Spring Security in Action
Laurentiu Spilca
  • MEAP began December 2019
  • Publication in Fall 2020 (estimated)
  • ISBN 9781617297731
  • 550 pages (estimated)
  • printed in black & white

If you want to get a thorough understanding of software security, and how it can be applied in a Spring application, this book is for you!

Matt Greene
While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you’ll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization.

About the Technology

Your applications, along with the data they manage, are one of your organization’s most valuable assets. No company wants their applications easily cracked by malicious attackers or left vulnerable by avoidable errors. The specialized Spring Security framework reduces the time and manpower required to create reliable authorization, authentication, and other security features for your Java enterprise software. Thanks to Spring Security, you can easily bake security into your applications, from design right through to implementation.

About the book

Spring Security in Action shows you how to use Spring Security to create applications you can be confident will withstand even the most dedicated attacks. Starting with essential “secure by design” principles, you’ll learn common software vulnerabilities and how to avoid them right from the design stage. Through hands-on projects, including a web application and a microservices architecture, you’ll learn to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization. As you go, you’ll learn how to adapt Spring Security to different architectures, such as configuring Spring Security for Reactive applications and container-based applications orchestrated with Kubernetes. When you’re done, you’ll have a complete understanding of how to use Spring Security to protect your Java enterprise applications from common threats and attacks.
Table of Contents

