Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Spring Security
  • Toc
  • feedback
Spring Security

Spring Security

By : Badr Nasslahsen
5 (4)
close
Spring Security

Spring Security

5 (4)
By: Badr Nasslahsen

Overview of this book

With experienced hackers constantly targeting apps, properly securing them becomes challenging when you integrate this factor with legacy code, new technologies, and other frameworks. Written by a Lead Cloud and Security Architect as well as CISSP, this book helps you easily secure your Java apps with Spring Security, a trusted and highly customizable authentication and access control framework. The book shows you how to implement different authentication mechanisms and properly restrict access to your app. You’ll learn to integrate Spring Security with popular web frameworks like Thymeleaf and Microservice and Cloud services like Zookeeper and Eureka, along with architecting solutions that leverage its full power while staying loosely coupled. You’ll also see how Spring Security defends against session fixation, moves into concurrency control, and how you can use session management for administrative functions. This fourth edition aligns with Java 17/21 and Spring Security 6, covering advanced security scenarios for RESTful web services and microservices. This ensures you fully understand the issues surrounding stateless authentication and discover a concise approach to solving those issues. By the end of this book, you’ll be able to integrate Spring Security 6 with GraalVM native images seamlessly, from start to finish.
Table of Contents (28 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Free Chapter
1
Part 1: Fundamentals of Application Security
Part 1: Fundamentals of Application Security
2
Chapter 1: Anatomy of an Unsafe Application
Chapter 1: Anatomy of an Unsafe Application
Exploring software architecture styles
Understanding security audit
Addressing the security audit findings
Technical requirements
Summary
3
Chapter 2: Getting Started with Spring Security
Chapter 2: Getting Started with Spring Security
Hello Spring Security
A little bit of polish
Summary
4
Chapter 3: Custom Authentication
Chapter 3: Custom Authentication
Authentication architecture in Spring Security
Exploring the JBCP calendar architecture
Logging in new users using SecurityContextHolder
Creating a custom UserDetailsService object
Creating a custom AuthenticationProvider object
Which authentication method should you use?
Summary
5
Part 2: Authentication Techniques
Part 2: Authentication Techniques
6
Chapter 4: JDBC-based Authentication
Chapter 4: JDBC-based Authentication
Installing the required dependencies
Using the H2 database
The default user schema of Spring Security
Exploring UserDetailsManager interface
Support for a custom schema
Configuring secure passwords
Exploring the PasswordEncoder interface
Using salt in Spring Security
Trying out salted passwords
Summary
7
Chapter 5: Authentication with Spring Data
Chapter 5: Authentication with Spring Data
Spring Data JPA
Refactoring from SQL to ORM
Application services
The UserDetailsService object
Document database implementation with MongoDB
Summary
8
Chapter 6: LDAP Directory Services
Chapter 6: LDAP Directory Services
Understanding LDAP
Understanding how Spring LDAP authentication works
Determining roles with Jxplorer
Configuring the UserDetailsContextMapper object
Updating AccountController to use LdapUserDetailsService
Explicit LDAP bean configuration
Integrating with Microsoft Active Directory via LDAP
Summary
9
Chapter 7: Remember-me Services
Chapter 7: Remember-me Services
What is remember-me?
SHA-256 Algorithm
Is remember-me secure?
Configuring the persistent-based remember-me feature
The remember-me architecture
Custom cookie and HTTP parameter names
Summary
10
Chapter 8: Client Certificate Authentication with TLS
Chapter 8: Client Certificate Authentication with TLS
How does client certificate authentication work?
Configuring client certificate authentication using Spring beans
Summary
11
Part 3: Exploring OAuth 2 and SAML 2
Part 3: Exploring OAuth 2 and SAML 2
12
Chapter 9: Opening up to OAuth 2
chevron up
Chapter 9: Opening up to OAuth 2
The Promising World of OAuth 2
Additional OAuth 2 providers
Is OAuth 2 secure?
Summary
13
Chapter 10: SAML 2 Support
Chapter 10: SAML 2 Support
What is SAML?
SAML 2.0 Login with Spring Security
Overriding SAML Spring Boot Auto Configuration
Performing Single Logout
Summary
14
Part 4: Enhancing Authorization Mechanisms
Part 4: Enhancing Authorization Mechanisms
15
Chapter 11: Fine-Grained Access Control
Chapter 11: Fine-Grained Access Control
Integrating Spring Expression Language (SpEL)
Conditional rendering with the Thymeleaf Spring Security tag library
JSR-250 compliant standardized rules
Summary
16
Chapter 12: Access Control Lists
Chapter 12: Access Control Lists
The conceptual module of an ACL
ACLs in Spring Security
Basic configuration of Spring Security ACL support
Advanced ACL topics
Considerations for a typical ACL deployment
Summary
17
Chapter 13: Custom Authorization
Chapter 13: Custom Authorization
Authorizing the Requests
Handling of Invocations
Modifying AccessDecisionManager and AccessDecisionVoter
Legacy Authorization Components
Dynamically defining access control to URLs
Creating a custom expression
Summary
18
Part 5: Advanced Security Features and Deployment Optimization
Part 5: Advanced Security Features and Deployment Optimization
19
Chapter 14: Session Management
Chapter 14: Session Management
Configuring session fixation protection
Restricting the number of concurrent sessions per user
Configuring expired session redirect
Common problems with concurrency control
Other benefits of concurrent session control
Displaying active sessions for a user
Summary
20
Chapter 15: Additional Spring Security Features
Chapter 15: Additional Spring Security Features
Security vulnerabilities
Cross-Site Scripting
Cross-Site Request Forgery
Security HTTP response headers
Testing Spring Security Applications
Reactive Applications Support
Summary
21
Chapter 16: Migration to Spring Security 6
Chapter 16: Migration to Spring Security 6
Exploit Protection
Configuration Migrations
Applying the migration steps from Spring Security 5.x to Spring Security 6.x
Summary
22
Chapter 17: Microservice Security with OAuth 2 and JSON Web Tokens
Chapter 17: Microservice Security with OAuth 2 and JSON Web Tokens
What are microservices?
Service-oriented architectures
Microservice security
The OAuth 2 specification
JSON Web Tokens
JWT Authentication in Spring Security
OAuth 2 support in Spring Security
Summary
23
Chapter 18: Single Sign-On with the Central Authentication Service
Chapter 18: Single Sign-On with the Central Authentication Service
Introducing the Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Configuring basic CAS integration
Single Logout
Clustered environments
Using proxy tickets
Customizing the CAS server
Getting the UserDetails object from a CAS assertion
Additional CAS capabilities
Summary
24
Chapter 19: Build GraalVM Native Images
Chapter 19: Build GraalVM Native Images
Introducing GraalVM
GraalVM images using Buildpacks
Building a native image using Native Build Tools
Method Security in GraalVM Native Image
Summary
25
Index
Index
Why subscribe?
26
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book
Appendix – Additional Reference Material
Appendix – Additional Reference Material
Build tools
Getting started with the JBCP calendar sample code
Generating a server certificate
Supplementary materials

Is OAuth 2 secure?

As support for OAuth 2 relies on the trustworthiness of the OAuth 2 provider and the verifiability of the provider’s response, security and authenticity are critical in order for the application to have confidence in the user’s OAuth 2-based login.

Fortunately, the designers of the OAuth 2 specification were very aware of this concern, and implemented a series of verification steps to prevent response forgery, replay attacks, and other types of tampering, which are explained as follows:

  • Response forgery is prevented due to a combination of a shared secret key (created by the OAuth 2-enabled site prior to the initial request) and a one-way hashed message signature on the response itself. A malicious user tampering with the data in any of the response fields without having access to the shared secret key—and signature algorithm—would generate an invalid response.
  • Replay attacks are prevented due to the inclusion of a nonce...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 4
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete