index

Symbols

@Async annotation 116

@Autowired annotation 111

@Bean annotation 45

@Component annotation 109, 111

@ComponentScan annotation 36

@Configuration annotation 45, 319

@Controller annotation 130

@CrossOrigin annotation 240-242

@Deprecated annotation 47

@DisplayName annotation 497

@EnableAuthorizationServer annotation 319

@EnableAsync annotation 116

@EnableReactiveMethodSecurity annotation 484

@EnableResourceServer annotation 342-343

@FunctionalInterface annotation 67

@GetMapping annotation 36, 179, 418

@Order annotation 58

@PostAuthorize annotation 397-399, 401-402, 410, 413, 416, 484

@PostFilter annotation 417, 421, 423, 425-426, 428, 430-431, 455, 484

@PostMapping annotation 179

@PreAuthorize annotation 394, 397, 401, 407-408, 410, 413, 416, 461, 484

@PreFilter annotation 415, 417, 425, 484

@RequestMapping annotation 179

@ResponseBody annotation 238

@RestController annotation 36, 130

@SpringBootApplication annotation 36, 116, 210, 515

@SpringBootTest annotation 495

@Transactional annotation 391

@WithCustomUser annotation 503-504

@WithMockUser annotation 497-498, 502, 505-506, 512

@WithSecurityContext annotation 502, 504

@WithUserDetails annotation 501-502, 505, 507

A

access_token 292

Access-Control-Allow-Headers 237

Access-Control-Allow-Methods 237

Access-Control-Allow-Origin 237

AccessDeniedException 126, 505

AccessTokenConverter 383-384

AccountRepository 23

ADMIN role 165, 173

ANT matchers 173, 185-189

AOP (aspect-oriented programming) 389

API keys 29

application-level security 9

asymmetric key pair 372

asymmetric keys, tokens signed with, using with JWTs 370-380

generating key pair 372-373

implementing authorization server that uses private keys 373-374

implementing resource server that uses public keys 375-376

using endpoints to expose public keys 377

asynchronous calls, using holding strategy for 116-118

AUD (audience claim) 449

authentication

implementing 62-65, 102-134

form-based login authentications 127-133

HTTP Basic 124, 127

testing 507, 509

vulnerabilities in 15

Authentication objects

custom, using for testing 501, 505

step 1) defining custom annotation 503

step 2) creating factory class for mock SecurityContext 504

step 3) linking custom annotation to factory class 504-505

implementing, in separation of responsibilities example 268-269

authentication server 245

AuthenticationEntryPoint 126

AuthenticationException 75, 126, 505

AuthenticationFailureHandler 130, 132

AuthenticationFilter 63, 136

AuthenticationLoggingFilter 203

AuthenticationManager 63, 108, 136, 275-277, 280, 321-322

AuthenticationManagerBuilder parameter 50, 52

AuthenticationProvider 41, 104-111, 494, 501, 505, 507

applying custom authentication logic 108-111

implementing AuthenticationProvider objects in separation of responsibilities example 272-273

implementing custom authentication logic 106-108

overriding implementation 53-56

representing request during authentication 105-106

AuthenticationServerProxy 270

AuthenticationSuccessHandler 130, 508

AuthenticationWebFilter 474

authorities keys 64, 450

authority 45, 156

Authority entity 142-143

authorization code grant 289-293, 327-332

authorization configuration 153-171

applying restrictions 172-194

selecting requests for authorization using ANT matchers 185-189

selecting requests for authorization using MVC matchers 178-185

selecting requests for authorization using regex matchers 190-194

using Matcher methods to select endpoints 173-178

restricting access based on authorities and roles 155-170

for all endpoints based on user authorities 157-164

for all endpoints based on user roles 165-168

to all endpoints 169-170

authorization rules, configuring in reactive apps 477-486

applying authorization at endpoint layer in reactive apps 477-483

using method security in reactive apps 484-486

authorization server

configuring Keycloak as 436-452

adding users and obtaining access tokens 444-448

defining users' roles 448-452

registering client for system 441

specifying client scopes 442

configuring to add custom details in token 381-383

implementation in OAuth 2 316-337

authorization code grant 327-332

client credentials grant 333-334

password grant 325-327

refresh token grant 335-336

registering clients with authorization server 322-325

user management, defining 319-322

writing own 318-319

implementing to issue JWTs 363-367

managing for SSO application 300-302

that uses private keys, implementing 373-374

authorization vulnerabilities 15

authorization_code 292

AuthorizationContext 482

AuthorizationDecision 482

AuthorizationWebFilter 483

B

backend/frontend separation, designing security for 26

BasicAuthenticationFilter 198, 209

bcrypt key 93

BCryptPasswordEncoder 90, 92-93, 95, 256, 262

bearer 348

blackboarding 340, 350-358

business logic server implementation 263-282

Authentication objects, implementing 268-269

AuthenticationProvider objects, implementing 272-273

filters, implementing 274-278

proxy to authentication server, implementing 270-272

security configurations, writing 280

testing whole system 281-282

ByteEncryptor 99

BytesEncryptor 99

BytesKeyGenerator 98

C

CA (certification authority) 41

call authorization 388

CBC (Cipher Block Chaining) 100

certification authority (CA) 41

check_token URI 349

client 245, 288

client credentials grant 295-297, 333-334

client_id 290, 292, 295-296, 298, 313

client_secret 292, 295-296, 298

ClientDetails 323-324

ClientDetailsService 323-324

ClientRegistration 304-306, 309-310

ClientRegistrationRepository 307-310

CORS (cross-origin resource sharing) 18, 198, 202, 235

applying CORS policies with @CrossOrigin annotation 240-242

applying, using CorsConfigurer 242-243

overview 236-240

testing configurations 511

CorsConfiguration 243

CorsConfigurationSource 243

CorsConfigurer, applying CORS using 242-243

CorsFilter 198

cross-site scripting (XSS) 16, 242

cryptographic signatures 29

CSRF (cross-site request forgery) 13, 18, 179, 198, 202, 291, 299

applying in applications 213, 220-235

customizing CSRF protection 226-235

how CSRF protection works in Spring Security 214-220

using CSRF protection in practical scenarios 225

testing configurations 510

CsrfConfigurer 233

CsrfFilter 198, 215, 217, 224

CsrfToken 229

CsrfTokenLogger 217-218

CsrfTokenRepository 216-217, 219-220, 228-231, 233

custom authentication logic

applying 108-111

implementing 106-108, 146-148

custom Authentication objects, using for testing 501, 505

step 1) defining custom annotation 503

step 2) creating factory class for mock SecurityContext 504

step 3) linking custom annotation to factory class 504-505

CustomCsrfTokenRepository 231-232

CustomEntryPoint 127

Customizer instance 349

Customizer object 226, 242, 309, 370

CustomUserDetails 144

D

DataSource 81

DDoS (distributed denial of service) attack 4, 16

default configurations

overriding 43-58

AuthenticationProvider implementation 53-56

endpoint authorization configuration 48-49

multiple configuration classes 56-58

setting configuration in different ways 50-53

UserDetailsService component 44-47

overview 38-41

DefaultCsrfToken 229

DefaultMethodSecurityExpressionHandler 405

DelegatingPasswordEncoder 152

DelegatingSecurityContextCallable 120-121, 123

DelegatingSecurityContextExecutor 123

