Spring Security in Action
Laurentiu Spilca
  • October 2020
  • ISBN 9781617297731
  • 560 pages
  • printed in black & white

An indispensable guide to Spring Security that belongs on the desk of every serious Spring developer.

Nathan B. Crocker, Galaxy Digital
While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you'll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization.

About the Technology

Security is non-negotiable. You rely on Spring applications to transmit data, verify credentials, and prevent attacks. Adopting "secure by design" principles will protect your network from data theft and unauthorized intrusions.

About the book

Spring Security in Action shows you how to prevent cross-site scripting and request forgery attacks before they do damage. You’ll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary.
Table of Contents detailed table of contents

Part 1. First Steps

1 Security today

1.1 Spring Security: The what and the why

1.2 What is software security?

1.3 Why is security important?

1.4 Common security vulnerabilities in web applications

1.4.1 Vulnerabilities in authentication and authorization

1.4.2 What is session fixation?

1.4.3 What is cross-site scripting (XSS)?

1.4.4 What is cross-site request forgery (CSRF)?

1.4.5 Understanding injection vulnerabilities in web applications

1.4.6 Dealing with the exposure of sensitive data

1.4.7 What is the lack of method access control?

1.4.8 Using dependencies with known vulnerabilities

1.5 Security applied in various architectures

1.5.1 Designing a one-piece web application

1.5.2 Designing security for a backend/frontend separation

1.5.3 Understanding the OAuth 2 flow

1.5.4 Using API keys, cryptographic signatures, and IP validation to secure requests

1.6 What will you learn in this book?

Summary

2 Hello Spring Security

2.1 Starting with the first project

2.2 Which are the default configurations?

2.3 Overriding default configurations

2.3.1 Overriding the UserDetailsService component

2.3.2 Overriding the endpoint authorization configuration

2.3.3 Setting the configuration in different ways

2.3.4 Overriding the AuthenticationProvider implementation

2.3.5 Using multiple configuration classes in your project

Summary

Part 2. Implementation

3 Managing users

3.1 Implementing authentication in Spring Security

3.2 Describing the user

3.2.1 Demystifying the definition of the UserDetails contract

3.2.2 Detailing on the GrantedAuthority contract

3.2.3 Writing a minimal implementation of UserDetails

3.2.4 Using a builder to create instances of the UserDetails type

3.3 Instructing Spring Security on how to manage users

3.3.1 Understanding the UserDetailsService contract

3.3.2 Implementing the UserDetailsService contract

3.3.3 Implementing the UserDetailsManager contract

Summary

4 Dealing with passwords

4.1 Understanding the PasswordEncoder contract

4.1.1 The definition of the PasswordEncoder contract

4.1.2 Implementing the PasswordEncoder contract

4.1.3 Choosing from the provided implementations of PasswordEncoder

4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder

4.2 More about the Spring Security Crypto module

4.2.1 Using key generators

4.2.2 Using encryptors for encryption and decryption operations

Summary

5 Implementing authentication

5.1 Understanding the AuthenticationProvider

5.1.1 Representing the request during authentication

5.1.2 Implementing custom authentication logic

5.1.3 Applying custom authentication logic

5.2 Using the SecurityContext

5.2.1 Using a holding strategy for the security context

5.2.2 Using a holding strategy for asynchronous calls

5.2.3 Using a holding strategy for standalone applications

5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable

5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService

5.3 Understanding HTTP Basic and form-based login authentications

5.3.1 Using and configuring HTTP Basic

5.3.2 Implementing authentication with form-based login

Summary

6 Hands-on: A small secured web application

6.1 Project requirements and setup

6.2 Implementing user management

6.3 Implementing custom authentication logic

6.4 Implementing the main page

6.5 Running and testing the application

Summary

7 Configuring authorization: Restricting access

7.1 Restricting access based on authorities and roles

7.1.1 Restricting access for all endpoints based on user authorities

7.1.2 Restricting access for all endpoints based on user roles

7.1.3 Restricting access to all endpoints

Summary

8 Configuring authorization: Applying restrictions

8.1 Using matcher methods to select endpoints

8.2 Selecting requests for authorization using MVC matchers

8.3 Selecting requests for authorization using Ant matchers

8.4 Selecting requests for authorization using regex matchers

Summary

9 Implementing filters

9.1 Implementing filters in the Spring Security architecture

9.2 Adding a filter before an existing one in the chain

9.3 Adding a filter after an existing one in the chain

9.4 Adding a filter at the location of another in the chain

9.5 Filter implementations provided by Spring Security

Summary

10 Applying CSRF protection and CORS

10.1 Applying cross-site request forgery (CSRF) protection in applications

10.1.1 How CSRF protection works in Spring Security

10.1.2 Using CSRF protection in practical scenarios

10.1.3 Customizing CSRF protection

10.2 Using cross-origin resource sharing

10.2.1 How does CORS work?

10.2.2 Applying CORS policies with the @CrossOrigin annotation

