book

Spring Security in Action

by Laurentiu Spilca

October 2020

Beginner to intermediate

560 pages

14h 52m

English

Manning Publications

Read now

Unlock full access

forewordprefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: A roadmapAbout the codeThe liveBook discussion forumOther online resourcesabout the authorabout the cover illustration
1.1 Spring Security: The what and the why1.2 What is software security?1.3 Why is security important?1.4 Common security vulnerabilities in web applications1.4.1 Vulnerabilities in authentication and authorization1.4.2 What is session fixation?1.4.3 What is cross-site scripting (XSS)?1.4.4 What is cross-site request forgery (CSRF)?1.4.5 Understanding injection vulnerabilities in web applications1.4.6 Dealing with the exposure of sensitive data1.4.7 What is the lack of method access control?1.4.8 Using dependencies with known vulnerabilities1.5 Security applied in various architectures1.5.1 Designing a one-piece web application1.5.2 Designing security for a backend/frontend separation1.5.3 Understanding the OAuth 2 flow1.5.4 Using API keys, cryptographic signatures, and IP validation to secure requests1.6 What will you learn in this book?Summary
2.1 Starting with the first project2.2 Which are the default configurations?2.3 Overriding default configurations2.3.1 Overriding the UserDetailsService component2.3.2 Overriding the endpoint authorization configuration2.3.3 Setting the configuration in different ways2.3.4 Overriding the AuthenticationProvider implementation2.3.5 Using multiple configuration classes in your projectSummary
3.1 Implementing authentication in Spring Security3.2 Describing the user3.2.1 Demystifying the definition of the UserDetails contract3.2.2 Detailing on the GrantedAuthority contract3.2.3 Writing a minimal implementation of UserDetails3.2.4 Using a builder to create instances of the UserDetails type3.2.5 Combining multiple responsibilities related to the user3.3 Instructing Spring Security on how to manage users3.3.1 Understanding the UserDetailsService contract3.3.2 Implementing the UserDetailsService contract3.3.3 Implementing the UserDetailsManager contractUsing a JdbcUserDetailsManager for user managementUsing an LdapUserDetailsManager for user managementSummary
4.1 Understanding the PasswordEncoder contract4.1.1 The definition of the PasswordEncoder contract4.1.2 Implementing the PasswordEncoder contract4.1.3 Choosing from the provided implementations of PasswordEncoder4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder4.2 More about the Spring Security Crypto module4.2.1 Using key generators4.2.2 Using encryptors for encryption and decryption operationsSummary

5.1 Understanding the AuthenticationProvider5.1.1 Representing the request during authentication5.1.2 Implementing custom authentication logic5.1.3 Applying custom authentication logic5.2 Using the SecurityContext5.2.1 Using a holding strategy for the security context5.2.2 Using a holding strategy for asynchronous calls5.2.3 Using a holding strategy for standalone applications5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService5.3 Understanding HTTP Basic and form-based login authentications5.3.1 Using and configuring HTTP Basic5.3.2 Implementing authentication with form-based loginSummary
6.1 Project requirements and setup6.2 Implementing user management6.3 Implementing custom authentication logic6.4 Implementing the main page6.5 Running and testing the applicationSummary
7.1 Restricting access based on authorities and roles7.1.1 Restricting access for all endpoints based on user authorities7.1.2 Restricting access for all endpoints based on user roles7.1.3 Restricting access to all endpointsSummary
8.1 Using matcher methods to select endpoints8.2 Selecting requests for authorization using MVC matchers8.3 Selecting requests for authorization using Ant matchers8.4 Selecting requests for authorization using regex matchersSummary
9.1 Implementing filters in the Spring Security architecture9.2 Adding a filter before an existing one in the chain9.3 Adding a filter after an existing one in the chain9.4 Adding a filter at the location of another in the chain9.5 Filter implementations provided by Spring SecuritySummary
10.1 Applying cross-site request forgery (CSRF) protection in applications10.1.1 How CSRF protection works in Spring Security10.1.2 Using CSRF protection in practical scenarios10.1.3 Customizing CSRF protection10.2 Using cross-origin resource sharing10.2.1 How does CORS work?10.2.2 Applying CORS policies with the @CrossOrigin annotation10.2.3 Applying CORS using a CorsConfigurerSummary
11.1 The scenario and requirements of the example11.2 Implementing and using tokens11.2.1 What is a token?11.2.2 What is a JSON Web Token?11.3 Implementing the authentication server11.4 Implementing the business logic server11.4.1 Implementing the Authentication objects11.4.2 Implementing the proxy to the authentication server11.4.3 Implementing the AuthenticationProvider interface11.4.4 Implementing the filters11.4.5 Writing the security configurations11.4.6 Testing the whole systemSummary
12.1 The OAuth 2 framework12.2 The components of the OAuth 2 authentication architecture12.3 Implementation choices with OAuth 212.3.1 Implementing the authorization code grant typeStep 1: Making the authentication request with the authorization code grant typeStep 2: Obtaining an access token with the authorization code grant typeStep 3: Calling the protected resource with the authorization code grant typeAn analogy for the grant type authorization code12.3.2 Implementing the password grant typeStep 1: Requesting an access token when using the password grant typeStep 2: Using an access token to call resources when using the password grant typeAn analogy for the password grant type12.3.3 Implementing the client credentials grant typeStep 1: Requesting an access token with the client credential grant typeStep 2: Using an access token to call resources with the client credential grant type12.3.4 Using refresh tokens to obtain new access tokens12.4 The sins of OAuth 212.5 Implementing a simple single sign-on application12.5.1 Managing the authorization server12.5.2 Starting the implementation12.5.3 Implementing ClientRegistration12.5.4 Implementing ClientRegistrationRepository12.5.5 The pure magic of Spring Boot configuration12.5.6 Obtaining details about an authenticated user12.5.7 Testing the applicationSummary
13.1 Writing your own authorization server implementation13.2 Defining user management13.3 Registering clients with the authorization server13.4 Using the password grant type13.5 Using the authorization code grant type13.6 Using the client credentials grant type13.7 Using the refresh token grant typeSummary
14.1 Implementing a resource server14.2 Checking the token remotely14.3 Implementing blackboarding with a JdbcTokenStore14.4 A short comparison of approachesSummary
15.1 Using tokens signed with symmetric keys with JWT15.1.1 Using JWTs15.1.2 Implementing an authorization server to issue JWTs15.1.3 Implementing a resource server that uses JWT15.2 Using tokens signed with asymmetric keys with JWT15.2.1 Generating the key pairGenerating a private keyObtaining the public key15.2.2 Implementing an authorization server that uses private keys15.2.3 Implementing a resource server that uses public keys15.2.4 Using an endpoint to expose the public key15.3 Adding custom details to the JWT15.3.1 Configuring the authorization server to add custom details to tokens15.3.2 Configuring the resource server to read the custom details of a JWTSummary
16.1 Enabling global method security16.1.1 Understanding call authorizationUsing preauthorization to secure access to methodsUsing postauthorization to secure a method call16.1.2 Enabling global method security in your project16.2 Applying preauthorization for authorities and roles16.3 Applying postauthorization16.4 Implementing permissions for methodsSummary
17.1 Applying prefiltering for method authorization17.2 Applying postfiltering for method authorization17.3 Using filtering in Spring Data repositoriesSummary
18.1 The application scenario18.2 Configuring Keycloak as an authorization server18.2.1 Registering a client for our system18.2.2 Specifying client scopes18.2.3 Adding users and obtaining access tokens18.2.4 Defining the user roles18.3 Implementing the resource server18.4 Testing the application18.4.1 Proving an authenticated user can only add a record for themself18.4.2 Proving that a user can only retrieve their own records18.4.3 Proving that only admins can delete recordsSummary
19.1 What are reactive apps?19.2 User management in reactive apps19.3 Configuring authorization rules in reactive apps19.3.1 Applying authorization at the endpoint layer in reactive apps19.3.2 Using method security in reactive apps19.4 Reactive apps and OAuth 2Summary
20.1 Using mock users for tests20.2 Testing with users from a UserDetailsService20.3 Using custom Authentication objects for testingStep 1: Defining a custom annotationStep 2: Creating a factory class for the mock SecurityContextStep 3: Linking the custom annotation to the factory class20.4 Testing method security20.5 Testing authentication20.6 Testing CSRF configurations20.7 Testing CORS configurations20.8 Testing reactive Spring Security implementationsSummary
A.1 Creating a project with start.spring.ioA.2 Creating a project with the Spring Tool Suite (STS)

Content preview from Spring Security in Action

17 Global method security: Pre- and postfiltering

This chapter covers

Using prefiltering to restrict what a method receives as parameter values
Using postfiltering to restrict what a method returns
Integrating filtering with Spring Data

In chapter 16, you learned how to apply authorization rules using global method security. We worked on examples using the @PreAuthorize and @PostAuthorize annotations. By using these annotations, you apply an approach in which the application either allows the method call or it completely rejects the call. Suppose you don’t want to forbid the call to a method, but you want to make sure that the parameters sent to it follow some rules. Or, in another scenario, you want to make sure that after someone ...