1 option
Spring Security : Effectively Secure Your Web Apps, RESTful Services, Cloud Apps, and Microservice Architectures / Badr Nasslahsen.
- Format:
- Book
- Author/Creator:
- Nasslahsen, Badr, author.
- Language:
- English
- Subjects (All):
- Computer security.
- Internet--Security measures.
- Internet.
- Java (Computer program language).
- Physical Description:
- 1 online resource (596 pages)
- Edition:
- Fourth edition.
- Place of Publication:
- Birmingham : Packt Publishing Ltd., [2024]
- Biography/History:
- Nasslahsen Badr: Badr Nasslahsen is a lead security and cloud architect with over 17 years of experience. He holds an executive master's degree from Ecole Centrale Paris and an engineering degree from Telecom SudParis. He is an Oracle Certified Java SE 11 Professional, CISSP, TOGAF, CKA, and Scrum Master. Badr has extensive experience with public cloud providers such as AWS, Azure, GCP, Oracle, and IBM. He is also the author of the springdoc-openapi project.
- Summary:
- Leverage the power of Spring Security 6 to protect your modern Java applications from hackersKey FeaturesArchitect solutions that leverage Spring Security while remaining loosely coupledImplement authentication and authorization with SAML2, OAuth 2, hashing, and encryption algorithmsIntegrate Spring Security with technologies such as microservices, Kubernetes, the cloud, and GraalVM native imagesPurchase of the print or Kindle book includes a free PDF eBookBook DescriptionKnowing that experienced hackers are constantly on the prowl to attack your apps can make security one of the most challenging concerns of creating an app. The complexity of properly securing an app is compounded when you must also integrate this factor with legacy code, new technologies, and other frameworks. This book will help you easily secure your Java apps with Spring Security, a trusted and highly customizable authentication and access control framework. The book starts by showing you how to implement different authentication mechanisms before demonstrating how to properly restrict access to your app. You’ll then cover tips for integrating Spring Security with popular web frameworks such as Thymeleaf. The book also features an example of how Spring Security defends against session fixation, moves into concurrency control, and how you can use session management for administrative functions. This fourth edition aligns with Java 17/21 and Spring Security 6, covering advanced security scenarios for RESTful web services and microservices. This ensures you gain a complete understanding of the issues surrounding stateless authentication and discover a concise approach to solving those issues. By the end of this book, you’ll be able to integrate Spring Security 6 with GraalVM native images seamlessly, from start to finish.What you will learnUnderstand common security vulnerabilities and how to resolve themImplement authentication and authorization and learn how to map users to rolesIntegrate Spring Security with LDAP, Kerberos, SAML 2, OpenID, and OAuthGet to grips with the security challenges of RESTful web services and microservicesConfigure Spring Security to use Spring Data for authenticationIntegrate Spring Security with Spring Boot, Spring Data, and web applicationsProtect against common vulnerabilities like XSS, CSRF, and ClickjackingWho this book is forIf you’re a Java web developer or an architect with fundamental knowledge of Java 17/21, web services, and the Spring Framework, this book is for you. No previous experience with Spring Security is needed to get started with this book.
- Contents:
- Cover
- Title Page
- Copyright and Credits
- Dedication
- Contributors
- Table of Contents
- Preface
- Part 1: Fundamentals of Application Security
- Chapter 1: Anatomy of an Unsafe Application
- Exploring software architecture styles
- Monolithic architecture
- N-Tier architecture (layered architecture)
- SOA
- Microservices architecture
- Choosing between traditional web applications and Single-Page Applications
- Understanding security audit
- Exploring the example application
- The JBCP calendar application architecture
- Reviewing the audit results
- Addressing the security audit findings
- Authentication
- Authorization
- Database credential security
- Sensitive information
- Transport-level protection
- Using Spring Security 6 to address security concerns
- Technical requirements
- Summary
- Chapter 2: Getting Started with Spring Security
- Hello Spring Security
- Importing the sample application
- Updating your dependencies
- Implementing a Spring Security configuration
- Updating your web configuration
- Running a secured application
- Common problems
- A little bit of polish
- Customizing login
- Chapter 3: Custom Authentication
- Authentication architecture in Spring Security
- The SecurityContextHolder class
- The SecurityContext interface
- The Authentication interface
- The AuthenticationManager interface
- The ProviderManager class
- The AuthenticationProvider interface
- Exploring the JBCP calendar architecture
- The CalendarUser object
- The Event object
- The CalendarService interface
- The UserContext interface
- The SpringSecurityUserContext interface
- Logging in new users using SecurityContextHolder
- Managing users in Spring Security
- Logging in a new user to an application
- Updating SignupController
- Creating a custom UserDetailsService object.
