Securing Spring MVC Applications

Securing an application is one of the most delicate tasks because of the many weaknesses that must be considered: poor user authentication, unreliable authorization, missing audit logging, and fail-open error handling. At the application level, Spring Security provides a configurable and extensible framework that adds login authentication and authorization to a Spring MVC application and, through its default filter chain and response headers, protects against session fixation, cross-site scripting (XSS), clickjacking, and cross-site request forgery (CSRF).

Spring Security 4.2.2 also provides an easy way to build an access control model comprising users, roles, and permissions that serves as the basis of authorization. Users and roles can be defined in-memory or loaded from database storage. Role-based restrictions can be applied to request handlers (URL patterns), view pages (tag library), and service methods (method security annotations), which shows how flexible and configurable its architecture is.

Spring Security also offers several ways to load and validate user details for authentication. It ships with PasswordEncoder implementations that store passwords as hashes rather than in recoverable form, including salted, adaptive algorithms such as BCrypt, as well as legacy unsalted digest encoders kept for migrating older user stores.
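The following is an added example, not code from the book, showing how the pieces described above fit together in a single Spring Security 4.2 Java configuration for a Spring MVC application: in-memory users and roles, BCrypt password hashing, URL-pattern and method-level role restrictions, CSRF protection (on by default), anti-clickjacking and content-security headers, and session-fixation defence. The class names, URL paths, user names and passwords are illustrative assumptions; the literal passwords are only acceptable for a demo and would come from a user store in a real deployment.

```java
// Added example (not from the original page). Class names, paths and
// credentials are assumptions chosen for illustration only.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // BCrypt salts each hash and is deliberately slow; store hashes, never plaintext.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // In-memory users and roles (demo only; in-memory credentials are an assumption
    // for this example, a JDBC-backed store would replace this in production).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("admin").password(encoder.encode("admin-demo-pw")).roles("ADMIN")
            .and()
            .withUser("alice").password(encoder.encode("alice-demo-pw")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // URL-pattern authorization: most specific patterns first.
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                .and()
            // CSRF protection is enabled by default in Java config; it is left on here.
            // Every state-changing form/AJAX request must carry the CSRF token.
            .headers()
                .frameOptions().deny()                          // X-Frame-Options: DENY (clickjacking)
                .contentSecurityPolicy("default-src 'self'")   // limits script/resource origins
                .and()
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()             // new session ID on login
                .maximumSessions(1);                            // one concurrent session per user
    }
}

// Method-level restriction: enforced even if a handler forgets a URL rule.
@Service
class AccountService {

    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // business logic omitted; only ADMIN callers reach this line
    }
}
```

Two caveats a practitioner should keep in mind: the headers above only reduce the impact of XSS, so view templates must still escape untrusted output, and `migrateSession()` must run together with an HTTPS-only session cookie, otherwise the freshly issued session ID can still be captured on the wire.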

This chapter will provide a series of recipes related to how to install, configure, and extend Spring Security 4.2.2 for Spring 5.0 MVC applications.

In this chapter, we will cover the following topics:

  • Configuring Spring Security 4.2.2
  • Mapping sessions to channels and ports
  • Customizing the authentication process
  • Implementing authentication filters, login success, and failure handlers
  • Creating user details
  • Generating encrypted passwords
  • Applying Security to MVC methods
  • Creating roles and permissions from the database
  • Managing and storing sessions
  • Solving Cross-Site Request Forgery (CSRF) and session fixation attacks
  • Solving Cross-Site Scripting (XSS) and clickjacking attacks
  • Creating interceptors for login data validation