Book description
While creating secure applications is critically important, it can also be tedious and time-consuming to stitch together the required collection of tools. For Java developers, the powerful Spring Security framework makes it easy for you to bake security into your software from the very beginning. Filled with code samples and practical examples, Spring Security in Action teaches you how to secure your apps from the most common threats, ranging from injection attacks to lackluster monitoring. In it, you'll learn how to manage system users, configure secure endpoints, and use OAuth2 and OpenID Connect for authentication and authorization.
About the Technology
Security is non-negotiable. You rely on Spring applications to transmit data, verify credentials, and prevent attacks. Adopting "secure by design" principles will protect your network from data theft and unauthorized intrusions.
About the Book
Spring Security in Action shows you how to prevent cross-site scripting and request forgery attacks before they do damage. You’ll start with the basics, simulating password upgrades and adding multiple types of authorization. As your skills grow, you'll adapt Spring Security to new architectures and create advanced OAuth2 configurations. By the time you're done, you'll have a customized Spring Security configuration that protects against threats both common and extraordinary.
What's Inside
- Encoding passwords and authenticating users
- Securing endpoints
- Automating security testing
- Setting up a standalone authorization server
About the Reader
For experienced Java and Spring developers.
About the Author
Laurențiu Spilcă is a dedicated development lead and trainer at Endava, with over ten years of Java experience.
Quotes
An indispensable guide to Spring Security that belongs on the desk of every serious Spring developer.
- Nathan B. Crocker, Galaxy Digital
A gold mine of knowledge, sound advice, and practical applications. I wish I had something like this years ago when I was learning about Spring Security.
- Alain Lompo, ISO-Gruppe
Everything you need to know about Spring Security to protect your Java enterprise applications from common threats and attacks.
- Harinath Kuntamukkala, Cognizant Technology Solutions
The definitive guide to secure your Spring applications. A must-read.
- Ubaldo Pescatore, Generali Business Solutions
Table of contents
- Spring Security in Action
- Copyright
- contents
- front matter
- Part 1. First Steps
- 1 Security today
- 1.1 Spring Security: The what and the why
- 1.2 What is software security?
- 1.3 Why is security important?
- 1.4 Common security vulnerabilities in web applications
- 1.4.1 Vulnerabilities in authentication and authorization
- 1.4.2 What is session fixation?
- 1.4.3 What is cross-site scripting (XSS)?
- 1.4.4 What is cross-site request forgery (CSRF)?
- 1.4.5 Understanding injection vulnerabilities in web applications
- 1.4.6 Dealing with the exposure of sensitive data
- 1.4.7 What is the lack of method access control?
- 1.4.8 Using dependencies with known vulnerabilities
- 1.5 Security applied in various architectures
- 1.6 What will you learn in this book?
- Summary
- 2 Hello Spring Security
- Part 2. Implementation
- 3 Managing users
- 4 Dealing with passwords
- 5 Implementing authentication
- 5.1 Understanding the AuthenticationProvider
- 5.2 Using the SecurityContext
- 5.2.1 Using a holding strategy for the security context
- 5.2.2 Using a holding strategy for asynchronous calls
- 5.2.3 Using a holding strategy for standalone applications
- 5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable
- 5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService
- 5.3 Understanding HTTP Basic and form-based login authentications
- Summary
- 6 Hands-on: A small secured web application
- 7 Configuring authorization: Restricting access
- 8 Configuring authorization: Applying restrictions
- 9 Implementing filters
- 10 Applying CSRF protection and CORS
- 11 Hands-on: A separation of responsibilities
- 12 How does OAuth 2 work?
- 12.1 The OAuth 2 framework
- 12.2 The components of the OAuth 2 authentication architecture
- 12.3 Implementation choices with OAuth 2
- 12.4 The sins of OAuth 2
- 12.5 Implementing a simple single sign-on application
- Summary
- 13 OAuth 2: Implementing the authorization server
- 13.1 Writing your own authorization server implementation
- 13.2 Defining user management
- 13.3 Registering clients with the authorization server
- 13.4 Using the password grant type
- 13.5 Using the authorization code grant type
- 13.6 Using the client credentials grant type
- 13.7 Using the refresh token grant type
- Summary
- 14 OAuth 2: Implementing the resource server
- 15 OAuth 2: Using JWT and cryptographic signatures
- 16 Global method security: Pre- and postauthorizations
- 17 Global method security: Pre- and postfiltering
- 18 Hands-on: An OAuth 2 application
- 19 Spring Security for reactive apps
- 20 Spring Security testing
- 20.1 Using mock users for tests
- 20.2 Testing with users from a UserDetailsService
- 20.3 Using custom Authentication objects for testing
- 20.4 Testing method security
- 20.5 Testing authentication
- 20.6 Testing CSRF configurations
- 20.7 Testing CORS configurations
- 20.8 Testing reactive Spring Security implementations
- Summary
- appendix A. Creating a Spring Boot project
- index
Product information
- Title: Spring Security in Action
- Author(s): Laurențiu Spilcă
- Release date: October 2020
- Publisher(s): Manning Publications
- ISBN: 9781617297731