Part 1 First Steps

1 Security today

1.1 Spring Security - the what and the why

1.2 What is software security?

1.3 Why is security important?

1.4 Common security vulnerabilities in web applications

1.4.1 Vulnerabilities in authentication and authorization

1.4.2 What is session fixation?

1.4.3 What is cross-site scripting (XSS)?

1.4.4 What is cross-site request forgery (CSRF)?

1.4.5 Understanding injection vulnerabilities in web applications

1.4.6 Dealing with the exposure of sensitive data

1.4.7 What is the lack of method access control?

1.4.8 Using dependencies with known vulnerabilities

1.5 Security applied in various architectures

1.5.1 Designing a one-piece web application

1.5.2 Designing security for a backend/frontend separation

1.5.3 Understanding the OAuth2 flow

1.5.4 Using API keys, cryptographic signatures, and IP whitelisting to secure requests

1.6 What will you learn in this book?

1.7 Summary

2 Hello Spring Security

2.1 Starting with the first project

2.2 Which are the default configurations?

2.3 Overriding the default configurations

2.3.1 Overriding the UserDetailsService component

2.3.2 Overriding the endpoint authorization configuration

2.3.3 Setting the configuration in different ways

2.3.4 Overriding the AuthenticationProvider implementation

2.3.5 Using multiple configuration classes in your project

2.4 Summary

Part 2: Implementation

3 Managing users

3.1 Implementing authentication in Spring Security

3.2 Describing the user

3.2.1 Demystifying the definition of the UserDetails contract

3.2.2 Detailing on the GrantedAuthority contract

3.2.3 Writing the minimal implementation of the UserDetails

3.2.4 Using a builder to create instances of the UserDetails type

3.3 Instructing Spring Security on how to manage the users

3.3.1 Understanding the UserDetailsService contract

3.3.2 Implementing the UserDetailsService contract

3.3.3 Implementing the UserDetailsManager contract

3.4 Summary

4 Dealing with passwords

4.1 Understanding the PasswordEncoder contract

4.1.1 The definition of the PasswordEncoder contract

4.1.2 Implementing the PasswordEncoder contract

4.1.3 Choosing from the provided implementations of PasswordEncoder

4.1.4 Having multiple encoding strategies with DelegatingPasswordEncoder

4.2 More about the Spring Security Crypto Module

4.2.1 Using key generators

4.2.2 Using encryptors for encryption and decryption operations

4.3 Summary

5 Implementing authentication

5.1 Understanding the AuthenticationProvider

5.1.1 Representing the request during authentication

5.1.2 Implementing the custom authentication logic

5.1.3 Applying the custom authentication logic

5.2 Using the SecurityContext

5.2.1 Using a holding strategy for the security context

5.2.2 Using a holding strategy for asynchronous calls

5.2.3 Using a holding strategy for standalone applications

5.2.4 Forwarding the security context with a DelegatingSecurityContextRunnable

5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService

5.3 Understanding HTTP Basic and Form Login authentication methods

5.3.1 Using and configuring HTTP Basic

5.3.2 Implementing the authentication with the Form Login method

5.4 Summary

6 Hands-On: A small secured web application

6.1 Requirements and setup of the project

6.2 Implementing user management

6.3 Implementing the custom authentication logic

6.4 Implementing the main page

6.5 Running and testing the application

6.6 Summary

7 Configuring authorization: restricting access

7.1 Restricting access based on authorities and roles

7.1.1 Restricting access for all the endpoints based on the user authorities

7.1.2 Restricting access for all the endpoints based on the user roles

7.1.3 Restricting all the access to endpoints

7.2 Summary

8 Configuring authorization: applying restrictions

8.1 Using matcher methods to select endpoints

8.2 Selecting requests for authorization using MVC matchers

8.3 Selecting requests for authorization using ANT matchers

8.4 Selecting requests for authorization using regex matchers

8.5 Summary

9 Implementing filters

9.1 Implementing filters in the Spring Security architecture

9.2 Adding a filter before an existing one in the chain

9.3 Adding a filter after an existing one in the chain

9.4 Adding a filter at the location of another in the chain

9.5 Filter implementations provided by Spring Security

9.6 Summary

10 Applying CSRF protection and CORS

10.1 Applying CSRF protection in applications

10.1.1 How CSRF protection works in Spring Security

10.1.2 Using CSRF protection in practical scenarios

10.1.3 Customizing CSRF protection

10.2 Using Cross-Origin Resource Sharing (CORS)

10.2.1 How does CORS work?

10.2.2 Applying CORS policies with the @CorsOrigin annotation

10.2.3 Applying CORS using a CorsConfigurer

10.3 Summary

11 Hands-On: A separation of responsibilities

11.1 The scenario and requirements of the example

11.2 Implementing and using tokens

11.2.1 What is a token?

11.2.2 What is a JSON Web Token (JWT)?

11.3 Implementing the Authentication Server

11.4 Implementing the Business Logic Server

11.4.1 Implementing the Authentication objects

11.4.2 Implementing the proxy to the Authentication Server

11.4.3 Implementing the AuthenticationProvider objects

11.4.4 Implementing the filters

11.4.5 Writing the security configurations

11.4.6 Testing the whole system

11.5 Summary

12 How does OAuth 2 work?

12.1 The OAuth 2 framework

12.2 The components of the OAuth 2 authentication architecture

12.3 Implementation choices with OAuth 2

12.3.1 Implementing the authorization code grant type

12.3.2 Implementing the password grant type

12.3.3 Implementing the client credentials grant type

12.3.4 Using refresh tokens to obtain new access tokens

12.4 The sins of OAuth 2

12.5 Implementing a simple Single Sign-On application

12.5.1 Managing the authorization server

12.5.2 Starting the implementation

12.5.3 Implementing the ClientRegistration

12.5.4 Implementing a ClientRegistrationRepository

12.5.5 The pure magic of the Spring Boot configuration

12.5.6 Obtaining details about the authenticated user

12.5.7 Testing the application

12.6 Summary

13 OAuth 2 – Implementing the authorization server

13.1 Writing your own authorization server implementation

13.2 Defining user management

13.3 Registering clients with the Authorization Server

13.4 Using the password grant

13.5 Using the authorization code grant

13.6 Using the client credentials grant

13.7 Using the refresh token grant

13.8 Summary

14 OAuth 2 – Implementing the resource server

14.1 Implementing a resource server

14.2 Checking the token remotely

14.3 Implementing blackboarding with a JdbcTokenStore

14.4 A short comparison of the approaches

14.5 Summary

15 OAuth 2 – Using JWT and cryptographic signatures

15.1 Using tokens signed with symmetric keys with JWT

15.1.1 Using JSON Web Tokens

15.1.2 Implementing an Authorization Server which issues JWT

15.1.3 Implementing a Resource Server which uses JWT

15.2 Using tokens signed with asymmetric keys with JWT

15.2.1 Generating the key pair

15.2.2 Implementing an Authorization Server which uses the private key

15.2.3 Implementing a Resource Server which uses the public key

15.2.4 Using an endpoint to expose the public key

15.3 Adding custom details to the JWT

15.3.1 Configuring the Authorization Server to add custom details in the token

15.3.2 Configuring the Resource Server to read the custom details of a JWT

15.4 Summary

16 Global Method Security – Pre/Post Authorization

16.1 Enabling global method security

16.1.1 Understanding call authorization

16.1.2 Enabling global method security in your project

16.2 Applying pre-authorization for authorities and roles

16.3 Applying post-authorization

16.4 Implementing permissions for methods

16.5 Summary

17 Global Method Security: Pre/Post Filtering

17.1 Applying pre-filtering for method authorization

17.2 Applying post-filtering for method authorization

17.3 Using filtering in Spring Data repositories

17.4 Summary

18 Hands-On: An OAuth 2 application

18.1 The application’s scenario

18.2 Configuring Keycloak as an Authorization Server

18.2.1 Registering a client for our system

18.2.2 Specifying the client scopes

18.2.3 Adding the users and obtaining access tokens

18.2.4 Defining the users’ roles

18.3 Implementing the application’s Resource Server

18.4 Testing the application

18.4.1 Prove that the authenticated user can only add a record for themselves

18.4.2 Prove that a user can only retrieve their records

18.4.3 Prove that only admins can delete records

18.5 Summary

19 Spring Security for Reactive Apps

19.1 What are reactive apps?

19.2 User management in reactive apps

19.3 Configuring authorization rules in reactive apps

19.3.1 Applying authorization at the endpoint layer in reactive apps

19.3.2 Using method security in reactive apps

19.4 Reactive apps and OAuth 2

19.5 Summary

20 Spring Security Testing

20.1 Using mock users for test

20.2 Testing with users from a UserDetailsService

20.3 Using custom Authentication objects for testing

20.4 Testing method security

20.5 Testing authentication

20.6 Testing CSRF configurations

20.7 Testing CORS configurations

20.8 Testing reactive Spring Security implementations

20.9 Summary

Appendixes

Creating the Spring Boot project

A.1 Creating a project from start.spring.io

A.2 Creating a project with the Spring Tool Suite (STS)

What's inside

  • The principles of secure by design
  • The architecture of Spring Security
  • Spring Security contracts for password encoding, cryptography, and authentication
  • Applying Spring Security to different architecture styles

About the reader

For experienced Java developers, with knowledge of other Spring tools such as Spring Boot.

About the author

Laurentiu Spilca is a dedicated development lead and trainer at Endava, where he leads the development of a project in the financial market of European Nordic countries. He has over ten years’ experience as a Java developer and technology teacher.
