Spring Security in Action
Laurentiu Spilca
  • MEAP began December 2019
  • Publication in Fall 2020 (estimated)
  • ISBN 9781617297731
  • 450 pages (estimated)
  • printed in black & white

If you want to get a thorough understanding of software security, and how it can be applied in a Spring application, this book is for you!

Matt Greene
While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you’ll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization.
Table of Contents

Part 1: First Steps

1 Security today

1.1 Spring Security - the what and the why

1.2 What is software security?

1.3 Why is security important?

1.4 Common security vulnerabilities in web applications

1.4.1 Vulnerabilities in authentication and authorization

1.4.2 What is session fixation?

1.4.3 What is cross-site scripting (XSS)?

1.4.4 What is cross-site request forgery (CSRF)?

1.4.5 Understanding injection vulnerabilities in web applications

1.4.6 Dealing with the exposure of sensitive data

1.4.7 What is the lack of method access control?

1.4.8 Using dependencies with known vulnerabilities

1.5 Security applied in various architectures

1.5.1 Designing a one-piece web application

1.5.2 Designing security for a backend/frontend separation

1.5.3 Understanding the OAuth2 flow

1.5.4 Using API keys, cryptographic signatures, and IP whitelisting to secure requests

1.6 What will you learn in this book?

1.7 Summary

2 Hello Spring Security

2.1 Starting with the first project

2.2 Which are the default configurations?

2.3 Overriding the default configurations

2.3.1 Overriding the UserDetailsService component

2.3.2 Overriding the endpoint authorization configuration

2.3.3 Setting the configuration in different ways

2.3.4 Overriding the AuthenticationProvider implementation

2.3.5 Using multiple configuration classes in your project

2.4 Summary

Part 2: Implementation

3 Managing users and passwords

3.1 Implementing authentication in Spring Security

3.2 Describing the user

3.2.1 Demystifying the definition of the UserDetails contract

3.2.2 Detailing on the GrantedAuthority contract

3.2.3 Writing the minimal implementation of the UserDetails

3.2.4 Using a builder to create instances of the UserDetails type

3.3 Instructing Spring Security on how to manage the users

3.3.1 Understanding the UserDetailsService contract

3.3.2 Implementing the UserDetailsService contract

3.3.3 Implementing the UserDetailsManager contract

3.4 Understanding the PasswordEncoder contract

3.4.1 The definition of the PasswordEncoder contract

3.4.2 Implementing the PasswordEncoder contract

3.4.3 Choosing from the provided implementations of PasswordEncoder

3.4.4 Having multiple encoding strategies with DelegatingPasswordEncoder

3.5 More about the Spring Security Crypto Module

3.5.1 Using key generators

3.5.2 Using encryptors for encryption and decryption operations

3.6 Summary

4 Implementing authentication

4.1 Understanding the AuthenticationProvider

4.1.1 Representing the request during authentication

4.1.2 Implementing the custom authentication logic

4.1.3 Applying the custom authentication logic

4.2 Using the SecurityContext

4.2.1 Using a holding strategy for the security context

4.2.2 Using a holding strategy for asynchronous calls

4.2.3 Using a holding strategy for standalone applications

4.2.4 Forwarding the security context with a DelegatingSecurityContextRunnable

4.2.5 Forwarding the security context with a DelegatingSecurityContextExecutorService

4.3 Understanding HTTP Basic and Form Login authentication methods

4.3.1 Using and configuring HTTP Basic

4.3.2 Implementing the authentication with the Form Login method

4.4 Summary

5 Hands-On: A small secured web application

5.1 Requirements and setup of the project

5.2 Implementing user management

5.3 Implementing the custom authentication logic

5.4 Implementing the main page

5.5 Running and testing the application

5.6 Summary

6 Configuring authorization

6.1 Restricting access based on authorities and roles

6.1.1 Restricting access for all the endpoints based on the user authorities

6.1.2 Restricting access for all the endpoints based on the user roles

6.1.3 Restricting all the access to endpoints

6.2 Selecting endpoints with matcher methods

6.2.1 Using matcher methods to select endpoints

6.2.2 Selecting requests for authorization using MVC matchers

6.2.3 Selecting requests for authorization using ANT matchers

6.2.4 Selecting requests for authorization using regex matchers

6.3 Summary

7 Implementing filters

7.1 Implementing filters in the Spring Security architecture

7.2 Adding a filter before an existing one in the chain

7.3 Adding a filter after an existing one in the chain

7.4 Adding a filter at the location of another in the chain

7.5 Filter implementations provided by Spring Security

7.6 Summary

8 Applying CSRF protection and CORS

8.1 Applying CSRF protection in applications

