Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in April 2026 (estimated)

ISBN 9781617298585
371 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

17 Taming authorization: RBAC, ABAC, ReBAC

Authorization is the discipline that decides not just who you are, but what you’re allowed to do across a growing sprawl of apps, APIs, and services. This chapter contrasts three core models—RBAC, ABAC, and ReBAC—showing where each excels and where it breaks down, and explains how to keep authorization maintainable as systems scale from monoliths to microservices. It emphasizes choosing the right model for context, preventing drift and complexity, and designing enforcement that’s consistent, auditable, and resilient.

RBAC grants access via roles mapped to permissions, making it fast, intuitive, and widely supported, but prone to role explosion and weak at context-specific decisions. ABAC evaluates attributes of users, resources, and environment to enforce least privilege with fine-grained, dynamic rules; its power brings policy complexity, dependency on accurate, consistent attributes, and potential performance costs. ReBAC bases decisions on explicit relationships like ownership, membership, sharing, or delegation, fitting collaborative, hierarchical, and multi-tenant domains; its challenges include modeling and querying relationship graphs at scale and explaining indirect, inherited access.

In monoliths, authorization is simpler because all context is local; modular designs let each domain module guard its own resources and enable clearer testing, auditing, and logging. In distributed systems, every service must enforce access independently—never trusting upstream checks—and teams must share precise semantics for roles and attributes. Practical patterns include combining IdP-issued tokens with consistent claims, using dedicated policy/authorization services for fine-grained ABAC or ReBAC, and treating a central relationship store as critical infrastructure. The trade-offs are real: avoid inconsistent attribute vocabularies, mitigate single points of failure, and be cautious with embedding relationships in tokens to prevent stale, incomplete, or forged access.

Comparing RBAC, ABAC, and ReBAC. RBAC grants access based on predefined roles like user, manager, or admin. ABAC adds flexibility by using user and resource attributes such as department, shift, and clearance level to make decisions. ReBAC focuses on the relationships between entities, for example, who owns a resource or who is responsible for whom, making it ideal for collaborative and delegated access scenarios.

Roles and their associated permissions in RBAC. In role-based access control, each role represents a bundle of permissions. A user assigned to a role automatically inherits all the permissions granted by that role. This structure simplifies access control but can become difficult to manage as permission needs grow more specific.

ABAC rule based on multiple user attributes. In this ABAC example, access to documents is granted if a user has a clearance level of "top" or belongs to the "US" region. Mary meets the clearance requirement, and John meets the region condition, so both are allowed access. Bob, who has neither "top" clearance nor "US" region, is denied. This highlights how ABAC evaluates access dynamically based on attribute values rather than fixed roles.

Attribute inconsistency leads to broken authorization. In this example, all users are meant to access documents if they are from Europe. However, inconsistent attribute values like "EU", "Europe", and "FR" cause authorization failures.

Enriching authorization claims across system layer. The identity provider issues a token with basic claims, such as roles or user ID. The API Gateway can enhance the token with request-specific claims, like active project IDs or request origin. Finally, backend services (like the Order Service) may fetch additional business-specific data, such as user preferences, access scope, or customer assignments, from a profile service or a custom authorization component. This layered enrichment ensures services receive the right context to make fine-grained authorization decisions.

Using a central relationship store for ReBAC in a microservices architecture. Each service syncs its relationship data (like ownerships, memberships, or associations) to a central relationship store. When a service needs to authorize a request, it queries the store to evaluate whether a valid relationship exists between the user and the resource in question.

A service querying the central relationship store to evaluate access. In a ReBAC-enabled architecture, services don’t store or compute relationship logic locally. Instead, when the Payment Service needs to verify if user “joe” owns specific invoices, it sends a query to the central relationship store. The store evaluates the relationship graph and returns the answer.

Central relationship store as a single point of failure. If the central relationship store becomes unavailable, services relying on it for authorization cannot validate user-resource relationships. This dependency introduces a potential single point of failure: even if business services are fully operational, access checks may fail, blocking critical functionality across the system. High-availability strategies or fallbacks are essential to mitigate this risk.

Summary

RBAC assigns access based on roles, making it easy to implement and widely supported, but it can lead to role explosion in larger systems.
ABAC adds flexibility by evaluating user, resource, and environment attributes, enabling context-aware decisions but requiring consistent attribute definitions and data quality.
ReBAC uses relationships between entities to determine access, allowing fine-grained permissions in collaborative or multi-tenant systems but needing a relationship graph or central store.
Monoliths simplify authorization logic, making implementing and testing all three models locally easier. Authorization model implementation is even easier and more efficient when the monoliths are designed modular.
In distributed systems, all services must agree on what roles, attributes, and relationships mean. If they don’t, access rules become inconsistent and security gaps can appear.
Service-oriented systems demand each service enforce its own rules, making identity propagation and consistent interpretation of roles and attributes essential.
Cloud-native and serverless architectures offload part of the authorization logic to IAM policies, combining app-level decisions with infrastructure-enforced rules.
In distributed environments, consistency and trust are key.
Choosing between RBAC, ABAC, and ReBAC depends on the system’s complexity and access patterns, and in many systems, a hybrid approach provides the best balance.

FAQ

What’s the core difference between RBAC, ABAC, and ReBAC?

RBAC grants access based on assigned roles (bundles of permissions). ABAC evaluates attributes of the user, resource, and environment against policies (e.g., department, region, time). ReBAC decides using relationships between entities (e.g., owner, member_of, shared_with). In short: roles vs attributes vs relationships.

When do I need more than just roles?

You’ve likely outgrown pure RBAC when decisions depend on context or resource-specific rules, such as:

“Managers can edit only their direct reports.”
“Users can access data only for their region.”
Multi-tenant boundaries or per-object sharing/delegation.

These call for ABAC (attributes) or ReBAC (relationships) to avoid creating many narrowly scoped roles.

What is role explosion, and how do I prevent it?

Role explosion happens when you create many highly specific roles to capture edge cases, making access hard to understand and audit. Prevention tips:

Keep roles coarse and stable; push variability into ABAC rules.
Document role semantics and align teams on meaning.
Map roles to explicit capabilities/scopes; avoid ad hoc roles.
Periodically review and merge or retire rarely used roles.

When should I choose ABAC, and what are the trade-offs?

Use ABAC when decisions require context (department, region, sensitivity, time, device) or strict least-privilege boundaries. Benefits: fine-grained, dynamic control. Trade-offs:

Policy complexity grows with scenarios (“attribute sprawl”).
Attribute accuracy/consistency is critical; bad data breaks decisions.
Performance depends on fetching and evaluating attributes.

Mitigate with a shared attribute vocabulary, strong data ownership, caching, and policy tooling (e.g., a policy engine).

How does ReBAC work, and when is it a good fit?

ReBAC evaluates access from relationships among users, groups, projects, and resources (ownership, membership, shared_with). It shines in:

Collaboration and sharing (docs, boards, tasks).
Delegation and approvals (“act on behalf of”).
Multi-tenant and org hierarchies.

Expect to model and query a relationship graph; plan for graph traversal performance and explainability.

Where should authorization checks live in a monolith?

Enforce checks close to domain logic, not sprinkled across controllers. In a modular monolith:

Let each module guard its own resources (e.g., Invoices module decides “canEditInvoice”).
Expose clear gatekeeper methods/decorators and reuse them consistently.
Add auditing and failure logging at decision points.

This improves maintainability, testing, and traceability.

How should microservices handle authorization?

Each service must authorize independently—never trust upstream checks. To keep decisions consistent:

Define shared role semantics and an attribute contract.
Prefer capabilities/scopes over ambiguous role names.
Use a central policy/relationship service when decisions need global context.

This avoids drift where the same role means different things per service.

Who should own attributes and relationships: the IdP, a gateway, or a dedicated service?

Identity provider (IdP): great for authentication, roles, and a few stable attributes.
Gateway/middleware: can enrich requests with transient context (IP, locale), but adds coupling.
Dedicated profile/authorization service: source of truth for dynamic, domain-specific attributes and relationships; query at decision time or mint short-lived claims.

In complex systems, split responsibilities: IdP for identity; dedicated service for fine-grained auth data.

Why use a central relationship store for ReBAC, and what are the risks?

A central relationship store lets services query a unified graph (“Is user X related to resource Y?”), delivering consistent and auditable decisions. Risks and mitigations:

Single point of failure or latency bottleneck → design for HA, horizontal scaling, and caching.
Stale/incomplete graph → event-driven sync and integrity checks.
Throughput spikes → rate limiting and asynchronous precomputation where possible.

Is embedding relationship data in tokens a good idea?

It’s fast but risky:

Stale: memberships change after token issuance.
Incomplete: indirect/inherited links may be omitted for size.
Forged: if tokens aren’t verified correctly.

Mitigate with short-lived tokens, strict signature/issuer validation, narrow scopes, and on-demand checks against a trusted relationship store for sensitive actions; consider cache-with-invalidation patterns.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more