My Account Log in

1 option

Spring Security : Effectively Secure Your Web Apps, RESTful Services, Cloud Apps, and Microservice Architectures / Badr Nasslahsen.

Ebook Central College Complete Available online

View online
Format:
Book
Author/Creator:
Nasslahsen, Badr, author.
Language:
English
Subjects (All):
Computer security.
Internet--Security measures.
Internet.
Java (Computer program language).
Physical Description:
1 online resource (596 pages)
Edition:
Fourth edition.
Place of Publication:
Birmingham : Packt Publishing Ltd., [2024]
Biography/History:
Nasslahsen Badr: Badr Nasslahsen is a lead security and cloud architect with over 17 years of experience. He holds an executive master's degree from Ecole Centrale Paris and an engineering degree from Telecom SudParis. He is an Oracle Certified Java SE 11 Professional, CISSP, TOGAF, CKA, and Scrum Master. Badr has extensive experience with public cloud providers such as AWS, Azure, GCP, Oracle, and IBM. He is also the author of the springdoc-openapi project.
Summary:
Leverage the power of Spring Security 6 to protect your modern Java applications from hackersKey FeaturesArchitect solutions that leverage Spring Security while remaining loosely coupledImplement authentication and authorization with SAML2, OAuth 2, hashing, and encryption algorithmsIntegrate Spring Security with technologies such as microservices, Kubernetes, the cloud, and GraalVM native imagesPurchase of the print or Kindle book includes a free PDF eBookBook DescriptionKnowing that experienced hackers are constantly on the prowl to attack your apps can make security one of the most challenging concerns of creating an app. The complexity of properly securing an app is compounded when you must also integrate this factor with legacy code, new technologies, and other frameworks. This book will help you easily secure your Java apps with Spring Security, a trusted and highly customizable authentication and access control framework. The book starts by showing you how to implement different authentication mechanisms before demonstrating how to properly restrict access to your app. You’ll then cover tips for integrating Spring Security with popular web frameworks such as Thymeleaf. The book also features an example of how Spring Security defends against session fixation, moves into concurrency control, and how you can use session management for administrative functions. This fourth edition aligns with Java 17/21 and Spring Security 6, covering advanced security scenarios for RESTful web services and microservices. This ensures you gain a complete understanding of the issues surrounding stateless authentication and discover a concise approach to solving those issues. By the end of this book, you’ll be able to integrate Spring Security 6 with GraalVM native images seamlessly, from start to finish.What you will learnUnderstand common security vulnerabilities and how to resolve themImplement authentication and authorization and learn how to map users to rolesIntegrate Spring Security with LDAP, Kerberos, SAML 2, OpenID, and OAuthGet to grips with the security challenges of RESTful web services and microservicesConfigure Spring Security to use Spring Data for authenticationIntegrate Spring Security with Spring Boot, Spring Data, and web applicationsProtect against common vulnerabilities like XSS, CSRF, and ClickjackingWho this book is forIf you’re a Java web developer or an architect with fundamental knowledge of Java 17/21, web services, and the Spring Framework, this book is for you. No previous experience with Spring Security is needed to get started with this book.
Contents:
Cover
Title Page
Copyright and Credits
Dedication
Contributors
Table of Contents
Preface
Part 1: Fundamentals of Application Security
Chapter 1: Anatomy of an Unsafe Application
Exploring software architecture styles
Monolithic architecture
N-Tier architecture (layered architecture)
SOA
Microservices architecture
Choosing between traditional web applications and Single-Page Applications
Understanding security audit
Exploring the example application
The JBCP calendar application architecture
Reviewing the audit results
Addressing the security audit findings
Authentication
Authorization
Database credential security
Sensitive information
Transport-level protection
Using Spring Security 6 to address security concerns
Technical requirements
Summary
Chapter 2: Getting Started with Spring Security
Hello Spring Security
Importing the sample application
Updating your dependencies
Implementing a Spring Security configuration
Updating your web configuration
Running a secured application
Common problems
A little bit of polish
Customizing login
Chapter 3: Custom Authentication
Authentication architecture in Spring Security
The SecurityContextHolder class
The SecurityContext interface
The Authentication interface
The AuthenticationManager interface
The ProviderManager class
The AuthenticationProvider interface
Exploring the JBCP calendar architecture
The CalendarUser object
The Event object
The CalendarService interface
The UserContext interface
The SpringSecurityUserContext interface
Logging in new users using SecurityContextHolder
Managing users in Spring Security
Logging in a new user to an application
Updating SignupController
Creating a custom UserDetailsService object.
The CalendarUserDetailsService class
Configuring UserDetailsService
Removing references to UserDetailsManager
The CalendarUserDetails object
The SpringSecurityUserContext simplifications
Creating a custom AuthenticationProvider object
Creating CalendarUserAuthenticationProvider
Configuring the CalendarUserAuthenticationProvider object
Authenticating with different parameters
Which authentication method should you use?
Part 2: Authentication Techniques
Chapter 4: JDBC-based Authentication
Installing the required dependencies
Using the H2 database
Provided JDBC scripts
Configuring the H2 embedded database
Configuring a JDBC UserDetailsManager implementation
The default user schema of Spring Security
Defining users
Defining user authorities
Exploring UserDetailsManager interface
Group-based access control
Configuring group-based access control
Support for a custom schema
Determining the correct JDBC SQL queries
Updating the SQL scripts that are loaded
The CalendarUser authority SQL
Inserting custom authorities
