Spring Security in Action

Book description

While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you'll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization.

About the Technology
Security is non-negotiable. You rely on Spring applications to transmit data, verify credentials, and prevent attacks. Adopting "secure by design" principles will protect your network from data theft and unauthorized intrusions.

About the Book
Spring Security in Action shows you how to prevent cross-site scripting and request forgery attacks before they do damage. You’ll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary.

What's Inside
  • Encoding passwords and authenticating users
  • Securing endpoints
  • Automating security testing
  • Setting up a standalone authorization server


About the Reader
For experienced Java and Spring developers.

About the Author
Laurențiu Spilcă is a dedicated development lead and trainer at Endava, with over ten years of Java experience.

Quotes
An indispensable guide to Spring Security that belongs on the desk of every serious Spring developer.
- Nathan B. Crocker, Galaxy Digital

A gold mine of knowledge, sound advice, and practical applications. I wish I had something like this years ago when I was learning about Spring Security.
- Alain Lompo, ISO-Gruppe

Everything you need to know about Spring Security to protect your Java enterprise applications from common threats and attacks.
- Harinath Kuntamukkala, Cognizant Technology Solutions

The definitive guide to secure your Spring applications. A must-read.
- Ubaldo Pescatore, Generali Business Solutions

Publisher resources

View/Submit Errata

Table of contents

  1. Spring Security in Action
  2. Copyright
  3. contents
  4. front matter
    1. foreword
    2. preface
    3. acknowledgments
    4. about this book
      1. Who should read this book?
      2. How this book is organized: A roadmap
      3. About the code
      4. The liveBook discussion forum
      5. Other online resources
    5. about the author
    6. about the cover illustration
  5. Part 1. First Steps
  6. 1 Security today
    1. 1.1 Spring Security: The what and the why
    2. 1.2 What is software security?
    3. 1.3 Why is security important?
    4. 1.4 Common security vulnerabilities in web applications
      1. 1.4.1 Vulnerabilities in authentication and authorization
      2. 1.4.2 What is session fixation?
      3. 1.4.3 What is cross-site scripting (XSS)?
      4. 1.4.4 What is cross-site request forgery (CSRF)?
      5. 1.4.5 Understanding injection vulnerabilities in web applications
      6. 1.4.6 Dealing with the exposure of sensitive data
      7. 1.4.7 What is the lack of method access control?
      8. 1.4.8 Using dependencies with known vulnerabilities
    5. 1.5 Security applied in various architectures
      1. 1.5.1 Designing a one-piece web application
      2. 1.5.2 Designing security for a backend/frontend separation
      3. 1.5.3 Understanding the OAuth 2 flow
      4. 1.5.4 Using API keys, cryptographic signatures, and IP validation to secure requests
    6. 1.6 What will you learn in this book?
    7. Summary
  7. 2 Hello Spring Security
    1. 2.1 Starting with the first project
    2. 2.2 Which are the default configurations?
    3. 2.3 Overriding default configurations
      1. 2.3.1 Overriding the UserDetailsService component
      2. 2.3.2 Overriding the endpoint authorization configuration
      3. 2.3.3 Setting the configuration in different ways
      4. 2.3.4 Overriding the AuthenticationProvider implementation
      5. 2.3.5 Using multiple configuration classes in your project
    4. Summary
  8. Part 2. Implementation
  9. 3 Managing users
    1. 3.1 Implementing authentication in Spring Security
    2. 3.2 Describing the user
      1. 3.2.1 Demystifying the definition of the UserDetails contract
      2. 3.2.2 Detailing on the GrantedAuthority contract
      3. 3.2.3 Writing a minimal implementation of UserDetails
      4. 3.2.4 Using a builder to create instances of the UserDetails type
      5. 3.2.5 Combining multiple responsibilities related to the user
    3. 3.3 Instructing Spring Security on how to manage users
      1. 3.3.1 Understanding the UserDetailsService contract
      2. 3.3.2 Implementing the UserDetailsService contract
      3. 3.3.3 Implementing the UserDetailsManager contract
        1. Using a JdbcUserDetailsManager for user management
        2. Using an LdapUserDetailsManager for user management
    4. Summary
  10. 4 Dealing with passwords
    1. 4.1 Understanding the PasswordEncoder contract
      1. 4.1.1 The definition of the PasswordEncoder contract
      2. 4.1.2 Implementing the PasswordEncoder contract
      3. 4.1.3 Choosing from the provided implementations of PasswordEncoder
      4. 4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder
    2. 4.2 More about the Spring Security Crypto module
      1. 4.2.1 Using key generators
      2. 4.2.2 Using encryptors for encryption and decryption operations
    3. Summary
  11. 5 Implementing authentication
    1. 5.1 Understanding the AuthenticationProvider
      1. 5.1.1 Representing the request during authentication
      2. 5.1.2 Implementing custom authentication logic
      3. 5.1.3 Applying custom authentication logic
    2. 5.2 Using the SecurityContext
      1. 5.2.1 Using a holding strategy for the security context
      2. 5.2.2 Using a holding strategy for asynchronous calls
      3. 5.2.3 Using a holding strategy for standalone applications
      4. 5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable
      5. 5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService
    3. 5.3 Understanding HTTP Basic and form-based login authentications
      1. 5.3.1 Using and configuring HTTP Basic
      2. 5.3.2 Implementing authentication with form-based login
    4. Summary
  12. 6 Hands-on: A small secured web application
    1. 6.1 Project requirements and setup
    2. 6.2 Implementing user management
    3. 6.3 Implementing custom authentication logic
    4. 6.4 Implementing the main page
    5. 6.5 Running and testing the application
    6. Summary
  13. 7 Configuring authorization: Restricting access
    1. 7.1 Restricting access based on authorities and roles
      1. 7.1.1 Restricting access for all endpoints based on user authorities
      2. 7.1.2 Restricting access for all endpoints based on user roles
      3. 7.1.3 Restricting access to all endpoints
    2. Summary
  14. 8 Configuring authorization: Applying restrictions
    1. 8.1 Using matcher methods to select endpoints
    2. 8.2 Selecting requests for authorization using MVC matchers
    3. 8.3 Selecting requests for authorization using Ant matchers
    4. 8.4 Selecting requests for authorization using regex matchers
    5. Summary
  15. 9 Implementing filters
    1. 9.1 Implementing filters in the Spring Security architecture
    2. 9.2 Adding a filter before an existing one in the chain
    3. 9.3 Adding a filter after an existing one in the chain
    4. 9.4 Adding a filter at the location of another in the chain
    5. 9.5 Filter implementations provided by Spring Security
    6. Summary
  16. 10 Applying CSRF protection and CORS
    1. 10.1 Applying cross-site request forgery (CSRF) protection in applications
      1. 10.1.1 How CSRF protection works in Spring Security
      2. 10.1.2 Using CSRF protection in practical scenarios
      3. 10.1.3 Customizing CSRF protection
    2. 10.2 Using cross-origin resource sharing
      1. 10.2.1 How does CORS work?
      2. 10.2.2 Applying CORS policies with the @CrossOrigin annotation
      3. 10.2.3 Applying CORS using a CorsConfigurer
    3. Summary
  17. 11 Hands-on: A separation of responsibilities
    1. 11.1 The scenario and requirements of the example
    2. 11.2 Implementing and using tokens
      1. 11.2.1 What is a token?
      2. 11.2.2 What is a JSON Web Token?
    3. 11.3 Implementing the authentication server
    4. 11.4 Implementing the business logic server
      1. 11.4.1 Implementing the Authentication objects
      2. 11.4.2 Implementing the proxy to the authentication server
      3. 11.4.3 Implementing the AuthenticationProvider interface
      4. 11.4.4 Implementing the filters
      5. 11.4.5 Writing the security configurations
      6. 11.4.6 Testing the whole system
    5. Summary
  18. 12 How does OAuth 2 work?
    1. 12.1 The OAuth 2 framework
    2. 12.2 The components of the OAuth 2 authentication architecture
    3. 12.3 Implementation choices with OAuth 2
      1. 12.3.1 Implementing the authorization code grant type
        1. Step 1: Making the authentication request with the authorization code grant type
        2. Step 2: Obtaining an access token with the authorization code grant type
        3. Step 3: Calling the protected resource with the authorization code grant type
        4. An analogy for the grant type authorization code
      2. 12.3.2 Implementing the password grant type
        1. Step 1: Requesting an access token when using the password grant type
        2. Step 2: Using an access token to call resources when using the password grant type
        3. An analogy for the password grant type
      3. 12.3.3 Implementing the client credentials grant type
        1. Step 1: Requesting an access token with the client credential grant type
        2. Step 2: Using an access token to call resources with the client credential grant type
      4. 12.3.4 Using refresh tokens to obtain new access tokens
