1.1 Spring Security: The what and the why
1.2 What is software security?
1.3 Why is security important?
1.4 Common security vulnerabilities in web applications
Vulnerabilities in authentication and authorization
What is cross-site scripting (XSS)?
What is cross-site request forgery (CSRF)
Understanding injection vulnerabilities in web applications
Dealing with the exposure of sensitive data
What is the lack of method access control?
Using dependencies with known vulnerabilities
1.5 Security applied in various architectures
Designing a one-piece web application
Designing security for a backend/frontend separation
Understanding the OAuth 2 flow
Using API keys, cryptographic signatures, and IP validation to secure requests
1.6 What will you learn in this book?
2.1 Starting with the first project
2.2 Which are the default configurations?
2.3 Overriding default configurations
Overriding the UserDetailsService component
Overriding the endpoint authorization configuration
Setting the configuration in different ways
Overriding the AuthenticationProvider implementation
Using multiple configuration classes in your project
3.1 Implementing authentication in Spring Security
Demystifying the definition of the UserDetails contract
Detailing on the GrantedAuthority contract
Writing a minimal implementation of UserDetails
Using a builder to create instances of the UserDetails type
Combining multiple responsibilities related to the user
3.3 Instructing Spring Security on how to manage users
Understanding the UserDetailsService contract
Implementing the UserDetailsService contract
Implementing the UserDetailsManager contract
4.1 Understanding the PasswordEncoder contract
The definition of the PasswordEncoder contract
Implementing the PasswordEncoder contract
Choosing from the provided implementations of PasswordEncoder
Multiple encoding strategies with DelegatingPasswordEncoder
4.2 More about the Spring Security Crypto module
Using encryptors for encryption and decryption operations
5.1 Understanding the AuthenticationProvider
Representing the request during authentication
Implementing custom authentication logic
Applying custom authentication logic
Using a holding strategy for the security context
Using a holding strategy for asynchronous calls
Using a holding strategy for standalone applications
Forwarding the security context with DelegatingSecurityContextRunnable
Forwarding the security context with DelegatingSecurityContext-ExecutorService
5.3 Understanding HTTP Basic and form-based login authentications
Using and configuring HTTP Basic
Implementing authentication with form-based login
6 Hands-on: A small secured web application
6.1 Project requirements and setup
6.2 Implementing user management
6.3 Implementing custom authentication logic
6.4 Implementing the main page
6.5 Running and testing the application
7 Configuring authorization: Restricting access
7.1 Restricting access based on authorities and roles
Restricting access for all endpoints based on user authorities
Restricting access for all endpoints based on user roles
Restricting access to all endpoints
8 Configuring authorization: Applying restrictions
8.1 Using matcher methods to select endpoints
8.2 Selecting requests for authorization using MVC matchers
8.3 Selecting requests for authorization using Ant matchers
8.4 Selecting requests for authorization using regex matchers
9.1 Implementing filters in the Spring Security architecture
9.2 Adding a filter before an existing one in the chain
9.3 Adding a filter after an existing one in the chain
9.4 Adding a filter at the location of another in the chain
9.5 Filter implementations provided by Spring Security
10 Applying CSRF protection and CORS
10.1 Applying cross-site request forgery (CSRF) protection in applications
How CSRF protection works in Spring Security
Using CSRF protection in practical scenarios
10.2 Using cross-origin resource sharing
Applying CORS policies with the @CrossOrigin annotation
Applying CORS using a CorsConfigurer
11 Hands-on: A separation of responsibilities
11.1 The scenario and requirements of the example
11.2 Implementing and using tokens
11.3 Implementing the authentication server
11.4 Implementing the business logic server
Implementing the Authentication objects
Implementing the proxy to the authentication server
Implementing the AuthenticationProvider interface
Writing the security configurations 280Testing the whole system
12.2 The components of the OAuth 2 authentication architecture
12.3 Implementation choices with OAuth 2
Implementing the authorization code grant type
Implementing the password grant type
Implementing the client credentials grant type
Using refresh tokens to obtain new access tokens
12.4 The sins of OAuth 2
12.5 Implementing a simple single sign-on application
Managing the authorization server
Implementing ClientRegistration
Implementing ClientRegistrationRepository
The pure magic of Spring Boot configuration
Obtaining details about an authenticated user
13 OAuth 2: Implementing the authorization server
13.1 Writing your own authorization server implementation
13.3 Registering clients with the authorization server
13.4 Using the password grant type
13.5 Using the authorization code grant type
13.6 Using the client credentials grant type
13.7 Using the refresh token grant type
14 OAuth 2: Implementing the resource server
14.1 Implementing a resource server
14.2 Checking the token remotely
14.3 Implementing blackboarding with a JdbcTokenStore
14.4 A short comparison of approaches
15 OAuth 2: Using JWT and cryptographic signatures
15.1 Using tokens signed with symmetric keys with JWT
Implementing an authorization server to issue JWTs
Implementing a resource server that uses JWT
15.2 Using tokens signed with asymmetric keys with JWT
Implementing an authorization server that uses private keys
Implementing a resource server that uses public keys
Using an endpoint to expose the public key
15.3 Adding custom details to the JWT
Configuring the authorization server to add custom details to tokens
Configuring the resource server to read the custom details of a JWT
16 Global method security: Pre- and postauthorizations
16.1 Enabling global method security
Understanding call authorization
Enabling global method security in your project
16.2 Applying preauthorization for authorities and roles
16.3 Applying postauthorization
16.4 Implementing permissions for methods
17 Global method security: Pre- and postfiltering
17.1 Applying prefiltering for method authorization
17.2 Applying postfiltering for method authorization
17.3 Using filtering in Spring Data repositories
18 Hands-on: An OAuth 2 application
18.2 Configuring Keycloak as an authorization server
Registering a client for our system
Adding users and obtaining access tokens 444Defining the user roles
18.3 Implementing the resource server
Proving an authenticated user can only add a record for themself
Proving that a user can only retrieve their own records
Proving that only admins can delete records
19 Spring Security for reactive apps
19.2 User management in reactive apps
19.3 Configuring authorization rules in reactive apps
Applying authorization at the endpoint layer in reactive apps
Using method security in reactive apps
19.4 Reactive apps and OAuth 2
20.1 Using mock users for tests
20.2 Testing with users from a UserDetailsService
20.3 Using custom Authentication objects for testing
20.6 Testing CSRF configurations
20.7 Testing CORS configurations
20.8 Testing reactive Spring Security implementations
appendix A. Creating a Spring Boot project