Configuring JdbcUserDetailsManager to use custom SQL queries
Configuring secure passwords
Exploring the PasswordEncoder interface
The DelegatingPasswordEncoder implementation
Configuring password encoding
Configuring the PasswordEncoder method
Making Spring Security aware of the PasswordEncoder method
Using salt in Spring Security
Updating the Spring Security configuration
Migrating existing passwords
Updating DefaultCalendarUserService
Trying out salted passwords
Chapter 5: Authentication with Spring Data
Spring Data JPA
Updating our dependencies
Reconfiguring the database configuration
Initializing the database
Refactoring from SQL to ORM
Mapping domain objects using JPA.
Spring Data repositories
Data access objects
Application services
The UserDetailsService object
Refactoring from an RDBMS to a document database
Document database implementation with MongoDB
Reconfiguring the database configuration in MongoDB
Initializing the MongoDB database
Mapping domain objects with MongoDB
Data access objects in MongoDB
Chapter 6: LDAP Directory Services
Understanding LDAP
LDAP
Troubleshooting embedded LDAP
Understanding how Spring LDAP authentication works
Authenticating user credentials
Demonstrating authentication with JXplorer
Determining roles with Jxplorer
Mapping additional attributes of UserDetails
Advanced LDAP configuration
LDAP password encoding and storage
Configuring the UserDetailsContextMapper object
Implicit configuration of UserDetailsContextMapper
Viewing additional user details
Configuring LdapUserDetailsService
Updating AccountController to use LdapUserDetailsService
Integrating Spring Security with an external LDAP server
Explicit LDAP bean configuration
Configuring an external LDAP server reference
Performing a search to locate the user in the LDAP directory
Delegating role discovery to UserDetailsService
Integrating with Microsoft Active Directory via LDAP
Built-in AD support in Spring Security 6.1
Chapter 7: Remember-me Services
What is remember-me?
Dependencies
The token-based remember-me feature
SHA-256 Algorithm
Remember-me signature
Is remember-me secure?
Authorization rules for remember-me
Persistent remember-me
Configuring the persistent-based remember-me feature
How does the persistent-based remember-me feature work?
JPA-based PersistentTokenRepository
Custom RememberMeServices.
Are database-backed persistent tokens more secure?
Cleaning up the expired remember-me sessions
The remember-me architecture
Remember-me and the user life cycle
Restricting the remember-me feature to an IP address
Custom cookie and HTTP parameter names
Chapter 8: Client Certificate Authentication with TLS
How does client certificate authentication work?
Setting up the client certificate authentication infrastructure
Importing the certificate key pair into a browser
Troubleshooting client certificate authentication
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using the security namespace
Configuring client certificate authentication using Spring beans
Additional capabilities of bean-based configuration
Considerations when implementing client certificate authentication
Part 3: Exploring OAuth 2 and SAML 2
Chapter 9: Opening up to OAuth 2
The Promising World of OAuth 2
Why do we need OpenID Connect?
How OpenID Connect Works
Signing up for an OAuth 2 application
Enabling OAuth 2.0 Login with Spring Security
Customize the Login Page
Additional OAuth 2 providers
Configuring Custom Provider Properties
Enabling Proof Key for Code Exchange (PKCE) support
OpenID Connect 1.0 Logout
Automatic User Registration
Mapping User Authorities
Is OAuth 2 secure?
Chapter 10: SAML 2 Support
What is SAML?
SAML 2.0 Login with Spring Security
Add a SAML application on OKTA
Creating the user principal in OKTA
Additional required dependencies
Specifying IdP Metadata
Retrieving the SAML 2 Authenticated Principal
Parsing SAML 2 metadata
Generating SAML 2 Metadata
Adapting RelyingPartyRegistration lookup
Overriding SAML Spring Boot Auto Configuration.
Creating a custom RelyingPartyRegistrationRepository
Creating custom authorities with Spring Security SAML
Performing Single Logout
Part 4: Enhancing Authorization Mechanisms
Chapter 11: Fine-Grained Access Control
Integrating Spring Expression Language (SpEL)
The WebSecurityExpressionRoot class
The MethodSecurityExpressionRoot class
Page-level authorization
Conditional rendering with the Thymeleaf Spring Security tag library
Conditional rendering based on URL access rules
Conditional rendering using SpEL
Using controller logic to conditionally render content
The WebInvocationPrivilegeEvaluator class
What is the best way to configure in-page authorization?
Method-level security
Interface-based proxies
JSR-250 compliant standardized rules
Gradle dependencies
Method security using Spring's @Secured annotation
Method security rules incorporating method parameters
Method security rules incorporating returned values
Securing method data using role-based filtering
Prefiltering collections with @PreFilter
Comparing method authorization types
Practical considerations for annotation-based security
Chapter 12: Access Control Lists
The conceptual module of an ACL
ACLs in Spring Security
Basic configuration of Spring Security ACL support
Defining a simple target scenario
Adding ACL tables to the H2 database
Configuring SecurityExpressionHandler
The AclPermissionCacheOptimizer object
Optimizing AclPermission Cache
The JdbcMutableAclService object
The BasicLookupStrategy class
Creating a simple ACL entry
Advanced ACL topics
How permissions work
The custom ACL permission declaration
Enabling ACL permission evaluation
Mutable ACLs and authorization
Considerations for a typical ACL deployment.
ACL scalability and performance modeling.
Notes:
Description based on publisher supplied metadata and other sources.
Description based on print version record.
Other Format:
Print version: Nasslahsen, Badr Spring Security
ISBN:
9781835460115
OCLC:
1438671014

The Penn Libraries is committed to describing library materials using current, accurate, and responsible language. If you discover outdated or inaccurate language, please fill out this feedback form to report it and suggest alternative language.

Find

Home Release notes

My Account

Shelf Request an item Bookmarks Fines and fees Settings

Guides

Using the Find catalog Using Articles+ Using your account