Spring security : secure your web applications, RESTful services, and microservice architectures / Mick Knutson, Robert Winch, Peter Mularien.

Format:
Book
Author/Creator:
Knutson, Mick, author.
Winch, Robert, author.
Mularien, Peter, author.
Language:
English
Subjects (All):
Spring (Software framework).
Physical Description:
1 online resource (1 volume) : illustrations
Edition:
Third edition.
Place of Publication:
Birmingham, England ; Mumbai, [India] : Packt Publishing, 2017.
System Details:
text file
Summary:
Learn how to secure your Java applications from hackers using Spring Security 4.2.

About This Book
Architect solutions that leverage the full power of Spring Security while remaining loosely coupled. Implement various scenarios such as supporting existing user stores, user sign up, authentication, and supporting AJAX requests. Integrate with popular Microservice and Cloud services such as Zookeeper, Eureka, and Consul, along with advanced techniques, including OAuth, JSON Web Tokens (JWS), Hashing, and encryption algorithms.

Who This Book Is For
This book is intended for Java Web and/or RESTful webservice developers and assumes a basic understanding of creating Java 8, Java Web and/or RESTful webservice applications, XML, and the Spring Framework. You are not expected to have any previous experience with Spring Security.

What You Will Learn
Understand common security vulnerabilities and how to resolve them. Learn to perform initial penetration testing to uncover common security vulnerabilities. Implement authentication and authorization. Learn to utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, CAS, OpenID, and OAuth. Integrate with popular frameworks such as Spring, Spring-Boot, Spring-Data, JSF, Vaadin, jQuery, and AngularJS. Gain a deep understanding of the security challenges with RESTful webservices and microservice architectures. Integrate Spring with other security infrastructure components like LDAP, Apache Directory server and SAML.