DelegatingSecurityContextExecutorService 121-123

DelegatingSecurityContextRunnable 119-121

dependencies, using with vulnerabilities 23

dependencyManagement tag 318, 342

DispatcherServlet 25

distributed denial of service (DDoS) attack 4, 16

E

email parameter 191

encoding 96

encryption 96

EncryptionAlgorithm 143

encryptors 99-100

endpoints

applying authorization at endpoint layer in reactive apps 477-483

overriding endpoint authorization configuration 49

restricting access to

all endpoints 169-170

based on user authorities 157-164

based on user roles 165-168

using Matcher methods to select 173-178

using to expose public keys 377-380

ERD (entity relationship diagram) 138

ExceptionTranslationManager 126

ExecutorService 120, 122

F

factory class

creating for mock SecurityContext 504

linking custom annotation to 504-505

FilterChain parameter 198

filterObject 416-417, 423

filters 195-212, 413, 432

adding after existing filter in chain 203-205

adding at location of another filter in chain 205-210

adding before existing filter in chain 199-203

applying post-filtering for method authorization 420-425

applying pre-filtering for method authorization 414-420

implementations provided by Spring Security 210-211

in separation of responsibilities example 274-278

in Spring Security architecture 198-199

using filtering in Spring Data repositories 425-431

first project 34-38

Flux 470

form-based login authentications 127-133

FormLoginConfigurer 132

G

GCM (Galois/Counter Mode) 100

GDPR (General Data Protection Regulation) 7

github 310

global method security 387-412

applying post-authorization 397-401

applying pre-authorization for authorities and roles 392-397

enabling 388-392

call authorization 389-391

in your project 391-392

filtering 413-432

applying post-filtering for method authorization 420-425

applying pre-filtering for method authorization 414-420

using filtering in Spring Data repositories 425-431

implementing permissions for methods 401-409

grant_type 292, 295-296, 298, 326

GrantedAuthority contract 62, 64, 66-68, 97, 145, 156

grants 316

H

hashing 96

holding strategy

using for asynchronous calls 116-118

using for security context 114-116

using for standalone applications 118-119

HTTP Basic 124, 127

HttpSecurity object 227, 243, 304

HttpSecurity parameter 128

HttpServletRequest 126, 211

HttpServletResponse 126, 211

I

iframe 236

implicit grant type 292

injection vulnerabilities 18

InMemoryClientDetailsService 323-324

InMemoryClientRegistrationRepository 308

InMemoryTokenStore 352

InMemoryUserDetailsManager 44-45, 62, 75, 78, 158, 173, 180, 308, 321

INSERT queries 140

interface segregation principle 64

introspection token URI 349

J

Java JSON Web Token (JJWT) 253

JdbcClientDetailsService 323-324

JdbcTokenStore 350, 353, 357-358, 364

JdbcUserDetailsManager 62, 78-83, 353

JJWT (Java JSON Web Token) 253

JpaRepository contract 137, 142, 149, 231

JpaTokenRepository 231

JpaUserDetailsService 142

JSESSIONID 220

JwkTokenStore 458

JWS (JSON Web Signature) 361

JwtAccessTokenConverter 364, 373, 383-384

JwtAuthenticationFilter 278

JwtDecoder 370, 376

JWTs (JSON Web Tokens) 252-253, 360-386

adding custom details to 380-385

configuring authorization server to add custom details in token 381-383

configuring resource server to read custom details of JWTs 383-385

using tokens signed with asymmetric keys with 370-380

generating key pair 372-373

implementing authorization server that uses private keys 373-374

implementing resource server that uses public keys 375-376

using endpoints to expose public keys 377-380

using tokens signed with symmetric keys with 361-369

implementing authorization server to issue JWTs 363-367

implementing resource server that uses JWTs 367-369

using JWTs 361-363

JwtTokenStore 363-364, 373

K

key generators 97-99

key pair, generating 372-373

key set 459

Keycloak, configuring as authorization server 436-452

adding users and obtaining access tokens 444-448

defining users' roles 448-452

registering client for system 441

specifying client scopes 442

L

LdapUserDetailsManager 62, 83-85

LDIF (LDAP Data Interchange Format) 83

M

MainPageController 137-138, 150

MANAGER role 165, 173

MapReactiveUserDetailsService 473

Matcher methods, using to select endpoints 173-178

method access control, lack of 22

methods

authorization

applying post-filtering for 420-425

applying pre-filtering for 414-420

implementing permissions for 401-409

