Don't let security be an afterthought. Spring Security in Action, Second Edition is your vital companion to robust, secure applications that are protected right from the first line of code.
Spring Security in Action, Second Edition is a revised version of the bestselling original, fully updated for Spring Boot 3 and OAuth2/OpenID Connect.
In Spring Security in Action, Second Edition you will learn essential security skills including how to:
• Implement and customize authentication and authorization
• Set up all components of an OAuth2/OpenID Connect system
• Utilize CSRF and CORS configurations
• Secure Spring reactive applications
• Write tests for security configurations
Whether you’re a beginner or a pro, Spring Security in Action, Second Edition teaches you how to secure your Java applications from the ground up. Author Laurentiu Spilca distills his years of experience as a skilled Java and Spring developer into an indispensable guide to every aspect of application security—from authentication and authorization to testing security configurations. This new edition covers the latest patterns for application-level security in Spring apps, demonstrating how Spring Security simplifies every step of the security process.
Foreword by Joe Grandja.
About the technology
Spring Security makes it much, much easier to secure enterprise-scale Java applications. This powerful framework integrates with Spring apps end to end, with “secure by design” principles and ready-to-use features that help you implement robust authentication and authorization and protect against data theft and intrusions. And like everything else in the Spring ecosystem, it’s free, open source, and backed by the awesome team at VMware.
About the book
Spring Security in Action, Second Edition updates this bestselling guide to Spring Security to include deep coverage of OAuth2/OpenID Connect and security configuration using the new SecurityFilterChain. The crystal clear explanations and relevant examples teach you how to build your own authorization server, configure secure endpoints, and prevent cross-site request forgery (CSRF) attacks.
What's inside
• Custom authentication and authorization
• CSRF and CORS configurations
• Secure Spring reactive applications
• Write tests for security configurations
About the reader
For experienced Java and Spring developers.
About the author
Laurentiu Spilca is a skilled Java and Spring developer and an experienced technology instructor. He is also the author of Manning’s Spring Start Here and Troubleshooting Java.
Author(s): Laurentiu Spilca
Edition: 2
Publisher: Manning Publications
Year: 2024
Language: English
Commentary: Publisher's PDF
Pages: 440
City: Shelter Island, NY
Tags: Security; Java; Web Applications; OAuth; OpenID; Testing; Spring Framework; User Management; Password Management; Authentication; CORS; CSRF
Praise for the first edition
brief contents
contents
foreword
preface
acknowledgments
about this book
Who should read this book?
How this book is organized: A roadmap
About the code
liveBook discussion forum
about the author
about the cover illustration
Part 1
1 Security today
1.1 Discovering Spring Security
1.2 What is software security?
1.3 Why is security important?
1.4 What will you learn in this book?
2 Hello, Spring Security
2.1 Starting your first project
2.2 The big picture of Spring Security class design
2.3 Overriding default configurations
2.3.1 Customizing user details management
2.3.2 Applying authorization at the endpoint level
2.3.3 Configuring in different ways
2.3.4 Defining custom authentication logic
2.3.5 Using multiple configuration classes
Part 2
3 Managing users
3.1 Implementing authentication in Spring Security
3.2 Describing the user
3.2.1 Describing users with the UserDetails contract
3.2.2 Detailing on the GrantedAuthority contract
3.2.3 Writing a minimal implementation of UserDetails
3.2.4 Using a builder to create instances of the UserDetails type
3.2.5 Combining multiple responsibilities related to the user
3.3 Instructing Spring Security on how to manage users
3.3.1 Understanding the UserDetailsService contract
3.3.2 Implementing the UserDetailsService contract
3.3.3 Implementing the UserDetailsManager contract
4 Managing passwords
4.1 Using password encoders
4.1.1 The PasswordEncoder contract
4.1.2 Implementing your PasswordEncoder
4.1.3 Choosing from the provided PasswordEncoder implementations
4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder
4.2 Taking advantage of the Spring Security Crypto module
4.2.1 Using key generators