- The CalendarUserDetailsService class
- Configuring UserDetailsService
- Removing references to UserDetailsManager
- The CalendarUserDetails object
- The SpringSecurityUserContext simplifications
- Creating a custom AuthenticationProvider object
- Creating CalendarUserAuthenticationProvider
- Configuring the CalendarUserAuthenticationProvider object
- Authenticating with different parameters
- Which authentication method should you use?
- Part 2: Authentication Techniques
- Chapter 4: JDBC-based Authentication
- Installing the required dependencies
- Using the H2 database
- Provided JDBC scripts
- Configuring the H2 embedded database
- Configuring a JDBC UserDetailsManager implementation
- The default user schema of Spring Security
- Defining users
- Defining user authorities
- Exploring UserDetailsManager interface
- Group-based access control
- Configuring group-based access control
- Support for a custom schema
- Determining the correct JDBC SQL queries
- Updating the SQL scripts that are loaded
- The CalendarUser authority SQL
- Inserting custom authorities
- Configuring JdbcUserDetailsManager to use custom SQL queries
- Configuring secure passwords
- Exploring the PasswordEncoder interface
- The DelegatingPasswordEncoder implementation
- Configuring password encoding
- Configuring the PasswordEncoder method
- Making Spring Security aware of the PasswordEncoder method
- Using salt in Spring Security
- Updating the Spring Security configuration
- Migrating existing passwords
- Updating DefaultCalendarUserService
- Trying out salted passwords
- Chapter 5: Authentication with Spring Data
- Spring Data JPA
- Updating our dependencies
- Reconfiguring the database configuration
- Initializing the database
- Refactoring from SQL to ORM
- Mapping domain objects using JPA.
- Spring Data repositories
- Data access objects
- Application services
- The UserDetailsService object
- Refactoring from an RDBMS to a document database
- Document database implementation with MongoDB
- Reconfiguring the database configuration in MongoDB
- Initializing the MongoDB database
- Mapping domain objects with MongoDB
- Data access objects in MongoDB
- Chapter 6: LDAP Directory Services
- Understanding LDAP
- LDAP
- Troubleshooting embedded LDAP
- Understanding how Spring LDAP authentication works
- Authenticating user credentials
- Demonstrating authentication with JXplorer
- Determining roles with Jxplorer
- Mapping additional attributes of UserDetails
- Advanced LDAP configuration
- LDAP password encoding and storage
- Configuring the UserDetailsContextMapper object
- Implicit configuration of UserDetailsContextMapper
- Viewing additional user details
- Configuring LdapUserDetailsService
- Updating AccountController to use LdapUserDetailsService
- Integrating Spring Security with an external LDAP server
- Explicit LDAP bean configuration
- Configuring an external LDAP server reference
- Performing a search to locate the user in the LDAP directory
- Delegating role discovery to UserDetailsService
- Integrating with Microsoft Active Directory via LDAP
- Built-in AD support in Spring Security 6.1
- Chapter 7: Remember-me Services
- What is remember-me?
- Dependencies
- The token-based remember-me feature
- SHA-256 Algorithm
- Remember-me signature
- Is remember-me secure?
- Authorization rules for remember-me
- Persistent remember-me
- Configuring the persistent-based remember-me feature
- How does the persistent-based remember-me feature work?