testing security 505, 507

MethodSecurityExpressionHandler 404-405

MFA (multi-factor authentication) 246

microservice system 11

mock users, using for testing 493, 500

MODE_GLOBAL 114, 118-119

MODE_INHERITABLETHREADLOCAL 114, 117-119

MODE_THREADLOCAL 114, 116, 119

Mono 470-471

monolithic architecture 11

multi-factor authentication (MFA) 246

multiple configuration classes 56-58

MVC matchers 173, 178-185

MvcRequestMatcher 228

mysql-connector-java 141

N

NameService 394

noop key 93

NoOpPasswordEncoder 47, 89, 91, 94-95, 321

NullPointerException 20, 117, 121

O

OAuth 2 application example 433-466

application's scenario 434-436

configuring Keycloak as authorization server 436-452

adding users and obtaining access tokens 444-448
defining users' roles 448-452

registering client for system 441

specifying client scopes 442

implementing application's resource server 453-460

testing application 462-466

proving authenticated user can only add record for themselves 462-464

proving user can only retrieve their records 464-465

OAuth 2 framework 284-315, 338-359

authentication architecture, components of 287

authorization flow 27

authorization server implementation 316-337

authorization code grant 327-332

client credentials grant 333-334

password grant 325-327

refresh token grant 335-336

registering clients with authorization server 322-325

user management, defining 319-322

writing own 318-319

implementation choices with 288-298

authorization code grant type 289-293

client credentials grant type 295-297

password grant type, analogy for 295

password grant type, implementing 293-294

password grant type, requesting access token when using 295

password grant type, using access token to call resources when using 295

using refresh tokens to obtain new access tokens 297-298

implementing resource server

checking token remotely 343, 348

implementing blackboarding with JdbcTokenStore 350-358

overview 341-343

short comparison of approaches 358

overview 285-287

simple SSO (Single Sign-On) application implementation 299-314

ClientRegistration 304-306

ClientRegistrationRepository 307-309

managing authorization server 300-302

obtaining details about authenticated user 311

Spring Boot configuration 309-311

starting implementation 303-304

testing application 311-314

sins of 299

See also JWTs (JSON Web Tokens)

OAuth2AuthenticationToken 311

OAuth2LoginAuthenticationFilter 304

OAuth2WebSecurityExpressionHandler 461

one-piece web application, designing 24

Open Web Application Security Project (OWASP) 14

OTP (one-time password) 205-206, 245

Otp entity 257

OtpAuthentication object 273, 277

/otp/check endpoint 254

OutOfMemoryError 425

OWASP (Open Web Application Security Project) 14

P

password grant type 325-327

analogy for 295

implementing 293-294

requesting access token when using 295

using access token to call resources when using 295

Password-Based Key Derivation Function 2 (PBKDF2) 90

PasswordEncoder 40-41, 43, 45-46, 50, 53, 55, 57, 62-63, 71, 81, 93, 95, 97, 106, 137, 147, 187, 320-321, 365, 393, 405, 416, 473, 475, 479

passwords 86-101

PasswordEncoder contract 86-97

choosing from provided implementations of 90-92

definition of 87-88

implementing 88

multiple encoding strategies with 97

SSCM (Spring Security crypto module) and 97-100

encryptors, using 99-100

key generators 97-99

PBKDF2 (Password-Based Key Derivation Function 2) 90

Pbkdf2PasswordEncoder 90-92

PermissionEvaluator contract 403-404

permissions, implementing for methods 401-409

PKCE (Proof Key for Code Exchange) 293

PlainTextPasswordEncoder 91

post-authorization 390

applying 397-401

using to secure method call 391

post-filtering, applying for method authorization 420-425

pre-authorization 390-397

applying for authorities and roles 392

using to secure access to methods 390-391

pre-filtering, applying for method authorization 414-420

preflight request 240

private keys, authorization server that uses, implementing 373-374

ProductController 222

ProductRepository 149

ProductService 138

project tag 318

Proof Key for Code Exchange (PKCE) 293

public keys, resource server that uses, implementing 375-376

Q

queryable text 100

R

reactive apps 467-489

configuring authorization rules in 477-486

applying authorization at endpoint layer in reactive apps 477-483

using method security in reactive apps 484-486

OAuth 2 and 486-488

overview 468-472

testing Spring Security implementations with functionalities developed in 512-513

user management in 473-477

ReactiveAuthenticationManager 474, 476

ReactiveAuthorizationManager 483

ReactiveUserDetailsService 473, 475, 479

read authority 45

redirect_uri 290, 292

refresh tokens 297-298, 335-336

refresh_token 298

regex (regular expressions) 173, 190

regex matchers 173, 190-194

regression testing 491

replaying tokens 299

request identifier 131

Request-Id header 199

RequestMatcher 228

RequestPostProcessor 498, 510, 512

RequestValidationFilter 200

resource owner 287

resource server 287

configuring to read custom details of JWTs 383-385

that uses JWTs, implementing 367-369

that uses public keys, implementing 375-376

response_type 290, 313

restricting access

applying restrictions 172-194

selecting requests for authorization using ANT matchers 185-189

selecting requests for authorization using MVC matchers 178-185

selecting requests for authorization using regex matchers 190-194

using Matcher methods to select endpoints 173-178

based on authorities and roles 155-170

for all endpoints based on user authorities 157-164

for all endpoints based on user roles 165-168

to all endpoints 169-170

RestTemplate 270-272

reverse function decryption 96

ROLE_ prefix 166-168

roles, restricting access based on 155-170

for all endpoints based on user authorities 157-164

for all endpoints based on user roles 165-168

to all endpoints 169-170

RuntimeException 75

S

scalability 27

scope 291, 295-296, 298, 313, 326

SCryptPasswordEncoder 90, 92, 95

SecureRandom 92

security 3

applied in various architectures 24

designing one-piece web application 24

designing security for backend/frontend separation 26-27

OAuth 2 flow 27

using API keys to secure requests 29

using cryptographic signatures to secure requests 29

common vulnerabilities in web applications 14

CSRF (cross-site request forgery) 18
dependencies, using with 23

exposure of sensitive data 19

in authentication and authorization 15

injection vulnerabilities 18

lack of method access control 22

session fixation vulnerability 16

XSS (cross-site scripting) 16

importance of 12

overview 7

See also Spring Security

SecurityContext 104, 113-123, 278, 311, 319, 351, 404, 417, 471, 476-477, 493, 495, 498, 501, 512

forwarding security context with DelegatingSecurityContextExecutorService 121-123