10.2.3 Applying CORS using a CorsConfigurer

Summary

11 Hands-on: A separation of responsibilities

11.1 The scenario and requirements of the example

11.2 Implementing and using tokens

11.2.1 What is a token?

11.2.2 What is a JSON Web Token?

11.3 Implementing the authentication server

11.4 Implementing the business logic server

11.4.1 Implementing the Authentication objects

11.4.2 Implementing the proxy to the authentication server

11.4.3 Implementing the AuthenticationProvider interface

11.4.4 Implementing the filters

11.4.5 Writing the security configurations

11.4.6 Testing the whole system

Summary

12 How does OAuth 2 work?

12.1 The OAuth 2 framework

12.2 The components of the OAuth 2 authentication architecture

12.3 Implementation choices with OAuth 2

12.3.1 Implementing the authorization code grant type

12.3.2 Implementing the password grant type

12.3.3 Implementing the client credentials grant type

12.3.4 Using refresh tokens to obtain new access tokens

12.4 The sins of OAuth 2

12.5 Implementing a simple single sign-on application

12.5.1 Managing the authorization server

12.5.2 Starting the implementation

12.5.3 Implementing ClientRegistration

12.5.4 Implementing ClientRegistrationRepository

12.5.5 The pure magic of Spring Boot configuration

12.5.6 Obtaining details about an authenticated user

12.5.7 Testing the application

Summary

13 OAuth 2: Implementing the authorization server

13.1 Writing your own authorization server implementation

13.2 Defining user management

13.3 Registering clients with the authorization server

13.4 Using the password grant type

13.5 Using the authorization code grant type

13.6 Using the client credentials grant type

13.7 Using the refresh token grant type

Summary

14 OAuth 2: Implementing the resource server

14.1 Implementing a resource server

14.2 Checking the token remotely

14.3 Implementing blackboarding with a JdbcTokenStore

14.4 A short comparison of approaches

Summary

15 OAuth 2: Using JWT and cryptographic signatures

15.1 Using tokens signed with symmetric keys with JWT

15.1.1 Using JWTs

15.1.2 Implementing an authorization server to issue JWTs

15.1.3 Implementing a resource server that uses JWT

15.2 Using tokens signed with asymmetric keys with JWT

15.2.1 Generating the key pair

15.2.2 Implementing an authorization server that uses private keys

15.2.3 Implementing a resource server that uses public keys

15.2.4 Using an endpoint to expose the public key

15.3 Adding custom details to the JWT

15.3.1 Configuring the authorization server to add custom details to tokens

15.3.2 Configuring the resource server to read the custom details of a JWT

Summary

16 Global method security: Pre- and postauthorizations

16.1 Enabling global method security

16.1.1 Understanding call authorization

16.1.2 Enabling global method security in your project

16.2 Applying preauthorization for authorities and roles

16.3 Applying postauthorization

16.4 Implementing permissions for methods

Summary

17 Global method security: Pre- and postfiltering

17.1 Applying prefiltering for method authorization

17.2 Applying postfiltering for method authorization

17.3 Using filtering in Spring Data repositories

Summary

18 Hands-on: An OAuth 2 application

18.1 The application scenario

18.2 Configuring Keycloak as an authorization server

18.2.1 Registering a client for our system

18.2.2 Specifying client scopes

18.2.3 Adding users and obtaining access tokens

18.2.4 Defining the user roles

18.3 Implementing the resource server

18.4 Testing the application

18.4.1 Proving an authenticated user can only add a record for themself

18.4.2 Proving that a user can only retrieve their own records

18.4.3 Proving that only admins can delete records

Summary

19 Spring Security for reactive apps

19.1 What are reactive apps?

19.2 User management in reactive apps

19.3 Configuring authorization rules in reactive apps

19.3.1 Applying authorization at the endpoint layer in reactive apps

19.3.2 Using method security in reactive apps

19.4 Reactive apps and OAuth 2

Summary

20 Spring Security testing

20.1 Using mock users for tests

20.2 Testing with users from a UserDetailsService

20.3 Using custom Authentication objects for testing

20.4 Testing method security

20.5 Testing authentication

20.6 Testing CSRF configurations

20.7 Testing CORS configurations

20.8 Testing reactive Spring Security implementations

Summary

Appendixes

Appendix A: Creating a Spring Boot project

A.1 Creating a project with start.spring.io

A.2 Creating a project with the Spring Tool Suite (STS)

What's inside

  • Encoding passwords and authenticating users
  • Securing endpoints
  • Automating security testing
  • Setting up a standalone authorization server

About the reader

For experienced Java and Spring developers.

About the author

Laurentiu Spilca is a dedicated development lead and trainer at Endava, with over ten years of Java experience.

placing your order...

Don't refresh or navigate away from the page.
print book $59.99 pBook + eBook + liveBook
Additional shipping charges may apply
Spring Security in Action (print book) added to cart
continue shopping
go to cart

eBook $47.99 3 formats + liveBook
Spring Security in Action (eBook) added to cart
continue shopping
go to cart

Prices displayed in rupees will be charged in USD when you check out.
customers also reading

This book 1-hop 2-hops 3-hops

FREE domestic shipping on three or more pBooks