Sign In Start Free Trial

Book Overview & Buying
Table Of Contents
Feedback & Rating

Spring Security

By : Mick Knutson, Robert Winch, Mularien

4.5 (4)

Spring Security

4.5 (4)

By: Mick Knutson, Robert Winch, Mularien

Overview of this book

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.

Preface

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Free Chapter

Anatomy of an Unsafe Application

Anatomy of an Unsafe Application

Security audit

Application technology

Authentication

Authorization

Summary

Getting Started with Spring Security

Getting Started with Spring Security

Hello Spring Security

A little bit of polish

Summary

Custom Authentication

Custom Authentication

JBCP calendar architecture

Logging in new users using SecurityContextHolder

Creating a custom UserDetailsService object

Creating a custom AuthenticationProvider object

Which authentication method to use?

Summary

JDBC-Based Authentication

JDBC-Based Authentication

Required dependencies

Using the H2 database

The default user schema of Spring Security

The UserDetailsManager interface

Support for a custom schema

Configuring secure passwords

The PasswordEncoder method

Using salt in Spring Security

Trying out the salted passwords

Summary

Authentication with Spring Data

Authentication with Spring Data

Spring Data JPA

Refactoring from SQL to ORM

Application services

The UserDetailsService object

Document database implementation with MongoDB

Summary

LDAP Directory Services

LDAP Directory Services

Understanding LDAP

Understanding how Spring LDAP authentication works

Determining roles with Apache Directory Studio

Configuring the UserDetailsContextMapper object

Updating AccountController to use LdapUserDetailsService

Explicit LDAP bean configuration

Integrating with Microsoft Active Directory via LDAP

Summary

Remember-Me Services

Remember-Me Services

What is remember-me?

MD5

Is remember-me secure?

Configuring the persistent-based remember-me feature

The remember-me architecture

Custom cookie and HTTP parameter names

Summary

Client Certificate Authentication with TLS

Client Certificate Authentication with TLS

How does client certificate authentication work?

Configuring client certificate authentication using Spring beans

Summary

Opening up to OAuth 2

Opening up to OAuth 2

The promising world of OAuth 2

Configuring OAuth 2 support in Spring Security

Executing the OAuth 2 provider connection workflow

Additional OAuth 2 providers

Is OAuth 2 secure?

Single Sign-On with the Central Authentication Service

Single Sign-On with the Central Authentication Service

Introducing the Central Authentication Service

High-level CAS authentication flow

Spring Security and CAS

Configuring basic CAS integration

Single logout

Clustered environments

Using proxy tickets

Customizing the CAS server

Getting the UserDetails object from a CAS assertion

Additional CAS capabilities

Summary

Fine-Grained Access Control

Fine-Grained Access Control

Gradle dependencies

Conditional rendering with the Thymeleaf Spring Security tag library

Interface-based proxies

JSR-250 compliant standardized rules

Summary

Access Control Lists

Access Control Lists

The conceptual module of ACL

Access control lists in Spring Security

Basic configuration of Spring Security ACL support

Summary

Custom Authorization

Custom Authorization

Authorizing the requests

Dynamically defining access control to URLs

Creating a custom expression

Summary

Session Management

Session Management

Configuring session fixation protection

Restricting the number of concurrent sessions per user

Configuring expired session redirect

Common problems with concurrency control

Other benefits of concurrent session control

Displaying active sessions for a user

Summary

Additional Spring Security Features

Additional Spring Security Features

Security vulnerabilities

Cross-Site Scripting

Cross-Site Request Forgery

Security HTTP response headers

Summary

Migration to Spring Security 4.2

Migration to Spring Security 4.2

Introduction

Sample migration

Deprecations

Summary

Microservice Security with OAuth 2 and JSON Web Tokens

Microservice Security with OAuth 2 and JSON Web Tokens

What are microservices?

Service-oriented architectures

Microservice security

The OAuth 2 specification

JSON Web Tokens

OAuth 2 support in Spring Security

Microservices client

Summary

Additional Reference Material

Additional Reference Material

Getting started with the JBCP calendar sample code

Customer Reviews

4.5 (4)

5 star

50%

4 star

50%

3 star

0

2 star

0

1 star

0

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The next steps involve a series of updates to the web.xml file". A block of code is set as follows:

 //build.gradle:
    dependencies {
        compile "org.springframework.security:spring-security-  
        config:${springSecurityVersion}"
        compile "org.springframework.security:spring-security- 
        core:${springSecurityVersion}"
        compile "org.springframework.security:spring-security- 
        web:${springSecurityVersion}"
        ...
    }

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

 [default]
 exten => s,1,Dial(Zap/1|30)
 exten => s,2,Voicemail(u100)
 exten => s,102,Voicemail(b100)
 exten => i,1,Voicemail(s0)

Any command-line input or output is written as follows:

$ ./gradlew idea

New terms and important words are shown in bold.

Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "In Microsoft Windows, you can view some of the ACL capabilities of a file by right-clicking on a file and examining its security properties (Properties | Security), as shown in the following screenshot".

Warnings or important notes appear like this.

Tips and tricks appear like this.

Search

Your notes and bookmarks