Book Image

Spring Security - Third Edition

By : Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH
Book Image

Spring Security - Third Edition

By: Mick Knutson, Peter Mularien, ROBERT WILLIAM WINCH

Overview of this book

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.

Related Content you might be interested in

Current Title:

Small book image
Spring Security - Third Edition
Mick Knutson | Peter Mularien | ROBERT WILLIAM WINCH
Nov, 2017 | 542 pages
No titles found
Table of Contents (19 chapters)
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Free Chapter
1
Anatomy of an Unsafe Application
Anatomy of an Unsafe Application
Security audit
Application technology
Authentication
Authorization
Summary
2
Getting Started with Spring Security
Getting Started with Spring Security
Hello Spring Security
A little bit of polish
Summary
3
Custom Authentication
Custom Authentication
JBCP calendar architecture
Logging in new users using SecurityContextHolder
Creating a custom UserDetailsService object
Creating a custom AuthenticationProvider object
Which authentication method to use?
Summary
4
JDBC-Based Authentication
JDBC-Based Authentication
Required dependencies
Using the H2 database
The default user schema of Spring Security
The UserDetailsManager interface
Support for a custom schema
Configuring secure passwords
The PasswordEncoder method
Using salt in Spring Security
Trying out the salted passwords
Summary
5
Authentication with Spring Data
Authentication with Spring Data
Spring Data JPA
Refactoring from SQL to ORM
Application services
The UserDetailsService object
Document database implementation with MongoDB
Summary
6
LDAP Directory Services
LDAP Directory Services
Understanding LDAP
Understanding how Spring LDAP authentication works
Determining roles with Apache Directory Studio
Configuring the UserDetailsContextMapper object
Updating AccountController to use LdapUserDetailsService
Explicit LDAP bean configuration
Integrating with Microsoft Active Directory via LDAP
Summary
7
Remember-Me Services
Remember-Me Services
What is remember-me?
MD5
Is remember-me secure?
Configuring the persistent-based remember-me feature
The remember-me architecture
Custom cookie and HTTP parameter names
Summary
8
Client Certificate Authentication with TLS
Client Certificate Authentication with TLS
How does client certificate authentication work?
Configuring client certificate authentication using Spring beans
Summary
9
Opening up to OAuth 2
Opening up to OAuth 2
The promising world of OAuth 2
Configuring OAuth 2 support in Spring Security
Executing the OAuth 2 provider connection workflow
Additional OAuth 2 providers
Is OAuth 2 secure?
10
Single Sign-On with the Central Authentication Service
Single Sign-On with the Central Authentication Service
Introducing the Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Configuring basic CAS integration
Single logout
Clustered environments
Using proxy tickets
Customizing the CAS server
Getting the UserDetails object from a CAS assertion
Additional CAS capabilities
Summary
11
Fine-Grained Access Control
Fine-Grained Access Control
Gradle dependencies
Conditional rendering with the Thymeleaf Spring Security tag library
Interface-based proxies
JSR-250 compliant standardized rules
Summary
12
Access Control Lists
Access Control Lists
The conceptual module of ACL
Access control lists in Spring Security
Basic configuration of Spring Security ACL support
Summary
13
Custom Authorization
Custom Authorization
Authorizing the requests
Dynamically defining access control to URLs
Creating a custom expression
Summary
14
Session Management
Session Management
Configuring session fixation protection
Restricting the number of concurrent sessions per user
Configuring expired session redirect
Common problems with concurrency control
Other benefits of concurrent session control
Displaying active sessions for a user
Summary
15
Additional Spring Security Features
Additional Spring Security Features
Security vulnerabilities
Cross-Site Scripting
Cross-Site Request Forgery
Security HTTP response headers
Summary
16
Migration to Spring Security 4.2
Migration to Spring Security 4.2
Introduction
Sample migration
Deprecations
Summary
17
Microservice Security with OAuth 2 and JSON Web Tokens
Microservice Security with OAuth 2 and JSON Web Tokens
What are microservices?
Service-oriented architectures
Microservice security
The OAuth 2 specification
JSON Web Tokens
OAuth 2 support in Spring Security
Microservices client
Summary
18
Additional Reference Material
Additional Reference Material
Getting started with the JBCP calendar sample code

Preface

Welcome to the world of Spring Security 4.2! We're certainly pleased that you have acquired the only published book fully devoted to Spring Security 4.2. Before we get started with the book, we would like to give you an overview of how the book is organized and how you can get the most out of it.

Once you have read this book, you should be familiar with key security concepts and understand how to solve the majority of the real-world problems that you will need to solve with Spring Security. Through this discovery, you will gain an in-depth understanding of Spring Security's architecture, which will allow you to handle any unexpected use cases the book does not cover.

The book is divided into the following four main sections:

  • The first section (Chapter 1, Anatomy of an Unsafe Application and Chapter 2, Getting Started with Spring Security) provides an introduction to Spring Security and allows you to get started with Spring Security quickly
  • The second section (Chapter 3, Custom Authentication, Chapter 4, JDBC-Based Authentication, Chapter 5, Authentication with Spring Data, Chapter 6, LDAP Directory Services, Chapter 7, Remember-Me Services, Chapter 8, Client Certificate Authentication with TLS, and Chapter 9, Opening up to OAuth 2) provides in-depth instructions for integrating with a number of different authentication technologies
  • The third section (Chapter 10, Single Sign-On with the Central Authentication Service, Chapter 11, Fine-Grained Access Control, and Chapter 12, Access Control Lists) explains how Spring Security's authorization support works
  • Finally, the last section (Chapters 13, Custom Authorization, Chapter 14, Session Management, Chapter 15, Additional Spring Security Features, and Chapter 16, Migration to Spring Security 4.2, Chapter 17, Microservice Security with OAuth 2 and JSON Web Tokens) provides information specialized topics and guides that help you perform very specific tasks

Security is a very interwoven concept, and so are many of the topics in the book. However, once you have read through the first three chapters, the rest of the chapters are fairly independent. This means that you can easily skip chapters and still understand what is happening. The goal is to provide a cookbook-style guide that when read in its entirety still helps you develope a clear understanding of Spring Security.

The book uses a simple Spring Web MVC-based application to illustrate how to solve real-world problems. The application is intended to be very simple and straightforward, and deliberately contains very little functionality—the goal of this application is to encourage you to focus on Spring Security concepts and not get tied up in the complexities of application development. You will have a much easier time following the book if you take the time to review the sample application source code and try to follow along with the exercises. Some tips on getting started are found in the Getting started with the JBCP calendar sample code section in Appendix, Additional Reference Material.

Previous Section
Next Section