Spring Security in Action, Second Edition

✍ Scribed by Laurențiu Spilcă


Publisher: Manning Publications Co.
Year: 2024
Language: English
Pages: 440
Edition: 2
Category: Library


✦ Synopsis


Design and develop Spring applications that are secure right from the start. In Spring Security in Action, Second Edition you will learn essential security skills, including how to:

- Implement and customize authentication and authorization
- Set up all components of an OAuth 2/OpenID Connect system
- Utilize CSRF and CORS configurations
- Secure Spring reactive applications
- Write tests for security configurations

Spring Security in Action, Second Edition is a revised version of the bestselling original, fully updated for Spring Boot 3 and OAuth 2/OpenID Connect. This new edition covers the latest patterns for application-level security in Spring apps, demonstrating how Spring Security simplifies every step of the security process. Code samples and useful real-world examples give you hands-on experience of protecting your apps from common threats such as injection attacks and poor monitoring.

About the technology
Spring Security is essential for any Java developer looking to master authentication and authorization in Spring apps. By adopting "secure by design" principles with Spring Security's out-of-the-box features, you can protect your apps from data theft and unauthorized intrusions.

About the book
Spring Security in Action, Second Edition reveals the Spring Security techniques and tools you need to defend your apps against attack. In this book, author Laurențiu Spilcă, a skilled Java and Spring developer, will teach you how to build your own authorization server, manage system users, configure secure endpoints, and prevent cross-site scripting and request forgery attacks. This new second edition delves into the OAuth 2/OpenID Connect stack and details SecurityFilterChain for security configuration. Don't let security be an afterthought. Start protecting your apps from the first line of code!

About the reader
For experienced Java and Spring developers.

About the author
Laurențiu Spilcă is a skilled Java and Spring developer and an experienced technology instructor. He is also the author of Manning's Spring Start Here and Troubleshooting Java.

