1
00:00:00,240 --> 00:00:07,500
In this video, let's try to implement PreFilter and PostFilter annotations to achieve method level security

2
00:00:07,650 --> 00:00:10,020
inside our application. For the same,

3
00:00:10,170 --> 00:00:17,250
if we can remember, we have a Contact Us page inside our application where anyone can go ahead without

4
00:00:17,250 --> 00:00:22,600
logging in and submit their contact request details to the bank staff.

5
00:00:22,890 --> 00:00:26,310
So this is the controller which we have written previously.

6
00:00:26,520 --> 00:00:33,210
As you can see, there is a method saveContactInquiryDetails which will eventually save the details

7
00:00:33,210 --> 00:00:36,780
to the database and will return a service request number to the UI.

8
00:00:37,530 --> 00:00:38,010
Here,

9
00:00:38,250 --> 00:00:41,670
I just wanted to apply pre-filtering conditions.

10
00:00:41,700 --> 00:00:46,340
Again, this has nothing to do with authorization because this is an open page.

11
00:00:46,470 --> 00:00:53,550
I just want to show you that these annotations like PreAuthorize, PreFilter, PostAuthorize or PostFilter,

12
00:00:53,730 --> 00:00:55,270
all these kinds of annotations,

13
00:00:55,290 --> 00:01:02,880
you don't have to tie them only with authorization or authentication, but you can tie them to any of the requirements

14
00:01:02,880 --> 00:01:03,620
that you have.

15
00:01:03,660 --> 00:01:11,700
So here you can see, if someone sends me a request from the UI, or if there is no page at all inside my

16
00:01:11,700 --> 00:01:18,810
application, if someone is invoking my API through the backend, non-web applications, in such scenarios,

17
00:01:18,930 --> 00:01:27,900
I want to have a check using PreFilter where if a user entered the contact name as test, that means someone

18
00:01:27,900 --> 00:01:34,400
is trying to do testing on my application, and I don't want to save those details into my database.

19
00:01:34,590 --> 00:01:40,340
So for the same, I have made these configuration changes, like using PreFilter. This filterObject

20
00:01:40,350 --> 00:01:44,300
is the object that my code will refer to,

21
00:01:44,490 --> 00:01:46,250
and inside this Contact object

22
00:01:46,260 --> 00:01:47,460
we have a contactName.

23
00:01:47,640 --> 00:01:55,020
If someone sends a value which is equal to test, then this method will not be invoked and eventually

24
00:01:55,020 --> 00:02:01,830
an exception will be thrown to the UI application or any backend that is invoking this method.

25
00:02:02,190 --> 00:02:03,780
So now we made the changes.

26
00:02:04,140 --> 00:02:06,800
Let's try to restart our application.

27
00:02:07,230 --> 00:02:09,030
I came to the UI here.

28
00:02:09,030 --> 00:02:13,590
We can go to the Contact Us page and we don't need any login credentials for that.

29
00:02:13,860 --> 00:02:17,530
I'm entering the value as test in the name.

30
00:02:17,550 --> 00:02:21,690
This is the value that we are testing in the backend, and for email

31
00:02:21,690 --> 00:02:28,560
I enter something like test@email.com. Subject will be hello.

32
00:02:28,950 --> 00:02:30,030
Message will be,

33
00:02:30,510 --> 00:02:33,350
this is a test message.

34
00:02:33,630 --> 00:02:35,820
So now I'm clicking send message.

35
00:02:36,180 --> 00:02:40,410
I should not get a successful message from the backend.

36
00:02:40,650 --> 00:02:43,470
As you can see, on clicking send message,

37
00:02:43,470 --> 00:02:46,380
nothing is happening, and you can check in the console.

38
00:02:46,380 --> 00:02:49,590
I'm getting a 500 error because this is not an authorization error.

39
00:02:49,920 --> 00:02:52,080
That's the reason we are not getting 403.

40
00:02:52,410 --> 00:02:54,020
Instead we're getting a 500 error.

41
00:02:54,240 --> 00:03:00,420
If this is an API which only authorized users can access, then in that scenario we should have got

42
00:03:00,570 --> 00:03:01,710
a 403 error.

43
00:03:02,010 --> 00:03:09,870
So this way we can stop the execution of a method based upon the parameters that we are using by leveraging

44
00:03:09,870 --> 00:03:11,160
the PreFilter annotation.

45
00:03:11,550 --> 00:03:13,950
Now let's try to implement the PostFilter annotation.

46
00:03:13,950 --> 00:03:22,530
Also, I just replaced this Pre with Post because I have a requirement where I should accept anything

47
00:03:22,530 --> 00:03:29,640
that is coming from the front end or from someone calling my API, and I should save all those details inside

48
00:03:29,640 --> 00:03:30,510
my database.

49
00:03:30,780 --> 00:03:37,320
But if someone sent a contact name with test, I should not send any service request

50
00:03:37,320 --> 00:03:40,170
number details to them, because I know they are just testing.

51
00:03:40,290 --> 00:03:42,780
I don't want to give a service request number

52
00:03:42,780 --> 00:03:43,160
to them.

53
00:03:43,470 --> 00:03:50,340
So in such scenarios we can use PostFilter, which means our method business logic will be executed,

54
00:03:50,520 --> 00:03:56,250
but the user will not get the return details that my method is giving back to them.

55
00:03:56,400 --> 00:03:59,370
So in order to do that, let's try to restart this application.

56
00:03:59,370 --> 00:04:00,900
And I'm keeping a breakpoint here.

57
00:04:01,050 --> 00:04:07,350
And I can assure you that the contact details will be eventually saved to the database, and due to an exception

58
00:04:07,350 --> 00:04:09,780
coming from the PostFilter annotation,

59
00:04:09,990 --> 00:04:14,580
the records that are saved into the database will not be rolled back, as we discussed previously.

60
00:04:14,730 --> 00:04:17,880
So you can see here, now we have two contact details.

61
00:04:18,300 --> 00:04:24,000
Now I'll go to the UI, we'll be going to the Contact Us page and entering the same details, test.

62
00:04:24,210 --> 00:04:28,700
And trying to type the right email. Subject is hello everybody.

63
00:04:28,710 --> 00:04:32,760
Message is, this is a simple test message.

64
00:04:32,940 --> 00:04:36,870
I'm clicking send and the breakpoint will stop here.

65
00:04:37,200 --> 00:04:41,460
That means the framework is not stopping the method invocation.

66
00:04:41,580 --> 00:04:48,420
It will let the details save into the database, but you will not get any response.

67
00:04:48,780 --> 00:04:55,610
The reason is the 500 which was triggered by the backend due to the configurations

68
00:04:55,620 --> 00:04:59,850
that we made. Let's try to go and see in the backend whether our record

69
00:04:59,950 --> 00:05:07,930
is saved or not by executing the query. As you can see here, my record is saved into the database, even

70
00:05:07,930 --> 00:05:14,830
though there is a 500 exception that came. The record has not been rolled back because Spring framework

71
00:05:15,040 --> 00:05:19,950
will treat these exceptions as security related exceptions only.

72
00:05:20,230 --> 00:05:25,800
That's why it will never roll back the transactions that happen inside that method.

73
00:05:26,140 --> 00:05:28,960
So due to this reason, please be very careful

74
00:05:28,960 --> 00:05:35,050
while using PostFilter, and PreFilter will always give an assurance that your business logic will never

75
00:05:35,050 --> 00:05:41,920
get executed if the authorization rules or any other rules that you configure are not met.

76
00:05:42,130 --> 00:05:50,560
I hope this makes sense to you and how we can apply filtering authorization on top of your methods inside

77
00:05:50,560 --> 00:05:58,000
any layer of your web application or non-web application, compared to our traditional way of implementing

78
00:05:58,000 --> 00:05:59,830
it on paths,

79
00:05:59,830 --> 00:06:07,330
MVC paths. With this, we'll close this section by discussing a summary of what we discussed in this section

80
00:06:07,330 --> 00:06:08,290
in the next video.

81
00:06:08,320 --> 00:06:08,820
Thank you.

82
00:06:08,830 --> 00:06:09,270
And bye.
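The two controller variants the video walks through, written out as an added example that is not the course's own code. It assumes a Spring Boot application with Spring Security method security switched on (`@EnableMethodSecurity` on a configuration class, Spring Security 6), plus a hypothetical `Contact` class and `ContactRepository` defined at the bottom of the file. Because `@PreFilter` and `@PostFilter` operate on collection-like values (a `Collection`, array, `Map` or `Stream`), the endpoint here accepts a `List<Contact>` rather than a single object; the SpEL expression and the `"Test"` marker value mirror the video and are assumptions, not a recommended authorization rule.

```java
package com.example.contact;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example, not the video's code. Requires @EnableMethodSecurity on a
// configuration class so the Pre/Post annotations are intercepted.
@RestController
public class ContactController {

    private final ContactRepository contactRepository; // hypothetical repository
    private final AtomicInteger counter = new AtomicInteger(1000);

    public ContactController(ContactRepository contactRepository) {
        this.contactRepository = contactRepository;
    }

    // @PreFilter runs BEFORE the method body. Spring Security iterates the
    // List<Contact> argument, evaluates the expression against each element
    // (exposed as filterObject) and removes the elements for which it is false.
    // A contact named "Test" therefore never reaches the body and is never saved.
    @PreFilter("filterObject.contactName != 'Test'")
    @PostMapping("/contact")
    public List<Contact> saveContactInquiryDetails(@RequestBody List<Contact> contacts) {
        // With an all-"Test" payload the list arrives empty and nothing is written.
        return contacts.stream()
                .map(this::assignServiceRequestNumber)
                .map(contactRepository::save)
                .collect(Collectors.toCollection(ArrayList::new));
    }

    // @PostFilter runs AFTER the method body. Every contact is saved first; only
    // then is the RETURNED list filtered, so a "Test" caller gets no service
    // request number back, but the row already exists in the database.
    // The returned collection must be mutable, hence the ArrayList.
    @PostFilter("filterObject.contactName != 'Test'")
    @PostMapping("/contact-save-all")
    public List<Contact> saveAllThenFilterResponse(@RequestBody List<Contact> contacts) {
        return contacts.stream()
                .map(this::assignServiceRequestNumber)
                .map(contactRepository::save)
                .collect(Collectors.toCollection(ArrayList::new));
    }

    private Contact assignServiceRequestNumber(Contact contact) {
        contact.setServiceRequestNumber("SR" + counter.incrementAndGet());
        return contact;
    }
}

// Hypothetical model, kept minimal for the example.
class Contact {
    private String contactName;
    private String contactEmail;
    private String subject;
    private String message;
    private String serviceRequestNumber;

    public String getContactName() { return contactName; }
    public void setContactName(String contactName) { this.contactName = contactName; }
    public String getContactEmail() { return contactEmail; }
    public void setContactEmail(String contactEmail) { this.contactEmail = contactEmail; }
    public String getSubject() { return subject; }
    public void setSubject(String subject) { this.subject = subject; }
    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
    public String getServiceRequestNumber() { return serviceRequestNumber; }
    public void setServiceRequestNumber(String n) { this.serviceRequestNumber = n; }
}

// Hypothetical persistence boundary; in a real project this would be a
// Spring Data repository.
interface ContactRepository {
    Contact save(Contact contact);
}
```

The practical distinction is the one the video stresses: `@PreFilter` trims the input before the body runs, so the rejected rows are never written, while `@PostFilter` only trims what is returned, after any write has already been committed by the body. If the goal is to keep unwanted data out of the database, `@PreFilter` (or ordinary request validation) is the tool; `@PostFilter` only controls what the caller sees. The same SpEL expressions can reference the authenticated principal (for example `authentication.name`), which is how these annotations are normally tied to authorization rather than to a marker value in the payload.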