How does SpringBoot get current user from ReactJS?
I trying to understand the codes of Full-stack web-application at https://github.com/callicoder/spring-security-react-ant-design-polls-app but I do not understand how does spring-boot know which current user is logging in.
this is ReactJS (front-end) code that calls the api.
export function getUserCreatedPolls(username, page, size) {
page = page || 0;
size = size || POLL_LIST_SIZE;
return request({
url: API_BASE_URL + "/users/" + username + "/polls?page=" + page + "&size=" + size,
method: 'GET'
});
}
And, this is spring-boot(back-end) code that receives variables from front-end
@GetMapping("/users/{username}/polls")
public PagedResponse<PollResponse> getPollsCreatedBy(@PathVariable(value = "username") String username,
@CurrentUser UserPrincipal currentUser,
@RequestParam(value = "page", defaultValue = AppConstants.DEFAULT_PAGE_NUMBER) int page,
@RequestParam(value = "size", defaultValue = AppConstants.DEFAULT_PAGE_SIZE) int size) {
return pollService.getPollsCreatedBy(username, currentUser, page, size);
}
- how does spring-boot get {UserPrincipal currentUser} from front-end?
- how does ReactJs sent {UserPrincipal currentUser} to back-end?
Solution
- It's a spring boot oauth jwt provider + resource server and ReactJs as the consumer
- ReactJs can consume the server resources ( rest api ) by sending and HTTP request, but it should first get an authorization for that (Token)
- The server will send JWT token after a success login
- then when reacteJs send an HTTP request, it actually inject extra information to the HTTP request which is the authorization token
- when the server get this request and before it reach the controller, the request pass throw a chain of filter ( spring security filter chain ) , look at this filter class method in the code link , after a success user authentication calling the SecurityContextHolder class to fill the security context with the current authenticated user ( User Principle ), and finally when the request reach the controller, our security context is filled up
@CurrentUser UserPrincipal currentUser, when you added UserPrincipal currentUser parameter to spring Controller methods, it will fill the object from the context automatically, you can do it by your self by calling the SecurityContextHolder class and get the current authenticated User... // Get The Jwt token from the HTTP Request String jwt = getJwtFromRequest(request); // Check The validation of JWT - if true the user is trusted if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) { Long userId = tokenProvider.getUserIdFromJWT(jwt); /* Note that you could also encode the user's username and roles inside JWT claims and create the UserDetails object by parsing those claims from the JWT. That would avoid the following database hit. It's completely up to you. */ // Get the user object UserDetails userDetails = customUserDetailsService.loadUserById(userId); UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()); authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request)); // Fill the security context with this user SecurityContextHolder.getContext().setAuthentication(authentication); ...
- Message Source with Spring Boot
- Compatible versions of bucket4j - NoSuchMethodError: 'void io.github.bucket4j.distributed.proxy.ClientSideConfig<init>(...)'
- Spring beans are not injected in flyway java based migration
- Spring React and Sessions.. how to keep session
- RestTemplate: Is there a way to protect jvm agains huge response size?
- JUnit testing got initializationError with java.lang.Exception: No tests found matching
- How to make Spring @ConditionalOnProperty check by if a property is present without value
- After adding "mariadb-java-client" maven dependency I get error "java.lang.NoClassDefFoundError: org.slf4j.Logger"
- No String-argument constructor/factory method to deserialize from String value ('')
- Spring Boot and Log4J database appender problems
- How do I check if a JWT token is valid in Spring Boot
- Spring Boot Prometheus Push Gateway: Metrics missing label
- Spring - RestClient - Http to POJO when information is only in headers?
- Spring security http only cookies authorization problem
- Spring: How to redirect back to the form after authenticating its POST request?
- Hibernate: How to keep PostgreSQL enum type up-to-date with Java enum?
- Spring Validator: Could not autowire. No beans of 'Validator' type found
- Adding a new HandlerInterceptor causes many existing tests to fail — how to fix or isolate it?
- spring-boot-starter-aop jar is missing with Spring Boot 4.0.0
- is @Transactional(isolation = Isolation.REPEATABLE_READ) enough for safe incrementing?
- Why SpringMVC Request method 'GET' not supported?
- Is it possible to inspect method invocations on a JDBI DAO using aspect-oriented programming?
- Spring Data Couchbase @JsonAnySetter / @JsonAnyGetter support
- Where should I store development credentials on a Spring Boot project?
- Annotation @ConditionalOnMissingBean not matching in test
- Spring Boot 4 tests not creating session cookie (springSessionRepositoryFilter missing from filter chain)
- How to mock JWT authentication in a Spring Boot Unit Test?
- Using Spring mockMvc to test optional path variables
- Spring : @Transactional @Scheduled method throws TransactionException
- Unable to store Enum in batch way with spring-jdbc NamedParameterJdbcTemplate