Himai Minh

A few years ago, I was not too familiar with Spring. I took some online introduction to Spring Framework courses.
I read Getting Started with Spring Framework : covers Spring 5 by J Sharma and Ashish Sarin.
Although Spring 6 is in use now, this book still helps.

The works thread is not split.
Usually, one worker thread does its task. The virtual thread waits for it. A second worker thread does it task. The virtual thread waits for it as well.
The first worker thread is free to do other tasks while the second worker thread is doing its task.
So, only the virtual thread is blocking, but not the work threads blocking.

For example,  
private void dotasks(){
         //platform thread 1 does this behind the scene
           p1();
       //virtual thread sleeps  
        Thread.sleep(10000);
     //platform thread 2 does this behind the scene
    //platform thread 1 is now free to do other tasks behind the scene
       p2();
}

Reference : https://medium.com/@viraj_63415/reactive-programming-in-java-good-time-to-die-79f243dc1275
Take  a look at the second diagram of the above article.
Or, watch the same author's video for more explanation : https://www.youtube.com/watch?v=axNA-gr3hDg

The main advantage of using virtual thread is to have the virtual thread to block, not to have the platform threads to block.

I mean @Autowired is an annotation in Spring for dependency injection.
@Inject is from a Java library to do dependency injection as well.

Hi, Rob,
Do we need to add a finally block to close the connection each time?

I heard we are not recommended to use milestone versions because those versions are not stable.
Have you try those stable versions without the milestone?

Do you put @Autowired to UserRepository?

Does this package org.springframework.transaction.annotation exist in your classpath in your project?
If not, try to reimport the dependencies from your POM.

Does this help: https://stackoverflow.com/questions/70920113/the-following-method-did-not-exist-com-mongodb-connection-clustersettings-getde ?
Does add this help ? Try to put any available version for the mongodb driver core.
<dependency>
       <groupId>org.mongodb</groupId>
       <artifactId>mongodb-driver-core</artifactId>
       <version> ... </version>
   </dependency>

Your username should be root. I don't know your password.

How about trying any different Spring Boot version?

Does this help:
https://stackoverflow.com/questions/74146917/spring-security-the-request-was-rejected-because-the-url-contained-a-potential  ?

Does this discussion help:
https://github.com/spring-projects/spring-security/issues/14636  ?

Also, my next test is to use  @PreAuthorize("hasAuthority('USER')") for the get endpoint instead of @RolesAllowed.
It now works.

So far, I made some changes to your code:
public class JwtTokenProvider { public String createAccessToken(long id, String username, Role role){        Claims claims = Jwts.claims().subject(username)                .add("id",id)                .add("scope","read")  //use read instead of access                .add("role",role.name())                .build();          return Jwts.builder()                .header()                .add("type","JWT")   //use type instead of typ                .and()               ....    }

import jakarta.annotation.security.RolesAllowed; @RestController @RequestMapping("/endpoints") public class EndPoints {    //use RolesAllowed instead of @PreAuthorize    @GetMapping("/user")   @RolesAllowed({"USER"})    public String ordinaryUsersOnly(){        return "Ordinary users only";    }

In application.properties, use this property instead of create-drop to recreate the table every time I start the application:
spring.jpa.hibernate.ddl-auto=validate
I use port 8080 instead of 6666
I use Postman to do the following:
1. I first send a POST request at  localhost:8080/auth/register.
I submit these info in JSON
{
       
        "firstname" : "John",
         "lastname": "Smith",
         "username" : "jsmith3",
         "password": "smith3",
         "email" : "[email protected]"
       
   }
2. I then send a POST request at localhost:8080/auth/login
{       "username" : "jsmith3",
         "password": "smith3"
}
I got the access token
3. I create another GET request at localhost:8080/endpoints/user
Under the Authorization panel, copy and paste the token in the Bearer Token field.
4. So far, I get access to the endpoint

Does this article help:
https://www.baeldung.com/security-none-filters-none-access-permitAll ?

Section 5 of the article says this:

Also note that, if an <http> element doesn’t specify a pattern, then by default, that maps to the universal match pattern – “/**” – so again, this element
needs to be last. If the order of the elements is not correct, the creation of the security filter chain will fail:

One more additional note to my previous post.
Can you try to create a second user , maybe called John and a password for John?
Then, you, as Obert user,  log in and log out.
Then, you log in as John. See if John can be authenticated.