Home Page Icon
Home Page
Table of Contents for
Cover
Close
Cover
by Laurentiu Spilca
Spring Security in Action
Spring Security in Action
Copyright
contents
front matter
foreword
preface
acknowledgments
about this book
Who should read this book?
How this book is organized: A roadmap
About the code
The liveBook discussion forum
Other online resources
about the author
about the cover illustration
Part 1. First Steps
1 Security today
1.1 Spring Security: The what and the why
1.2 What is software security?
1.3 Why is security important?
1.4 Common security vulnerabilities in web applications
1.4.1 Vulnerabilities in authentication and authorization
1.4.2 What is session fixation?
1.4.3 What is cross-site scripting (XSS)?
1.4.4 What is cross-site request forgery (CSRF)?
1.4.5 Understanding injection vulnerabilities in web applications
1.4.6 Dealing with the exposure of sensitive data
1.4.7 What is the lack of method access control?
1.4.8 Using dependencies with known vulnerabilities
1.5 Security applied in various architectures
1.5.1 Designing a one-piece web application
1.5.2 Designing security for a backend/frontend separation
1.5.3 Understanding the OAuth 2 flow
1.5.4 Using API keys, cryptographic signatures, and IP validation to secure requests
1.6 What will you learn in this book?
Summary
2 Hello Spring Security
2.1 Starting with the first project
2.2 Which are the default configurations?
2.3 Overriding default configurations
2.3.1 Overriding the UserDetailsService component
2.3.2 Overriding the endpoint authorization configuration
2.3.3 Setting the configuration in different ways
2.3.4 Overriding the AuthenticationProvider implementation
2.3.5 Using multiple configuration classes in your project
Summary
Part 2. Implementation
3 Managing users
3.1 Implementing authentication in Spring Security
3.2 Describing the user
3.2.1 Demystifying the definition of the UserDetails contract
3.2.2 Detailing on the GrantedAuthority contract
3.2.3 Writing a minimal implementation of UserDetails
3.2.4 Using a builder to create instances of the UserDetails type
3.2.5 Combining multiple responsibilities related to the user
3.3 Instructing Spring Security on how to manage users
3.3.1 Understanding the UserDetailsService contract
3.3.2 Implementing the UserDetailsService contract
3.3.3 Implementing the UserDetailsManager contract
Using a JdbcUserDetailsManager for user management
Using an LdapUserDetailsManager for user management
Summary
4 Dealing with passwords
4.1 Understanding the PasswordEncoder contract
4.1.1 The definition of the PasswordEncoder contract
4.1.2 Implementing the PasswordEncoder contract
4.1.3 Choosing from the provided implementations of PasswordEncoder
4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder
4.2 More about the Spring Security Crypto module
4.2.1 Using key generators
4.2.2 Using encryptors for encryption and decryption operations
Summary
5 Implementing authentication
5.1 Understanding the AuthenticationProvider
5.1.1 Representing the request during authentication
5.1.2 Implementing custom authentication logic
5.1.3 Applying custom authentication logic
5.2 Using the SecurityContext
5.2.1 Using a holding strategy for the security context
5.2.2 Using a holding strategy for asynchronous calls
5.2.3 Using a holding strategy for standalone applications
5.2.4 Forwarding the security context with DelegatingSecurityContextRunnable
5.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService
5.3 Understanding HTTP Basic and form-based login authentications
5.3.1 Using and configuring HTTP Basic
5.3.2 Implementing authentication with form-based login
Summary
6 Hands-on: A small secured web application
6.1 Project requirements and setup
6.2 Implementing user management
6.3 Implementing custom authentication logic
6.4 Implementing the main page
6.5 Running and testing the application
Summary
7 Configuring authorization: Restricting access
7.1 Restricting access based on authorities and roles
7.1.1 Restricting access for all endpoints based on user authorities
7.1.2 Restricting access for all endpoints based on user roles
7.1.3 Restricting access to all endpoints
Summary
8 Configuring authorization: Applying restrictions
8.1 Using matcher methods to select endpoints
8.2 Selecting requests for authorization using MVC matchers
8.3 Selecting requests for authorization using Ant matchers
8.4 Selecting requests for authorization using regex matchers
Summary
9 Implementing filters
9.1 Implementing filters in the Spring Security architecture
9.2 Adding a filter before an existing one in the chain
9.3 Adding a filter after an existing one in the chain
9.4 Adding a filter at the location of another in the chain
9.5 Filter implementations provided by Spring Security
Summary
10 Applying CSRF protection and CORS
10.1 Applying cross-site request forgery (CSRF) protection in applications
10.1.1 How CSRF protection works in Spring Security
10.1.2 Using CSRF protection in practical scenarios
10.1.3 Customizing CSRF protection
10.2 Using cross-origin resource sharing
10.2.1 How does CORS work?
10.2.2 Applying CORS policies with the @CrossOrigin annotation
10.2.3 Applying CORS using a CorsConfigurer
Summary
11 Hands-on: A separation of responsibilities
11.1 The scenario and requirements of the example
11.2 Implementing and using tokens
11.2.1 What is a token?
11.2.2 What is a JSON Web Token?
