DEV Community: YEJIN LEE

Definition of Jwt and Use

YEJIN LEE — Mon, 16 Dec 2024 02:13:40 +0000

Jwt(Json Web Token)is an open standard for securely transmitting information between parties as a Json object.

Structure of Jwt

Jwt consist of three parts.

Header : Contain metadata about the token, such as the algorithm used for signing.
Payload : Include the actual data you want to share.
Signature : A cryptographic "seal" that ensures the data hasn't been tempered with.

These three parts are combined into a single, encoded String that is sent between the client and the server.

Why use Jwt

Authentication : After a user logs in, the server generates a Jwt and send it to client. The client stores this token and send it back with every request to prove, "I'm authenticated user!"
Authorization : The Jwt can include roles, So the server can easily check what the user is allowed to do.

How Jwt works

1- The user logs in with their credentials (username, pw etc..)
2- The server creates 'Refresh Token' and 'Access Token' and then send both token to client.

Refresh Token: A short lived token (ex) 15min)
Access Token: A long lived token (ex) 7 days)

3- The client stores
the Access Token (ex) RAM mememory, HttpOnly cookie)
and Refresh Token. (ex) HttpOnly cookie)

To store token in localStorage or SessionStorage isn't recommended, Because they are vulnerable to XSS(Cross-Site Scripting) attack.

4- The client sends the access token with every request to the server (Authorization header as Bearer )

5- The server verifies the token and processes the request.

6- Once the access token expires, the client can't use it anymore protected resources, So we should be issued access token by using refresh token.

7- If the refresh token expires, the user should log in again with their credentials.

How to use

(Planned to be added)

Adding

XSS: XSS allows attackers to inject and excute malicious scripts in a user's browser.
CSRF: CSRF tricks an authentication user into performing unintended actions on the website where the user is already authenticated.

Custom Annotation

YEJIN LEE — Mon, 02 Dec 2024 10:25:55 +0000

What is the Custom Annotation?

An annotation is a form of metadata that provides additional information about a program. It can influence how the program is compiled, run, or processed by tools and frameworks.

(metadata: Describe or provide info about
program elements like classes, methods, variables..)

Literally, a custom annotation refers to creating your own annotaion in Java!

How can we make Custom Anotation?

1 - Defining

@Retention(RetentionPolicy.RUNTIME) 
@Target(ElementType.METHOD)
public @interface MyAnnotation {
    String value() default "default value";
    int count() default 1;
}

I'll explain KeyComponent like @Retention, @Target later

2 - Using
Applying the Annotation that you made.

public class MyService {
   @MyAnnotation(value = "Hello! 안녕예진!", count = 3) <- !!
   public void myMethod() {
      System.out.println("Excuting myMethod");
   }
}

Accessing Annotation Values.

public class AnnotationProcessor {
   public static void main(String[] args) throws Exception {
     Method method = MyService.class.getMethod("myMethod");

     if (method.isAnnotationPresent(MyAnnotation.class)) {
       MyAnnotation annotation = method.getAnnotation(MyAnnotation.class)

     //Print annotation values
     System.out.println("value: " + annotation.value());
     System.out.println("Count: " + annotation.count());
    }
  }
}

Key Components of Annotations

@Retention

specifies how long the annotation is retained!

RetentionPolicy.SOURCE :
Discarded during compliation.
RetentionPolicy.CLASS :
Retained in the class file but not available at runtime.
RetentionPolicy.RUNTIME :
Available at runtime via reflection.

@Target

specifies where the annotation can be applied.

ElementType.TYPE : Classes, interfaces, or enums.
ElementType.METHOD : Methods.
ElementType.FIELD : Fileds.

Others include PARAMETER, CONSTRUCTOR, etc.

Attributes

Attributes in annotation are defined like methods inside the @interface.
All attributes in a custom annotation require a value unless a default is provided using default keyword.
All attributes must have a return type (String,int ..)
All attributes can't have parameters.

When I can use Custom Anotation.

There is a lot. I'll show you one.

1 - Defining

@Constraint(validateBy = NameValidator.class) 
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface ValidName {
    String message() dafault "Not found username";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] pay() default {};
}

@Constraint is an annotation used in the Bean Validation API. It is applied to define custom validation annotations.
(validateBy = NameValidator.class) means that
the NameValidator class contains the logic to validate the annotated element.

2 - Using
Applying the Annotation that you made.


public class NameValidator implements ConstraintValidator<ValidName, String> {
   @Override
   public boolean isValid(String value, ConstraintValidatorContext context) {
      return value != ull && value.matches("^[가-힣a-zA-Z]+$"); //permit only Kor or Eng
   }
}

public class UserRequest{
   @ValidName
   private String name;
}

By using annotations, it became possible to use only Korean and English for names.

