1
00:00:00,210 --> 00:00:07,830
In this video, let's try to understand how our passwords will be validated by Spring Security by default.

2
00:00:08,039 --> 00:00:11,260
So this is a diagram that you can try to understand.

3
00:00:11,520 --> 00:00:17,850
First, the user and his credentials, like admin is my username and 1234 is my

4
00:00:17,850 --> 00:00:18,390
password.

5
00:00:18,750 --> 00:00:26,850
As soon as the user enters the login, Spring takes the username and calls loadUserByUsername against the database,

6
00:00:27,060 --> 00:00:31,350
and it will try to get all the user details, including the password.

7
00:00:31,440 --> 00:00:37,200
Once it receives the password from the database, it will try to compare: what is the password that I

8
00:00:37,200 --> 00:00:43,360
have received from the user, and is it the same as, or equal to, the one in the database as well?

9
00:00:43,590 --> 00:00:48,570
If both match, it will allow further processing of the request.

10
00:00:48,810 --> 00:00:54,750
If not, it will throw a 401 Unauthorized error, which indicates that the login failed.

11
00:00:55,140 --> 00:01:00,280
This approach may look good for us, but it has a lot of issues in it.

12
00:01:00,780 --> 00:01:07,500
The very first issue that I can see is that you are storing user details like the password, which is very

13
00:01:07,500 --> 00:01:14,790
sensitive data, inside your database without any encryption, encoding or hashing.

14
00:01:15,210 --> 00:01:22,320
So that means you may say, like, my website has thousands of users or millions of users and I am storing

15
00:01:22,320 --> 00:01:29,730
all their credentials inside my database table and no one can access the table except the application.

16
00:01:29,880 --> 00:01:35,520
But still, there might be certain people who can access the table, whatever restrictions you

17
00:01:35,520 --> 00:01:41,820
can put, like your DBAs can see the passwords inside your table because you're storing them in plain

18
00:01:41,820 --> 00:01:48,570
text, and anyone can see my credentials and they can log into my bank application and they can perform

19
00:01:48,570 --> 00:01:52,190
whatever operations they need because they know my username and password.

20
00:01:52,320 --> 00:01:53,140
That's one issue.

21
00:01:53,340 --> 00:02:01,000
The other issue is you are sending passwords in plain text over the network, like from my client browser

22
00:02:01,050 --> 00:02:02,610
to your server back end.

23
00:02:02,610 --> 00:02:09,840
So that means you are exposing the most sensitive data inside your application, which is the password,

24
00:02:10,080 --> 00:02:14,010
over the network, which results in two types of issues.

25
00:02:14,020 --> 00:02:22,460
One is integrity issues, where your database administrators can look into the passwords, and confidentiality.

26
00:02:22,620 --> 00:02:28,530
Your application is not maintaining confidentiality: it is taking the password in plain text and it

27
00:02:28,530 --> 00:02:31,800
is communicating over the network using the plain text.

28
00:02:32,130 --> 00:02:38,280
If someone tries to intercept my request, they can see what my password is without any effort.

29
00:02:38,460 --> 00:02:44,940
So this is the default behavior provided by Spring Security, and there is no harm in following it

30
00:02:44,940 --> 00:02:53,160
if your application is only specific to lower environments like development and test environments,

31
00:02:53,340 --> 00:03:00,720
or your application does not have any valuable information stored inside it, and even your customers

32
00:03:00,720 --> 00:03:03,420
are fine if someone knows the password.

33
00:03:03,420 --> 00:03:07,110
So only in such scenarios should you follow this method.

34
00:03:07,290 --> 00:03:15,480
But we can always say 99 percent of our applications will not need this approach because it lacks a

35
00:03:15,480 --> 00:03:22,490
lot of security measures and it clearly exposes your passwords like anything to your database administrators

36
00:03:22,500 --> 00:03:24,030
or to the network.

37
00:03:24,210 --> 00:03:32,430
So to avoid this, we should try to encrypt or hash your passwords, or maybe, if your application is

38
00:03:32,610 --> 00:03:37,180
small enough where your users are fine to lose the password,

39
00:03:37,200 --> 00:03:39,780
at least you should try to encode your password.

40
00:03:39,990 --> 00:03:46,320
So we're speaking here a lot about encoding, hashing and encryption, but what's the difference between

41
00:03:46,320 --> 00:03:48,390
them, in what scenario, and how to use them?

42
00:03:48,570 --> 00:03:53,380
So let's try to look in detail, one by one, at them in the next

43
00:03:53,400 --> 00:03:54,690
video. Thank you.