@Component annotation 109, 111
@Configuration annotation 45, 319
@CrossOrigin annotation 240-242
@EnableAuthorizationServer annotation 319
@EnableReactiveMethodSecurity annotation 484
@EnableResourceServer annotation 342-343
@FunctionalInterface annotation 67
@GetMapping annotation 36, 179, 418
@PostAuthorize annotation 397-399, 401-402, 410, 413, 416, 484
@PostFilter annotation 417, 421, 423, 425-426, 428, 430-431, 455, 484
@PreAuthorize annotation 394, 397, 401, 407-408, 410, 413, 416, 461, 484
@PreFilter annotation 415, 417, 425, 484
@RequestMapping annotation 179
@RestController annotation 36, 130
@SpringBootApplication annotation 36, 116, 210, 515
@SpringBootTest annotation 495
@WithCustomUser annotation 503-504
@WithMockUser annotation 497-498, 502, 505-506, 512
@WithSecurityContext annotation 502, 504
@WithUserDetails annotation 501-502, 505, 507
Access-Control-Allow-Headers 237
Access-Control-Allow-Methods 237
Access-Control-Allow-Origin 237
AccessDeniedException 126, 505
AOP (aspect-oriented programming) 389
asymmetric keys, tokens signed with, using with JWTs 370-380
implementing authorization server that uses private keys 373-374
implementing resource server that uses public keys 375-376
using endpoints to expose public keys 377
asynchronous calls, using holding strategy for 116-118
authentication
form-based login authentications 127-133
Authentication objects
custom, using for testing 501, 505
step 1) defining custom annotation 503
step 2) creating factory class for mock SecurityContext 504
step 3) linking custom annotation to factory class 504-505
implementing, in separation of responsibilities example 268-269
AuthenticationException 75, 126, 505
AuthenticationFailureHandler 130, 132
AuthenticationLoggingFilter 203
AuthenticationManager 63, 108, 136, 275-277, 280, 321-322
AuthenticationManagerBuilder parameter 50, 52
AuthenticationProvider 41, 104-111, 494, 501, 505, 507
applying custom authentication logic 108-111
implementing AuthenticationProvider objects in separation of responsibilities example 272-273
implementing custom authentication logic 106-108
overriding implementation 53-56
representing request during authentication 105-106
AuthenticationSuccessHandler 130, 508
authorization code grant 289-293, 327-332
authorization configuration 153-171
selecting requests for authorization using ANT matchers 185-189
selecting requests for authorization using MVC matchers 178-185
selecting requests for authorization using regex matchers 190-194
using Matcher methods to select endpoints 173-178
restricting access based on authorities and roles 155-170
for all endpoints based on user authorities 157-164
for all endpoints based on user roles 165-168
authorization rules, configuring in reactive apps 477-486
applying authorization at endpoint layer in reactive apps 477-483
using method security in reactive apps 484-486
authorization server
configuring Keycloak as 436-452
adding users and obtaining access tokens 444-448
registering client for system 441
configuring to add custom details in token 381-383
implementation in OAuth 2 316-337
authorization code grant 327-332
client credentials grant 333-334
registering clients with authorization server 322-325
user management, defining 319-322
implementing to issue JWTs 363-367
managing for SSO application 300-302
that uses private keys, implementing 373-374
authorization vulnerabilities 15
backend/frontend separation, designing security for 26
BasicAuthenticationFilter 198, 209
BCryptPasswordEncoder 90, 92-93, 95, 256, 262
business logic server implementation 263-282
Authentication objects, implementing 268-269
AuthenticationProvider objects, implementing 272-273
proxy to authentication server, implementing 270-272
security configurations, writing 280
CA (certification authority) 41
CBC (Cipher Block Chaining) 100
certification authority (CA) 41
client credentials grant 295-297, 333-334
client_id 290, 292, 295-296, 298, 313
client_secret 292, 295-296, 298
ClientRegistration 304-306, 309-310
ClientRegistrationRepository 307-310
CORS (cross-origin resource sharing) 18, 198, 202, 235
applying CORS policies with @CrossOrigin annotation 240-242
applying, using CorsConfigurer 242-243
CorsConfigurer, applying CORS using 242-243
cross-site scripting (XSS) 16, 242
CSRF (cross-site request forgery) 13, 18, 179, 198, 202, 291, 299
applying in applications 213, 220-235
customizing CSRF protection 226-235
how CSRF protection works in Spring Security 214-220
