Posts

Showing posts from April, 2026

Learning about OAuth2 Server.

OAuth 2.0 is an authorization protocol: it is used for authorization, not authentication. Case: a user wants to access some resource (client-to-server communication).
- Step 1: Hit the URL abc.xyz.com (this URL is protected; any resource under it requires authorization).
- Step 2 (the authentication part, done by Spring Security, not by OAuth2): the URL triggers a login page to first validate who the user is.
- Step 3: The user authenticates, and the authorization server redirects the browser back to the client (which is requesting the resource) with an authorization code.
- Step 4: Now the client has the authorization code; it hits the authorization server's token endpoint with that code (plus its own client credentials), and the authorization server returns an access token.
- Step 5: Now the client has the access token; it presents the token to the resource server to get the resource.
WHY AN AUTHORIZATION CODE AND NOT THE ACCESS TOKEN DIRECTLY???
- As the user is anom
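The exchange in steps 3 to 5, as an added example that is not code from the post or from Spring: a toy Python model of the authorization-code flow. Everything in it is constructed; the client id, client secret, redirect URI, class names and the `run_flow` scenario are hypothetical. It shows what the extra round trip buys: the code travels through the user's browser, where it can leak, but it is bound to one client and redirect URI, is single-use and short-lived, and cannot be exchanged without the client secret, which only moves over the back channel. The access token itself never passes through the browser.

```python
"""Toy model of the OAuth 2.0 authorization-code exchange (constructed example,
not Spring Authorization Server code; all ids, secrets and URLs are made up)."""
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # authorization codes must be short-lived and single-use


@dataclass
class Client:
    client_id: str
    client_secret: str     # known only to the client's backend, never to the browser
    redirect_uri: str


@dataclass
class AuthorizationServer:
    clients: dict
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user, issued_at)
    tokens: dict = field(default_factory=dict)  # access_token -> user

    def authorize(self, client_id, redirect_uri, user, now=None):
        """Step 3: the user has logged in; issue a one-time code that travels back
        to the client through the user's browser (the front channel)."""
        client = self.clients.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, now if now is not None else time.time())
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 4: server-to-server exchange (the back channel). The code alone is
        worthless: the caller must also prove it is the registered client."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # pop, so the code can never be used twice
        if entry is None:
            raise PermissionError("unknown or already-used code")
        bound_client, bound_redirect, user, issued_at = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if (now if now is not None else time.time()) - issued_at > CODE_TTL_SECONDS:
            raise PermissionError("code expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return access_token


@dataclass
class ResourceServer:
    auth: AuthorizationServer

    def get_resource(self, access_token):
        """Step 5: the resource server only ever sees the access token."""
        user = self.auth.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return f"private data of {user}"


def run_flow():
    """Legitimate exchange, then three attacks on a code that leaked from the browser."""
    client = Client("web-app", "s3cret-only-the-backend-knows", "https://abc.xyz.com/callback")
    auth = AuthorizationServer(clients={client.client_id: client})
    rs = ResourceServer(auth)
    results = {}

    # Step 3: the browser lands on .../callback?code=<code>; the code shows up in
    # URLs, browser history and Referer headers, so assume an attacker can see it.
    code = auth.authorize(client.client_id, client.redirect_uri, user="alice")
    # Steps 4 and 5: the client's backend exchanges it and fetches the resource.
    access_token = auth.token(client.client_id, client.client_secret, code, client.redirect_uri)
    results["legit"] = rs.get_resource(access_token)

    # Attack 1: replay the code the real client already consumed.
    try:
        auth.token(client.client_id, client.client_secret, code, client.redirect_uri)
        results["replay"] = "accepted"
    except PermissionError as e:
        results["replay"] = str(e)

    # Attack 2: a fresh leaked code, but the attacker does not hold the client secret.
    leaked = auth.authorize(client.client_id, client.redirect_uri, user="alice")
    try:
        auth.token(client.client_id, "guess", leaked, client.redirect_uri)
        results["no_secret"] = "accepted"
    except PermissionError as e:
        results["no_secret"] = str(e)

    # Attack 3: even with the secret, a stale code is dead after CODE_TTL_SECONDS.
    old = auth.authorize(client.client_id, client.redirect_uri, user="alice", now=0.0)
    try:
        auth.token(client.client_id, client.client_secret, old, client.redirect_uri, now=CODE_TTL_SECONDS + 1.0)
        results["expired"] = "accepted"
    except PermissionError as e:
        results["expired"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_flow().items():
        print(f"{name}: {outcome}")
```

Public clients (SPAs, mobile apps) cannot keep a client secret; there the same binding is done with PKCE, where the client sends a hash of a random verifier at step 3 and the verifier itself at step 4, which this toy model does not include.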

CORS

What is CORS
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins are allowed to read responses from your server.
Origin = scheme + host + port: https://app.com ≠ https://api.com ≠ http://app.com
Why CORS was developed
Browsers enforce the Same-Origin Policy (SOP): a script from one origin cannot read data from another origin.
Problem SOP caused: a legitimate frontend (app.com) couldn't call its backend (api.com) and read the responses.
CORS solution: let the server explicitly whitelist trusted origins.
How CORS works
Simple request. Browser sends: Origin: https://app.com. Server responds: Access-Control-Allow-Origin: https://app.com → the browser allows frontend JS to read the response. Note that for a simple request the server still receives and executes the request; CORS only gates whether the page can read the response, so it is not a CSRF defence.
Preflight request (for complex requests). Browser first sends:
OPTIONS /api
Origin: https://app.com
Access-Control-Request-Method: POST
Server replies:
Access-Control-Allow-Origin: https://app.com
Access-Contro...
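The server-side half of the mechanism described above, as an added example (constructed for this page, not Spring's CorsFilter): a Python function that decides which CORS headers to emit for one request, with the origin check done as an exact match on scheme + host + port. The allowlist, the sample requests and the function names are made up. It also puts the common broken check, a substring match on the domain, beside the strict one, because `"app.com" in origin` happily accepts `https://app.com.evil.net`.

```python
"""Server-side CORS decision for one request (constructed example; the
allowlist and sample requests are made up, this is not Spring code)."""

# Exact origins only: scheme + host + port. "http://app.com" is not "https://app.com".
ALLOWED_ORIGINS = {"https://app.com"}


def origin_allowed_naive(origin):
    """Common bug: substring or prefix matching. 'https://app.com.evil.net' and
    'https://evilapp.com' both contain 'app.com', so both would be allowed."""
    return "app.com" in origin


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist: the only safe way to whitelist origins."""
    return origin in allowed


def cors_headers(method, request_headers, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for one request, or {} when the browser
    must not let the calling page read the response.

    What CORS does NOT do: the request still reaches the server. A simple POST
    from an untrusted origin is executed; the browser merely hides the response."""
    origin = request_headers.get("Origin")
    if origin is None or not origin_allowed(origin, allowed):
        return {}  # no Access-Control-Allow-Origin -> the cross-origin read is blocked

    headers = {
        # Echo the specific allowed origin. Never "*" together with credentials:
        # browsers reject that combination, and it would expose cookie-backed data.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response depends on Origin, so a shared cache must not hand one
        # origin's answer to another.
        "Vary": "Origin",
    }
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: state what the actual request may use and let the browser cache it.
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        headers["Access-Control-Allow-Headers"] = request_headers.get(
            "Access-Control-Request-Headers", "Content-Type, Authorization"
        )
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Constructed requests: the post's own origins plus a look-alike attacker origin.
    print(cors_headers("GET", {"Origin": "https://app.com"}))
    print(cors_headers("GET", {"Origin": "http://app.com"}))        # {} : scheme differs
    print(cors_headers("OPTIONS", {"Origin": "https://app.com",
                                   "Access-Control-Request-Method": "POST"}))
    evil = "https://app.com.evil.net"
    print(origin_allowed_naive(evil), origin_allowed(evil))          # True False
```

If you must allow many origins, keep a parsed allowlist (or an anchored regular expression that matches the whole Origin value) rather than matching fragments of the hostname.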

CSRF, its mechanism, and why CSRF protection is disabled in REST API security.

CSRF (Cross-Site Request Forgery)
A browser-based attack where a malicious site tricks a user's browser into sending a request (with cookies automatically attached) to your application.
When CSRF protection is enabled (the default in Spring Security):
- Spring expects a CSRF token on every state-changing request (POST, PUT, PATCH, DELETE).
- The token is generated server-side and must be sent back (as a header or form field).
- This protects against attacks that rely on browser + cookies.
Meaning: only requests coming from your legitimate frontend (which has the token) are accepted.
What "disable CSRF" means
    http.csrf().disable();
Spring stops validating CSRF tokens. Any request is accepted without CSRF token verification.
Impact: you lose protection against browser-based CSRF attacks. But this only matters if your app uses cookie/session authentication; a JWT stored in a cookie counts, because the browser attaches it automatically exactly like a session cookie.
Why it's commonly disabled in REST APIs
Because REST APIs typically:
- Are stateless
- Use Authorization headers (JWT/Bearer tokens...
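The reasoning above, as an added example (constructed for this page, not Spring Security code): a toy Python model of a browser and a server that runs the same forged POST against three configurations. The session cookie name, the `/transfer` endpoint, the `X-CSRF-TOKEN` header and the `Server` / `Request` classes are made up. The forged request is what evil.com can make the victim's browser send: the victim's cookies attached automatically, any form fields, but no custom headers and no knowledge of the token embedded in app.com's page. The outcomes are the whole argument: cookie auth with CSRF disabled accepts the forgery, cookie auth with CSRF enabled rejects it, and bearer-token auth rejects it even with CSRF disabled because the browser never adds an Authorization header on its own.

```python
"""Why disabling CSRF protection is only safe for header-based auth
(constructed model; not Spring code; names and endpoints are made up)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)   # the browser attaches these automatically
    headers: dict = field(default_factory=dict)   # a page must set these explicitly via JS
    form: dict = field(default_factory=dict)


@dataclass
class Server:
    auth_mode: str            # "cookie" (session) or "bearer" (token in Authorization header)
    csrf_enabled: bool        # False mirrors http.csrf().disable()
    sessions: dict = field(default_factory=dict)             # session id -> {"user", "csrf"}
    valid_bearer_tokens: dict = field(default_factory=dict)  # token -> user

    def login(self, user):
        """Returns what the legitimate frontend receives after login."""
        if self.auth_mode == "cookie":
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
            return {"cookie": {"JSESSIONID": sid}, "csrf": self.sessions[sid]["csrf"]}
        token = secrets.token_urlsafe(16)
        self.valid_bearer_tokens[token] = user
        return {"bearer": token}

    def handle_transfer(self, req):
        """A state-changing POST. Returns (status, message)."""
        if self.auth_mode == "cookie":
            session = self.sessions.get(req.cookies.get("JSESSIONID", ""))
            if session is None:
                return 401, "not authenticated"
            if self.csrf_enabled:
                sent = req.headers.get("X-CSRF-TOKEN") or req.form.get("_csrf", "")
                if not hmac.compare_digest(sent, session["csrf"]):
                    return 403, "invalid CSRF token"
            user = session["user"]
        else:
            # A token kept in memory by the frontend and sent as a header. If the
            # same token were stored in a cookie, this branch would not apply and
            # the app would be back in the "cookie" case above.
            auth = req.headers.get("Authorization", "")
            user = self.valid_bearer_tokens.get(auth.removeprefix("Bearer "))
            if not auth.startswith("Bearer ") or user is None:
                return 401, "not authenticated"
        return 200, f"transferred {req.form.get('amount')} from {user}"


def forged_request(victim_cookies):
    """What evil.com can make the victim's browser send: victim cookies (added by
    the browser), attacker-chosen form fields, no custom headers, no CSRF token."""
    return Request("/transfer", cookies=dict(victim_cookies),
                   form={"amount": "1000", "to": "attacker"})


def scenarios():
    """Status codes for the forged request (and a legitimate one) per configuration."""
    results = {}

    # 1) cookie session, CSRF disabled: the forgery is indistinguishable from a real request
    s = Server("cookie", csrf_enabled=False)
    creds = s.login("alice")
    results["cookie_csrf_disabled_forged"] = s.handle_transfer(forged_request(creds["cookie"]))[0]

    # 2) cookie session, CSRF enabled: evil.com cannot read the token, so the forgery fails
    s = Server("cookie", csrf_enabled=True)
    creds = s.login("alice")
    results["cookie_csrf_enabled_forged"] = s.handle_transfer(forged_request(creds["cookie"]))[0]
    legit = Request("/transfer", cookies=creds["cookie"],
                    headers={"X-CSRF-TOKEN": creds["csrf"]}, form={"amount": "10"})
    results["cookie_csrf_enabled_legit"] = s.handle_transfer(legit)[0]

    # 3) bearer token, CSRF disabled: the browser attaches no Authorization header by
    #    itself, so the forgery arrives unauthenticated. This is the REST API case.
    s = Server("bearer", csrf_enabled=False)
    creds = s.login("alice")
    results["bearer_csrf_disabled_forged"] = s.handle_transfer(forged_request({}))[0]
    legit = Request("/transfer", headers={"Authorization": f"Bearer {creds['bearer']}"},
                    form={"amount": "10"})
    results["bearer_csrf_disabled_legit"] = s.handle_transfer(legit)[0]
    return results


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```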

Orphan removal and Cascade.REMOVE

CascadeType.ALL applies every operation performed on the parent entity to its children as well. The operations it covers:
- REMOVE: if the parent is deleted, all children are deleted.
- PERSIST: if the parent is persisted, all children are persisted.
- MERGE: if the parent is merged (updated), the changes in each child are merged too.
- REFRESH: if you reload the parent from the DB, all children are reloaded.
- DETACH: if the parent is detached from the persistence context (the Hibernate session), all children are detached too.
⚠️ The Danger Zone
CascadeType.ALL is powerful but can be risky:
- Accidental deletes: if you delete a Department, you might delete 500 Employees you didn't mean to.
- Performance: if you have a massive list, a simple update to the parent might trigger dirty checks/updates on every single child.
- When to use it: it is usually only appropriate for composition (where the child cannot exist without the parent, like an Invoice and its InvoiceItems), not for independent entities such as Department and Employee.
⚠️ Wh...

WHY does Spring “skip” the annotation? What is actually happening in memory?

🧠 Step 1 — What Spring really creates
You write:

    @Service
    public class OrderService {

        @Transactional
        public void placeOrder() { }

        @CacheEvict(value = "productCache", key = "#productId")
        public void updateProduct(int productId) { }
    }

❗ What actually exists at runtime
Spring creates two objects:
1. Real object: OrderService
2. Proxy object: a generated subclass, written here as OrderService$$SpringProxy (the real CGLIB class name looks like OrderService$$SpringCGLIB$$0)
👉 Important
When you do:

    @Autowired
    OrderService orderService;

👉 you are getting the proxy (OrderService$$SpringProxy), NOT your real class.
🧩 Step 2 — What's inside the proxy?
The proxy wraps your method calls roughly like this:

    public class OrderServiceProxy {
        private OrderService target;

        public void updateProduct(int productId) {
            target.updateProduct(productId);
            // 🔥 Cache logic injected here: @CacheEvict evicts after the call
            // returns (unless beforeInvocation = true)
            evictCache("productCache", productId);
        }

        public void placeOrder() {
            startTra...