4.2.2 Encrypting and decrypting secrets using encryptors
5 A web app’s security begins with filters
5.1 Implementing filters in the Spring Security architecture
5.2 Adding a filter before an existing one in the chain
5.3 Adding a filter after an existing one in the chain
5.4 Adding a filter at the location of another in the chain
5.5 Filter implementations provided by Spring Security
6 Implementing authentications
6.1 Understanding the AuthenticationProvider
6.1.1 Representing the request during authentication
6.1.2 Implementing custom authentication logic
6.1.3 Applying custom authentication logic
6.2 Using the SecurityContext
6.2.1 Using a holding strategy for the security context
6.2.2 Using a holding strategy for asynchronous calls
6.2.3 Using a holding strategy for standalone applications
6.2.4 Forwarding the security context with DelegatingSecurityContextRunnable
6.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService
6.3 Understanding HTTP Basic and form-based login authentications
6.3.1 Using and configuring HTTP Basic
6.3.2 Implementing authentication with form-based login
Part 3
7 Configuring endpoint-level authorization: Restricting access
7.1 Restricting access based on authorities and roles
7.1.1 Restricting access for all endpoints based on user authorities
7.1.2 Restricting access for all endpoints based on user roles
7.1.3 Restricting access to all endpoints
8 Configuring endpoint-level authorization: Applying restrictions
8.1 Using the requestMatchers() method to select endpoints
8.2 Selecting requests to apply authorization restrictions
8.3 Using regular expressions with request matchers
9 Configuring CSRF protection
9.1 How CSRF protection works in Spring Security
9.2 Using CSRF protection in practical scenarios
9.3 Customizing CSRF protection
10 Configuring CORS
10.1 How does CORS work?
10.2 Applying CORS policies with the @CrossOrigin annotation
10.3 Applying CORS using a CorsConfigurer
11 Implementing authorization at the method level
11.1 Enabling method security
11.1.1 Understanding call authorization
11.1.2 Enabling method security in your project
11.2 Applying preauthorization rules
11.3 Applying postauthorization rules
11.4 Implementing permissions for methods
12 Implementing filtering at the method level
12.1 Applying prefiltering for method authorization
12.2 Applying postfiltering for method authorization
12.3 Using filtering in Spring Data repositories
Part 4
13 What are OAuth 2 and OpenID Connect?
13.1 The big picture of OAuth 2 and OpenID Connect
13.2 Using various token implementations
13.2.1 Using opaque tokens
13.2.2 Using non-opaque tokens
13.3 Obtaining tokens through various grant types
13.3.1 Getting a token using the authorization code grant type
13.3.2 Applying PKCE protection to the authorization code grant type
13.3.3 Getting a token with the client credentials grant type
13.3.4 Using refresh tokens to get new access tokens
13.4 What OpenID Connect brings to OAuth 2
13.5 The sins of OAuth 2
14 Implementing an OAuth 2 authorization server
14.1 Implementing basic authentication using JSON web tokens
14.2 Running the authorization code grant type
14.3 Running the client credentials grant type
14.4 Using opaque tokens and introspection
14.5 Revoking tokens
15 Implementing an OAuth 2 resource server
15.1 Configuring JWT validation
15.2 Using customized JWTs
15.3 Configuring token validation through introspection
15.4 Implementing multitenant systems
16 Implementing an OAuth 2 client
16.1 Implementing OAuth 2 login
16.1.1 Implementing authentication with a common provider
16.1.2 Giving the user more possibilities
16.1.3 Using a custom authorization server
16.1.4 Adding flexibility to your configurations
16.1.5 Managing authorization for an OAuth 2 login
16.2 Implementing an OAuth 2 client
Part 5
17 Implementing security in reactive applications
17.1 What are reactive apps?
17.2 User management in reactive apps
17.3 Configuring authorization rules in reactive apps
17.3.1 Applying authorization at the endpoint layer in reactive apps
17.3.2 Using method security in reactive apps
17.4 Creating a reactive OAuth 2 resource server
Part 6
18 Testing security configurations
18.1 Using mock users for tests
18.2 Testing with users from a UserDetailsService
18.3 Using custom Authentication objects for testing
18.4 Testing method security
18.5 Testing authentication
18.6 Testing CSRF configurations
18.7 Testing CORS configurations
18.8 Testing reactive Spring Security implementations
A Links to official
B Further reading
index