1 00:00:00,210 --> 00:00:05,620 In this video, let's try to see how to actually configure authorities for any application.
2 00:00:05,760 --> 00:00:11,640 So there are many ways we can configure authorities in the Spring Security framework, a few of
3 00:00:11,640 --> 00:00:19,020 them using methods like hasAuthority, hasAnyAuthority and access. So the hasAuthority method
4 00:00:19,020 --> 00:00:25,230 will accept a single authority value for which the user will be validated.
5 00:00:25,410 --> 00:00:32,220 Whether he or she has that authority; only then will they be allowed to access that endpoint.
6 00:00:32,220 --> 00:00:40,610 Whereas hasAnyAuthority means you can pass multiple values, like WRITE, DELETE.
7 00:00:40,860 --> 00:00:47,790 And if the user has any of those authorities configured for them, then they will be allowed to access
8 00:00:47,790 --> 00:00:48,600 the endpoint.
9 00:00:48,600 --> 00:00:55,770 At the same time, if we have a very complex condition which we can't configure using the simple approaches
10 00:00:55,770 --> 00:01:03,180 like hasAuthority, hasAnyAuthority, we can leverage the access method, which will accept an expression
11 00:01:03,420 --> 00:01:06,180 based upon the Spring Expression Language.
12 00:01:06,540 --> 00:01:13,140 It provides you unlimited possibilities, like any complex scenario. Say I want to have a scenario
13 00:01:13,380 --> 00:01:20,700 where a user who has DELETE access but not WRITE access should be able to access this.
14 00:01:20,880 --> 00:01:29,010 In such scenarios, we can use the access method and leverage logical operators as well, like
15 00:01:29,010 --> 00:01:33,380 OR, AND, NOT, for our authorization configurations.
16 00:01:33,600 --> 00:01:40,170 So let's try to go to the code and do some simple configuration and perform testing around it to
17 00:01:40,170 --> 00:01:43,800 understand the things around authority in a clearer manner.
18 00:01:44,220 --> 00:01:49,800 This is the previous configuration that we have done for all the URLs that we have.
19 00:01:49,920 --> 00:01:52,050 We protect the user,
20 00:01:52,050 --> 00:01:59,160 my account, my balance, my loans, my cards URLs, whereas notices and contact are permitted for
21 00:01:59,160 --> 00:02:01,160 everyone without authentication.
22 00:02:01,260 --> 00:02:06,290 So when there is no authentication, there is no authorization that we can configure.
23 00:02:06,480 --> 00:02:11,190 Due to that reason, we can't configure authorization for open
24 00:02:11,190 --> 00:02:19,030 URLs like notices and contact, but we can perform or configure authorization for the secured
25 00:02:19,130 --> 00:02:21,450 URLs like my account,
26 00:02:21,450 --> 00:02:30,540 my balance. Here, instead of an indicator like authenticated, which indicates any person who is authenticated
27 00:02:30,810 --> 00:02:32,040 can access this
28 00:02:32,040 --> 00:02:37,050 URL, I don't want the access to be for all the users.
29 00:02:37,200 --> 00:02:44,970 I want to allow only particular users who have a specific authority. For such scenarios,
30 00:02:45,120 --> 00:02:51,900 I can remove this authenticated, which is a free form of accessing the URL for all the authenticated
31 00:02:51,900 --> 00:02:52,560 users.
32 00:02:52,770 --> 00:02:57,540 Instead, I will use hasAuthority here.
33 00:02:57,780 --> 00:03:04,340 I can say someone who has the WRITE authority can access my account.
34 00:03:04,680 --> 00:03:14,670 Similarly, I can mention my balance can be accessed by someone who has the authority READ. For my loans,
35 00:03:14,880 --> 00:03:19,470 I would say DELETE. Did you notice? There is no naming convention
36 00:03:19,500 --> 00:03:21,300 that we have to follow here.
37 00:03:21,810 --> 00:03:22,950 This is a string.
38 00:03:23,340 --> 00:03:26,040 We can configure any value that we want.
39 00:03:26,280 --> 00:03:33,220 And at the same time, my cards, I'm saying, can be accessed by everyone who authenticated successfully.
40 00:03:33,660 --> 00:03:40,620 Now, for this authorization configuration to validate a particular user, we should first configure
41 00:03:40,620 --> 00:03:42,630 authorities inside the database.
42 00:03:42,840 --> 00:03:46,530 Let's try to go to the database and understand how we can do this.
43 00:03:46,830 --> 00:03:53,670 Previously, we had a customer table where we have customer details like email, password and his role.
44 00:03:53,880 --> 00:03:58,740 But here you can see we can only configure one role or one authority.
45 00:03:59,490 --> 00:04:06,480 But we want to have a scenario where a single user can have multiple authorities, and so for such
46 00:04:06,480 --> 00:04:07,140 scenarios
47 00:04:07,380 --> 00:04:13,260 we can't go with a single table, but we should create one more table where we can store
48 00:04:13,260 --> 00:04:16,560 all the authorities of a user. For that purpose,
49 00:04:16,709 --> 00:04:24,840 I have created a table called authorities and inserted a few records for the customer happy, and the customer
50 00:04:24,840 --> 00:04:32,580 happy has authorities called WRITE and READ, and authorities and customer have a foreign key relationship
51 00:04:32,580 --> 00:04:34,140 using customer ID.
52 00:04:34,830 --> 00:04:39,150 So now we have configured in the database that a single customer
53 00:04:39,450 --> 00:04:44,040 can have many authorities. The scripts associated with this table
54 00:04:44,040 --> 00:04:50,100 creation and record insertion I have mentioned in the SQL script inside the workspace.
55 00:04:50,400 --> 00:04:52,680 Now we have done the database configuration.
56 00:04:52,800 --> 00:04:57,180 Now, for the JPA configuration, we have to do some changes.
57 00:04:57,420 --> 00:04:59,300 So inside our Customer entity,
58 00:05:00,080 --> 00:05:06,220 I have added a one-to-many mapping between the Customer and Authority entities, and that's what you can see here:
59 00:05:06,470 --> 00:05:12,850 one-to-many, mapped by a variable customer in the Authority entity, and the fetch type should be
60 00:05:12,850 --> 00:05:18,800 EAGER. So EAGER means whenever I'm trying to load customer details, I want to load the
61 00:05:19,020 --> 00:05:21,810 authority details as well.
62 00:05:21,990 --> 00:05:27,500 And since there are multiple values, we are holding them in a Set, and JsonIgnore
63 00:05:27,500 --> 00:05:33,080 will make sure that we are not passing the authority details to the front end, so that people who are
64 00:05:33,080 --> 00:05:37,510 using the front end will not know what authorities a particular user has.
65 00:05:37,610 --> 00:05:39,140 This is for security concerns.
66 00:05:39,170 --> 00:05:42,690 Similarly, we can go and check the Authority entity in detail.
67 00:05:42,710 --> 00:05:49,940 So here we have a table defined as authorities, and we have a name where we define the authority name for
68 00:05:49,940 --> 00:05:58,280 each and every record, and we configure many-to-one, like multiple authorities can be mapped to a single
69 00:05:58,280 --> 00:05:58,760 customer.
70 00:05:58,790 --> 00:06:04,940 That's why we have mentioned many-to-one, and the join column is customer ID between both Authority
71 00:06:04,940 --> 00:06:05,780 and Customer.
72 00:06:06,020 --> 00:06:08,800 With this, we have done the JPA configuration also.
73 00:06:09,050 --> 00:06:12,500 Now, let's try to go to our authentication provider here.
74 00:06:12,500 --> 00:06:20,240 Right now we are using the role column mentioned inside our customer table, but now we change it to
75 00:06:20,240 --> 00:06:29,630 a different table called authorities. For the same reason, instead of getRole, we should call getAuthorities
76 00:06:29,810 --> 00:06:30,020 too.
77 00:06:30,020 --> 00:06:36,440 What we can do is, I have created a helper method getGrantedAuthorities which will accept the set of authorities
78 00:06:36,440 --> 00:06:39,340 and convert them into a list of GrantedAuthority.
79 00:06:39,380 --> 00:06:48,980 What I will do here is I can call getGrantedAuthorities and pass into it the authorities of the first
80 00:06:48,980 --> 00:06:53,300 customer record, and pass these details through.
81 00:06:53,480 --> 00:06:57,800 And now we don't need these two statements here. With this,
82 00:06:57,830 --> 00:07:04,100 you can see here we will take the authorities from the database and we iterate record by
83 00:07:04,100 --> 00:07:10,850 record and create a SimpleGrantedAuthority by passing the authority, which is of type String.
84 00:07:11,240 --> 00:07:16,010 So now my Spring Security also holds the authorities details.
85 00:07:16,400 --> 00:07:23,060 When someone tries to access this endpoint, it will try to validate whether the particular user has
86 00:07:23,360 --> 00:07:24,800 this authority or not.
87 00:07:25,220 --> 00:07:34,580 So in these examples, you can see a user happy who has the authorities READ and WRITE set up, so we can
88 00:07:34,580 --> 00:07:43,430 mention that right now the user happy, who has the authority READ and WRITE, can access these two endpoints
89 00:07:43,550 --> 00:07:51,890 and my cards as well, and user as well, because my cards and user are allowed for any authenticated
90 00:07:51,890 --> 00:07:59,840 user, whereas my account, my balance, my loans are allowed only based upon authority, and happy does
91 00:07:59,840 --> 00:08:01,460 not have the authority DELETE.
92 00:08:01,760 --> 00:08:05,100 He should not be able to access my loans.
93 00:08:05,140 --> 00:08:08,750 So let's try to test that by starting the server.
94 00:08:09,900 --> 00:08:17,190 The server also started successfully. Let me try to launch it, enter the credentials, click Sign in,
95 00:08:17,460 --> 00:08:23,070 and now I'm clicking on Account. I should be able to access it. Yes.
96 00:08:23,610 --> 00:08:31,140 I go back and click on my account, my balance, and I should be able to access them. I'm able to access
97 00:08:31,140 --> 00:08:31,350 them.
98 00:08:31,680 --> 00:08:36,679 But coming to loans, I should have the DELETE authority to access it.
99 00:08:36,690 --> 00:08:43,590 But since I don't have it in this scenario, I should get an error 403, which indicates I'm
100 00:08:43,590 --> 00:08:45,930 not authorized to use this feature.
101 00:08:46,350 --> 00:08:51,890 Clicking on loans, you can see nothing is coming, and if you go and check in the console,
102 00:08:52,260 --> 00:09:00,300 we get a response from the server saying 403, which indicates that this user is not authorized
103 00:09:00,300 --> 00:09:02,100 to access my loans.
104 00:09:02,100 --> 00:09:09,540 So with this, we understand how to configure authorities and how to validate them.
105 00:09:09,970 --> 00:09:20,310 Here you can see a single user has multiple authorities like READ, WRITE, DELETE, but you can use roles to
106 00:09:20,310 --> 00:09:29,430 club all such authorities and create a role indicating all such privileges that the user can have,
107 00:09:29,880 --> 00:09:31,410 like an ADMIN role.
108 00:09:31,410 --> 00:09:34,290 ADMIN can READ, DELETE,
109 00:09:34,470 --> 00:09:41,070 WRITE, whereas a role USER should be able only to retrieve the data.
110 00:09:41,430 --> 00:09:48,510 If we have such a requirement where I want to group all my privileges or authorities under roles, then
111 00:09:48,510 --> 00:09:54,630 we also have role based authentication and authorization in Spring Security.
112 00:09:54,810 --> 00:09:57,840 Let's try to understand how we can do that in the next video.
113 00:09:58,060 --> 00:09:58,520 Thank you.
114 00:09:58,530 --> 00:09:58,910 And bye.
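As an added example (editor's code, not the course's or video's own), here are the three authorization styles the lecture describes, hasAuthority, hasAnyAuthority and a SpEL access expression, written against the Spring Security 5.x HttpSecurity API (authorizeRequests/antMatchers/access(String); in Spring Security 6 the string expression goes through WebExpressionAuthorizationManager instead), together with a helper that turns authority rows into GrantedAuthority objects. The endpoint-to-authority mapping is chosen to show all three forms and is not the lecture's exact mapping; the Authority class is a hypothetical stand-in for the JPA entity.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AuthoritiesDemoConfig {

    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // hasAuthority: exactly this one authority is required
            .antMatchers("/myAccount").hasAuthority("WRITE")
            // hasAnyAuthority: holding any one of the listed values is enough
            .antMatchers("/myBalance").hasAnyAuthority("READ", "WRITE")
            // access: SpEL for the "DELETE but not WRITE" case from the lecture
            .antMatchers("/myLoans").access("hasAuthority('DELETE') and !hasAuthority('WRITE')")
            // any authenticated user, regardless of authorities
            .antMatchers("/myCards", "/user").authenticated()
            // open URLs: no authentication, so nothing to authorize against
            .antMatchers("/notices", "/contact").permitAll()
            .and().formLogin()
            .and().httpBasic();
        return http.build();
    }

    // Hypothetical stand-in for the JPA Authority entity (one row per authority name).
    public static class Authority {
        private final String name;
        public Authority(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Converts the authority rows loaded with the customer into what Spring Security
    // compares against; the names are plain strings, so "WRITE" must match exactly.
    public static List<GrantedAuthority> getGrantedAuthorities(Set<Authority> authorities) {
        List<GrantedAuthority> granted = new ArrayList<>();
        for (Authority authority : authorities) {
            granted.add(new SimpleGrantedAuthority(authority.getName()));
        }
        return granted;
    }
}
```

A user holding only READ and WRITE gets 200 on /myAccount and /myBalance but 403 on /myLoans, which is the behaviour the lecture tests in the browser console.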