    4. 12.4 The sins of OAuth 2
    5. 12.5 Implementing a simple single sign-on application
      1. 12.5.1 Managing the authorization server
      2. 12.5.2 Starting the implementation
      3. 12.5.3 Implementing ClientRegistration
      4. 12.5.4 Implementing ClientRegistrationRepository
      5. 12.5.5 The pure magic of Spring Boot configuration
      6. 12.5.6 Obtaining details about an authenticated user
      7. 12.5.7 Testing the application
    6. Summary
  19. 13 OAuth 2: Implementing the authorization server
    1. 13.1 Writing your own authorization server implementation
    2. 13.2 Defining user management
    3. 13.3 Registering clients with the authorization server
    4. 13.4 Using the password grant type
    5. 13.5 Using the authorization code grant type
    6. 13.6 Using the client credentials grant type
    7. 13.7 Using the refresh token grant type
    8. Summary
  20. 14 OAuth 2: Implementing the resource server
    1. 14.1 Implementing a resource server
    2. 14.2 Checking the token remotely
    3. 14.3 Implementing blackboarding with a JdbcTokenStore
    4. 14.4 A short comparison of approaches
    5. Summary
  21. 15 OAuth 2: Using JWT and cryptographic signatures
    1. 15.1 Using tokens signed with symmetric keys with JWT
      1. 15.1.1 Using JWTs
      2. 15.1.2 Implementing an authorization server to issue JWTs
      3. 15.1.3 Implementing a resource server that uses JWT
    2. 15.2 Using tokens signed with asymmetric keys with JWT
      1. 15.2.1 Generating the key pair
        1. Generating a private key
        2. Obtaining the public key
      2. 15.2.2 Implementing an authorization server that uses private keys
      3. 15.2.3 Implementing a resource server that uses public keys
      4. 15.2.4 Using an endpoint to expose the public key
    3. 15.3 Adding custom details to the JWT
      1. 15.3.1 Configuring the authorization server to add custom details to tokens
      2. 15.3.2 Configuring the resource server to read the custom details of a JWT
    4. Summary
  22. 16 Global method security: Pre- and postauthorizations
    1. 16.1 Enabling global method security
      1. 16.1.1 Understanding call authorization
        1. Using preauthorization to secure access to methods
        2. Using postauthorization to secure a method call
      2. 16.1.2 Enabling global method security in your project
    2. 16.2 Applying preauthorization for authorities and roles
    3. 16.3 Applying postauthorization
    4. 16.4 Implementing permissions for methods
    5. Summary
  23. 17 Global method security: Pre- and postfiltering
    1. 17.1 Applying prefiltering for method authorization
    2. 17.2 Applying postfiltering for method authorization
    3. 17.3 Using filtering in Spring Data repositories
    4. Summary
  24. 18 Hands-on: An OAuth 2 application
    1. 18.1 The application scenario
    2. 18.2 Configuring Keycloak as an authorization server
      1. 18.2.1 Registering a client for our system
      2. 18.2.2 Specifying client scopes
      3. 18.2.3 Adding users and obtaining access tokens
      4. 18.2.4 Defining the user roles
    3. 18.3 Implementing the resource server
    4. 18.4 Testing the application
      1. 18.4.1 Proving an authenticated user can only add a record for themself
      2. 18.4.2 Proving that a user can only retrieve their own records
      3. 18.4.3 Proving that only admins can delete records
    5. Summary
  25. 19 Spring Security for reactive apps
    1. 19.1 What are reactive apps?
    2. 19.2 User management in reactive apps
    3. 19.3 Configuring authorization rules in reactive apps
      1. 19.3.1 Applying authorization at the endpoint layer in reactive apps
      2. 19.3.2 Using method security in reactive apps
    4. 19.4 Reactive apps and OAuth 2
    5. Summary
  26. 20 Spring Security testing
    1. 20.1 Using mock users for tests
    2. 20.2 Testing with users from a UserDetailsService
    3. 20.3 Using custom Authentication objects for testing
      1. Step 1: Defining a custom annotation
      2. Step 2: Creating a factory class for the mock SecurityContext
      3. Step 3: Linking the custom annotation to the factory class
    4. 20.4 Testing method security
    5. 20.5 Testing authentication
    6. 20.6 Testing CSRF configurations
    7. 20.7 Testing CORS configurations
    8. 20.8 Testing reactive Spring Security implementations
    9. Summary
  27. appendix A. Creating a Spring Boot project
    1. A.1 Creating a project with start.spring.io
    2. A.2 Creating a project with the Spring Tool Suite (STS)
  28. index

Product information

  • Title: Spring Security in Action
  • Author(s): Laurentiu Spilca
  • Release date: October 2020
  • Publisher(s): Manning Publications
  • ISBN: 9781617297731