
Spring Security for REST APIs

Authentication, authorization, and common defenses

Topic: Software Development
Josh Cummings

Would you ever give out your credit card information in reply to an unidentified text message? Of course not. And yet we do this all the time with our REST APIs when we don’t know who’s talking to them and whether they have authority to do so.

Join Spring Security maintainer Josh Cummings to learn how to secure a Spring Boot-powered REST API. You’ll explore the simplicity of HTTP Basic, the scalability of JSON Web Tokens (JWTs), and the security of opaque tokens in your journey toward an API that authenticates and authorizes each request. By the time you’re through, you’ll understand the different authentication mechanisms relevant to REST APIs—and how and when to apply them in practice. You’ll also have a deeper knowledge of how Spring Security is architected, enabling you to apply your own secure customizations with greater ease.

What you'll learn, and how you can apply it

By the end of this live online course, you’ll understand:

  • How to authenticate a REST request with Spring Security and OAuth 2.0
  • How to authorize that request’s actions in both fine- and coarse-grain ways
  • How to securely expose your REST API to the public
  • How to communicate with other OAuth 2.0-secured REST APIs

And you’ll be able to:

  • Use Spring Boot properties and the Spring Security DSL to protect an application
  • Work with Keycloak to secure a single-page application (SPA) and Spring Boot REST API together
  • Consider RESTful multitenancy scenarios

This training course is for you because...

  • You’re a Java application developer.
  • You work with Spring.
  • You want to become a more security-conscious engineer.


Prerequisites

  • A working knowledge of Java 8 and Spring Boot 2
  • Familiarity with Spring Security 5 (useful but not required)


About your instructor

  • Josh enjoys application security, live hacking, and frosted mini-wheats. He works for VMware, maintaining Spring Security with Rob Winch.


The timeframes are only estimates and may vary according to how the class is progressing.

Local authentication (45 minutes)

  • Group discussion: What are your goals?
  • Presentation: An unsecured REST API; Spring Boot security starters; the Spring Security filter chain; UserDetailsService; customizing the principal and authorities
  • Hands-on exercises: Use spring-boot-starter-security; use an in-memory user details service; use a custom user principal; determine how secure the solution is
  • Q&A

Break (5 minutes)

Local authorization (45 minutes)

  • Presentation: Filter-based security; method-based security; insecure direct object references; authorities versus roles; complex authorization rules
  • Hands-on exercises: Use @PreAuthorize, @PostAuthorize, @PostFilter, and @Query; extract authorization rules to a Spring Bean; add a record; determine why your user doesn’t have the authority
  • Q&A

Break (5 minutes)

Ingress (25 minutes)

  • Group discussion: When is it safe to turn off CSRF?; How realistic is HTTP Basic for REST APIs?
  • Presentation: CORS
  • Hands-on exercise: Enable CORS
  • Q&A

Distributed authorization with JWT (45 minutes)

  • Presentation: Bearer tokens and JWT; the delegator pattern; canonicalization; testing
  • Hands-on exercises: Add the JWT authentication mechanism; customize granted authorities; canonicalize the authentication; introduce tests that mock authentication
  • Group discussion: Scopes versus authorities; thoughts on multitenancy
  • Q&A

Break (5 minutes)

Distributed authorization with opaque tokens (45 minutes)

  • Presentation: Opaque versus JWT; customizing the principal; multitenancy—opaque or JWT?
  • Hands-on exercises: Switch to an opaque token; customize the principal; create an AuthenticationManagerResolver
  • Q&A

Egress (20 minutes)

  • Presentation: CORS and CSRF with REST APIs; propagating the token
  • Hands-on exercises: Configure CORS; coordinate with a downstream service
  • Group discussion: What if you need to renew the token?
  • Q&A