Sign In Start Free Trial

Spring Security

By : Mick Knutson, Robert Winch, Mularien

4.5 (4)

Spring Security

4.5 (4)

By: Mick Knutson, Robert Winch, Mularien

Overview of this book

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

Anatomy of an Unsafe Application

Anatomy of an Unsafe Application

Security audit

Application technology

Authentication

Authorization

Summary

Getting Started with Spring Security

Getting Started with Spring Security

Hello Spring Security

A little bit of polish

Summary

Custom Authentication

Custom Authentication

JBCP calendar architecture

Logging in new users using SecurityContextHolder

Creating a custom UserDetailsService object

Creating a custom AuthenticationProvider object

Which authentication method to use?

Summary

JDBC-Based Authentication

JDBC-Based Authentication

Required dependencies

Using the H2 database

The default user schema of Spring Security

The UserDetailsManager interface

Support for a custom schema

Configuring secure passwords

The PasswordEncoder method

Using salt in Spring Security

Trying out the salted passwords

Summary

Authentication with Spring Data

Authentication with Spring Data

Spring Data JPA

Refactoring from SQL to ORM

Application services

The UserDetailsService object

Document database implementation with MongoDB

Summary

LDAP Directory Services

LDAP Directory Services

Understanding LDAP

Understanding how Spring LDAP authentication works

Determining roles with Apache Directory Studio

Configuring the UserDetailsContextMapper object

Updating AccountController to use LdapUserDetailsService

Explicit LDAP bean configuration

Integrating with Microsoft Active Directory via LDAP

Summary

Remember-Me Services

Remember-Me Services

What is remember-me?

MD5

Is remember-me secure?

Configuring the persistent-based remember-me feature

The remember-me architecture

Custom cookie and HTTP parameter names

Summary

Client Certificate Authentication with TLS

Client Certificate Authentication with TLS

How does client certificate authentication work?

Configuring client certificate authentication using Spring beans

Summary

Opening up to OAuth 2

Opening up to OAuth 2

The promising world of OAuth 2

Configuring OAuth 2 support in Spring Security

Executing the OAuth 2 provider connection workflow

Additional OAuth 2 providers

Is OAuth 2 secure?

Single Sign-On with the Central Authentication Service

Single Sign-On with the Central Authentication Service

Introducing the Central Authentication Service

High-level CAS authentication flow

Spring Security and CAS

Configuring basic CAS integration

Single logout

Clustered environments

Using proxy tickets

Customizing the CAS server

Getting the UserDetails object from a CAS assertion

Additional CAS capabilities

Summary

Fine-Grained Access Control

Fine-Grained Access Control

Gradle dependencies

Conditional rendering with the Thymeleaf Spring Security tag library

Interface-based proxies

JSR-250 compliant standardized rules

Summary

Access Control Lists

Access Control Lists

The conceptual module of ACL

Access control lists in Spring Security

Basic configuration of Spring Security ACL support

Summary

Custom Authorization

Custom Authorization

Authorizing the requests

Dynamically defining access control to URLs

Creating a custom expression

Summary

Session Management

Session Management

Configuring session fixation protection

Restricting the number of concurrent sessions per user

Configuring expired session redirect

Common problems with concurrency control

Other benefits of concurrent session control

Displaying active sessions for a user

Summary

Additional Spring Security Features

Additional Spring Security Features

Security vulnerabilities

Cross-Site Scripting

Cross-Site Request Forgery

Security HTTP response headers

Summary

Migration to Spring Security 4.2

Migration to Spring Security 4.2

Introduction

Sample migration

Deprecations

Summary

Microservice Security with OAuth 2 and JSON Web Tokens

Microservice Security with OAuth 2 and JSON Web Tokens

What are microservices?

Service-oriented architectures

Microservice security

The OAuth 2 specification

JSON Web Tokens

OAuth 2 support in Spring Security

Microservices client

Summary

Additional Reference Material

Additional Reference Material

Getting started with the JBCP calendar sample code

Customer Reviews

4.5 (4)

5 star

50%

4 star

50%

3 star

0

2 star

0

1 star

0

Determining roles with Apache Directory Studio

We will now try to determine the roles for our user with Apache Directory Studio. Using the calendar-user1 connection we created previously, perform the following steps:

Right-click on DIT and select New | New Search.
Enter a search base of ou=Groups,dc=jbcpcalendar,dc=com. This corresponds to the baseDn attribute of the DefaultSpringSecurityContextSource object we specified, plus the groupSearchBase attribute we specified for the AuthenticationManagerBuilder object.
Enter a filter of [email protected],ou=Users,dc=jbcpcalendar,dc=com. This corresponds to the default groupSearchFilter attribute of (uniqueMember={0}). Notice that we have substituted the full DN of the user we found in our previous exercise for the {0} value.
Click on Search.
You will observe that the User group is the only group returned in our search...

Search

Your notes and bookmarks