book

Spring Security in Action

Name: Spring Security in Action
Author: Laurentiu Spilca
ISBN: 9781617297731

by Laurentiu Spilca

October 2020

Beginner to intermediate

560 pages

14h 52m

English

Manning Publications

Read now

Unlock full access

Spring Security in Action
Copyright
contents
front matter
forewordprefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: A roadmapAbout the codeThe liveBook discussion forumOther online resourcesabout the authorabout the cover illustration
Part 1. First Steps
1 Security today
1.1 Spring Security: The what and the why1.2 What is software security?1.3 Why is security important?1.4 Common security vulnerabilities in web applications1.4.1 Vulnerabilities in authentication and authorization1.4.2 What is session fixation?1.4.3 What is cross-site scripting (XSS)?1.4.4 What is cross-site request forgery (CSRF)?1.4.5 Understanding injection vulnerabilities in web applications1.4.6 Dealing with the exposure of sensitive data1.4.7 What is the lack of method access control?1.4.8 Using dependencies with known vulnerabilities1.5 Security applied in various architectures1.5.1 Designing a one-piece web application1.5.2 Designing security for a backend/frontend separation1.5.3 Understanding the OAuth 2 flow1.5.4 Using API keys, cryptographic signatures, and IP validation to secure requests1.6 What will you learn in this book?Summary
2 Hello Spring Security
2.1 Starting with the first project2.2 Which are the default configurations?2.3 Overriding default configurations2.3.1 Overriding the UserDetailsService component2.3.2 Overriding the endpoint authorization configuration2.3.3 Setting the configuration in different ways2.3.4 Overriding the AuthenticationProvider implementation2.3.5 Using multiple configuration classes in your projectSummary
Part 2. Implementation
3 Managing users
3.1 Implementing authentication in Spring Security3.2 Describing the user3.2.1 Demystifying the definition of the UserDetails contract3.2.2 Detailing on the GrantedAuthority contract3.2.3 Writing a minimal implementation of UserDetails3.2.4 Using a builder to create instances of the UserDetails type3.2.5 Combining multiple responsibilities related to the user3.3 Instructing Spring Security on how to manage users3.3.1 Understanding the UserDetailsService contract3.3.2 Implementing the UserDetailsService contract3.3.3 Implementing the UserDetailsManager contractUsing a JdbcUserDetailsManager for user managementUsing an LdapUserDetailsManager for user managementSummary
4 Dealing with passwords
4.1 Understanding the PasswordEncoder contract4.1.1 The definition of the PasswordEncoder contract4.1.2 Implementing the PasswordEncoder contract4.1.3 Choosing from the provided implementations of PasswordEncoder4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder4.2 More about the Spring Security Crypto module4.2.1 Using key generators4.2.2 Using encryptors for encryption and decryption operationsSummary

5 Implementing authentication
5.1 Understanding the AuthenticationProvider5.1.1 Representing the request during authentication5.1.2 Implementing custom authentication logic5.1.3 Applying custom authentication logic5.2 Using the SecurityContext5.2.1 Using a holding strategy for the security context5.2.2 Using a holding strategy for asynchronous calls5.2.3 Using a holding strategy for standalone applications5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService5.3 Understanding HTTP Basic and form-based login authentications5.3.1 Using and configuring HTTP Basic5.3.2 Implementing authentication with form-based loginSummary
6 Hands-on: A small secured web application
6.1 Project requirements and setup6.2 Implementing user management6.3 Implementing custom authentication logic6.4 Implementing the main page6.5 Running and testing the applicationSummary
7 Configuring authorization: Restricting access
7.1 Restricting access based on authorities and roles7.1.1 Restricting access for all endpoints based on user authorities7.1.2 Restricting access for all endpoints based on user roles7.1.3 Restricting access to all endpointsSummary
8 Configuring authorization: Applying restrictions
8.1 Using matcher methods to select endpoints8.2 Selecting requests for authorization using MVC matchers8.3 Selecting requests for authorization using Ant matchers8.4 Selecting requests for authorization using regex matchersSummary
9 Implementing filters
9.1 Implementing filters in the Spring Security architecture9.2 Adding a filter before an existing one in the chain9.3 Adding a filter after an existing one in the chain9.4 Adding a filter at the location of another in the chain9.5 Filter implementations provided by Spring SecuritySummary
10 Applying CSRF protection and CORS
10.1 Applying cross-site request forgery (CSRF) protection in applications10.1.1 How CSRF protection works in Spring Security10.1.2 Using CSRF protection in practical scenarios10.1.3 Customizing CSRF protection10.2 Using cross-origin resource sharing10.2.1 How does CORS work?10.2.2 Applying CORS policies with the @CrossOrigin annotation10.2.3 Applying CORS using a CorsConfigurerSummary
11 Hands-on: A separation of responsibilities
11.1 The scenario and requirements of the example11.2 Implementing and using tokens11.2.1 What is a token?11.2.2 What is a JSON Web Token?11.3 Implementing the authentication server11.4 Implementing the business logic server11.4.1 Implementing the Authentication objects11.4.2 Implementing the proxy to the authentication server11.4.3 Implementing the AuthenticationProvider interface11.4.4 Implementing the filters11.4.5 Writing the security configurations11.4.6 Testing the whole systemSummary
12 How does OAuth 2 work?
12.1 The OAuth 2 framework12.2 The components of the OAuth 2 authentication architecture12.3 Implementation choices with OAuth 212.3.1 Implementing the authorization code grant typeStep 1: Making the authentication request with the authorization code grant typeStep 2: Obtaining an access token with the authorization code grant typeStep 3: Calling the protected resource with the authorization code grant typeAn analogy for the grant type authorization code12.3.2 Implementing the password grant typeStep 1: Requesting an access token when using the password grant typeStep 2: Using an access token to call resources when using the password grant typeAn analogy for the password grant type12.3.3 Implementing the client credentials grant typeStep 1: Requesting an access token with the client credential grant typeStep 2: Using an access token to call resources with the client credential grant type12.3.4 Using refresh tokens to obtain new access tokens12.4 The sins of OAuth 212.5 Implementing a simple single sign-on application12.5.1 Managing the authorization server12.5.2 Starting the implementation12.5.3 Implementing ClientRegistration12.5.4 Implementing ClientRegistrationRepository12.5.5 The pure magic of Spring Boot configuration12.5.6 Obtaining details about an authenticated user12.5.7 Testing the applicationSummary
13 OAuth 2: Implementing the authorization server
13.1 Writing your own authorization server implementation13.2 Defining user management13.3 Registering clients with the authorization server13.4 Using the password grant type13.5 Using the authorization code grant type13.6 Using the client credentials grant type13.7 Using the refresh token grant typeSummary
14 OAuth 2: Implementing the resource server
14.1 Implementing a resource server14.2 Checking the token remotely14.3 Implementing blackboarding with a JdbcTokenStore14.4 A short comparison of approachesSummary
15 OAuth 2: Using JWT and cryptographic signatures
15.1 Using tokens signed with symmetric keys with JWT15.1.1 Using JWTs15.1.2 Implementing an authorization server to issue JWTs15.1.3 Implementing a resource server that uses JWT15.2 Using tokens signed with asymmetric keys with JWT15.2.1 Generating the key pairGenerating a private keyObtaining the public key15.2.2 Implementing an authorization server that uses private keys15.2.3 Implementing a resource server that uses public keys15.2.4 Using an endpoint to expose the public key15.3 Adding custom details to the JWT15.3.1 Configuring the authorization server to add custom details to tokens15.3.2 Configuring the resource server to read the custom details of a JWTSummary
16 Global method security: Pre- and postauthorizations
16.1 Enabling global method security16.1.1 Understanding call authorizationUsing preauthorization to secure access to methodsUsing postauthorization to secure a method call16.1.2 Enabling global method security in your project16.2 Applying preauthorization for authorities and roles16.3 Applying postauthorization16.4 Implementing permissions for methodsSummary
17 Global method security: Pre- and postfiltering
17.1 Applying prefiltering for method authorization17.2 Applying postfiltering for method authorization17.3 Using filtering in Spring Data repositoriesSummary
18 Hands-on: An OAuth 2 application
18.1 The application scenario18.2 Configuring Keycloak as an authorization server18.2.1 Registering a client for our system18.2.2 Specifying client scopes18.2.3 Adding users and obtaining access tokens18.2.4 Defining the user roles18.3 Implementing the resource server18.4 Testing the application18.4.1 Proving an authenticated user can only add a record for themself18.4.2 Proving that a user can only retrieve their own records18.4.3 Proving that only admins can delete recordsSummary
19 Spring Security for reactive apps
19.1 What are reactive apps?19.2 User management in reactive apps19.3 Configuring authorization rules in reactive apps19.3.1 Applying authorization at the endpoint layer in reactive apps19.3.2 Using method security in reactive apps19.4 Reactive apps and OAuth 2Summary
20 Spring Security testing
20.1 Using mock users for tests20.2 Testing with users from a UserDetailsService20.3 Using custom Authentication objects for testingStep 1: Defining a custom annotationStep 2: Creating a factory class for the mock SecurityContextStep 3: Linking the custom annotation to the factory class20.4 Testing method security20.5 Testing authentication20.6 Testing CSRF configurations20.7 Testing CORS configurations20.8 Testing reactive Spring Security implementationsSummary
appendix A. Creating a Spring Boot project
A.1 Creating a project with start.spring.ioA.2 Creating a project with the Spring Tool Suite (STS)
index

Content preview from Spring Security in Action

15 OAuth 2: Using JWT and cryptographic signatures

This chapter covers

Validating tokens using cryptographic signatures
Using JSON Web Tokens in the OAuth 2 architecture
Signing tokens with symmetric and asymmetric keys
Adding custom details to a JWT

In this chapter, we’ll discuss using JSON Web Tokens (JWTs) for token implementation. You learned in chapter 14 that the resource server needs to validate tokens issued by the authorization server. And I told you three ways to do this:

Using direct calls between the resource server and the authorization server, which we implemented in section 14.2
Using a shared database for storing the tokens, which we implemented in section 14.3
Using cryptographic signatures, which we’ll discuss ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Spring Security in Action, Second Edition

Publisher Resources

ISBN: 9781617297731Publisher Support Publisher Website Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Spring Security in Action

by Laurentiu Spilca

15 OAuth 2: Using JWT and cryptographic signatures

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.