Book description
Learn how to secure your Java applications from hackers using Spring Security 4.2
About This Book
- Architect solutions that leverage the full power of Spring Security while remaining loosely coupled.
- Implement various scenarios such as supporting existing user stores, user sign up, authentication, and supporting AJAX requests,
- Integrate with popular Microservice and Cloud services such as Zookeeper, Eureka, and Consul, along with advanced techniques, including OAuth, JSON Web Token's (JWS), Hashing, and encryption algorithms
Who This Book Is For
This book is intended for Java Web and/or RESTful webservice developers and assumes a basic understanding of creating Java 8, Java Web and/or RESTful webservice applications, XML, and the Spring Framework. You are not expected to have any previous experience with Spring Security.
What You Will Learn
- Understand common security vulnerabilities and how to resolve them
- Learn to perform initial penetration testing to uncover common security vulnerabilities
- Implement authentication and authorization
- Learn to utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, CAS, OpenID, and OAuth
- Integrate with popular frameworks such as Spring, Spring-Boot, Spring-Data, JSF, Vaaden, jQuery, and AngularJS.
- Gain deep understanding of the security challenges with RESTful webservices and microservice architectures
- Integrate Spring with other security infrastructure components like LDAP, Apache Directory server and SAML
In Detail
Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework.
The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included.
It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.
Style and approach
This practical step-by-step tutorial has plenty of example code coupled with the necessary screenshots and clear narration so that grasping content is made easier and quicker.
Table of contents
- Preface
- Anatomy of an Unsafe Application
- Getting Started with Spring Security
-
Custom Authentication
- JBCP calendar architecture
- Logging in new users using SecurityContextHolder
- Creating a custom UserDetailsService object
- Creating a custom AuthenticationProvider object
- Which authentication method to use?
- Summary
- JDBC-Based Authentication
- Authentication with Spring Data
-
LDAP Directory Services
- Understanding LDAP
- Understanding how Spring LDAP authentication works
- Determining roles with Apache Directory Studio
- Configuring the UserDetailsContextMapper object
- Updating AccountController to use LdapUserDetailsService
- Explicit LDAP bean configuration
- Integrating with Microsoft Active Directory via LDAP
- Summary
- Remember-Me Services
-
Client Certificate Authentication with TLS
-
How does client certificate authentication work?
- Setting up the client certificate authentication infrastructure
- Importing the certificate key pair into a browser
- Troubleshooting client certificate authentication
- Configuring client certificate authentication in Spring Security
- Configuring client certificate authentication using the security namespace
- Configuring client certificate authentication using Spring beans
- Summary
-
How does client certificate authentication work?
- Opening up to OAuth 2
-
Single Sign-On with the Central Authentication Service
- Introducing the Central Authentication Service
- High-level CAS authentication flow
- Spring Security and CAS
- Configuring basic CAS integration
- Single logout
- Clustered environments
- Using proxy tickets
- Customizing the CAS server
-
Getting the UserDetails object from a CAS assertion
- Returning LDAP attributes in the CAS response
- Mapping LDAP attributes to CAS attributes
- Authorizing CAS services to access custom attributes
- Acquiring a UserDetails from CAS
- The GrantedAuthorityFromAssertionAttributesUser object
- Alternative ticket authentication using SAML 1.1
- How is attribute retrieval useful?
- Additional CAS capabilities
- Summary
-
Fine-Grained Access Control
- Gradle dependencies
- Conditional rendering with the Thymeleaf Spring Security tag library
- Interface-based proxies
-
JSR-250 compliant standardized rules
- Method security using Spring's @Secured annotation
- Method security rules incorporating method parameters
- Method security rules incorporating returned values
- Securing method data using role-based filtering
- Prefiltering collections with @PreFilter
- Comparing method authorization types
- Practical considerations for annotation-based security
- Summary
-
Access Control Lists
- The conceptual module of ACL
- Access control lists in Spring Security
-
Basic configuration of Spring Security ACL support
- Gradle dependencies
- Defining a simple target scenario
- Adding ACL tables to the H2 database
- Configuring SecurityExpressionHandler
- The AclPermissionCacheOptimizer object
- Creating a simple ACL entry
- Advanced ACL topics
- The custom ACL permission declaration
- Enabling ACL permission evaluation
- Mutable ACLs and authorization
- Considerations for a typical ACL deployment
- Should I use Spring Security ACL?
- Summary
-
Custom Authorization
- Authorizing the requests
- Dynamically defining access control to URLs
- Creating a custom expression
- Summary
- Session Management
- Additional Spring Security Features
-
Migration to Spring Security 4.2
- Introduction
- Sample migration
-
Deprecations
- The spring-security-core deprecations
-
The spring-security-web deprecations
- FilterChainProxy
- ExceptionTranslationFilter
- AbstractAuthenticationProcessingFilter
- AnonymousAuthenticationFilter
- LoginUrlAuthenticationEntryPoint
- PreAuthenticatedGrantedAuthoritiesUserDetailsService
- AbstractRememberMeServices
- PersistentTokenBasedRememberMeServices
- RememberMeAuthenticationFilter
- TokenBasedRememberMeServices
- ConcurrentSessionControlStrategy
- SessionFixationProtectionStrategy
- BasicAuthenticationFilter
- SecurityContextPersistenceFilter
- RequestCacheAwareFilter
- ConcurrentSessionFilter
- SessionManagementFilter
- RequestMatcher
- WebSecurityExpressionHandler
- @AuthenticationPrincipal
- Migrating default filter URLs
- JAAS
- Summary
- Microservice Security with OAuth 2 and JSON Web Tokens
- Additional Reference Material
Product information
- Title: Spring Security - Third Edition
- Author(s):
- Release date: November 2017
- Publisher(s): Packt Publishing
- ISBN: 9781787129511
You might also like
video
Spring Security
8+ Hours of Video Instruction Overview In Spring Security LiveLessons, learn from Spring experts Rob Winch, …
video
Spring Security LDAP Integration and SAML Extension
Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for …
book
Pro Spring Security: Securing Spring Framework 5 and Boot 2-based Java Applications
Build and deploy secure Spring Framework and Spring Boot-based enterprise Java applications with the Spring Security …
video
The Spring Security Architecture for Authentication and Authorization
Do you know how to use OAuth2 for authentication and authorization and properly implement internet security? …