1. JWT Signup and/or Login Process:
    • JSON Web Tokens (JWT) are commonly used for authentication. The process typically involves a user signing up or logging in by providing credentials.
    • The server validates the credentials and generates a JWT.
    • The client stores the JWT and includes it in the headers of subsequent requests for authentication.
  2. POJO (Plain Old Java Object) and Changes:
    • POJO is a Java object without any special restrictions. It’s used to represent data.
    • Changes to a POJO involve modifying its attributes or adding/removing methods based on the requirements.
  3. Security Configuration Rules:
    • Security rules may include access control, encryption, and authentication mechanisms.
    • Access rules can be defined in the server configurations, specifying who can access which resources.
  4. Docker and Updating Applications:
    • Docker is a containerization platform. It allows packaging applications and their dependencies into containers.
    • To update a Docker application, you create a new container image with the updated code, and then deploy it.
  5. Route 53 and Domain Setup:
    • Amazon Route 53 is a scalable Domain Name System (DNS) web service.
    • The process involves registering a domain, configuring DNS settings, and pointing the domain to the appropriate resources (like an API server).
  6. API Access Code and Error Handling (403 Redirect):
    • API access code involves making HTTP requests using a programming language (e.g., JavaScript with fetch).
    • Error handling typically includes checking HTTP status codes. A 403 status might require redirecting the user to a login page.
  7. Managing CORS Policies through Nginx and Java:
    • CORS (Cross-Origin Resource Sharing) policies control which domains can access resources from your server.
    • In Nginx, you can set up CORS headers to allow or restrict cross-origin requests.
    • In Java, you may also need to configure CORS handling in your application.
  8. Reverse Proxy (server_name to proxy_pass):
    • A reverse proxy (like Nginx) forwards requests from clients to servers.
    • server_name in Nginx specifies which server block should handle a request based on the domain.
    • proxy_pass is used to pass requests to a specified backend server.

1: JWT Sign In/Login

  1. Login Request
    1. Send with credentials to a endpoint to authenticate - provide username and password
  2. APIController receives request. AuthManager Checks to see if the credentials are genuine
    1. If so, it wil generate a JWT token and send it back as a cookie to put into the cookies section of a browser
    2. If not, there is no current redirect, but you could redirect a person to a different endpoint, either to sign up, or to redo their authentication
    3. THE client will include that cookie in all subsequent requests
  3. JwtRequestFilter then will get any further requests, get the HWT, read the header, payload, and signature (payload contains all the actual information/claims) and validate th token
    1. If authenticated, moves forward with the claims
    2. If not authenticated, it’ll send a 403 err

  4. Cookies: You can store the JWT in a cookie and send it back to the server with each request. This is a simple and widely-supported option, but it has some limitations. For example, you can’t access cookies from JavaScript on a different domain, and some users may have cookies disabled in their browser settings.

  5. Local storage: You can store the JWT in the browser’s local storage (localStorage) or session storage (sessionStorage). This option allows you to access the JWT from JavaScript on the same domain, but it is vulnerable to cross-site scripting (XSS) attacks, where an attacker can inject malicious code into your application and steal the JWT from the storage.

  6. HttpOnly cookie: You can store the JWT in an HttpOnly cookie, which is a cookie that can only be accessed by the server and not by client-side JavaScript. This option provides some protection against XSS attacks, but it is still vulnerable to other types of attacks, such as cross-site request forgery (CSRF). Explain a POJO and changes to a POJO

2: POJO

A POJO is a class that has no extensions, and requires no specific gnomencalture to its mehtods. Some properties include:

  1. No argument constructor, and all argument constructor
  2. Getter/Setter function
  3. Additional Business logic methods
  4. Serializable, POJOs can be serialized
  5. JavaBean
  6. POJOs can be ported from sprig to other containers with little modification.

3: Security Configuration

Security Filter Chain

Allows you to authorize requests only for certain pages, or to permit all for certain parts. thing /authenticate having .perimitAll() and update .authenticated() or give some auth with hasAuthority("Teacher")

You can also customize CORS by using the following commands to help write to headers

.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Credentials", "true"))
					.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-ExposedHeaders", "*", "Authorization"))
					.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Headers", "Content-Type", "Authorization", "x-csrf-token"))
					.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-MaxAge", "600"))
					.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Methods", "POST", "GET", "OPTIONS", "HEAD"))

4: Updating Docker

Use the following script

sudo docker-compose kill # kill all processes on the build
git pull # pull updates
sudo docker-compose build --no-cache # Build without saving stuff to cache
sudo docker-compose up -d # set the compose to up; deploy

Cool troubleshooting commands

5: Route 53