Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in April 2026 (estimated)

ISBN 9781617298585
371 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

Modern enterprises and consumer apps benefit from Single Sign-On, where a user authenticates once and seamlessly accesses multiple applications. The chapter motivates this with employee and customer scenarios, then shows how to decouple authentication from individual apps by delegating it to a dedicated Identity Provider. Centralizing authentication improves usability and reduces credential sprawl, while enabling consistent, stronger controls. Applications rely on the Identity Provider to verify identity and issue tokens that act like access cards, which other services can use to authorize requests.

The chapter frames SSO with OAuth 2 and OpenID Connect, introducing the four main actors: user, client, Identity Provider, and resource server. It explains the authorization code flow: redirect the user to authenticate, return a one-time authorization code, exchange it for an access token, then call the backend with that token. Tokens are commonly JWTs signed with rotating asymmetric keys so resource servers can validate integrity and issuer authenticity via public keys. It contrasts this with token introspection (ask the Identity Provider each time) and notes its coupling, latency, and exposure trade-offs. It also clarifies token types and lifetimes, why the implicit flow is deprecated due to leakage risks, and how OpenID Connect adds an ID token alongside the access token.

Finally, the chapter applies these concepts to an Acme Inc. system using a dedicated Identity Provider and standard client configuration: defining users and clients, allowed grant types, redirect URIs, and scopes. It demonstrates the end-to-end path—discovering endpoints, initiating the authorization request, authenticating, obtaining the authorization code, exchanging it at the token endpoint, and inspecting the resulting JWT claims (such as subject, audience, issuer, and expiration) identified by a key ID for verification. It also covers the client credentials flow for service-to-service calls (for example, payments), where no end user is involved and a service authenticates directly to obtain a token for backend-to-backend requests.

Jeanny uses multiple apps as part of her daily work routine, requiring her to authenticate into each one individually every day.

Patrick shops online, listens to music on various platforms, and purchases tickets for shows and movies, all using different apps and websites. Since he already has a Gmail account, he prefers to authenticate across these services using his Gmail credentials.

Before accessing an app, the Identity Provider (IdP) authenticates the user. The IdP handles the authentication process, while the other apps rely on it to provide the necessary details for authorizing the user to use the specific features they offer.

Authenticating using a known social media account. Patrick uses his Google credentials to sign into multiple apps. In this case, Google acts as the IdP. The other apps Patrick uses are designed to let users, like him, authenticate with their Google credentials. Generally, apps offer multiple authentication options, including social media platforms and email services.

The user authenticates with the IdP, which then issues a token. This token serves as proof of the user's identity and successful authentication.

The authorization code grant type. The user verifies their identity to access and work with data managed by the app’s backend.

Verifying the authenticity of a signed token. When the resource server receives a signed token, it uses a public key to validate the token. The resource server obtains this public key from the IdP, allowing it to verify that the token is valid.

Token Introspection. When a token isn’t cryptographically signed, the resource server must directly query the IdP to validate the token. This process is known as token introspection.

Suppose Acme Inc. needs to issue payments. In this scenario, our app must communicate with a specialized service known as a payment service provider. This provider must verify that the requests are indeed coming from Acme Inc. and not another service. Additionally, it needs to ensure that the data has not been altered during transmission.

Acme Inc. authenticates against an Identity Provider (IdP) and obtains a token. The app then uses this token to send requests to another service, which authorizes them.

Summary

Single Sign-On (SSO) simplifies user authentication by allowing employees and customers to use a single set of credentials for multiple applications.
OAuth2 and OpenID Connect are protocols used to implement SSO by separating authentication responsibilities into an Identity Provider (IdP).
Among the authentication flows the OAuth 2 specification describes the most used ones are:

The authorization code grant type is the most common, used when user interaction is required.
The client credentials grant type is used when one application needs to authenticate another without user involvement.

Using OAuth 2/OpenID Connect implies multiple actors in the authentication flow:

The user (e.g., employee or customer)
The client (app or service used)
The IdP (also known as authorization server) – a service offering authentication capabilities to multiple clients.
The resource server - app backend that handles data and authorization

Tokens are central to OAuth2 and OpenID Connect:

Access tokens which are used for authorization
ID tokens which contain user information

JWTs (JSON Web Tokens) are commonly used for token formatting and include a header (metadata), a payload (user/client details), and a signature for validation.
Token validation involves cryptographic methods or token introspection, ensuring secure communication between applications.

FAQ

What is Single Sign-On (SSO) and why is it useful?

SSO lets a user authenticate once with a trusted Identity Provider (IdP) and then access multiple applications without logging in again. It reduces password fatigue, streamlines access for employees using many internal apps, and enables customers to reuse existing accounts (for example, Google) across services.

What is an Identity Provider (IdP)? Is it the same as an Authorization Server?

An IdP is a dedicated application that authenticates users and issues tokens as proof. Other apps rely on it to verify identity and drive authorization decisions. Some people call it an Authorization Server; this chapter consistently uses the term IdP.

Who are the main actors in OAuth 2.0 and OpenID Connect?

- User: the person using the app - Client: the application the user interacts with (web or mobile) - Identity Provider (IdP): authenticates users and issues tokens - Resource Server: the backend API that enforces authorization and serves data

How does the authorization code grant type work?

- The user asks the client to access protected data. - The client redirects the user to the IdP’s login page. - The user authenticates at the IdP. - The IdP redirects back with a one-time authorization code. - The client exchanges that code with the IdP for an access token. - The client calls the resource server, presenting the access token. - The resource server validates the token and returns the data.

Why is the implicit grant type deprecated?

It returns the access token via a browser redirect URL, which risks token exposure: - Tokens can leak through browser history or plugins. - URLs might be logged. - URLs can be mistakenly forwarded. The authorization code exchange avoids sending the access token in the redirect URL.

How does a resource server validate an access token?

Commonly, the IdP signs tokens with a private key and publishes matching public keys. The resource server: - Reads the token’s key ID (kid), - Fetches the corresponding public key from the IdP, - Verifies the signature to ensure authenticity and integrity. If tokens are opaque (not signed/self-describing), the resource server can use token introspection by asking the IdP directly if the token is valid.

What are access tokens and ID tokens, and how are they used?

- Access token: presented to the resource server to authorize API calls. - ID token: carries identity details about the authenticated user. With OpenID Connect, both are typically JWTs and serve complementary roles.

What’s the difference between opaque and non-opaque (JWT) tokens?

- Non-opaque (e.g., JWT): self-contained; include header and payload claims; can be validated locally with the IdP’s public key. - Opaque: carry no readable claims; must be validated via token introspection with the IdP. Opaque tokens increase coupling and latency but can centralize validation.

How long do access tokens last, and what limits misuse if they’re stolen?

Access tokens are short-lived (often an hour or less). Short lifetimes reduce the window of misuse. Signed tokens prevent tampering, and avoiding token delivery via browser URLs (using the code exchange) helps prevent leakage.

When should I use the client credentials grant type?

Use it for machine-to-machine scenarios with no user involved (for example, an internal service calling a payment provider). The client authenticates to the IdP, obtains an access token, and uses it to call the resource server, which authorizes the request.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more