Pro Spring Security

Book description

Security is a key element in the development of any non-trivial application. The Spring Security Framework provides a comprehensive set of functionalities to implement industry-standard authentication and authorization mechanisms for Java applications.

Pro Spring Security will be a reference and advanced tutorial that will do the following:

  • Guides you through the implementation of the security features for a Java web application by presenting consistent examples built from the ground up.

  • Demonstrates the different authentication and authorization methods to secure enterprise-level applications by using the Spring Security Framework.

  • Provides you with a broader look into Spring Security by including up-to-date use cases such as building a security layer for RESTful web services and Grails applications.

What you'll learn

  • The basics of securing a Java application, including core security concepts and the step-by-step configuration needed to include the Spring Security Framework in your web application.

  • The tools available in Spring Security to provide login and logout capabilities, with add-ons such as remember-me and password change functionalities.

  • The types of authentication mechanisms tailored for enterprise-level Java applications, including LDAP, the Central Authentication Service, OpenID and X.509.

  • How to dive into each of the application layers to control user access to the different architectural elements of your Java application. You will first apply authorization control to each of the components of the Model-View-Controller tier.

  • How to work with Domain Objects and RESTful web services in our authorization queue in order to fully secure our application by using Access Control Lists, along with Object Level and Method Level authorization.

  • How to explore the powerful Grails framework and how to use Spring Security in the context of a Groovy on Grails application. You will learn about the core security plugin and others such as OpenID, Facebook and Twitter authentication.

Who this book is for

This book is for Java and Grails developers who would like to secure their applications easily by applying industry best practices. I assume a fair knowledge of Java and a basic knowledge of Spring Dependency Injection.

Table of contents

    1. Title Page
    2. Dedication
    3. Contents at a Glance
    4. Contents
    5. About the Author
    6. About the Technical Reviewer
    7. Acknowledgments
    8. Introduction
    9. CHAPTER 1: The Scope of Security
      1. The Network Security Layer
      2. The Operating System Layer
      3. The Application Layer
      4. Authentication and Authorization: General Concepts
      5. What to Secure
      6. More Security Concerns
      7. Java Options for Security
      8. Summary
    10. CHAPTER 2: Introducing Spring Security
      1. What Is Spring Security?
      2. Where Does Spring Security Fit In?
      3. Spring Security and Spring
      4. Spring Framework: A Quick Overview
      5. An Initial Spring Security Secured Application
      6. Understanding the Simple Application
      7. Summary
    11. CHAPTER 3: Spring Security Architecture and Design
      1. What Components Make Up Spring Security?
      2. Good Design and Patterns in Spring Security
      3. Summary
    12. CHAPTER 4: Web Security
      1. Introducing the Simple Example Application
      2. The Special URLs
      3. Custom Login Form
      4. Basic HTTP Authentication
      5. Digest Authentication
      6. Remember-Me Authentication
      7. Allowing Remember-Me Access to Selected Parts of the Application
      8. Logging Out
      9. The Session (javax.servlet.http.HttpSession) and the SecurityContext
      10. Beyond Simple User Roles: Using Spring Expression Language to Secure the Web Layer
      11. Extend with Your Own Expressions
      12. Switching to a Different User
      13. Session Management
      14. Forcing the Request to HTTPS
      15. Role Hierarchies
      16. Summary
    13. CHAPTER 5: Securing the Service Layer
      1. The Limitations of Web-Level Security
      2. What Is Business Service-Level Security?
      3. Setting Up the Example for the Chapter
      4. How the Described Actions Happen Under the Hood
      5. Creating a Business Layer in Your Application
      6. @RolesAllowed Annotation
      7. Securing the Application Using SpEL Expressions
      8. Securing the Data Returned from a Method
      9. Filtering Collections Sent and Returned from Methods
      10. Security Defined in XML
      11. Security Without a Web Layer
      12. Using AspectJ AOP instead of Spring AOP
      13. Summary
    14. CHAPTER 6: Configuring Alternative Authentication Providers
      1. Database-Provided Authentication
      2. LDAP Authentication
      3. Authenticating with OpenID
      4. X.509 Authentication
      5. JAAS Authentication
      6. Central Authentication Service (CAS) Authentication
      7. Integrating CAS with a Different Authentication Provider
      8. Summary
    15. CHAPTER 7: Business Object Security with ACLs
      1. The Security Example Application
      2. Accessing Secured Objects
      3. Filtering Returned Objects
      4. Securing the View Layer with ACLs
      5. The Cost of ACLs
      6. Summary
    16. CHAPTER 8: Customizing and Extending Spring Security
      1. Spring Security Extension Points
      2. Plug into the Spring Security Event System
      3. Your Own AuthenticationProvider and UserDetailsService
      4. Password Encryption
      5. New Voters in AccessDecisionManager
      6. Nonvoter AccessDecisionManager Implementations
      7. New Expression Root and SpEL
      8. Non-JDBC AclService
      9. Custom Security Filter
      10. Handling Errors and Entry Points
      11. Changing the Security Interceptor
      12. Spring Security Extensions Project
      13. Summary
    17. CHAPTER 9: Integrating Spring Security with Other Frameworks and Languages
      1. Spring Security with Struts 2
      2. Spring Security with Spring Web Flow
      3. Spring Security in Other JVM Languages
      4. Spring Security and Ruby (JRuby)
      5. Web-Layer Security in Rails
      6. Spring Security, Groovy, and Grails
      7. Using Grails to Secure the Web Layer with URL Rules
      8. Using Grails Security at the Method Level
      9. Spring Security and Scala
      10. Summary
    18. Index

Product information

  • Title: Pro Spring Security
  • Author(s): Carlo Scarioni
  • Release date: March 2013
  • Publisher(s): Apress
  • ISBN: 9781430248187