# How to add default role to newly created user?

23 messages · Page 1 of 1 (latest)

viscid sierra
#

I am trying to add a role of USER to my newly created user but nothing seems to work

My current code throws this error:

    Incorrect integer value: 'USER' for column 'role' at row 1

I assume that I'm not adding the role correctly and that's why I'm getting this issue, but I'm not sure how to handle the roles and set them since they are using GrantedAuthorities.

Here's a gist to my code.
https://gist.github.com/CydoEntis/b54aaf32fdec1269c6459a3234c05c4f

edgy prawnBOT
#

This post has been reserved for your question.

Hey @viscid sierra! Please use /close or the Close Post button above when you're finished. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

viscid moon
#

Without even looking at the code, you can already see the issue from the error.
The “role” column expects an integer (i.e. 0, 1, 2, etc.) but you’ve provided it a string “USER”.

viscid sierra
#

Nvm, looks like my issue is I'm saving the role as a number but trying to pass a string.

#

Yeah, so new question: how can I save that as the string value?

#

Is more than this annotation needed?

    @Enumerated(EnumType.STRING)
    private Role role;

viscid moon
#

The code looks fine at first glance. I assume you’ll need to update the table structure in your database.

#

My assumption is you were saving it as an ordinal originally and changed it at some point.
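
The ordinal-versus-string point above, worked through as an added example (constructed here, not the poster's gist): a role stored as `EnumType.ORDINAL` is just the constant's position, so a later refactor that inserts a constant silently remaps every existing row to a different role, while `EnumType.STRING` against a varchar column survives. The `RoleV1`/`RoleV2` names, the `store`/`load` helpers and the simulated column types are assumptions of this model, not JPA itself.

```python
from enum import Enum

class RoleV1(Enum):
    """Role enum as first written (constructed; not the poster's gist)."""
    USER = "USER"
    ADMIN = "ADMIN"

class RoleV2(Enum):
    """Same enum after a later refactor inserted MODERATOR before ADMIN."""
    USER = "USER"
    MODERATOR = "MODERATOR"
    ADMIN = "ADMIN"

def ordinal(role):
    """Java's role.ordinal(): position in declaration order, what EnumType.ORDINAL stores."""
    return list(type(role)).index(role)

def store(role, column_type, mapping):
    """Simulate INSERT into the role column. mapping is 'ORDINAL' or 'STRING',
    column_type is 'INT' or 'VARCHAR' (the combinations the thread ran into)."""
    value = ordinal(role) if mapping == "ORDINAL" else role.name
    if column_type == "INT" and not isinstance(value, int):
        # The exact mismatch from the original post: a name sent to an int column.
        raise ValueError(f"Incorrect integer value: '{value}' for column 'role' at row 1")
    return str(value) if column_type == "VARCHAR" else value

def load(stored, enum_cls, mapping):
    """Decode a stored value with whatever enum class is deployed now."""
    return list(enum_cls)[int(stored)] if mapping == "ORDINAL" else enum_cls[stored]

def original_error():
    """STRING mapping against an INT column: reproduces the poster's error text."""
    try:
        store(RoleV1.USER, "INT", "STRING")
    except ValueError as e:
        return str(e)
    return "no error"

def ordinal_drift():
    """Row written under RoleV1 as an ordinal, read back after RoleV2 ships:
    the stored 1 now decodes to a different role, silently changing privileges."""
    stored = store(RoleV1.ADMIN, "INT", "ORDINAL")
    return load(stored, RoleV2, "ORDINAL").name

def string_stable():
    """Same row with EnumType.STRING and a VARCHAR column survives the refactor."""
    stored = store(RoleV1.ADMIN, "VARCHAR", "STRING")
    return load(stored, RoleV2, "STRING").name
```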

viscid sierra
#

That's most likely it. I've been struggling hard with JWT authentication since every YouTube tutorial I follow is using a different version of Spring Boot, or doing the implementation completely differently. I'm all over the place at this point haha

viscid moon
#

Careful with YouTube tutorials. They’re very convenient and I also look to them sometimes, but a lot of misinformation gets spread since videos are so easy to make. Moreover, peer reviewing only happens after it’s already been published, and at that point the author can’t really make changes to the video.

Public codebases that have active communities around them are good to look at for examples, since the contributors are constantly reviewing each other’s code.

Also, books by reputable companies (not solo authors): they get rewritten, restructured and updated countless times before publishing.

viscid sierra
#

Gotcha, yeah I tried to read this https://www.baeldung.com/spring-security-oauth-jwt but got lost. I start college May 1st, so I'm hoping during classes I really learn this stuff. Just trying to familiarize myself with a lot of this stuff before I start my courses 😄

#

But you were right, the database column for roles just needs to be a varchar and now everything works, and for the most part I understand the implementation of JWTs now.

viscid moon
#

I don’t doubt you’ll be far ahead of your peers at this pace. Hopefully class doesn’t end up too boring.

viscid sierra
#

I have a question maybe you could answer though. Since I am using JWTs, do I have to enable .csrf()? Or is this just used during session-based authentication?

viscid moon
#

Regarding csrf attacks:

If I were to structure a link to a website that I knew would perform a desired action for me, I would just need to direct you to that website, and the fact that you have a session cookie and are logged in would mean that the request is validated, even if I’m the one who sent you there.
Typical csrf protection entails, for one, never making changes on GET requests, and also inserting a unique csrf token into the form of any page that you want a valid POST request to be sent from. When validating a POST request, you know that if that token is present and is valid, then the authenticated user sent that request from your webpage and not from some other untrusted source.

In other words, csrf protection is important for pre-validated requests. Such as when a user has a session cookie sitting in their browser that automatically validates every request.

The reason that the SO answer says that headers aren’t a concern is because headers are provided every time for every request. An attacker would have to know it in order to send it with the request they want you to make, unlike a session cookie.

viscid sierra
#

Right, but with a JWT token you are sending the token every request and it has to check the secret that is only known by the server, so then a csrf attack can't take place because there is no session cookie that can be hijacked, correct?

#

But according to what you sent me, I should implement that CSRF protection anyway, so that's just what I'll do.

edgy prawnBOT
#

💤 Post marked as dormant

This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.

viscid moon
# viscid sierra But according to what you sent me, i should implement that CSRF protection anywa...

You can still have a session cookie and also employ csrf protection. (In fact that’s the big purpose for it) It just means that, while a victim may be forced to attempt an undesired action while signed in and authenticated by their session cookie, the addition of the csrf protection results in their otherwise validated request ultimately being rejected and no harm being done. In other words, the attacker successfully gets through one layer (the session cookie) but is blocked by another (the csrf token) before the request can do anything.

The SO answer suggested both protections to future proof the program against someone unknowingly moving the JWT to a cookie not realizing that it was also serving as csrf protection. Which is a concern that doesn’t apply in your case I’m sure, but nothing wrong with future proofing.
It’s just important to know exactly what each protection does and doesn’t do, so that we don’t fall into the trap of habitually stamping arbitrary protections onto things without considering that it may not be sufficient or appropriate. Otherwise you may end up with a big “Swiss cheese model” of security.
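
The two layers described in this thread (session cookie versus bearer header, with and without a synchronizer csrf token) as an added model, not code from either poster or from Spring Security: it encodes the one browser rule CSRF hinges on, namely that cookies for our domain ride along on any request to it whichever page triggered it, whereas an `Authorization` header is only present when our own front end set it. The `jwt_cookie` mode models the future-proofing concern above (a JWT moved into a cookie behaves like a session cookie). All credential values, the `Request` class and the `server_accepts` helper are constructed assumptions of this model.

```python
from dataclasses import dataclass, field

# Constructed credentials for the model; nothing here comes from the thread.
SESSION_ID, CSRF_TOKEN, JWT = "sess-123", "csrf-abc", "eyJ.constructed.jwt"

@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def browser_send(victim_cookies, from_our_site, headers=None, form=None):
    """Cookies for our domain are attached to any request to it, whichever page
    triggered it; custom headers only survive when our own front end set them
    (a cross-site page's form post cannot carry them)."""
    return Request(dict(victim_cookies),
                   dict(headers or {}) if from_our_site else {},
                   dict(form or {}))

def server_accepts(req, auth, csrf_enabled):
    """auth is where the server looks for credentials: 'session_cookie',
    'jwt_cookie' (the JWT-moved-to-a-cookie worry above) or 'bearer_header'."""
    if auth == "session_cookie" and req.cookies.get("JSESSIONID") != SESSION_ID:
        return False
    if auth == "jwt_cookie" and req.cookies.get("jwt") != JWT:
        return False
    if auth == "bearer_header" and req.headers.get("Authorization") != "Bearer " + JWT:
        return False
    # Synchronizer token: only a page we rendered knows the victim's token.
    if csrf_enabled and req.form.get("_csrf") != CSRF_TOKEN:
        return False
    return True

VICTIM_COOKIES = {"JSESSIONID": SESSION_ID, "jwt": JWT}   # victim is logged in

def attacker_succeeds(auth, csrf_enabled):
    """A cross-site page submits a form to our site in the victim's browser.
    It cannot read the victim's csrf token, and its headers never arrive."""
    req = browser_send(VICTIM_COOKIES, False,
                       headers={"Authorization": "Bearer " + JWT}, form={"_csrf": "guess"})
    return server_accepts(req, auth, csrf_enabled)

def legit_succeeds(auth, csrf_enabled):
    """The same action triggered from our own page, token and header included."""
    req = browser_send(VICTIM_COOKIES, True,
                       headers={"Authorization": "Bearer " + JWT}, form={"_csrf": CSRF_TOKEN})
    return server_accepts(req, auth, csrf_enabled)

if __name__ == "__main__":
    for auth in ("session_cookie", "jwt_cookie", "bearer_header"):
        for csrf in (False, True):
            print(f"{auth:15} csrf={csrf!s:5} forged request accepted={attacker_succeeds(auth, csrf)}")
```

Running it shows the forged request accepted only for the two cookie modes without a csrf token, which is exactly the layer the synchronizer token closes; the header mode rejects it on its own, but costs nothing to keep protected.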
