Hands-On Spring Security 5 for Reactive Applications

Book description

Secure your Java applications by integrating the Spring Security framework in your code

Key Features

  • Provide authentication, authorization and other security features for Java applications.
  • Learn how to secure microservices, cloud, and serverless applications easily
  • Understand the code behind the implementation of various security features

Book Description

Security is one of the most vital concerns for any organization. The complexity of an application is compounded when you need to integrate security with existing code, new technology, and other frameworks. This book will show you how to effectively write Java code that is robust and easy to maintain.

Hands-On Spring Security 5 for Reactive Applications starts with the essential concepts of reactive programming, Spring Framework, and Spring Security. You will then learn about a variety of authentication mechanisms and how to integrate them easily with the Spring MVC application. You will also understand how to achieve authorization in a Spring WebFlux application using Spring Security. You will be able to explore the security configurations required to achieve OAuth2 for securing REST APIs and integrate security in microservices and serverless applications. This book will guide you in integrating add-ons that will add value to any Spring Security module.

By the end of the book, you will be proficient at integrating Spring Security in your Java applications.

What you will learn

  • Understand how Spring Framework and Reactive application programming are connected
  • Implement easy security configurations with Spring Security expressions
  • Discover the relationship between OAuth2 and OpenID Connect
  • Secure microservices and serverless applications with Spring
  • Integrate add-ons, such as HDIV, Crypto Module, and CORS support
  • Apply Spring Security 5 features to enhance your Java reactive applications

Who this book is for

If you are a Java developer who wants to improve application security, then this book is for you. A basic understanding of Spring, Spring Security framework, and reactive applications is required to make the most of the book.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Spring Security 5 for Reactive Applications
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
  7. Overview of Spring 5 and Spring Security 5
    1. How examples are structured
    2. New-generation application requirements
    3. Reactive programming
    4. Reactive applications
      1. Reactive Manifesto
        1. Responsive
        2. Resilient
        3. Elastic
        4. Message-driven
    5. Spring Framework
    6. Reactive Landscape in Java
      1. Reactive Streams and Reactive Streams Specifications
        1. Non-blocking
        2. Backpressure
      2. Reactive Extensions
        1. RxJava
      3. Reactive Streams and RxJava
      4. JDK 9 additions
        1. Important interfaces
          1. The Publisher Interface
          2. The Subscriber Interface
          3. The Subscription interface
          4. The Processor interface
    7. Spring Framework and reactive applications
      1. Modules in Reactor
        1. Reactive types in Reactor Core
          1. The Flux reactive type
          2. The Mono reactive type
        2. Data stream types
        3. Reactor and RxJava
      2. Reactive Web Application
        1. Spring WebFlux
          1. Reactive Spring Web
        2. WebClient
        3. WebSockets
    8. Application security
    9. Spring Security
      1. Spring Security terminologies
    10. Spring Security's core features
      1. Authentication
      2. Authorization
    11. Spring Security 5's new features
    12. Working of Spring Security
      1. Servlet Filter
      2. Filter Chain
      3. Security Interceptor (DelegatingFilterProxy)
    13. Core Spring Security modules
    14. Summary
  8. Deep Diving into Spring Security
    1. Authentication
      1. Setting up AuthenticationManager
      2. AuthenticationProvider
        1. Custom AuthenticationProvider
        2. Multiple AuthenticationProvider
    2. Sample application
      1. Base project setup
        1. Step 1—Create a Maven project in IntelliJ IDEA
        2. Step 2—pom.xml changes
        3. Step 3—MySQL database schema setup
        4. Step 4—Setting up MySQL database properties in your project
        5. Step 5—Spring application configuration
        6. Step 6—Web application configuration
        7. Step 7—Spring MVC setup
        8. Step 8—Controller setup
        9. Step 9—JSP creation
      2. Spring Security setup
        1. Step 1—Spring Security configuration setup
        2. Step 2—Spring Security setup for a web application
      3. Running the application
      4. In-memory user storage
      5. Run as Spring Boot
    3. Authorization
      1. Web URL
      2. Method invocation
      3. Domain instance
    4. Other Spring Security capabilities
    5. Summary
  9. Authentication Using SAML, LDAP, and OAuth/OIDC
    1. Security Assertion Markup Language
      1. Setting up an SSO provider
      2. Setting up the project
        1. The pom.xml file setup
        2. The application.yml file setup
        3. The Spring Security configuration files
        4. The resources folder setup
      3. Running and testing the application
    2. Lightweight Directory Access Protocol
      1. Set up dependencies in the pom.xml file
      2. Spring Security configuration
      3. LDAP server setup
        1. Setting up users in the LDAP server
      4. Running the application
        1. Seeing the application in action on a browser
    3. OAuth2 and OpenID Connect
      1. Setting up a project
        1. Bootstrap Spring project using Spring Initializr
        2. Inclusion of OAuth libraries in pom.xml
        3. Setting up provider details in application.properties
      2. Provider setup
      3. Default application change
        1. The HomeController class
        2. The home.jsp file
        3. Spring Boot main application class change
      4. Running the application
    4. Summary
  10. Authentication Using CAS and JAAS
    1. CAS
      1. CAS server setup
        1. Git clone
        2. Adding additional dependencies
        3. Setting up the resources folder in the project
        4. Creating the application.properties file
        5. Creating a local SSL keystore
        6. Creating the .crt file to be used by the client
        7. Exporting the .crt file to Java and the JRE cacert keystore
        8. Building a CAS server project and running it
      2. Registering a client with the CAS server
        1. JSON service configuration
        2. Additional application.properties file changes
      3. CAS client setup
        1. Bootstrap Spring project using Spring Initializr
        2. Including CAS libraries in pom.xml
        3. Changing the application.properties file
        4. Additional bean configuration
          1. ServiceProperties bean
          2. AuthenticationEntryPoint bean
          3. TicketValidator bean
          4. CasAuthenticationProvider bean
        5. Setting up Spring Security
          1. Creating the CasAuthenticationFilter bean
        6. Setting up the controller
      4. Running the application
    2. Java Authentication and Authorization Service
      1. Setting up a project
        1. Setting up Maven project
        2. Setting up LoginModule
        3. Setting up a custom principal
        4. Setting up a custom AuthorityGranter
        5. Configuration files
          1. Application configuration
          2. Spring MVC configuration
          3. Spring Security configuration
          4. Controllers
          5. Setting up pages
      2. Running the application
    3. Kerberos
    4. Custom AuthenticationEntryPoint
      1. Multiple AuthenticationEntryPoint
    5. PasswordEncoder
      1. Salt
    6. Custom filters
    7. Summary
  11. Integrating with Spring WebFlux
    1. Spring MVC versus WebFlux
      1. When to choose what?
    2. Reactive support in Spring 5
      1. Reactive in Spring MVC
    3. Spring WebFlux
      1. HandlerFunction
      2. RouterFunction
      3. Spring WebFlux server support
      4. Reactive WebClient
      5. Reactive WebTestClient
      6. Reactive WebSocket
    4. Spring WebFlux authentication architecture
    5. Spring WebFlux authorization
    6. Sample project
      1. WebFlux project setup
        1. Maven setup
        2. Configuration class
          1. The SpringWebFluxConfig class
        3. Repository
        4. Handler and router
        5. Bootstrap application
        6. Running the application
      2. Adding security
        1. Configuration classes
          1. The UserDetailsService bean
          2. The SpringSecurityFilterChain bean
        2. Running the application
          1. CURL
          2. Browser
      3. WebClient
        1. Maven setup
        2. Creating a WebClient instance
        3. Handling errors
        4. Sending requests and retrieving responses
        5. Running and testing the application
      4. Unit testing (WebTestClient)
        1. Maven dependency
        2. Test class
      5. Spring Data
        1. Maven dependency
        2. MongoDB configuration
        3. Setting up a model
        4. Implementing a repository
        5. Implementing a controller
        6. Running the application
      6. Authorization
        1. Method security
    7. Customization
      1. Writing custom filters
        1. Using WebFilter
        2. Using HandlerFilterFunction
    8. Summary
  12. REST API Security
    1. Important concepts
      1. REST
      2. JSON Web Token (JWT)
        1. Structure of a token
          1. Header
          2. Payload
          3. Signature
    2. Modern application architecture
      1. SOFEA
    3. Reactive REST API
    4. Simple REST API security
      1. Spring Security configuration
      2. Authentication success handler
      3. Custom WebFilter namely JWTAuthWebFilter
      4. New controller classes
      5. Running the application and testing
    5. Advanced REST API security
      1. OAuth2 roles
        1. Resource owner
        2. Resource server
        3. Client
        4. Authorization server
      2. Authorization grant types
        1. Authorization code flow
        2. Implicit flow
        3. Client credentials
        4. Resource owner password credentials
      3. Access Token and Refresh Token
    6. Spring Security OAuth project
    7. OAuth2 and Spring WebFlux
    8. Spring Boot and OAuth2
    9. Sample project
      1. Authorization server
        1. Maven dependencies
        2. Spring Boot run class
        3. Spring Security config
        4. Authorization server config
        5. Application properties
      2. Resource server
        1. Maven dependencies
        2. Spring Boot run class
        3. Resource server config
        4. Spring Security config
        5. Spring MVC config class
        6. Controller class
        7. Application properties
      3. Client application
        1. Maven dependencies
        2. Spring Boot class
        3. OAuth client config
        4. Spring Security config
        5. Controller classes
        6. Templates
        7. Application properties
      4. Running the project
    10. Summary
  13. Spring Security Add-Ons
    1. Remember-me authentication
      1. Creating a new table in MySQL database
      2. Spring Security configuration
      3. The custom login page
      4. Running the application and testing
    2. Session management
    3. CSRF
    4. CSP
      1. CSP using Spring Security
    5. Channel security
    6. CORS Support
    7. The Crypto module
      1. Password encoding
      2. Encryption
      3. Key generation
    8. Secret management
      1. Starting by unsealing Vault
      2. The Spring Boot project
      3. The Maven dependency
    9. HTTP Data Integrity Validator
      1. What is HDIV?
      2. The Bootstrap project
      3. Maven dependencies
      4. Spring Security configuration
        1. Spring MVC configuration
        2. HDIV configuration
        3. The Model class
        4. The Controller class
        5. Pages
        6. Running the application
    10. Custom DSL
    11. Summary
  14. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Hands-On Spring Security 5 for Reactive Applications
  • Author(s): Tomcy John
  • Release date: July 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788995979