forwarding security context with DelegatingSecurityContextRunnable 119-121

using holding strategy for asynchronous calls 116-118

using holding strategy for security context 114-116

using holding strategy for standalone applications 118-119

SecurityContextHolder 114, 119, 476

SecurityEvaluationContextExtension 430, 460

SecurityExpressionHandler 461

SecurityMockMvcRequestPostProcessors 498

SecurityWebFilterChain 478-479, 481, 487

sensitive data, exposure of 19

separation of responsibilities example 244-283

authentication server implementation 253-263

business logic server implementation 263-282

Authentication objects, implementing 268-269

AuthenticationProvider objects, implementing 272-273

filters, implementing 274-278

proxy to authentication server, implementing 270-272

security configurations, writing 280

testing whole system 281-282

tokens 248, 253

JWT (JSON Web Token) 252-253

overview 248-251

ServerHttpSecurity 479

ServletRequest parameter 198

ServletResponse parameter 198

session fixation vulnerability 16

signatures. See cryptographic signatures

small secured web application project 135-152

implementing custom authentication logic 146-148

implementing main page 148-150

implementing user management 141-145

project requirements and setup 136-141

running and testing application 151-152

SpEL (Spring Expression Language) 7, 158, 161, 394, 484

Spring Boot

configuration in SSO application implementation 309-311

project 515, 517

creating from start.spring.io 515-516

creating with STS (Spring Tool Suite) 517

Spring Data repositories, using filtering in 425-431

Spring Security

default configurations 38-41

default configurations, overriding 43-58

AuthenticationProvider implementation 53-56

endpoint authorization configuration 49

multiple configuration classes 56-58

setting configuration in different ways 50-53

UserDetailsService component 44-47

first project 34-38

overview 5-7

Spring Tool Suite (STS), creating Spring Boot project with 517

spring-boot-starter-data-jpa dependency 140, 426

spring-boot-starter-jdbc dependency 356

spring-boot-starter-security 35, 140, 158

spring-boot-starter-thymeleaf 141

spring-boot-starter-web 35, 141, 158

spring-cloud-dependencies artifact ID 318, 342

spring.security.oauth2.client.provider 310

SSCM (Spring Security crypto module) 97-100

encryptors, using 99-100

key generators 97-99

SSO (Single Sign-On) application implementation 299-314

ClientRegistration 304-306

ClientRegistrationRepository 307-309

managing authorization server 300-302

obtaining details about authenticated user 311

Spring Boot configuration 309-311

starting implementation 303-304

testing application 311-314

StandardPasswordEncoder 90-91

start.spring.io, creating Spring Boot project from 515-516

state 291, 313

stealing client credentials 299

StringKeyGenerator 98

STS (Spring Tool Suite), creating Spring Boot project with 517

Subscriber 470

symmetric keys, tokens signed with, using with JWTs 361-369

implementing authorization server to issue JWTs 363-367

implementing resource server that uses JWTs 367-369

using JWTs 361-363

T

testing 490, 503, 514

authentication 507, 509

CORS (cross-origin resource sharing) configurations 511

CSRF (cross-site request forgery) configurations 510

method security 505, 507

reactive Spring Security implementations 512-513

small secured web application project 151-152

SSO application 311-314

using custom Authentication objects for 501, 505

step 1) defining custom annotation 503

step 2) creating factory class for mock SecurityContext 504

step 3) linking custom annotation to factory class 504-505

using mock users for 493, 500

with users from UserDetailsService 500-501

TestWebClient 512

TextEncryptors 99-100

ThreadLocal 114, 471

throws clause 75

token hijacking 299

TokenEnhancer 381-382

tokens 248-253

checking remotely 343, 348

overview 248-251

signed with symmetric keys, using with JWTs 361

using refresh tokens to obtain new access tokens 297-298

See also JWTs (JSON Web Tokens)

TokenStore 319, 350, 353, 357, 363, 367, 458

TransactionController 23

U

User entity 142-143, 257

user management 61-85

describing user 65-74

combining multiple responsibilities related to user 71-74

detailing on GrantedAuthority contract 66-67

UserDetails contract, definition of 65-66

using builder to create instances of UserDetails type 70-71

writing minimal implementation of UserDetails 67-69

implementing authentication 62-65

in reactive apps 473-477

in small secured web application project 141-145

/user/add endpoint 254

/user/auth endpoint 254

UserDetails 62, 64-66, 72, 74, 77, 86, 97, 110, 142, 144, 156, 305, 308, 319, 323-324

using builder to create instances of 70-71

writing minimal implementation of 67-69

UserDetailsManager 62, 74, 78, 83, 97, 319

user management 78-85

using LdapUserDetailsManager for user management 83-85

using JdbcUserDetailsManager for user management 78-83

UserDetailsService 40-41, 43, 47, 50, 52-53, 55, 57, 62-63, 74, 77, 79, 81, 86, 97, 106, 110, 129, 141-142, 144, 146, 158, 173, 180, 210, 221, 319-321, 324-325, 365, 393, 405, 416, 473, 493, 500

implementing 75-78

overview 74-75

UsernameNotFoundException 75, 77, 145

UsernamePasswordAuthenticationToken 146

UsernamePasswordAuthentication 269, 272

UsernamePasswordAuthenticationProvider 272

UserRepository 142

UserService 260

UUID (universally unique identifier) 40, 216, 248

V

valueToEncrypt 100

varargs parameter 160

vulnerabilities in web applications 14

CSRF (cross-site request forgery) 18

dependencies, using with 23

exposure of sensitive data 19

in authentication and authorization 15

injection vulnerabilities 18

lack of method access control 22

session fixation vulnerability 16

XSS (cross-site scripting) 16

W

WebTestClient 512

WebTestClientConfigurer 512

WRITE authority 159, 162

X

XSS (cross-site scripting) 16, 242