11.3 Implementing the authentication server
11.4 Implementing the business logic server
11.4.1 Implementing the Authentication objects
11.4.2 Implementing the proxy to the authentication server
11.4.3 Implementing the AuthenticationProvider interface
11.4.4 Implementing the filters
11.4.5 Writing the security configurations
11.4.6 Testing the whole system
Summary
12 How does OAuth 2 work?
12.1 The OAuth 2 framework
12.2 The components of the OAuth 2 authentication architecture
12.3 Implementation choices with OAuth 2
12.3.1 Implementing the authorization code grant type
Step 1: Making the authentication request with the authorization code grant type
Step 2: Obtaining an access token with the authorization code grant type
Step 3: Calling the protected resource with the authorization code grant type
An analogy for the grant type authorization code
12.3.2 Implementing the password grant type
Step 1: Requesting an access token when using the password grant type
Step 2: Using an access token to call resources when using the password grant type
An analogy for the password grant type
12.3.3 Implementing the client credentials grant type
Step 1: Requesting an access token with the client credential grant type
Step 2: Using an access token to call resources with the client credential grant type
12.3.4 Using refresh tokens to obtain new access tokens
12.4 The sins of OAuth 2
12.5 Implementing a simple single sign-on application
12.5.1 Managing the authorization server
12.5.2 Starting the implementation
12.5.3 Implementing ClientRegistration
12.5.4 Implementing ClientRegistrationRepository
12.5.5 The pure magic of Spring Boot configuration
12.5.6 Obtaining details about an authenticated user
12.5.7 Testing the application
Summary
13 OAuth 2: Implementing the authorization server
13.1 Writing your own authorization server implementation
13.2 Defining user management
13.3 Registering clients with the authorization server
13.4 Using the password grant type
13.5 Using the authorization code grant type
13.6 Using the client credentials grant type
13.7 Using the refresh token grant type
Summary
14 OAuth 2: Implementing the resource server
14.1 Implementing a resource server
14.2 Checking the token remotely
14.3 Implementing blackboarding with a JdbcTokenStore
14.4 A short comparison of approaches
Summary
15 OAuth 2: Using JWT and cryptographic signatures
15.1 Using tokens signed with symmetric keys with JWT
15.1.1 Using JWTs
15.1.2 Implementing an authorization server to issue JWTs
15.1.3 Implementing a resource server that uses JWT
15.2 Using tokens signed with asymmetric keys with JWT
15.2.1 Generating the key pair
Generating a private key
Obtaining the public key
15.2.2 Implementing an authorization server that uses private keys
15.2.3 Implementing a resource server that uses public keys
15.2.4 Using an endpoint to expose the public key
15.3 Adding custom details to the JWT
15.3.1 Configuring the authorization server to add custom details to tokens
15.3.2 Configuring the resource server to read the custom details of a JWT
Summary
16 Global method security: Pre- and postauthorizations
16.1 Enabling global method security
16.1.1 Understanding call authorization
Using preauthorization to secure access to methods
Using postauthorization to secure a method call
16.1.2 Enabling global method security in your project
16.2 Applying preauthorization for authorities and roles
16.3 Applying postauthorization
16.4 Implementing permissions for methods
Summary
17 Global method security: Pre- and postfiltering
17.1 Applying prefiltering for method authorization
17.2 Applying postfiltering for method authorization
17.3 Using filtering in Spring Data repositories
Summary
18 Hands-on: An OAuth 2 application
18.1 The application scenario
18.2 Configuring Keycloak as an authorization server
18.2.1 Registering a client for our system
18.2.2 Specifying client scopes
18.2.3 Adding users and obtaining access tokens
18.2.4 Defining the user roles
18.3 Implementing the resource server
18.4 Testing the application
18.4.1 Proving an authenticated user can only add a record for themself
18.4.2 Proving that a user can only retrieve their own records
18.4.3 Proving that only admins can delete records
Summary
19 Spring Security for reactive apps
19.1 What are reactive apps?
19.2 User management in reactive apps
19.3 Configuring authorization rules in reactive apps
19.3.1 Applying authorization at the endpoint layer in reactive apps
19.3.2 Using method security in reactive apps
19.4 Reactive apps and OAuth 2
Summary
20 Spring Security testing
20.1 Using mock users for tests
20.2 Testing with users from a UserDetailsService
20.3 Using custom Authentication objects for testing
Step 1: Defining a custom annotation
Step 2: Creating a factory class for the mock SecurityContext
Step 3: Linking the custom annotation to the factory class
20.4 Testing method security
20.5 Testing authentication
20.6 Testing CSRF configurations
20.7 Testing CORS configurations
20.8 Testing reactive Spring Security implementations
Summary
appendix A. Creating a Spring Boot project
A.1 Creating a project with start.spring.io
A.2 Creating a project with the Spring Tool Suite (STS)
index
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Next
Next Chapter
Spring Security in Action
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset