Book Image

Spring Security - Third Edition

By : Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH
Book Image

Spring Security - Third Edition

By: Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH

Overview of this book

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.
Table of Contents (19 chapters)

Using salt in Spring Security

Spring Security 3.1 provides a new cryptography module that is included in the spring-security-core module and is available separately in spring-security-crypto. The crypto module contains its own o.s.s.crypto.password.PasswordEncoder interface. In fact, using this interface is the preferred method for encoding passwords, because it will salt passwords using a random salt. At the time of this writing, there are the following three implementations of o.s.s.crypto.password.PasswordEncoder:

Class

Description

o.s.s.crypto.bcrypt.BCryptPasswordEncoder

This class uses the bcrypt hashing function. It supports salt and the ability to slow down to perform over time as technology improves. This helps protect against brute-force search attacks.

o.s.s.crypto.password.NoOpPasswordEncoder

This class does no encoding (it returns the password in...