In Detail
Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks.
Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for REST...
Contents:
Cover
Copyright
Credits
About the Authors
About the Reviewers
www.Packtpub.com
Customer Feedback
Table of Contents
Preface
Chapter 1: Anatomy of an Unsafe Application
Security audit
About the sample application
The JBCP calendar application architecture
Application technology
Reviewing the audit results
Authentication
Authorization
Database credential security
Sensitive information
Transport-level protection
Using Spring Security 4.2 to address security concerns
Why Spring Security?
Summary
Chapter 2: Getting Started with Spring Security
Hello Spring Security
Importing the sample application
Updating your dependencies
Using Spring 4.3 and Spring Security 4.2
Implementing a Spring Security XML configuration file
Updating your web.xml file
The ContextLoaderListener class
ContextLoaderListener versus DispatcherServlet
The springSecurityFilterChain filter
The DelegatingFilterProxy class
The FilterChainProxy class
Running a secured application
Common problems
A little bit of polish
Customizing login
Configuring logout
The page isn't redirecting properly
Basic role-based authorization
Expression-based authorization
Conditionally displaying authentication information
Customizing behavior after login
Chapter 3: Custom Authentication
JBCP calendar architecture
The CalendarUser object
The Event object
The CalendarService interface
The UserContext interface
The SpringSecurityUserContext interface
Logging in new users using SecurityContextHolder
Managing users in Spring Security
Logging in a new user to an application
Updating SignupController
Creating a custom UserDetailsService object
The CalendarUserDetailsService class
Configuring UserDetailsService
Removing references to UserDetailsManager
The CalendarUserDetails object
The SpringSecurityUserContext simplifications
Displaying custom user attributes
Creating a custom AuthenticationProvider object
CalendarUserAuthenticationProvider
Configuring the CalendarUserAuthenticationProvider object
Authenticating with different parameters
The DomainUsernamePasswordAuthenticationToken class
Updating CalendarUserAuthenticationProvider
Adding domain to the login page
The DomainUsernamePasswordAuthenticationFilter class
Updating our configuration
Which authentication method to use?
Chapter 4: JDBC-Based Authentication
Required dependencies
Using the H2 database
Provided JDBC scripts
Configuring the H2 embedded database
Configuring a JDBC UserDetailsManager implementation
The default user schema of Spring Security
Defining users
Defining user authorities
The UserDetailsManager interface
Group-based access control
Configuring group-based access control
Configuring JdbcUserDetailsManager to use groups
Utilizing GBAC JDBC scripts
The group-based schema
Group authority mappings
Support for a custom schema
Determining the correct JDBC SQL queries
Updating the SQL scripts that are loaded
The CalendarUser authority SQL
Inserting custom authorities
Configuring JdbcUserDetailsManager to use custom SQL queries
Configuring secure passwords
The PasswordEncoder method
Configuring password encoding
Configuring the PasswordEncoder method
Making Spring Security aware of the PasswordEncoder method
Hashing the stored passwords
Hashing the passwords of new users
Not quite secure
Using salt in Spring Security
Updating the Spring Security configuration
Migrating existing passwords
Updating DefaultCalendarUserService
Trying out the salted passwords
Chapter 5: Authentication with Spring Data
Spring Data JPA
Updating our dependencies
Updating the JBCP calendar to use Spring Data JPA
Reconfiguring the database configuration
Initializing the database
Refactoring from SQL to ORM
Mapping domain objects using JPA
Spring Data repositories
Data access objects
Application services
The UserDetailsService object
Refactoring from an RDBMS to a document database
Document database implementation with MongoDB
Reconfiguring the database configuration in MongoDB
Initializing the MongoDB database
Mapping domain objects with MongoDB
Spring Data repositories of MongoDB
Data access objects in MongoDB
Chapter 6: LDAP Directory Services
Understanding LDAP
LDAP
Common LDAP attribute names
Configuring an LDAP server reference
Enabling the LDAP AuthenticationProviderNext interface
Troubleshooting embedded LDAP
Understanding how Spring LDAP authentication works
Authenticating user credentials
Demonstrating authentication with Apache Directory Studio
Binding anonymously to LDAP
Searching for the user
Binding as a user to LDAP
Determining user role membership
Determining roles with Apache Directory Studio
Mapping additional attributes of UserDetails
Advanced LDAP configuration
Sample JBCP LDAP users
Password comparison versus bind authentication
Configuring basic password comparison
LDAP password encoding and storage
The drawbacks of a password comparison authenticator
Configuring the UserDetailsContextMapper object
Implicit configuration of UserDetailsContextMapper
Viewing additional user details
Using an alternate password attribute
Using LDAP as UserDetailsService
Configuring LdapUserDetailsService
Updating AccountController to use LdapUserDetailsService
Integrating Spring Security with an external LDAP server
Explicit LDAP bean configuration
Configuring an external LDAP server reference
Configuring the LdapAuthenticationProvider interface
Delegating role discovery to UserDetailsService
Integrating with Microsoft Active Directory via LDAP
Built-in AD support in Spring Security 4.2
Chapter 7: Remember-Me Services
What is remember-me?
Dependencies
The token-based remember-me feature
Configuring the token-based remember-me feature
How the token-based remember-me feature works
MD5
Remember-me signature
Token-based remember-me configuration directives
Is remember-me secure?
Authorization rules for remember-me
Persistent remember-me
Using the persistent-based remember-me feature
Adding SQL to create the remember-me schema
Initializing the data source with the remember-me schema
Configuring the persistent-based remember-me feature
How does the persistent-based remember-me feature work?
JPA-based PersistentTokenRepository
Custom RememberMeServices
Cleaning up the expired remember-me sessions
The remember-me architecture
Remember-me and the user life cycle
Restricting the remember-me feature to an IP address
Custom cookie and HTTP parameter names
Chapter 8: Client Certificate Authentication with TLS
How does client certificate authentication work?
Setting up the client certificate authentication infrastructure
Understanding the purpose of a public key infrastructure
Creating a client certificate key pair
Configuring the Tomcat trust store
Configuring Tomcat in Spring Boot
Importing the certificate key pair into a browser
Using Firefox
Using Chrome
Using Internet Explorer
Wrapping up testing
Troubleshooting client certificate authentication
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using the security namespace
How does Spring Security use certificate information?
How Spring Security certificate authentication works
Handling unauthenticated requests with AuthenticationEntryPoint
Supporting dual-mode authentication
Configuring client certificate authentication using Spring beans
Additional capabilities of bean-based configuration
Considerations when implementing client certificate authentication
Chapter 9: Opening up to OAuth 2
The promising world of OAuth 2
Signing up for an OAuth 2 application
Enabling OAuth authentication with Spring Security
Additional required dependencies
Configuring OAuth 2 support in Spring Security
Local UserConnectionRepository
Creating local database entries for provider details
The custom UserConnectionRepository interface
The ConnectionSignup flow
Executing the OAuth 2 provider connection workflow
Adding OAuth 2 users
OAuth 2 controller sign-in flow
Automatic user authentication
Additional OAuth 2 providers
The OAuth 2 user registration problem
Registering non-standard OAuth 2 providers
Is OAuth 2 secure?
Chapter 10: Single Sign-On with the Central Authentication Service
Introducing the Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Installing and configuring CAS
Configuring basic CAS integration
Creating the CAS ServiceProperties object
Adding the CasAuthenticationEntryPoint object
Enabling CAS ticket verification
Proving authenticity with the CasAuthenticationProvider object
Single logout
Configuring single logout
Clustered environments
Notes:
Includes bibliographical references at the end of each chapter and index.
Description based on online resource; title from PDF title page (EBC, viewed December 27, 2017).
ISBN:
9781787126466
1787126463
OCLC:
1018480160