- JPA-based PersistentTokenRepository
- Custom RememberMeServices.
- Are database-backed persistent tokens more secure?
- Cleaning up the expired remember-me sessions
- The remember-me architecture
- Remember-me and the user life cycle
- Restricting the remember-me feature to an IP address
- Custom cookie and HTTP parameter names
- Chapter 8: Client Certificate Authentication with TLS
- How does client certificate authentication work?
- Setting up the client certificate authentication infrastructure
- Importing the certificate key pair into a browser
- Troubleshooting client certificate authentication
- Configuring client certificate authentication in Spring Security
- Configuring client certificate authentication using the security namespace
- Configuring client certificate authentication using Spring beans
- Additional capabilities of bean-based configuration
- Considerations when implementing client certificate authentication
- Part 3: Exploring OAuth 2 and SAML 2
- Chapter 9: Opening up to OAuth 2
- The Promising World of OAuth 2
- Why do we need OpenID Connect?
- How OpenID Connect Works
- Signing up for an OAuth 2 application
- Enabling OAuth 2.0 Login with Spring Security
- Customize the Login Page
- Additional OAuth 2 providers
- Configuring Custom Provider Properties
- Enabling Proof Key for Code Exchange (PKCE) support
- OpenID Connect 1.0 Logout
- Automatic User Registration
- Mapping User Authorities
- Is OAuth 2 secure?
- Chapter 10: SAML 2 Support
- What is SAML?
- SAML 2.0 Login with Spring Security
- Add a SAML application on OKTA
- Creating the user principal in OKTA
- Additional required dependencies
- Specifying IdP Metadata
- Retrieving the SAML 2 Authenticated Principal
- Parsing SAML 2 metadata
- Generating SAML 2 Metadata
- Adapting RelyingPartyRegistration lookup
- Overriding SAML Spring Boot Auto Configuration.
- Creating a custom RelyingPartyRegistrationRepository
- Creating custom authorities with Spring Security SAML
- Performing Single Logout
- Part 4: Enhancing Authorization Mechanisms
- Chapter 11: Fine-Grained Access Control
- Integrating Spring Expression Language (SpEL)
- The WebSecurityExpressionRoot class
- The MethodSecurityExpressionRoot class
- Page-level authorization
- Conditional rendering with the Thymeleaf Spring Security tag library
- Conditional rendering based on URL access rules
- Conditional rendering using SpEL
- Using controller logic to conditionally render content
- The WebInvocationPrivilegeEvaluator class
- What is the best way to configure in-page authorization?
- Method-level security
- Interface-based proxies
- JSR-250 compliant standardized rules
- Gradle dependencies
- Method security using Spring's @Secured annotation
- Method security rules incorporating method parameters
- Method security rules incorporating returned values
- Securing method data using role-based filtering
- Prefiltering collections with @PreFilter
- Comparing method authorization types
- Practical considerations for annotation-based security
- Chapter 12: Access Control Lists
- The conceptual module of an ACL
- ACLs in Spring Security
- Basic configuration of Spring Security ACL support
- Defining a simple target scenario
- Adding ACL tables to the H2 database
- Configuring SecurityExpressionHandler
- The AclPermissionCacheOptimizer object
- Optimizing AclPermission Cache
- The JdbcMutableAclService object
- The BasicLookupStrategy class
- Creating a simple ACL entry
- Advanced ACL topics
- How permissions work
- The custom ACL permission declaration
- Enabling ACL permission evaluation
- Mutable ACLs and authorization
- Considerations for a typical ACL deployment.
- ACL scalability and performance modeling.
- Notes:
- Description based on publisher supplied metadata and other sources.
- Description based on print version record.
- Other Format:
- Print version: Nasslahsen, Badr Spring Security
- ISBN:
- 9781835460115
- OCLC:
- 1438671014
The Penn Libraries is committed to describing library materials using current, accurate, and responsible language. If you discover outdated or inaccurate language, please fill out this feedback form to report it and suggest alternative language.