I am trying to build my first website using Spring boot + ReactJS and MySQL.
It's essentially a gym website where users can create an account, sign in and then choose a membership + checkout etc.
What I have done so far is:
Spring Boot REST Api for creating a new customer + other CRUD features.
React Front End Registration form with Spring boot server validation, the form posts the data to the REST api using axios.
I have a design in figma of the website and I've been working on that in the meanwhile because honestly, i am stuck.
Some problems I'm facing:
Spring Security, I have used JSP before and it was easier for me to get the hang of it since it is server sided and I just had controller methods etc. Now that I'm using react I have no idea how the security function would work with Spring Boot.
Since the front and back end are served on different ports, how would my Spring configure
method look like? (The class that extends WebSecurityConfigurerAdapter).
How do I restrict access to URL's on the front end using React Router? Since Spring Boot and React router are both on different ends I am struggling to understand how that works? What about the API endpoints being accessible as well.
Authentication + Authorization, I've looked up tutorials and I've pretty much only seen Authentication by the use of JWT tokens when working with Spring Boot + React, is there no other option other than JWT? (For me it looks really confusing so I'd like to know if there's a valid alternative or not) - if not , why JWT?
I know Spring Security on its own is a complicated framework and I've read a alot about it, though some concepts do confuse me. (UserDetailsService vs UserDetails, Types of Authentication Managers you get)
In general, the integration of Spring Boot with a SPA such as react, if someone could explain the flow of how it functions on both the front and back end.
Not long ago i had similar problems like u. I would suggest to check out this tutorial: https://youtu.be/VVn9OG9nfH0
It should answer all of your questions.
Related
So I have a Spring Boot app, with an Angular Front-end. My plan is to embed Tomcat in the Spring Boot app for routing, reverse proxies, etc. What I want to happen is the user types in the URL, the Spring Boot tomcat server figures out if there is a domain linked to that request and so on, however if the user types in the specified IP and Port it brings up the Admin Panel which is the Angular CLI application which already has injections, and Authentication and session control. I don't want people being routed to the Admin Panel unless that condition is filled. I would like the http request to go to the tomcat server and if the condition is met then it pulls up the Angular App. However, I am not quite sure how one would go about this, is it possible to call the Angular app from the Spring application?
Update:
After hearing some feedback I made a diagram to help explain what I am looking for:
Routing Diagram, so in this a client or user would type in "https://example.com/" in their browser, it would first go to angular being the frontend, angular realizes it does not have the example.com resource so it requests just example.com/ from the backend, which knows where the resource is and then injects the html file back into the front end. The only time in which a user would be greeted with the login page I have constructed is if they have typed in the primary IP address of the server, which I would probably end up injecting by some variable from the backend as the front end wouldn't know what the IP is... thats a different issue I would have to solve. Is there a better way to do this? Should I be using React.js instead of angular? so far my application structure is very similar to this github repository: https://github.com/liliumbosniacum/spring-security-angular I have modified it and fixed some of the code and am looking into better ways but this was my starting point. I really hope this clarifies, I am looking for if there is a better way to do this or if this is not how it should be done how should it be done? like just an explanation with a diagram on what a better way would be? and Is Angular the Right front end for me?
What I understand from your problem is that you want your Spring boot app to route requests to views created by your Angular program and need some authentication features.
For me, I'd rather divide the project into frontend and backend and use JWT tokens, but for your situations you can have a look on this official Spring documentation. It's a detailed post that integrates Spring boot and Angular, and it also deals with Spring security.
I'm making a challenge that I need to do a credit analysis and use some architectural concepts, which I was in doubt about "API's". It needs to be developed in spring boot which I already did. The conditions of the challenge are:
Frontend / Backend.
Api concept backend containing swagger documentation of endpoints.
API for registration and consultation of proposals.
Credit engine API that will review the proposal and make the credit limit decision.
I'm in doubt about steps 3 and 4 where API's are required. What does he mean by that? Do I need to create new Spring boot projects that communicate with each other? What is the best way to dealing with API's?
Thank you!
Your HTML form (e.g. registering proposal) will call API with all the form values as key=value pair, your API (Spring Controller) will accept those key=value and process it, apply your business logic, store to database, etc. You can go thru spring boot guides to get more idea, one of such guide for submitting form:
https://spring.io/guides/gs/handling-form-submission/
https://hellokoding.com/handling-form-submission-example-with-java-spring-boot-and-freemarker/
https://medium.com/#grokwich/spring-boot-thymeleaf-html-form-handling-762ef0d51327
Also you can go thru spring boot pet project, a sample showcase app developed with most of spring mvc capabilities.
Is it possible to forget the authentication, jwt login stuff and security for now and implement it later?
I choosed java for my restful service back-end for my game, but i'm having such a hard time setting up a simple login system with a mysql database, jwt authentication and spring boot. I followed a great tutorial, but it's only concerning Spring boot, not JWT security.
I would like to move forward and implement the security later if possible.
Right now i just gave up and i'm doing simple apis with just spring boot based on this architecture : https://github.com/djdjalas/SpringBootIn50/tree/master/src/main/java/com/yourname, i replaced the fake data with jdbc calls to the mysql database. Is it ok? Will it be hard to implement autentication later when i will have many services?
Thank you.
Spring Security itself is hard to understand and master in the way it should be done as it requires more understanding of the processes behind its configuration. Anyway, if you get familiar with it you won't have serious difficulties here. There will be no major changes to your code. You'll end up generally with one more configuration class/file and this is it.
Can't say anything about JWT but don't think it will be a problem either.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?
I was wondering if it's possible to integrate Spring Security 3 into a GAE application without having to bring the whole Spring + Spring MVC stack with it. Every example I've seen so far has Spring Beans and / or Spring MVC in it
What I want to do is basically implement generic authentication (basic register, login, logout, reset password, etc), include OpenID, Google Authentication, Facebook Authentication, etc all in one place - Spring Security does this quite nice.
Or alternatively, I would prefer to have as few libraries as possible and roll my own, does anyone have a link or some great resource on setting up an authentication service that allows logging in with Custom Login, Google, Facebook, etc without the use of Spring Security?
You can not use Spring MVC, but anyway you need spring core.
Answer to this question is highlighted in spring security FAQ:
http://docs.spring.io/spring-security/site/faq/faq.html#faq-what-dependencies
More detailed about dependesies you can find here:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies