Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Spring Security
  • Table Of Contents Toc
  • Feedback & Rating feedback
Spring Security

Spring Security

By : Badr Nasslahsen
5 (4)
Buy this Book
close
close
Spring Security

Spring Security

5 (4)
By: Badr Nasslahsen
Buy this Book

Overview of this book

With experienced hackers constantly targeting apps, properly securing them becomes challenging when you integrate this factor with legacy code, new technologies, and other frameworks. Written by a Lead Cloud and Security Architect as well as CISSP, this book helps you easily secure your Java apps with Spring Security, a trusted and highly customizable authentication and access control framework. The book shows you how to implement different authentication mechanisms and properly restrict access to your app. You’ll learn to integrate Spring Security with popular web frameworks like Thymeleaf and Microservice and Cloud services like Zookeeper and Eureka, along with architecting solutions that leverage its full power while staying loosely coupled. You’ll also see how Spring Security defends against session fixation, moves into concurrency control, and how you can use session management for administrative functions. This fourth edition aligns with Java 17/21 and Spring Security 6, covering advanced security scenarios for RESTful web services and microservices. This ensures you fully understand the issues surrounding stateless authentication and discover a concise approach to solving those issues. By the end of this book, you’ll be able to integrate Spring Security 6 with GraalVM native images seamlessly, from start to finish.
Table of Contents (28 chapters)
close
close
close
Preface
Icon
Preface
Icon
Who this book is for
Icon
What this book covers
Icon
To get the most out of this book
Icon
Download the example code files
Icon
Code in Action
Icon
Conventions used
Icon
Get in touch
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
Free Chapter
1
Part 1: Fundamentals of Application Security
Icon
Part 1: Fundamentals of Application Security
2
Chapter 1: Anatomy of an Unsafe Application
Icon
Chapter 1: Anatomy of an Unsafe Application
Icon
Exploring software architecture styles
Icon
Understanding security audit
Icon
Addressing the security audit findings
Icon
Technical requirements
Icon
Summary
3
Chapter 2: Getting Started with Spring Security
Icon
Chapter 2: Getting Started with Spring Security
Icon
Hello Spring Security
Icon
A little bit of polish
Icon
Summary
4
Chapter 3: Custom Authentication
Icon
Chapter 3: Custom Authentication
Icon
Authentication architecture in Spring Security
Icon
Exploring the JBCP calendar architecture
Icon
Logging in new users using SecurityContextHolder
Icon
Creating a custom UserDetailsService object
Icon
Creating a custom AuthenticationProvider object
Icon
Which authentication method should you use?
Icon
Summary
5
Part 2: Authentication Techniques
Icon
Part 2: Authentication Techniques
6
Chapter 4: JDBC-based Authentication
Icon
Chapter 4: JDBC-based Authentication
Icon
Installing the required dependencies
Icon
Using the H2 database
Icon
The default user schema of Spring Security
Icon
Exploring UserDetailsManager interface
Icon
Support for a custom schema
Icon
Configuring secure passwords
Icon
Exploring the PasswordEncoder interface
Icon
Using salt in Spring Security
Icon
Trying out salted passwords
Icon
Summary
7
Chapter 5: Authentication with Spring Data
Icon
Chapter 5: Authentication with Spring Data
Icon
Spring Data JPA
Icon
Refactoring from SQL to ORM
Icon
Application services
Icon
The UserDetailsService object
Icon
Document database implementation with MongoDB
Icon
Summary
8
Chapter 6: LDAP Directory Services
Icon
Chapter 6: LDAP Directory Services
Icon
Understanding LDAP
Icon
Understanding how Spring LDAP authentication works
Icon
Determining roles with Jxplorer
Icon
Configuring the UserDetailsContextMapper object
Icon
Updating AccountController to use LdapUserDetailsService
Icon
Explicit LDAP bean configuration
Icon
Integrating with Microsoft Active Directory via LDAP
Icon
Summary
9
Chapter 7: Remember-me Services
Icon
Chapter 7: Remember-me Services
Icon
What is remember-me?
Icon
SHA-256 Algorithm
Icon
Is remember-me secure?
Icon
Configuring the persistent-based remember-me feature
Icon
The remember-me architecture
Icon
Custom cookie and HTTP parameter names
Icon
Summary
10
Chapter 8: Client Certificate Authentication with TLS
Icon
Chapter 8: Client Certificate Authentication with TLS
Icon
How does client certificate authentication work?
Icon
Configuring client certificate authentication using Spring beans
Icon
Summary
11
Part 3: Exploring OAuth 2 and SAML 2
Icon
Part 3: Exploring OAuth 2 and SAML 2
12
Chapter 9: Opening up to OAuth 2
Icon
Chapter 9: Opening up to OAuth 2
Icon
The Promising World of OAuth 2
Icon
Additional OAuth 2 providers
Icon
Is OAuth 2 secure?
Icon
Summary
13
Chapter 10: SAML 2 Support
Icon
Chapter 10: SAML 2 Support
Icon
What is SAML?
Icon
SAML 2.0 Login with Spring Security
Icon
Overriding SAML Spring Boot Auto Configuration
Icon
Performing Single Logout
Icon
Summary
14
Part 4: Enhancing Authorization Mechanisms
Icon
Part 4: Enhancing Authorization Mechanisms
15
Chapter 11: Fine-Grained Access Control
Icon
Chapter 11: Fine-Grained Access Control
Icon
Integrating Spring Expression Language (SpEL)
Icon
Conditional rendering with the Thymeleaf Spring Security tag library
Icon
JSR-250 compliant standardized rules
Icon
Summary
16
Chapter 12: Access Control Lists
Icon
Chapter 12: Access Control Lists
Icon
The conceptual module of an ACL
Icon
ACLs in Spring Security
Icon
Basic configuration of Spring Security ACL support
Icon
Advanced ACL topics
Icon
Considerations for a typical ACL deployment
Icon
Summary
17
Chapter 13: Custom Authorization
Icon
Chapter 13: Custom Authorization
Icon
Authorizing the Requests
Icon
Handling of Invocations
Icon
Modifying AccessDecisionManager and AccessDecisionVoter
Icon
Legacy Authorization Components
Icon
Dynamically defining access control to URLs
Icon
Creating a custom expression
Icon
Summary
18
Part 5: Advanced Security Features and Deployment Optimization
Icon
Part 5: Advanced Security Features and Deployment Optimization
19
Chapter 14: Session Management
Icon
Chapter 14: Session Management
Icon
Configuring session fixation protection
Icon
Restricting the number of concurrent sessions per user
Icon
Configuring expired session redirect
Icon
Common problems with concurrency control
Icon
Other benefits of concurrent session control
Icon
Displaying active sessions for a user
Icon
Summary
20
Chapter 15: Additional Spring Security Features
Icon
Chapter 15: Additional Spring Security Features
Icon
Security vulnerabilities
Icon
Cross-Site Scripting
Icon
Cross-Site Request Forgery
Icon
Security HTTP response headers
Icon
Testing Spring Security Applications
Icon
Reactive Applications Support
Icon
Summary
21
Chapter 16: Migration to Spring Security 6
Icon
Chapter 16: Migration to Spring Security 6
Icon
Exploit Protection
Icon
Configuration Migrations
Icon
Applying the migration steps from Spring Security 5.x to Spring Security 6.x
Icon
Summary
22
Chapter 17: Microservice Security with OAuth 2 and JSON Web Tokens
Icon
Chapter 17: Microservice Security with OAuth 2 and JSON Web Tokens
Icon
What are microservices?
Icon
Service-oriented architectures
Icon
Microservice security
Icon
The OAuth 2 specification
Icon
JSON Web Tokens
Icon
JWT Authentication in Spring Security
Icon
OAuth 2 support in Spring Security
Icon
Summary
23
Chapter 18: Single Sign-On with the Central Authentication Service
chevron up
Icon
Chapter 18: Single Sign-On with the Central Authentication Service
Icon
Introducing the Central Authentication Service
Icon
High-level CAS authentication flow
Icon
Spring Security and CAS
Icon
Configuring basic CAS integration
Icon
Single Logout
Icon
Clustered environments
Icon
Using proxy tickets
Icon
Customizing the CAS server
Icon
Getting the UserDetails object from a CAS assertion
Icon
Additional CAS capabilities
Icon
Summary
24
Chapter 19: Build GraalVM Native Images
Icon
Chapter 19: Build GraalVM Native Images
Icon
Introducing GraalVM
Icon
GraalVM images using Buildpacks
Icon
Building a native image using Native Build Tools
Icon
Method Security in GraalVM Native Image
Icon
Summary
25
Index
Icon
Index
Icon
Why subscribe?
26
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Packt is searching for authors like you
Icon
Share Your Thoughts
Icon
Download a free PDF copy of this book
Appendix – Additional Reference Material
Icon
Appendix – Additional Reference Material
Icon
Build tools
Icon
Getting started with the JBCP calendar sample code
Icon
Generating a server certificate
Icon
Supplementary materials

Clustered environments

One of the things that we failed to mention in our initial diagram of Single Logout was how the logout is performed. Unfortunately, it is implemented by storing a mapping of the service ticket to HttpSession as an in-memory map. This means that Single Logout will not work properly within a clustered environment:

Figure 18.3 – CAS authentication in a clustered environment

Figure 18.3 – CAS authentication in a clustered environment

Consider the following situation in the context of the preceding diagram:

  1. The user logs in to Cluster Member A.
  2. Cluster Member A validates the service ticket.
  3. It then stores in memory, the mapping of the service ticket to the user’s session.
  4. The user requests to log out from the CAS server.

The CAS server sends a logout request to the CAS service, but Cluster Member B receives the logout request. It looks in its memory but does not find a session for Service Ticket A, because it only exists in Cluster Member A. This means...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 7
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY