:20,220 So we have made these changes.
42 00:03:20,220 --> 00:03:22,710 Let's try to restart our application.
43 00:03:22,950 --> 00:03:30,690 And logging out from the UI, if I try to log in again. Previously, we were able to see the loans page because
44 00:03:30,690 --> 00:03:32,490 there were no restrictions on the roles.
45 00:03:32,730 --> 00:03:39,780 But now I have kept my method level security using the @PreAuthorize annotation, so I'm trying to login
46 00:03:40,260 --> 00:03:41,900 and entering 12345
47 00:03:41,910 --> 00:03:42,660 as the password.
48 00:03:42,810 --> 00:03:45,510 I'm able to login into the application.
49 00:03:45,630 --> 00:03:52,260 Now, if I click on the loans tab, I will not get any response, with the same error 403.
50 00:03:52,530 --> 00:03:59,670 So as you can see now, we made our application have method level security instead of path level security,
51 00:03:59,850 --> 00:04:01,560 especially for the loans page.
52 00:04:02,040 --> 00:04:07,410 So in this way we can apply some method level security using @PreAuthorize.
53 00:04:07,600 --> 00:04:13,890 Now let's try to do the same using the @PostAuthorize annotation, where I'll just replace the previous one with
54 00:04:13,890 --> 00:04:14,610 @PostAuthorize.
55 00:04:14,610 --> 00:04:20,910 But instead of here, I will just keep it at the controller layer so that you can understand that in any layer
56 00:04:20,910 --> 00:04:24,540 we can keep this. I'll go to the loans controller.
57 00:04:24,780 --> 00:04:27,150 And I'm keeping it on top of this method.
58 00:04:27,480 --> 00:04:35,040 If someone has role ROOT, then only they will be able to get the results from this method.
59 00:04:35,040 --> 00:04:36,900 Otherwise they will not get the results.
60 00:04:37,200 --> 00:04:39,780 But still the method will be executed.
61 00:04:39,960 --> 00:04:47,130 I can show you that by keeping a breakpoint. Now, I will restart my application and I'm entering my
62 00:04:47,130 --> 00:04:48,120 credentials again.
63 00:04:48,420 --> 00:04:49,290 I'm logged in.
64 00:04:49,290 --> 00:04:50,790 I'm clicking on loans.
65 00:04:50,940 --> 00:04:57,180 You can see the breakpoint has stopped here, and the call will go to the database and I'm able to
66 00:04:57,510 --> 00:04:59,820 get the loan details from the database.
67 00:05:00,470 --> 00:05:07,520 But the same details will not be passed to the UI because the user does not have role ROOT.
68 00:05:08,380 --> 00:05:16,330 As you can see, my method is executed, but the user did not receive the results because he's not authorized
69 00:05:16,330 --> 00:05:22,930 to receive the results from the method due to the authorization rules that we defined using the @PostAuthorize
70 00:05:22,930 --> 00:05:23,470 annotation.
71 00:05:23,950 --> 00:05:27,830 Due to that, he will get an error 403, which indicates forbidden.
72 00:05:28,090 --> 00:05:31,000 So in this way, we can also apply post authorization rules.
73 00:05:31,360 --> 00:05:38,500 But please do remember your logic defined inside the method will be executed, and even in the case of an
74 00:05:38,770 --> 00:05:41,530 exception thrown by the security framework,
75 00:05:41,890 --> 00:05:48,790 the database transactions will not be rolled back, which you have to always consider while using the @PostAuthorize
76 00:05:48,790 --> 00:05:49,420 annotation.
77 00:05:49,640 --> 00:05:55,420 At the same time, if you have a requirement similar to checking the authorities of the user,
78 00:05:55,660 --> 00:06:00,340 then you can always rely on hasRole, hasAuthority, hasAnyAuthority.
79 00:06:00,700 --> 00:06:07,510 But if you have a complex requirement where you want to validate based upon the data that is being returned, or based
80 00:06:07,510 --> 00:06:15,430 upon the data that is being sent by the caller, in all those scenarios we can always use hasPermission
81 00:06:15,730 --> 00:06:19,120 inside your annotation, @PreAuthorize and @PostAuthorize.
82 00:06:19,360 --> 00:06:24,010 And this hasPermission by default will use Spring Expression Language.
83 00:06:24,340 --> 00:06:30,280 And if we have some scenarios where even with Spring Expression Language you are not able to achieve it, and you
84 00:06:30,280 --> 00:06:38,890 want to write your own custom code, in such scenarios you have to implement PermissionEvaluator inside
85 00:06:38,890 --> 00:06:40,760 your custom class that you are writing.
86 00:06:41,080 --> 00:06:45,880 So once you implement this interface, there are two methods, hasPermission, with the same name but
87 00:06:45,940 --> 00:06:52,870 different parameters, which you can override, and you can see here these methods will get the Authentication object
88 00:06:52,870 --> 00:06:54,340 of the current logged-in user,
89 00:06:54,520 --> 00:07:01,030 and what is the return type object that your method is returning, along with the permission that you
90 00:07:01,030 --> 00:07:01,780 want to apply.
91 00:07:02,140 --> 00:07:10,420 So you can write all your custom code inside this method, and the Spring framework will use this PermissionEvaluator
92 00:07:10,420 --> 00:07:16,540 to consider your custom requirements, which is a complex scenario.
93 00:07:16,960 --> 00:07:23,740 But ideally, most of your authorization requirements can be achieved using
94 00:07:23,740 --> 00:07:24,980 @PreAuthorize and @PostAuthorize.
95 00:07:25,750 --> 00:07:29,290 I hope you understand what we have done in this lecture.
96 00:07:29,770 --> 00:07:35,950 In the next video, let's try to understand how to apply authorization rules using filtering.
97 00:07:36,370 --> 00:07:36,880 Thank you.
98 00:07:36,880 --> 00:07:38,500 And see you in the next lecture. Bye.
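Added example (not the course's own code) pulling together the pieces the lecture walks through: @EnableGlobalMethodSecurity with its three flags, @PreAuthorize checked before the method body runs, @PostAuthorize checked on returnObject after the body has already run, and a custom PermissionEvaluator wired in so that hasPermission() in the expressions calls it. It assumes Spring Security 5.x (GlobalMethodSecurityConfiguration) and Java 16+; LoanService, Loan, LoanPermissionEvaluator, the 'read' permission and the sample e-mail are illustrative names, not from the course.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

// prePostEnabled turns on @PreAuthorize/@PostAuthorize; the other two flags enable @Secured and
// @RolesAllowed, which take plain role names and cannot use Spring Expression Language.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new LoanPermissionEvaluator()); // backs hasPermission() in SpEL
        return handler;
    }
}
// Illustrative domain type (assumption): a loan belongs to one customer, identified by e-mail.
record Loan(long id, String customerEmail) {}
// Custom hasPermission() logic: only the owning customer may 'read' a loan.
class LoanPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return target instanceof Loan loan && "read".equals(permission)
                && loan.customerEmail().equals(auth.getName());
    }
    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object perm) {
        return false; // id-based variant is not used by the expressions below
    }
}
@Service
class LoanService {
    // Checked BEFORE the call: without ROLE_ROOT the body never runs and the caller gets 403.
    @PreAuthorize("hasRole('ROOT')")
    public List<Loan> findAll() { return List.of(new Loan(1, "alice@example.com")); }
    // Checked AFTER the call: the body (and any database work inside it) runs first; if the
    // expression on returnObject is false the result is withheld and the caller gets 403.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    public Loan findById(long id) { return new Loan(id, "alice@example.com"); }
}
```

Whether the @PostAuthorize rejection rolls back database work done inside findById depends on where the transaction boundary sits relative to the security interceptor, so keep side effects out of methods guarded only by @PostAuthorize.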