CSA Pop Quiz - Shaurya Goel

[STG-7]

Total: ( 0.95 + 0.80 + 0.90 + 0.90 ) / 4 = 3.55 / 4.0

Question 1 - Score: 0.95

Describe server_name definition and proxy_pass definition in your revrese_proxy configuration file

In the provided Nginx configuration, the server_name definition specifies that the server block applies to requests with the domain name "kasm1.nighthawkcodingsociety.com." The proxy_pass definition within the location / block forwards these requests to the Kasm workspace, which is running on https://localhost:8443, effectively acting as a reverse proxy for handling the specified domain.

Question 2 - Score: 0.80

Show JWT login process, split the browses screen and after login, go into a page that requires authentication and produces a cookie, that cookie can go into an io

JWT Login Process:

• User provides credentials:
• User enters their email and password in the login form on the front-end.
• Front-end initiates authentication request
• Front-end sends a POST request to the /authenticate endpoint on the back-end (Spring Boot application) with the user's credentials.
• Back-end processes authentication
• The Spring Boot back-end validates the user's credentials and, upon successful authentication, generates a JWT token.
• Front-end stores JWT securely

• The front-end securely stores the JWT token, often in an HTTP-only cookie or a secure storage mechanism. Code (explained with Mr. Mort)

     @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
  
      final Cookie[] cookies = request.getCookies();
      String username = null;
      String jwtToken = null;
      // Try to get cookie with name jwt
      if ((cookies == null) || (cookies.length == 0)) {
          logger.warn("No cookies");
      } else {
          for (Cookie cookie: cookies) {
              if (cookie.getName().equals("jwt")) {
                  jwtToken = cookie.getValue();
              }
          }
          if (jwtToken == null) {
              logger.warn("No jwt cookie");
          } else {
              try {
                  // Get username from the token if jwt cookie exists
                  username = jwtTokenUtil.getUsernameFromToken(jwtToken);
              } catch (IllegalArgumentException e) {
                  System.out.println("Unable to get JWT Token");
              } catch (ExpiredJwtException e) {
                  System.out.println("JWT Token has expired");
              } catch (Exception e) {
                  System.out.println("An error occurred");
              }
          }
      }
      // If no cookies have name jwt return warning
  
      // Once we get the token validate it.
      if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
  
          UserDetails userDetails = this.personDetailsService.loadUserByUsername(username);
  
          // if token is valid configure Spring Security to manually set
          // authentication
          if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
  
              UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
              usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
              // After setting the Authentication in the context, we specify
              // that the current user is authenticated. So it passes the
              // Spring Security Configurations successfully.
              SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
          }
      }
      chain.doFilter(request, response);
  }
  }

Question 3 - Score: 0.90

explain security config rules that are required for access in spring boot project, provide request matcher show commit, request matcher show authentication requirement

// Request Matchers and Authentication Rules
.authorizeHttpRequests(auth -> auth
    .requestMatchers("/authenticate").permitAll()
    .requestMatchers("/mvc/person/update/**", "/mvc/person/delete/**").authenticated()
    .requestMatchers("/api/person/**").authenticated()
)

• .requestMatchers("/authenticate").permitAll(): This configuration allows unauthenticated access to the "/authenticate" endpoint. Requests to this endpoint do not require users to be authenticated and can be accessed freely. /mvc/person/update/ and /mvc/person/delete/ Endpoints:

• .requestMatchers("/mvc/person/update/", "/mvc/person/delete/").authenticated(): These configurations specify that requests to endpoints matching the patterns "/mvc/person/update/" and "/mvc/person/delete/" require authentication. Users must be authenticated to access these protected endpoints. /api/person/** Endpoints:

• .requestMatchers("/api/person/").authenticated(): Requests to endpoints matching the pattern "/api/person/" also require authentication. Similar to the previous case, only authenticated users are allowed to access these protected API endpoints.

Question 4 - Score: 0.90

explain a pojo and changes to a pojo, show a pojo in vscode editor, highlight somehting you changed, show pojo result and data via postman

A POJO, is

• a Java class
• encapsulates data and behavior without requiring any special frameworks or inheritance from specific base classes

Changes to a POJO involve

• modifications to its fields, methods, or annotations, typically to accommodate evolving application requirements or to integrate with specific frameworks or libraries.