Spring Boot Security

Uploaded by sriramgadde754

Authentication: the user has to log in with credentials, and only after successful authentication can the user access our system (checking that the user is who they claim to be).

It decides whether the user can access our system at all.
It happens before authorization.

Authorization: decides whether an already authenticated user may access a given functionality or resource in the system according to their privileges or roles (checking the role and providing functionality according to their roles and rights).
It happens after authentication.
Dependency (pom.xml):

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <scope>test</scope>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

After adding the dependency, Spring Boot provides default security: every endpoint is protected and a default login page is shown, with
username: user
password: auto-generated at startup and printed in the IDE console

Customized configuration (application.properties):
spring.security.user.name=umang
spring.security.user.password=umang

A request goes through the security filter chain (a series of filters). The filter that handles the type of authentication present in the request creates an Authentication object for it. That object is passed to the AuthenticationManager (an interface), which checks it through an AuthenticationProvider; on success the authenticated object is stored in the SecurityContext.

The default authentication filter is BasicAuthenticationFilter.


By default Spring Security protects every endpoint. When our requirement is to protect only some endpoints, we write a configuration class and override the default behaviour by declaring our own SecurityFilterChain bean.

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()            // CSRF off: acceptable for a stateless API, but leaves browser form-login sessions unprotected
            .authorizeRequests()
                .antMatchers("/balance").authenticated()
                .antMatchers("/statement").authenticated()
                .antMatchers("/myloan").authenticated()
                .antMatchers("/home").permitAll()
                .antMatchers("/contact").permitAll()
            .and().httpBasic()           // Authorization: Basic header (Postman, curl)
            .and().formLogin();          // default login page (browser)
        return http.build();
    }
}

http.formLogin(); // when the request comes from a browser it is authenticated through the default login page, which is displayed to the user. This authentication is used for browser requests.
http.httpBasic(); // when the request comes from Postman (or any non-browser client) it is authenticated by passing the username and password in the Authorization header (in Postman select Authorization > Basic Auth). This authentication is used for requests that come from something other than a browser.
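The same filter chain written against the Spring Security 6 / Spring Boot 3 lambda DSL, as an added example that is not part of the notes (the notes use the Spring Security 5 API, where antMatchers and the chained csrf().disable() style still exist; antMatchers was removed in 6.0). The path list is the one from the notes; the /api/** and /admin/** paths and the ADMIN role rule are assumptions added to show how CSRF is kept on for browser sessions and off only for the stateless API paths:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays on for the form-login (session cookie) paths; it is ignored only
            // for the stateless /api/** paths (assumed path) that non-browser clients call
            // with Basic auth, where there is no session cookie a cross-site page could ride on.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/home", "/contact").permitAll()
                .requestMatchers("/balance", "/statement", "/myloan").authenticated()
                .requestMatchers("/admin/**").hasRole("ADMIN")   // assumed admin area
                // explicit rule for every path not listed above, so a forgotten
                // endpoint is never left open by accident
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())   // Authorization: Basic header (Postman, curl)
            .formLogin(Customizer.withDefaults());  // default login page (browser)
        return http.build();
    }
}
```

The order of the requestMatchers rules matters: the first matching rule wins, so the permitAll and specific rules come before the anyRequest() catch-all.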

How to authenticate multiple users

Three ways to authenticate users:

LDAP (Lightweight Directory Access Protocol)

LDAP is used when an in-house API is used inside an organization: company employees want to access the company API, so LDAP authentication is used.

The directory server holds the username and password of each employee. Whenever a request comes from a company employee, it is checked against the directory server to confirm that it really comes from a company employee; only a valid request moves forward.

It is used for in-house authentication.


IN MEMORY AUTH
It is used when the users are few and known in advance, so the user credentials are configured inside the project itself.

HOW MANY WAYS WE CAN CONFIGURE USER CREDENTIALS IN SPRING BOOT SECURITY

Passwords should be stored encoded (hashed) within the project:


@Bean
public UserDetailsService users() {
    // the {bcrypt} prefix tells the DelegatingPasswordEncoder which algorithm produced the hash
    UserDetails user = User.builder()
        .username("umang")
        .password("{bcrypt}$2a$16$hRQC2gQ5wiQvrpQQl8VGhexla2JMKyy.9BAgDaAF.M6oMGZ2JdwW6")
        .roles("USER")
        .build();
    UserDetails admin = User.builder()
        .username("rajan")
        .password("{bcrypt}$2a$16$RN6AXHp1PPRg9kaiUX6msu7l5iMkrv7cr5IpigVsxVtj2PfeUEsqG")
        .roles("USER", "ADMIN")
        .build();
    return new InMemoryUserDetailsManager(user, admin);
}

Methods to encode a password (each one encodes and then checks the result with matches() as a self-test):

public String bcryptPasswordEncoder(String password) {
    // strength 16 = 2^16 rounds; the library default is 10, so 16 is about 64x slower per login
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(16);
    String result = encoder.encode(password);
    System.err.println(encoder.matches(password, result));
    return result;
}

public String argon2PasswordEncoder(String password) {
    // the no-arg constructor is deprecated from Spring Security 5.8; defaultsForSpringSecurity_v5_8() is the replacement
    Argon2PasswordEncoder encoder = new Argon2PasswordEncoder();
    String result = encoder.encode(password);
    System.err.println(encoder.matches(password, result));
    return result;
}

public String pbkdf2PasswordEncoder(String password) {
    // no-arg constructor deprecated from 5.8; use Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8()
    Pbkdf2PasswordEncoder encoder = new Pbkdf2PasswordEncoder();
    String result = encoder.encode(password);
    System.err.println(encoder.matches(password, result));
    return result;
}

public String scryptPasswordEncoder(String password) {
    // no-arg constructor deprecated from 5.8; use SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8()
    SCryptPasswordEncoder encoder = new SCryptPasswordEncoder();
    String result = encoder.encode(password);
    System.err.println(encoder.matches(password, result));
    return result;
}

UserDetailsService works together with a PasswordEncoder, so by default it expects the stored password to be encoded and prefixed with the id of the algorithm (for example {bcrypt}, {argon2}). If we do not want to encode, we have to say so explicitly by declaring a NoOpPasswordEncoder bean; otherwise the error There is no PasswordEncoder mapped for the id "null" is thrown.

@Bean
public PasswordEncoder passwordEncoder() {
    // plain-text comparison: only for local development, never for real accounts
    return NoOpPasswordEncoder.getInstance();
}

Now we can store the password without encoding:

UserDetails user = User.builder()
    .username("umang")
    .password("umang")
    .roles("USER")
    .build();
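An added example (not from the notes) that ties the encoder methods, the {bcrypt} prefix and the "no PasswordEncoder mapped for the id "null"" error together. When no PasswordEncoder bean is declared, Spring Security falls back to the DelegatingPasswordEncoder from PasswordEncoderFactories, which reads the {id} prefix to choose the algorithm; the program below shows what that encoder does with a prefixed hash, an unprefixed hash and a {noop} password. The password values are constructed sample data:

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordEncoderDemo {

    public static void main(String[] args) {
        // Default delegating encoder: encodes with bcrypt and prefixes the result with {bcrypt}
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = delegating.encode("umang");            // e.g. {bcrypt}$2a$10$...
        System.out.println("stored form starts with {bcrypt}: " + stored.startsWith("{bcrypt}"));

        // matches() picks the bcrypt delegate from the prefix and compares the hash
        System.out.println("correct password: " + delegating.matches("umang", stored));   // true
        System.out.println("wrong password:   " + delegating.matches("wrong", stored));   // false

        // A hash stored WITHOUT the prefix (for example produced by a bare BCryptPasswordEncoder
        // and copied into the user store) has no id, so the delegating encoder cannot tell which
        // algorithm to use. This is exactly the error quoted in the notes.
        String unprefixed = new BCryptPasswordEncoder().encode("umang");
        try {
            delegating.matches("umang", unprefixed);
        } catch (IllegalArgumentException e) {
            System.out.println("unprefixed hash: " + e.getMessage());
            // prints: There is no PasswordEncoder mapped for the id "null"
        }

        // {noop} marks a plain-text password; the delegating encoder accepts it without a
        // NoOpPasswordEncoder bean, which is why it is only suitable for throwaway dev accounts.
        System.out.println("{noop} password: " + delegating.matches("umang", "{noop}umang"));  // true

        // upgradeEncoding() tells a UserDetailsPasswordService that this stored value should be
        // re-hashed with the current default algorithm the next time the user logs in.
        System.out.println("{noop} needs upgrade: " + delegating.upgradeEncoding("{noop}umang"));  // true
    }
}
```

With the delegating encoder in place the in-memory users from the notes work unchanged, because their hashes already carry the {bcrypt} prefix; declaring the NoOpPasswordEncoder bean instead replaces the delegating encoder entirely, so every stored password must then be plain text.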
JDBC AUTH
It is used when our API is used by users globally, so the user credentials are stored in a database.
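An added example (not from the notes) of the JDBC variant of the same user store: JdbcUserDetailsManager reads users and authorities from Spring Security's default users and authorities tables through the application's DataSource. The seeded account and its role are assumptions for illustration, and the password is stored hashed through the delegating encoder rather than as plain text:

```java
import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;

@Configuration
public class JdbcAuthConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // {id}-prefixed hashes, bcrypt by default
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Users and roles now live in the database (default schema: users(username, password, enabled)
    // and authorities(username, authority)); Spring Security queries them on every login.
    @Bean
    public UserDetailsManager users(DataSource dataSource, PasswordEncoder encoder) {
        JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);

        // Seed one account on first start (assumed sample account). The hash is computed here,
        // so the plain password never reaches the database.
        if (!manager.userExists("umang")) {
            UserDetails user = User.builder()
                .username("umang")
                .password(encoder.encode("umang"))
                .roles("USER")
                .build();
            manager.createUser(user);
        }
        return manager;
    }
}
```

The default table definitions ship inside spring-security-core at the classpath location held in JdbcDaoImpl.DEFAULT_USER_SCHEMA_DDL_LOCATION; pointing spring.sql.init.schema-locations at it (or creating equivalent tables in the project's own migration) is what makes the queries above find their tables.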

JWT (JSON WEB TOKEN)

https://jwt.io/introduction
JWT is token-based security, like an OTP: the client proves itself once and afterwards presents a token instead of the credentials.

WORK FLOW OF A JWT TOKEN

The client sends a request to the server with its username and password. The server authenticates the credentials; if they are valid, the server generates a JWT and sends the token to the client in the response. When the client then wants to access a secured resource, it sends the request to the server together with the token. The server validates the token: if it is valid it sends the correct response to the client, otherwise it sends an error response.

OAuth works in a similar way (open authorization: we can log in to a website without registering on it, through a third-party app such as Gmail, GitHub or Facebook).
Open authorization:
Create a JWT and sign it with the private key of rapipay in the signature section of the token, then send it to the third-party vendor. The vendor verifies with rapipay's public key that the token really comes from rapipay and issues a bearer token to rapipay; rapipay can then access the vendor's other APIs with this bearer token. The bearer token has an expiry time.
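An added example (not from the notes) that carries both flows above through in code with plain JDK cryptography, no JWT library: the issuing side ("rapipay") signs the token with its private key, and the verifying side checks the signature with the public key only, then the issuer and expiry claims. The minimal regex claim parsing, the 2048-bit key pair generated on the fly and the subject "umang" are constructed for the demo; a real service would load a persisted key pair and use a JSON parser:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// RS256 JWT issue/verify pair: header.payload.signature, each segment base64url without padding.
public class JwtRs256Demo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final Pattern EXP = Pattern.compile("\"exp\":(\\d+)");
    private static final Pattern ISS = Pattern.compile("\"iss\":\"([^\"]*)\"");
    private static final Pattern SUB = Pattern.compile("\"sub\":\"([^\"]*)\"");

    // Issuer side: called only after the username/password check has succeeded.
    static String issue(PrivateKey key, String issuer, String subject, long ttlSeconds)
            throws GeneralSecurityException {
        long exp = Instant.now().getEpochSecond() + ttlSeconds;
        String header = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}");
        String payload = b64("{\"iss\":\"" + issuer + "\",\"sub\":\"" + subject + "\",\"exp\":" + exp + "}");
        String signingInput = header + "." + payload;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    // Verifier side: needs only the public key; returns the subject or throws.
    static String verify(PublicKey key, String token, String expectedIssuer)
            throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("token must have three segments");
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // pin the algorithm on the verifier side: the token never chooses how it is verified
        if (!header.contains("\"alg\":\"RS256\"")) throw new SecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(B64D.decode(parts[2]))) throw new SecurityException("signature does not verify");
        // signature is good, so the claims can be trusted; now check who issued it and whether it is still valid
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        if (!expectedIssuer.equals(claim(ISS, payload))) throw new SecurityException("wrong issuer");
        long exp = Long.parseLong(claim(EXP, payload));
        if (Instant.now().getEpochSecond() >= exp) throw new SecurityException("token expired");
        return claim(SUB, payload);
    }

    private static String claim(Pattern p, String payload) {
        Matcher m = p.matcher(payload);
        if (!m.find()) throw new SecurityException("missing claim " + p.pattern());
        return m.group(1);
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuerKeys = gen.generateKeyPair();   // constructed for the demo

        // 1. credentials checked, token issued: the "login" response
        String token = issue(issuerKeys.getPrivate(), "rapipay", "umang", 300);
        // 2. the client presents the token; the verifier holds only the public key
        System.out.println("subject = " + verify(issuerKeys.getPublic(), token, "rapipay"));

        // 3. a payload changed in transit (subject swapped) fails the signature check
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"iss\":\"rapipay\",\"sub\":\"rajan\",\"exp\":9999999999}") + "." + p[2];
        try { verify(issuerKeys.getPublic(), forged, "rapipay"); }
        catch (SecurityException e) { System.out.println("forged token rejected: " + e.getMessage()); }

        // 4. an expired token is rejected even though its signature is valid
        String expired = issue(issuerKeys.getPrivate(), "rapipay", "umang", -1);
        try { verify(issuerKeys.getPublic(), expired, "rapipay"); }
        catch (SecurityException e) { System.out.println("expired token rejected: " + e.getMessage()); }
    }
}
```

The order inside verify() is deliberate: the signature is checked before any claim is read, so issuer and expiry are only trusted once they are known to come from the private-key holder, and the exp check is what gives the bearer token the expiry time the notes mention.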