8.1.1 How CSRF protection works in Spring Security

8.1.2 Using CSRF protection in practical scenarios

8.1.3 Customizing CSRF protection

8.2 Using Cross-Origin Resource Sharing (CORS)

8.2.1 How does CORS work?

8.2.2 Applying CORS policies with the @CrossOrigin annotation

8.2.3 Applying CORS using a CorsConfigurer

8.3 Summary

9 Hands-On: Implementing authorization

9.1 The scenario and requirements of the example

9.2 Implementing and using tokens

9.2.1 What is a token?

9.2.2 What is a JSON Web Token (JWT)?

9.3 Implementing the Authentication Server

9.4 Implementing the Business Logic Server

9.4.1 Implementing the Authentication objects

9.4.2 Implementing the proxy to the Authentication Server

9.4.3 Implementing the AuthenticationProvider objects

9.4.4 Implementing the filters

9.4.5 Writing the security configurations

9.4.6 Testing the whole system

9.5 Summary

10 OAuth2 - How does it work?

10.1 The OAuth 2 framework

10.2 The components of the OAuth 2 authentication architecture

10.3 Implementation choices with OAuth 2

10.3.1 Implementing the authorization code grant type

10.3.2 Implementing the password grant type

10.3.3 Implementing the client credentials grant type

10.3.4 Using refresh tokens to obtain new access tokens

10.4 The sins of OAuth 2

10.5 Implementing a simple Single Sign-On application

10.5.1 Managing the authorization server

10.5.2 Starting the implementation

10.5.3 Implementing the ClientRegistration

10.5.4 Implementing a ClientRegistrationRepository

10.5.5 The pure magic of the Spring Boot configuration

10.5.6 Obtaining details about the authenticated user

10.5.7 Testing the application

10.6 Summary

11 OAuth2 – Implementing the authorization server

11.1 Writing your own authorization server implementation

11.2 Defining user management

11.3 Registering clients with the Authorization Server

11.4 Using the password grant

11.5 Using the authorization code grant

11.6 Using the client credentials grant

11.7 Using the refresh token grant

11.8 Summary

12 OAuth2 – Implementing the resource server

12.1 Implementing a resource server

12.2 Checking the token remotely

12.3 Implementing blackboarding with a JdbcTokenStore

12.4 A short comparison of the approaches

12.5 Summary

13 Global Method Security

14 Integration with Spring Data

15 Hands-On: Implementing an OAuth2 app

16 Integration with Spring Data

17 Spring Security for reactive applications

18 Spring Security Testing

Part 3: Beyond Spring Security in applications

19 Spring Security and orchestration in containers

Appendixes

A Creating the Spring Boot project

A.1 Creating a project from start.spring.io

A.2 Creating a project with the Spring Tool Suite (STS)

About the Technology

Your applications, along with the data they manage, are one of your organization’s most valuable assets. No company wants their applications easily cracked by malicious attackers or left vulnerable by avoidable errors. The specialized Spring Security framework reduces the time and manpower required to create reliable authorization, authentication, and other security features for your Java enterprise software. Thanks to Spring Security, you can easily bake security into your applications, from design right through to implementation.

About the book

Spring Security in Action shows you how to use Spring Security to create applications you can be confident will withstand even the most dedicated attacks. Starting with essential “secure by design” principles, you’ll learn common software vulnerabilities and how to avoid them right from the design stage. Through hands-on projects, including a web application and a microservices architecture, you’ll learn to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization. As you go, you’ll learn how to adapt Spring Security to different architectures, such as configuring Spring Security for reactive applications and container-based applications orchestrated with Kubernetes. When you’re done, you’ll have a complete understanding of how to use Spring Security to protect your Java enterprise applications from common threats and attacks.

What's inside

  • The principles of secure by design
  • The architecture of Spring Security
  • Spring Security contracts for password encoding, cryptography, and authentication
  • Applying Spring Security to different architecture styles

About the reader

For experienced Java developers, with knowledge of other Spring tools such as Spring Boot.

About the author

Laurentiu Spilca is a dedicated development lead and trainer at Endava, where he leads the development of a project in the financial market of the European Nordic countries. He has over ten years' experience as a Java developer and technology teacher.

Manning Early Access Program (MEAP)

Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.
MEAP combo $59.99 pBook + eBook + liveBook
MEAP eBook $47.99 pdf + ePub + kindle + liveBook