▶Book Description
Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework.
The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included.
It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.
▶What You Will Learn
- Understand common security vulnerabilities and how to resolve them
- Learn to perform initial penetration testing to uncover common security vulnerabilities
- Implement authentication and authorization
- Learn to utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, CAS, OpenID, and OAuth
- Integrate with popular frameworks such as Spring, Spring-Boot, Spring-Data, JSF, Vaaden, jQuery, and AngularJS.
- Gain deep understanding of the security challenges with RESTful webservices and microservice architectures
- Integrate Spring with other security infrastructure components like LDAP, Apache Directory server and SAML
▶About This Book
- Architect solutions that leverage the full power of Spring Security while remaining loosely coupled.
- Implement various scenarios such as supporting existing user stores, user sign up, authentication, and supporting AJAX requests,
- Integrate with popular Microservice and Cloud services such as Zookeeper, Eureka, and Consul, along with advanced techniques, including OAuth, JSON Web Token's (JWS), Hashing, and encryption algorithms
▶Who This Book Is For
This book is intended for Java Web and/or RESTful webservice developers and assumes a basic understanding of creating Java 8, Java Web and/or RESTful webservice applications, XML, and the Spring Framework. You are not expected to have any previous experience with Spring Security.
▶Style and approach
This practical step-by-step tutorial has plenty of example code coupled with the necessary screenshots and clear narration so that grasping content is made easier and quicker.
▶What this book covers
- Chapter 1, Anatomy of an Unsafe Application, covers a hypothetical security audit of our calendar application, illustrating common issues that can be resolved through the proper application of Spring Security. You will learn about some basic security terminology and review some prerequisites for getting the sample application up and running.
- Chapter 2, Getting Started with Spring Security, demonstrates the "Hello World" installation of Spring Security. After the chapter walks the reader through some of the most common customizations of Spring Security.
- Chapter 3, Custom Authentication, incrementally explains Spring Security's authentication architecture by customizing key pieces of the authentication infrastructure to address realworld problems. Through these customizations, you will gain an understanding of how Spring Security authentication works and how you can integrate with existing and new authentication mechanisms.
- Chapter 4, JDBC-Based Authentication, covers authenticating against a database using Spring Security's built-in JDBC support. We then discuss how we can secure our passwords using Spring Security's new cryptography module.
- Chapter 5, Authentication with Spring Data, covers authenticating against a database using Spring Security's integration with Spring Data JPA and Spring Data MongoDB.
- Chapter 6, LDAP Directory Services, provides a guide to application integration with an LDAP directory server.
- Chapter 7, Remember-Me Services, demonstrates the use of the remember-me feature in Spring Security and how to configure it. We also explore additional considerations to bear in mind when using it.
- Chapter 8, Client Certificate Authentication with TLS, makes X.509 certificate-based authentication a clear alternative for certain business scenarios, where managed certificates can add an additional layer of security to our application.
- Chapter 9, Opening up to OAuth 2, covers OAuth 2-enabled login and user attribute exchange, as well as a high-level overview of the logical flow of the OAuth 2 protocol, including Spring OAuth 2 and Spring social integration.
- Chapter 10, Single Sign-on with Central Authentication Service, shows how integrating with Central Authentication Service (CAS) can provide Single Sign-On and single logout support to your Spring Security-enabled applications. It also demonstrates how you can use CAS proxy ticket support with stateless services.
- Chapter 11, Fine-Grained Access Control, covers in-page authorization checking (partial page rendering) and business-layer security using Spring Security's method security capabilities.
- Chapter 12, Access Control Lists, covers the concepts and basic implementation of business object-level security using the Spring Security ACL module—.a powerful module with a very flexible applicability to challenging business security problems.
- Chapter 13, Custom Authorization, explains how Spring Security's authorization works by writing custom implementations of key parts of Spring Security's authorization infrastructure.
- Chapter 14, Session Management, discusses how Spring Security manages and secures user sessions. The chapter starts by explaining session fixation attacks and how Spring Security defends against them. It then discusses how you can manage logged-in users and restrict the number of concurrent sessions a single user has. Finally, we describe how Spring Security associates a user to HttpSession and how to customize this behavior.
- Chapter 15, Additional Spring Security Features, covers other Spring Security features, including common security vulnerabilities such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), synchronizer tokens, and Clickjacking, and how to protect against them.
- Chapter 16, Migration to Spring Security 4.2, provides a migration path from Spring Security 3, including notable configuration changes, class and package migrations, and important new features. It also highlights the new features that can be found in Spring Security 4.2 and provides references to examples of the features in the book.
- Chapter 17, Microservice Security with OAuth 2 and JSON Web Tokens, looks at microservicebased architectures and how OAuth 2 with JWT play a role in securing microservices in a Spring-based application.
- Appendix, Additional Reference Material, contains some reference material that is not directly related to Spring Security, but is still relevant to the topics covered in this book. Most importantly, it contains a section that assists in running the sample code included with the book.