Like these, It must improve your code readability and be reusable logic!

Multi Threading

YEJIN LEE — Mon, 02 Dec 2024 04:22:19 +0000

What is the Multi Thread?
A thread is the smallest unit of execution, and multithreading improves performance by enabling taskes to run simultaneously.

(sharing code, data, files)

It refers to the ability of a processor to execute multiple threads concurrently within a single process!

On a single-core CPU, threads are executed one at a time, switching so quickly that it apprears they run simultaneously.

For example, Google Chrome uses multithreading when handling multiple tabs and rendering web pages. Each tab is a separate process.

Page Rendering

You're scrolling a web page(Main Thread)
At the same time, a background thread is processing a large Json file fetched from an API.(Worker Thread)
The web page remains smooth and responsive because the heavy computation is offloaded to a worker thread.

Tabs and Isolation

You open two tabs, one playing a YouTube and the other loading a news website.
The video tab uses thread for video decoding, audio playback, and rendering, while the news tabs uses threads to load and display content!
Even if the news tab's scripts are slow, the video playback in the other tab remains unaffected.

but, It can also make problem..
DisAdvantages of Multithreading

1 - Race condition occurs when two or more threads attempt to modify shared data at the same time, leading to unpredictable results.

let's imagine two threads accessing a bank account balance.
if both thread read the balance at the same time, modify it without proper synchronization, the final balance could be incorrect ㅜ.ㅜ

2 - Deadlock happens when two or more threads are waiting for each other to release resources, resulting in a standstill.
This causes the threads to be stuck indefinitely, as no one can continue.

Thread A locks resource 1 and waits for resource 2,
while Thread B locks resource 2 and waits for resource 1.
Both threads are now blocked, causing a deadlock.

3 - Context Switching is the process where the CPU switches from executing one thread to another. When threre are many threads, the CPU spends a significant amount of time saving and loading states, which leads to performance degradation!

How can I use MultiThreading in server engineering?

A server needs to handle many incoming requests from multiple clients. the server can handle multiple client requests at the same time. Each request is assigned to a separate thread or thread pool, allowing them to be processed concurrently. without it, each request would have to be processed sequentially, which could significantly slow down response.

Session Login

YEJIN LEE — Sun, 24 Nov 2024 06:04:18 +0000

In a project conducted as a Springboot class, I was assign to make Session Login code. This project just require a simple CRUD with theme like bookstore, checkList and blog etc.. So I worked on the project with light heart, but I had a problem solving the error code for 10 hours.. Let me explain about session first!

Session

: It is temporary connection between a client and a server that allows the server to remember the client's state across multiple requests.
It ensures that the interation feels continuous, even though HTTP itself is stateless.(The server treats every request as new without remembering anyting about the client)

Session ID: A unique ID for each session created by the server. It is usually stored in a cookie on the client's browser.
Lifecycle: A session starts when a user connects to the server(ex) login) and ends when they logout, the session times out, or the sever terminates it.

If I use session when making login,

user connects to the server
publish SessionID
stock in a cookie
every subsequent request, the browser automatically includes the sessionID stored in the cookie
the server checks the sessionID against its session storage to confirm the user is authenticated and retreieves the associated user data.
excute the corresponding logic based on whether the session ID is valid.
If the user logout or remains inactive for too long, the session expires.

Problem Solving

When I look a log, I realized that the request was not coming to the desired controller of the url due to SecurityConfig.

CSRF(Cross-Site Request Forgery) :
It is security issue where a malicious site tricks a logged-in user in making unauthorized requests to another trusted site.

Why API Requests Fail Without CSRF Token

Spring Security expects the CSRF token to be sent with state-changing HTTP methods (ex) POST, PUT..). If the token is missing, the server rejects the request with 403 Forbidden

Why SSR View Requests Work Fine

In SSR (Server-Side Rendering), CSRF tokens are automatically included in HTML forms or cookies. When users submit a form, the token is sent with the request, allowing it to pass CSRF validation.

Since GET requests for HTML views are typically non-state-chainging, they don't require CSRF tokens.

Issue with Postman API Requests

When testing with Postman, the API request may not include the CSRF token. Since Postman doesn't automatically handle CSRF tokens like a browser does.
This is why the request didn't map correctly..ㅜ.ㅜ

Fortunately, I found the error on my own and fixed it! It was valuable experience as I realized the shortcomings of relying only on JWT token based login.