Spring Boot & AWS Cognito: Migrating from Manual to Managed Auth (Live Demo)
Authentication is one of the biggest architectural bottlenecks in any new application. Do you roll your own security and take on the liability, or do you lock yourself into a managed cloud provider? I wanted to understand the bare-metal mechanics behind that choice. In this live technical demo, I break down a dedicated, standalone project built to implement both approaches from scratch and compare the engineering trade-offs. If you are tired of wrestling with legacy Spring Security configurations and want to understand how enterprise systems offload identity management, this video is for you.

🔗 Resources & Links:
• Repo: https://github.com/jamesiit/spring-se...
• Slide Deck & Architecture Diagrams: https://james-cognito.s3.ap-south-1.a...
• LinkedIn post: https://www.linkedin.com/posts/jamesm...

🛠️ What We Cover:

🔒 Phase 1: General Web Security & The Manual Architecture
We start with the OWASP Top 10, the difference between stateful session cookies and stateless token-based architectures, and how CSRF attacks exploit cookie-based stateful sessions (the browser attaches the session cookie to a cross-site request the user never intended to make). From there we dive into the "Manual Trench" and build the entire auth flow from scratch in Java Spring Boot: custom SecurityFilterChain rules, wiring up BCrypt password hashing, the developer overhead of minting and signing our own JSON Web Tokens, and implementing asynchronous OTP delivery via SMTP.

☁️ Phase 2: The Managed Cloud Migration to AWS Cognito
Once the manual version is established, we rip out the boilerplate and migrate to AWS.
• The Frontend: Connecting React to the Cognito User Pool via AWS Amplify.
• The Backend: Stripping Spring Boot down to act strictly as a stateless OAuth2 Resource Server.
• The Cryptography: Shifting to asymmetric signatures: the backend downloads the User Pool's JWKS public keys and uses them to verify the signature on tokens issued by Cognito, so the backend never holds a signing secret at all.

⏳ Video Chapters:
00:00:00 Introduction: Managed vs. Manual Authentication
00:03:00 General Web Security and the OWASP Top 10
00:05:07 The Problem with Stateful Sessions and CSRF
00:07:38 Understanding CORS and Preflight Requests
00:09:47 Stateful vs. Stateless Architecture
00:11:15 OAuth 2.0 Standard and Third-Party Delegation
00:13:42 Deep Dive: Manual Spring Security Architecture
00:15:10 Request Lifecycle: Filters and the Servlet Container
00:20:24 Secure Password Hashing with BCrypt
00:28:46 JSON Web Token (JWT) in Spring Boot
00:39:18 Implementing Asynchronous OTP Delivery via SMTP
00:52:13 The Security Liability of Manual Configuration
00:54:50 Live Code Diff: Ripping out Boilerplate
00:56:52 Asymmetric Cryptography and JWKS Explained
00:59:33 Transitioning to AWS Cognito for Managed Authentication
01:06:35 Adding a User Pool
01:15:47 Integrating the AWS Amplify SDK in React
01:21:49 Full-Stack JWT Verification Flow
01:23:59 Configuring Spring Boot as an OAuth2 Resource Server
01:28:27 Live Audience Demo: End-to-End Authentication Flow

👇 Let's Connect:
LinkedIn: / jamesmotha

#softwareengineering #java #springboot #aws #awscognito #reactJS #cloudcomputing #systemarchitecture #cybersecurity #websecurity
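To make the Phase 1 "manual trench" concrete, here is an added example (written for this page, not code from the talk's repository) of the two pieces the description calls overhead: hashing passwords with Spring's BCryptPasswordEncoder and minting and verifying our own JWTs. The choice of HS256 with a random 256-bit key, the 15-minute lifetime, the issuer string and the class name are assumptions made for the example; it relies on spring-security-crypto and nimbus-jose-jwt, both of which Spring Security pulls in.

```java
// Added example: the manual side of the comparison. Assumes spring-security-crypto
// and nimbus-jose-jwt on the classpath; key, issuer and lifetime are illustrative.
package com.example.manualauth;

import java.security.SecureRandom;
import java.text.ParseException;
import java.time.Instant;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class ManualAuthService {

    // Cost factor 12 is a reasonable 2020s default; raise it as hardware gets faster.
    // The encoder generates a fresh random salt per call and embeds it in the hash.
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // HS256 needs a key of at least 256 bits; MACSigner throws KeyLengthException for less.
    // This key is generated at startup for the example; a real service loads it from a
    // secret store, because anyone holding it can mint tokens for any user.
    private static final byte[] HMAC_KEY = new byte[32];
    static { new SecureRandom().nextBytes(HMAC_KEY); }

    private static final String ISSUER = "manual-auth-demo";   // assumed issuer name
    private static final long TOKEN_LIFETIME_SECONDS = 15 * 60; // assumed 15-minute lifetime

    /** Store the returned string; the salt and cost are encoded inside it. */
    public static String hashPassword(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Constant-time comparison of the candidate against the stored BCrypt hash. */
    public static boolean checkPassword(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    /** Mint a short-lived HS256 token for an already-authenticated subject. */
    public static String mintToken(String subject) throws JOSEException {
        Instant now = Instant.now();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject)
                .issuer(ISSUER)
                .issueTime(Date.from(now))
                .expirationTime(Date.from(now.plusSeconds(TOKEN_LIFETIME_SECONDS)))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(HMAC_KEY));
        return jwt.serialize();
    }

    /** Verify signature, algorithm, issuer and expiry; return the subject on success. */
    public static String verifyToken(String token) throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);

        // Pin the algorithm before checking the signature, so a token whose header
        // names a different algorithm is rejected outright (alg-confusion defence).
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new SecurityException("unexpected JWS algorithm");
        }
        if (!jwt.verify(new MACVerifier(HMAC_KEY))) {
            throw new SecurityException("invalid signature");
        }

        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!ISSUER.equals(claims.getIssuer())) {
            throw new SecurityException("unexpected issuer");
        }
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new SecurityException("token expired");
        }
        return claims.getSubject();
    }
}
```

Every line after the BCrypt calls is liability the application now owns: key storage and rotation, algorithm pinning, clock checks, and revocation (not shown; a symmetric token cannot be recalled once issued). That is the overhead Phase 2 hands to Cognito.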
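For the Phase 2 backend, here is an added example (written for this page, not code from the talk's repository) of Spring Boot configured as a stateless OAuth2 Resource Server that verifies Cognito access tokens against the User Pool's published JWKS. It assumes Spring Boot 3 / Spring Security 6 (requestMatchers rather than antMatchers); the region, User Pool ID, app client ID and the /api/public/** path are placeholders to replace with your own.

```java
// Added example: Spring Security 6 resource server for Cognito-issued access tokens.
// Region, pool ID, client ID and URL paths are assumed placeholders.
package com.example.cognito;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CognitoResourceServerConfig {

    // Assumed placeholders: substitute your region, User Pool ID and app client ID.
    private static final String REGION = "ap-south-1";
    private static final String USER_POOL_ID = "ap-south-1_XXXXXXXXX";
    private static final String APP_CLIENT_ID = "your-app-client-id";

    // The issuer must match the token's iss claim exactly; Cognito serves the pool's
    // public signing keys at the .well-known/jwks.json path beneath it.
    private static final String ISSUER =
            "https://cognito-idp." + REGION + ".amazonaws.com/" + USER_POOL_ID;
    private static final String JWKS_URI = ISSUER + "/.well-known/jwks.json";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // No session cookie is ever issued, so there is no CSRF surface to protect;
            // each request authenticates itself with a bearer token instead.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // The decoder fetches the JWKS over HTTPS, caches it, and selects the key by kid.
        // Pinning RS256 rejects tokens whose header names any other algorithm.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // Default validators check exp/nbf and that iss equals our pool's issuer URL.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // Cognito access tokens carry the app client in client_id (not aud) and
        // token_use=access; checking both rejects ID tokens and other apps' tokens,
        // which the signature check alone would accept since the same pool key signs them.
        OAuth2TokenValidator<Jwt> clientId =
                new JwtClaimValidator<String>("client_id", APP_CLIENT_ID::equals);
        OAuth2TokenValidator<Jwt> tokenUse =
                new JwtClaimValidator<String>("token_use", "access"::equals);

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                List.of(defaults, clientId, tokenUse)));
        return decoder;
    }
}
```

The same decoder can come from Boot auto-configuration by setting spring.security.oauth2.resourceserver.jwt.issuer-uri to the ISSUER value above, but that path gives you only the default issuer and timestamp checks; the client_id and token_use validators still have to be added by hand, which is the one piece of the verification flow Cognito cannot do for you.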
