Spring Security in Action
Spring Security in Action shows you how to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks before they do damage. You'll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth 2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary.

Summary
While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the Spring Security framework makes it straightforward to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps against the most common threats, from injection attacks to inadequate monitoring. In it, you'll learn how to manage system users, configure secure endpoints, and use OAuth 2 and OpenID Connect for authentication and authorization.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Security is non-negotiable. You rely on Spring applications to transmit data, verify credentials, and resist attacks. Adopting "secure by design" principles protects your applications and the data they handle from theft and unauthorized access.

What's inside
Encoding passwords and authenticating users
Securing endpoints
Automating security testing
Setting up a standalone authorization server

About the reader
For experienced Java and Spring developers.

About the author
Laurentiu Spilca is a dedicated development lead and trainer at Endava, with over ten years of Java experience.


Product Details

ISBN-13: 9781617297731
Publisher: Manning
Publication date: November 3, 2020
Pages: 560
Product dimensions: 7.38 in (w) x 9.25 in (h) x 1.00 in (d)

About the Author

Laurentiu Spilca is a skilled Java and Spring developer and an experienced technology instructor. He is the author of Manning’s Spring Start Here and Spring Security in Action.

Table of Contents

Foreword xv

Preface xvii

Acknowledgments xix

About this book xx

About the author xxvi

About the cover illustration xxvii

Part 1 First Steps 1

1 Security today 3

1.1 Spring Security: The what and the why 5

1.2 What is software security? 7

1.3 Why is security important? 12

1.4 Common security vulnerabilities in web applications 14

Vulnerabilities in authentication and authorization 15

What is session fixation? 16

What is cross-site scripting (XSS)? 16

What is cross-site request forgery (CSRF)? 18

Understanding injection vulnerabilities in web applications 18

Dealing with the exposure of sensitive data 19

What is the lack of method access control? 22

Using dependencies with known vulnerabilities 23

1.5 Security applied in various architectures 24

Designing a one-piece web application 24

Designing security for a backend/frontend separation 26

Understanding the OAuth 2 flow 27

Using API keys, cryptographic signatures, and IP validation to secure requests 29

1.6 What will you learn in this book? 31

2 Hello Spring Security 33

2.1 Starting with the first project 34

2.2 Which are the default configurations? 38

2.3 Overriding default configurations 43

Overriding the UserDetailsService component 44

Overriding the endpoint authorization configuration 48

Setting the configuration in different ways 50

Overriding the AuthenticationProvider implementation 53

Using multiple configuration classes in your project 56

Part 2 Implementation 59

3 Managing users 61

3.1 Implementing authentication in Spring Security 62

3.2 Describing the user 65

Demystifying the definition of the UserDetails contract 65

Detailing on the GrantedAuthority contract 66

Writing a minimal implementation of UserDetails 67

Using a builder to create instances of the UserDetails type 70

Combining multiple responsibilities related to the user 71

3.3 Instructing Spring Security on how to manage users 74

Understanding the UserDetailsService contract 74

Implementing the UserDetailsService contract 75

Implementing the UserDetailsManager contract 78

4 Dealing with passwords 86

4.1 Understanding the PasswordEncoder contract 86

The definition of the PasswordEncoder contract 87

Implementing the PasswordEncoder contract 88

Choosing from the provided implementations of PasswordEncoder 90

Multiple encoding strategies with DelegatingPasswordEncoder 93

4.2 More about the Spring Security Crypto module 97

Using key generators 97

Using encryptors for encryption and decryption operations 99

5 Implementing authentication 102

5.1 Understanding the Authentication Provider 104

Representing the request during authentication 105

Implementing custom authentication logic 106

Applying custom authentication logic 108

5.2 Using the SecurityContext 113

Using a holding strategy for the security context 114

Using a holding strategy for asynchronous calls 116

Using a holding strategy for standalone applications 118

Forwarding the security context with DelegatingSecurityContextRunnable 119

Forwarding the security context with DelegatingSecurityContextExecutorService 121

5.3 Understanding HTTP Basic and form-based login authentications 124

Using and configuring HTTP Basic 124

Implementing authentication with form-based login 127

6 Hands-on: A small secured web application 135

6.1 Project requirements and setup 136

6.2 Implementing user management 141

6.3 Implementing custom authentication logic 146

6.4 Implementing the main page 148

6.5 Running and testing the application 151

7 Configuring authorization: Restricting access 153

7.1 Restricting access based on authorities and roles 155

Restricting access for all endpoints based on user authorities 157

Restricting access for all endpoints based on user roles 165

Restricting access to all endpoints 169

8 Configuring authorization: Applying restrictions 172

8.1 Using matcher methods to select endpoints 173

8.2 Selecting requests for authorization using MVC matchers 178

8.3 Selecting requests for authorization using Ant matchers 185

8.4 Selecting requests for authorization using regex matchers 190

9 Implementing filters 195

9.1 Implementing filters in the Spring Security architecture 198

9.2 Adding a filter before an existing one in the chain 199

9.3 Adding a filter after an existing one in the chain 203

9.4 Adding a filter at the location of another in the chain 205

9.5 Filter implementations provided by Spring Security 210

10 Applying CSRF protection and CORS 213

10.1 Applying cross-site request forgery (CSRF) protection in applications 213

How CSRF protection works in Spring Security 214

Using CSRF protection in practical scenarios 220

Customizing CSRF protection 226

10.2 Using cross-origin resource sharing 235

How does CORS work? 236

Applying CORS policies with the @CrossOrigin annotation 240

Applying CORS using a CorsConfigurer 242

11 Hands-on: A separation of responsibilities 244

11.1 The scenario and requirements of the example 245

11.2 Implementing and using tokens 248

What is a token? 248

What is a JSON Web Token? 252

11.3 Implementing the authentication server 253

11.4 Implementing the business logic server 263

Implementing the Authentication objects 268

Implementing the proxy to the authentication server 270

Implementing the AuthenticationProvider interface 272

Implementing the filters 274

Writing the security configurations 280

Testing the whole system 281

12 How does OAuth 2 work? 284

12.1 The OAuth 2 framework 285

12.2 The components of the OAuth 2 authentication architecture 287

12.3 Implementation choices with OAuth 2 288

Implementing the authorization code grant type 289

Implementing the password grant type 293

Implementing the client credentials grant type 295

Using refresh tokens to obtain new access tokens 297

12.4 The sins of OAuth 2 299

12.5 Implementing a simple single sign-on application 299

Managing the authorization server 300

Starting the implementation 303

Implementing ClientRegistration 304

Implementing ClientRegistrationRepository 307

The pure magic of Spring Boot configuration 309

Obtaining details about an authenticated user 311

Testing the application 311

13 OAuth 2: Implementing the authorization server 316

13.1 Writing your own authorization server implementation 318

13.2 Defining user management 319

13.3 Registering clients with the authorization server 322

13.4 Using the password grant type 325

13.5 Using the authorization code grant type 327

13.6 Using the client credentials grant type 333

13.7 Using the refresh token grant type 335

14 OAuth 2: Implementing the resource server 338

14.1 Implementing a resource server 341

14.2 Checking the token remotely 343

14.3 Implementing blackboarding with a JdbcTokenStore 350

14.4 A short comparison of approaches 358

15 OAuth 2: Using JWT and cryptographic signatures 360

15.1 Using tokens signed with symmetric keys with JWT 361

Using JWTs 361

Implementing an authorization server to issue JWTs 363

Implementing a resource server that uses JWT 367

15.2 Using tokens signed with asymmetric keys with JWT 370

Generating the key pair 372

Implementing an authorization server that uses private keys 373

Implementing a resource server that uses public keys 375

Using an endpoint to expose the public key 377

15.3 Adding custom details to the JWT 380

Configuring the authorization server to add custom details to tokens 381

Configuring the resource server to read the custom details of a JWT 383

16 Global method security: Pre- and postauthorizations 387

16.1 Enabling global method security 388

Understanding call authorization 389

Enabling global method security in your project 391

16.2 Applying preauthorization for authorities and roles 392

16.3 Applying postauthorization 397

16.4 Implementing permissions for methods 401

17 Global method security: Pre- and postfiltering 413

17.1 Applying prefiltering for method authorization 414

17.2 Applying postfiltering for method authorization 420

17.3 Using filtering in Spring Data repositories 425

18 Hands-on: An OAuth 2 application 433

18.1 The application scenario 434

18.2 Configuring Keycloak as an authorization server 436

Registering a client for our system 441

Specifying client scopes 442

Adding users and obtaining access tokens 444

Defining the user roles 448

18.3 Implementing the resource server 453

18.4 Testing the application 462

Proving an authenticated user can only add a record for themself 462

Proving that a user can only retrieve their own records 464

Proving that only admins can delete records 465

19 Spring Security for reactive apps 467

19.1 What are reactive apps? 468

19.2 User management in reactive apps 473

19.3 Configuring authorization rules in reactive apps 477

Applying authorization at the endpoint layer in reactive apps 477

Using method security in reactive apps 484

19.4 Reactive apps and OAuth 2 486

20 Spring Security testing 490

20.1 Using mock users for tests 493

20.2 Testing with users from a UserDetailsService 500

20.3 Using custom Authentication objects for testing 501

20.4 Testing method security 505

20.5 Testing authentication 507

20.6 Testing CSRF configurations 510

20.7 Testing CORS configurations 511

20.8 Testing reactive Spring Security implementations 512

Appendix A Creating a Spring Boot project 515

Index 519