using CSRF protection in practical scenarios 225
CsrfTokenRepository 216-217, 219-220, 228-231, 233
custom Authentication objects, using for testing 501, 505
step 1) defining custom annotation 503
step 2) creating factory class for mock SecurityContext 504
step 3) linking custom annotation to factory class 504-505
CustomCsrfTokenRepository 231-232
Customizer object 226, 242, 309, 370
DDoS (distributed denial of service) attack 4, 16
default configurations, overriding 43-58
AuthenticationProvider implementation 53-56
endpoint authorization configuration 48-49
multiple configuration classes 56-58
setting configuration in different ways 50-53
UserDetailsService component 44-47
DefaultMethodSecurityExpressionHandler 405
DelegatingSecurityContextCallable 120-121, 123
DelegatingSecurityContextExecutor 123
DelegatingSecurityContextExecutorService 121-123
DelegatingSecurityContextRunnable 119-121
dependencies, using with vulnerabilities 23
dependencyManagement tag 318, 342
distributed denial of service (DDoS) attack 4, 16
endpoints
applying authorization at endpoint layer in reactive apps 477-483
overriding endpoint authorization configuration 49
based on user authorities 157-164
using Matcher methods to select 173-178
using to expose public keys 377-380
ERD (entity relationship diagram) 138
ExceptionTranslationManager 126
factory class
creating for mock SecurityContext 504
linking custom annotation to 504-505
filters
adding after existing filter in chain 203-205
adding at location of another filter in chain 205-210
adding before existing filter in chain 199-203
applying post-filtering for method authorization 420-425
applying pre-filtering for method authorization 414-420
implementations provided by Spring Security 210-211
in separation of responsibilities example 274-278
in Spring Security architecture 198-199
using filtering in Spring Data repositories 425-431
form-based login authentications 127-133
GDPR (General Data Protection Regulations) 7
global method security 387-412
applying post-authorization 397-401
applying pre-authorization for authorities and roles 392-397
applying post-filtering for method authorization 420-425
applying pre-filtering for method authorization 414-420
using filtering in Spring Data repositories 425-431
implementing permissions for methods 401-409
grant_type 292, 295-296, 298, 326
GrantedAuthority contract 62, 64, 66-68, 97, 145, 156
holding strategy
using for asynchronous calls 116-118
using for security context 114-116
using for standalone applications 118-119
HttpSecurity object 227, 243, 304
InMemoryClientDetailsService 323-324
InMemoryClientRegistrationRepository 308
InMemoryUserDetailsManager 44-45, 62, 75, 78, 158, 173, 180, 308, 321
interface segregation principle 64
Java JSON Web Token (JJWT) 253
JdbcClientDetailsService 323-324
JdbcTokenStore 350, 353, 357-358, 364
JdbcUserDetailsManager 62, 78-83, 353
JJWT (Java JSON Web Token) 253
JpaRepository contract 137, 142, 149, 231
JWS (JSON Web Token Signed) 361
JwtAccessTokenConverter 364, 373, 383-384
JWTs (JSON Web Tokens) 252-253, 360-386
adding custom details to 380-385
configuring authorization server to add custom details in token 381-383
configuring resource server to read custom details of JWTs 383-385
using tokens signed with asymmetric keys with 370-380
implementing authorization server that uses private keys 373-374
implementing resource server that uses public keys 375-376
using endpoints to expose public keys 377-380
using tokens signed with symmetric keys with 361-369
implementing authorization server to issue JWTs 363-367
implementing resource server that uses JWTs 367-369
Keycloak, configuring as authorization server 436-452
adding users and obtaining access tokens 444-448
registering client for system 441
LDIF (LDAP Data Interchange Format) 83
MainPageController 137-138, 150
MapReactiveUserDetailsService 473
Matcher methods, using to select endpoints 173-178
method access control, lack of 22
applying post-filtering for 420-425
applying pre-filtering for 414-420
implementing permissions for 401-409
MethodSecurityExpressionHandler 404-405
MFA (multi-factor authentication) 246
mock users, using for testing 493, 500
MODE_INHERITABLETHREADLOCAL 114, 117-119
MODE_THREADLOCAL 114, 116, 119
multi-factor authentication (MFA) 246
multiple configuration classes 56-58
NoOpPasswordEncoder 47, 89, 91, 94-95, 321
NullPointerException 20, 117, 121
OAuth 2 application example 433-466
application's scenario 434-436
configuring Keycloak as authorization server 436-452
adding users and obtaining access tokens 444-448
registering client for system 441
implementing application's resource server 453-460
proving authenticated user can only add record for themselves 462-464
proving user can only retrieve their records 464-465
OAuth 2 framework 284-315, 338-359
authentication architecture, components of 287
authorization server implementation 316-337
authorization code grant 327-332
client credentials grant 333-334
registering clients with authorization server 322-325
user management, defining 319-322
implementation choices with 288-298
authorization code grant type 289-293
client credentials grant type 295-297
password grant type, analogy for 295
password grant type, implementing 293-294
password grant type, requesting access token when using 295
password grant type, using access token to call resources when using 295
using refresh tokens to obtain new access tokens 297-298
checking token remotely 343, 348
implementing blackboarding with JdbcTokenStore 350-358
short comparison of approaches 358
simple SSO (Single Sign-On) application implementation 299-314
ClientRegistrationRepository 307-309
managing authorization server 300-302
obtaining details about authenticated user 311
Spring Boot configuration 309-311
starting implementation 303-304
See also JWTs (JSON Web Tokens)
OAuth2LoginAuthenticationFilter 304
OAuth2WebSecurityExpressionHandler 461
one-piece web application, designing 24
Open Web Application Security Project (OWASP) 14
OTP (one-time password) 205-206, 245
OtpAuthentication object 273, 277
OWASP (Open Web Application Security Project) 14
password grant type
requesting access token when using 295
using access token to call resources when using 295
Password-Based Key Derivation Function 2 (PBKDF2) 90
PasswordEncoder 40-41, 43, 45-46, 50, 53, 55, 57, 62-63, 71, 81, 93, 95, 97, 106, 137, 147, 187, 320-321, 365, 393, 405, 416, 473, 475, 479
PasswordEncoder contract 86-97
choosing from provided implementations of 90-92
multiple encoding strategies with 97
SSCM (Spring Security crypto module) and 97-100
PBKDF2 (Password-Based Key Derivation Function 2) 90
PermissionEvaluator contract 403-404
permissions, implementing for methods 401-409
PKCE (Proof Key for Code Exchange) 293
post-authorization
using to secure method call 391
post-filtering, applying for method authorization 420-425
pre-authorization
applying for authorities and roles 392
using to secure access to methods 390-391
pre-filtering, applying for method authorization 414-420
private keys, authorization server that uses, implementing 373-374
Proof Key for Code Exchange (PKCE) 293
public keys, resource server that uses, implementing 375-376
reactive apps
configuring authorization rules in 477-486
applying authorization at endpoint layer in reactive apps 477-483
using method security in reactive apps 484-486
testing Spring Security implementations with functionalities developed in 512-513
ReactiveAuthenticationManager 474, 476
ReactiveAuthorizationManager 483
ReactiveUserDetailsService 473, 475, 479
refresh tokens 297-298, 335-336
regex (regular expressions) 173, 190
RequestPostProcessor 498, 510, 512
resource server
configuring to read custom details of JWTs 383-385
that uses JWTs, implementing 367-369
that uses public keys, implementing 375-376
selecting requests for authorization using ANT matchers 185-189
selecting requests for authorization using MVC matchers 178-185
selecting requests for authorization using regex matchers 190-194
using Matcher methods to select endpoints 173-178
restricting access
based on authorities and roles 155-170
for all endpoints based on user authorities 157-164
for all endpoints based on user roles 165, 168
reverse function decryption 96
roles, restricting access based on 155-170
for all endpoints based on user authorities 157-164
for all endpoints based on user roles 165, 168
scope 291, 295-296, 298, 313, 326
SCryptPasswordEncoder 90, 92, 95
security
applied in various architectures 24
designing one-piece web application 24
designing security for backend/frontend separation 26-27
using API keys to secure requests 29
using cryptographic signatures to secure requests 29
common vulnerabilities in web applications 14
CSRF (cross-site request forgery) 18
in authentication and authorization 15
lack of method access control 22
session fixation vulnerability 16
See also Spring Security
SecurityContext 104, 113-123, 278, 311, 319, 351, 404, 417, 471, 476-477, 493, 495, 498, 501, 512
forwarding security context with DelegatingSecurityContextExecutorService 121-123
forwarding security context with DelegatingSecurityContextRunnable 119-121
using holding strategy for asynchronous calls 116-118
using holding strategy for security context 114-116
using holding strategy for standalone applications 118-119
SecurityContextHolder 114, 119, 476
SecurityEvaluationContextExtension 430, 460
SecurityMockMvcRequestPostProcessors 498
SecurityWebFilterChain 478-479, 481, 487
sensitive data, exposure of 19
separation of responsibilities example 244-283
authentication server implementation 253-263
business logic server implementation 263-282
Authentication objects, implementing 268-269
AuthenticationProvider objects, implementing 272-273
proxy to authentication server, implementing 270-272
security configurations, writing 280
session fixation vulnerability 16
signatures. See cryptographic signatures
small secured web application project 135-152
implementing custom authentication logic 146-148
implementing main page 148-150
implementing user management 141-145
project requirements and setup 136-141
running and testing application 151-152
SpEL (Spring Expression Language) 7, 158, 161, 394, 484
Spring Boot
configuration in SSO application implementation 309-311
creating from start.spring.io 515-516
creating with STS (Spring Tool Suite) 517
Spring Data repositories, using filtering in 425-431
Spring Security
default configurations, overriding 43-58
AuthenticationProvider implementation 53-56
endpoint authorization configuration 49
multiple configuration classes 56-58
setting configuration in different ways 50-53
UserDetailsService component 44-47
Spring Tool Suite (STS), creating Spring Boot project with 517
spring-boot-starter-data-jpa dependency 140, 426
spring-boot-starter-jdbc dependency 356
spring-boot-starter-security 35, 140, 158
spring-boot-starter-thymeleaf 141
spring-boot-starter-web 35, 141, 158
spring-cloud-dependencies artifact ID 318, 342
spring.security.oauth2.client.provider 310
SSO (Single Sign-On) application implementation 299-314
ClientRegistrationRepository 307-309
managing authorization server 300-302
obtaining details about authenticated user 311
Spring Boot configuration 309-311
starting implementation 303-304
start.spring.io, creating Spring Boot project from 515-516
stealing client credentials 299
STS (Spring Tool Suite), creating Spring Boot project with 517
symmetric keys, tokens signed with, using with JWTs 361-369
implementing authorization server to issue JWTs 363-367
implementing resource server that uses JWTs 367, 369
testing
CORS (cross-origin resource sharing) configurations 511
CSRF (cross-site request forgery) configurations 510
reactive Spring Security implementations 512-513
small secured web application project 151-152
using custom Authentication objects for 501, 505
step 1) defining custom annotation 503
step 2) creating factory class for mock SecurityContext 504
step 3) linking custom annotation to factory class 504-505
with users from UserDetailsService 500-501
tokens
signed with symmetric keys, using with JWTs 361
using refresh tokens to obtain new access tokens 297-298
See also JWTs (JSON Web Tokens)
TokenStore 319, 350, 353, 357, 363, 367, 458
combining multiple responsibilities related to user 71-74
detailing on GrantedAuthority contract 66-67
UserDetails contract, definition of 65-66
using builder to create instances of UserDetails type 70-71
writing minimal implementation of UserDetails 67-69
user management
implementing authentication 62-65
in small secured web application project 141-145
UserDetails 62, 64-66, 72, 74, 77, 86, 97, 110, 142, 144, 156, 305, 308, 319, 323-324
using builder to create instances of 70-71
writing minimal implementation of 67-69
UserDetailsManager 62, 74, 78, 83, 97, 319
using an LDAPUserDetailsManager for user management 83-85
using JdbcUserDetailsManager for user management 78-83
UserDetailsService 40-41, 43, 47, 50, 52-53, 55, 57, 62-63, 74, 77, 79, 81, 86, 97, 106, 110, 129, 141-142, 144, 146, 158, 173, 180, 210, 221, 319-321, 324-325, 365, 393, 405, 416, 473, 493, 500
UsernameNotFoundException 75, 77, 145
UsernamePasswordAuthenticationToken 146
UsernamePasswordAuthentication 269, 272
UsernamePasswordAuthenticationProvider 272
UUID (universally unique identifier) 40, 216, 248
vulnerabilities in web applications 14
CSRF (cross-site request forgery) 18
in authentication and authorization 15
lack of method access control 22
session fixation vulnerability 16