This is not a bug, just a slight oversight in the directions and perhaps some naivety on my part. The image merely implies posting the required parameters, appearing to be {username, email, role, password}. I was seeing the error
JSON parse error: Cannot construct instance of `java.util.HashSet` . . . to deserialize from String value ('ROLE_ADMIN')
Then it occurred to me: surely a user can have all the roles, so it must require an array.
Your tutorial was so easy and amazing. I don't need a lot of time to implement your tutorial.
But how about making roles dynamically with a Role CRUD and setting the user to that role with some privileges?
Cookies are maintaining token information and username and password information,
so principal user details are obtained from the cookie information.
A clever user can easily manipulate the cookie information and claim to be another user,
and can also edit authorities information in the cookie and claim additional accesses.
Also, multiple users can have the same role.
Role-specific accesses keep restrictions on the columns in a table;
row-wise filtering is supposed to be handled by Principal details.
Although the word Principal is used in many places, functionally it is just retrieving this information from cookies instead of a token.
Also, the authentication server is not implemented as an independent Spring Boot application, keeping the controller web accesses in a separate application.
Generic authorities like read_all, add_all etc. are not handled at all, compromising the usability of the application.
It slows down drastically when the number of users is more than 100 and
the number of controller classes and number of authorities is more than 500.
Usually for micro controller architecture this count is high, and no efficiency considerations are addressed.
It seems it requires lots of changes, and requires a new solution altogether to address all the above issues.
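The post above describes a user editing the authorities stored in the cookie. Whether such an edit is honoured comes down to one check: the server must verify the token's signature before trusting any claim in it. The following is an added example, not the tutorial's Java/jjwt code: a minimal HS256 verification in stdlib Python, run over a constructed cookie header; the cookie name `demo-jwt` and the secret are assumed values.

```python
import base64, hashlib, hmac, json
from http.cookies import SimpleCookie

# Constructed demo secret; the real application keeps its own signing key.
SECRET = b"constructed-demo-secret-not-a-real-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: header.payload.signature (what the server does at login)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes):
    """Return the claims only if the signature is valid; None for anything else."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse 'none' or other algs
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 or JSON
        return None

def edit_roles_claim(token: str, roles: list) -> str:
    """Simulate the edited cookie from the post: new roles, original signature kept."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["roles"] = roles
    return f"{h}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"

def token_from_cookie_header(header: str, name: str = "demo-jwt"):
    """Pull the JWT out of a raw Cookie request header (assumed cookie name)."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None

if __name__ == "__main__":
    issued = sign_token({"sub": "alice", "roles": ["ROLE_USER"]}, SECRET)
    cookie_header = f"JSESSIONID=constructed; demo-jwt={issued}"  # constructed request header
    print(verify_token(token_from_cookie_header(cookie_header), SECRET))
    print(verify_token(edit_roles_claim(issued, ["ROLE_USER", "ROLE_ADMIN"]), SECRET))
```

The first print shows the original claims; the second prints None because the edited payload no longer matches the signature, so the server must not grant the extra role.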
I did the tutorial on this link to Spring Boot 3. Everything is fine with register and auth. I got the cookie, but when I tried to access /api/test/mod I always got 401. I tried with Postman, exactly like the tutorial, and with the Python requests library.
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeHttpRequests().requestMatchers("/api/auth/**").permitAll()
        .requestMatchers("/api/test/**").permitAll()
        .requestMatchers(h2ConsolePath + "/**").permitAll()
        .anyRequest().authenticated();
    // fix H2 database console: Refused to display ' in a frame because it set 'X-Frame-Options' to 'deny'
    http.headers().frameOptions().sameOrigin();
    http.authenticationProvider(authenticationProvider());
    // JWT filter runs before the username/password filter on every request
    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
And I get this error, even though I permitted the h2-console: {"path":"/h2-ui","error":"Unauthorized","message":"Full authentication is required to access this resource","status":401}
I also get a 401 response when I want to sign up via Postman.