✦ Table of Contents


Praise for the first edition
Spring Security in Action
Copyright
contents
front matter
foreword
preface
acknowledgments
about this book
Who should read this book?
How this book is organized: A roadmap
About the code
liveBook discussion forum
about the author
about the cover illustration
Part 1. Say hello to Spring Security
1 Security today
1.1 Discovering Spring Security
1.2 What is software security?
1.3 Why is security important?
1.4 What will you learn in this book?
Summary
2 Hello, Spring Security
2.1 Starting your first project
2.2 The big picture of Spring Security class design
2.3 Overriding default configurations
2.3.1 Customizing user details management
2.3.2 Applying authorization at the endpoint level
2.3.3 Configuring in different ways
2.3.4 Defining custom authentication logic
2.3.5 Using multiple configuration classes
Summary
Part 2. Configuring authentication
3 Managing users
3.1 Implementing authentication in Spring Security
3.2 Describing the user
3.2.1 Describing users with the UserDetails contract
3.2.2 Detailing on the GrantedAuthority contract
3.2.3 Writing a minimal implementation of UserDetails
3.2.4 Using a builder to create instances of the UserDetails type
3.2.5 Combining multiple responsibilities related to the user
3.3 Instructing Spring Security on how to manage users
3.3.1 Understanding the UserDetailsService contract
3.3.2 Implementing the UserDetailsService contract
3.3.3 Implementing the UserDetailsManager contract
Summary
4 Managing passwords
4.1 Using password encoders
4.1.1 The PasswordEncoder contract
4.1.2 Implementing your PasswordEncoder
4.1.3 Choosing from the provided PasswordEncoder implementations
4.1.4 Multiple encoding strategies with DelegatingPasswordEncoder
4.2 Taking advantage of the Spring Security Crypto module
4.2.1 Using key generators
4.2.2 Encrypting and decrypting secrets using encryptors
Summary
5 A web app’s security begins with filters
5.1 Implementing filters in the Spring Security architecture
5.2 Adding a filter before an existing one in the chain
5.3 Adding a filter after an existing one in the chain
5.4 Adding a filter at the location of another in the chain
5.5 Filter implementations provided by Spring Security
Summary
6 Implementing authentications
6.1 Understanding the AuthenticationProvider
6.1.1 Representing the request during authentication
6.1.2 Implementing custom authentication logic
6.1.3 Applying custom authentication logic
6.2 Using the SecurityContext
6.2.1 Using a holding strategy for the security context
6.2.2 Using a holding strategy for asynchronous calls
6.2.3 Using a holding strategy for standalone applications
6.2.4 Forwarding the security context with DelegatingSecurityContextRunnable
6.2.5 Forwarding the security context with DelegatingSecurityContextExecutorService
6.3 Understanding HTTP Basic and form-based login authentications
6.3.1 Using and configuring HTTP Basic
6.3.2 Implementing authentication with form-based login
Summary
Part 3. Configuring authorization
7 Configuring endpoint-level authorization: Restricting access
7.1 Restricting access based on authorities and roles
7.1.1 Restricting access for all endpoints based on user authorities
7.1.2 Restricting access for all endpoints based on user roles
7.1.3 Restricting access to all endpoints
Summary
8 Configuring endpoint-level authorization: Applying restrictions
8.1 Using the requestMatchers() method to select endpoints
8.2 Selecting requests to apply authorization restrictions
8.3 Using regular expressions with request matchers
Summary
9 Configuring CSRF protection
9.1 How CSRF protection works in Spring Security
9.2 Using CSRF protection in practical scenarios
9.3 Customizing CSRF protection
Summary
10 Configuring CORS
10.1 How does CORS work?
10.2 Applying CORS policies with the @CrossOrigin annotation
10.3 Applying CORS using a CorsConfigurer
Summary
11 Implementing authorization at the method level
11.1 Enabling method security
11.1.1 Understanding call authorization
11.1.2 Enabling method security in your project
11.2 Applying preauthorization rules
11.3 Applying postauthorization rules
11.4 Implementing permissions for methods
Summary
12 Implementing filtering at the method level
12.1 Applying prefiltering for method authorization
12.2 Applying postfiltering for method authorization
12.3 Using filtering in Spring Data repositories
Summary
Part 4. Implementing OAuth 2 and OpenID Connect
13 What are OAuth 2 and OpenID Connect?
13.1 The big picture of OAuth 2 and OpenID Connect
13.2 Using various token implementations
13.2.1 Using opaque tokens
13.2.2 Using non-opaque tokens
13.3 Obtaining tokens through various grant types
13.3.1 Getting a token using the authorization code grant type
13.3.2 Applying PKCE protection to the authorization code grant type
13.3.3 Getting a token with the client credentials grant type
13.3.4 Using refresh tokens to get new access tokens
13.4 What OpenID Connect brings to OAuth 2
13.5 The sins of OAuth 2
Summary
14 Implementing an OAuth 2 authorization server
14.1 Implementing basic authentication using JSON web tokens
14.2 Running the authorization code grant type
14.3 Running the client credentials grant type
14.4 Using opaque tokens and introspection
14.5 Revoking tokens
Summary
15 Implementing an OAuth 2 resource server
15.1 Configuring JWT validation
15.2 Using customized JWTs
15.3 Configuring token validation through introspection
15.4 Implementing multitenant systems
Summary
16 Implementing an OAuth 2 client
16.1 Implementing OAuth 2 login
16.1.1 Implementing authentication with a common provider
16.1.2 Giving the user more possibilities
16.1.3 Using a custom authorization server
16.1.4 Adding flexibility to your configurations
16.1.5 Managing authorization for an OAuth 2 login
16.2 Implementing an OAuth 2 client
Summary
Part 5. Going reactive
17 Implementing security in reactive applications
17.1 What are reactive apps?
17.2 User management in reactive apps
17.3 Configuring authorization rules in reactive apps
17.3.1 Applying authorization at the endpoint layer in reactive apps
17.3.2 Using method security in reactive apps
17.4 Creating a reactive OAuth 2 resource server
Summary
Part 6. Testing security configurations
18 Testing security configurations
18.1 Using mock users for tests
18.2 Testing with users from a UserDetailsService
18.3 Using custom Authentication objects for testing
18.4 Testing method security
18.5 Testing authentication
18.6 Testing CSRF configurations
18.7 Testing CORS configurations
18.8 Testing reactive Spring Security implementations
Summary
Appendix A. Links to official documentation
Appendix B. Further reading
For Spring Framework in general
Spring in Action, Sixth Edition by Craig Walls (Manning, 2022)
Spring Boot Up & Running by Mark Heckler (O’Reilly Media, 2022)
Spring Start Here by Laurențiu Spilcă (Manning, 2021)
To help you learn more about building your Java app’s persistence layer
High-Performance Java Persistence by Vlad Mihalcea (self-published, 2019)
Java Persistence with Spring Data and Hibernate, Third Edition by Cătălin Tudose (Manning, 2023)
JUnit in Action, Third Edition by Cătălin Tudose (Manning, 2021)
index

