Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

May 2026
ISBN 9781617298585
360 pages

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

print book available May 18, 2026

ePub + liveBook available May 18, 2026

resources: Source code Book forum Source code on GitHub Register your pBook for a free eBook

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

13 Deepening security with OpenID Connect

As organizations expand and introduce Single Sign-On, they benefit from separating authentication from application backends and adopting standards that balance security and usability. OAuth 2.0 provides delegated authorization, while OpenID Connect (OIDC) layers identity on top, enabling apps to confirm who a user is in a consistent, interoperable way. This chapter deepens those foundations by showing how to harden the Authorization Code flow, keep sessions smooth without sacrificing safety, leverage OIDC’s identity features, and scale securely across multiple tenants.

To defend the Authorization Code flow—especially for public clients like mobile and SPA—PKCE pairs a one-time code verifier with a hashed code challenge so only the original client can redeem an intercepted code; use the S256 method and treat PKCE as mandatory per OAuth 2.1, while noting it’s unnecessary for machine-to-machine flows. Since short-lived access tokens reduce risk but can annoy users, refresh tokens allow seamless renewal; secure them with TLS, appropriate storage, limited scopes, rotation on use, expiration, and rapid revocation, and pair them with PKCE for public clients to curb abuse.

OIDC enriches identity with an ID token (always a JWT) that conveys verified user claims, a UserInfo endpoint for additional profile data, and built-in defenses like nonce and state to thwart replay and CSRF. It standardizes session management and logout—supporting silent checks, RP-initiated logout, and single logout—for consistent cross-application behavior. For multitenancy, a single IdP can serve many isolated tenants through tenant-specific endpoints, branding, and configuration, embedding tenant-aware claims (such as tenant identifiers, roles, and permissions), enabling per-tenant RBAC, dynamic client registration, and strictly isolated sessions to prevent cross-tenant leakage.

The Authorization Code Grant Flow. The client application requests access to resources protected by a backend application (resource server) on behalf of a user. To initiate this process, the client redirects the user to authenticate with a trusted authorization server. Upon successful authentication, the client receives an authorization code, which it then exchanges for an access token. With a valid access token, the client can securely access the protected resources hosted by the backend application.

Proof Key for Code Exchange (PKCE) Flow. Before initiating the authentication process, the client generates a unique and random pair of values: a code challenge and a code verifier. The client uses this pair throughout the authorization flow to enhance security, ensuring no unauthorized party can intercept or misuse the authentication process to impersonate the user.

Relationship Between Code Verifier and Code Challenge. The code verifier is a securely generated random value. The code challenge is derived by applying a cryptographic hash function (commonly SHA-256) to the code verifier. This one-way transformation strengthens the security of the authorization process by ensuring the verifier cannot be reverse-engineered from the challenge.

The Refresh Token flow. When a client is registered to use refresh tokens, it receives both an access token and a refresh token from the authorization server. The client can later use the refresh token to seamlessly request a new access token without requiring any additional user interaction. This approach maintains security while providing a smoother, uninterrupted user experience.

OAuth 2.0 is like a bouncer at a club—it checks if you're allowed to enter but has no idea you're a VIP member.

Illustration of a Replay Attack—An attacker intercepts and maliciously resends a previously valid request to trigger unauthorized actions or changes within the system.

Example of a Replay Attack with Data Tampering—If cryptographic signing is not used, a hacker can intercept and modify a transaction. In this case, the attacker increases the transaction amount and redirects the payment to their own account instead of the legitimate shop's account.

Using a nonce with a properly signed transaction prevents hackers from replaying or modifying the request, ensuring the transaction is secure and unique.

Cross-Site Request Forgery (CSRF)—An attacker tricks a logged-in user into unknowingly sending a malicious request to a trusted website. Because the user is already authenticated, the server treats the request as legitimate and executes unauthorized actions, potentially leading to unintended changes or data exposure.

Cross-Site Request Forgery (CSRF) Tokens—The server issues a unique, secret token to the client, which must be included in all subsequent requests. If the token is missing, invalid, or incorrect, the server rejects the request. Since the attacker does not know this token, they cannot craft a valid request, preventing them from tricking the user into executing unauthorized actions.

Without centralized session management, users may unintentionally leave multiple sessions open across different devices or applications, increasing the risk of unauthorized access and potential security breaches.

Summary

Proof Key for Code Exchange (PKCE) strengthens the Authorization Code Flow by preventing authorization code interception, especially for public clients like mobile and web apps.
Refresh Tokens allow applications to maintain user sessions without repeatedly prompting for login, banacing security (by limiting access token lifespan) and user experience (by reducing interruptions).
OpenID Connect’s Identity Layer introduces the ID Token, securely providing user identity information alongside the access token, enabling applications to authenticate users safely and reliably.
The UserInfo Endpoint allows applications to retrieve additional user profile information in a standardized and secure manner, complementing the ID Token.
OIDC enhances security against Replay Attacks and Cross-Site Request Forgery (CSRF) by using security parameters like nonce and state, ensuring requests are legitimate and unique.
Session Management and Logout are standardized in OIDC, allowing consistent user session handling and Single Logout (SLO) across multiple connected applications, improving both security and user experience.
Multitenancy with OIDC enables Acme Commerce Cloud to securely serve multiple tenants with distinct authentication flows, custom branding, isolated sessions, and tenant-specific roles and permissions—all from a single identity provider.
Best Practices include always using PKCE with public clients, securely storing refresh tokens, enabling refresh token rotation, and enforcing secure communication with TLS/SSL.

FAQ

What problem does PKCE solve in the authorization code flow?

It prevents attackers who intercept an authorization code from exchanging it for tokens by binding the code to the original client through a code challenge and verifier—especially critical for public clients.

How does PKCE work, in brief?

The client generates a random code verifier, derives a code challenge (preferably using SHA-256), sends the challenge in the auth request, and later must present the original verifier when exchanging the code. The server matches them before issuing tokens.

When should I use PKCE, and when is it unnecessary?

Use PKCE for all public clients (SPAs, mobile, IoT) and, per OAuth 2.1, for all authorization code flows. It adds little value for machine-to-machine (client credentials) flows and may be redundant in tightly controlled private environments—but don’t disable it if supported.

Which code challenge method should I use?

Use S256 (SHA-256) over plain. S256 provides strong one-way protection; the plain method offers minimal security and should be avoided.

Why not make access tokens long-lived instead of using refresh tokens?

Long-lived access tokens increase damage if stolen. Short-lived access tokens limit exposure, while refresh tokens let clients obtain new access tokens without re-prompting the user.

How do I secure refresh tokens, especially on public clients?

Use TLS end-to-end, pair with PKCE, minimize scopes, enable refresh token rotation, set expirations, and support revocation on suspicious activity. Store tokens securely; confidential clients can store them server-side.

What does OpenID Connect add to OAuth 2.0?

An identity layer: ID tokens for authentication, the UserInfo endpoint for profile data, nonce/state for replay and CSRF protection, and standardized session management/logout.

What is an ID token and why is it always a JWT?

An ID token carries verified user identity and auth details for the client. It’s always a JWT so claims are readable and cryptographically verifiable; access tokens may be JWTs or opaque.

When should I call the UserInfo endpoint versus using the ID token?

Use the ID token for core identity at login. Call UserInfo when you need additional or updated profile data not included in the ID token. Provide a valid access token to call it.

How does OIDC support multitenancy?

By enabling tenant-specific endpoints and branding, tenant-aware claims (e.g., tenant_id, roles), isolated sessions, dynamic client registration, and routing auth to different IdPs per tenant.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more