Spring Security

This 2-day course offers hands-on experience with the major features of Spring Security, which includes configuration, authentication, authorization, password handling, testing, protecting against security threats, and the OAuth2 support to secure applications. On completion, participants will have a foundation for securing enterprise and microservices applications.

Objectives

By the end of the course, you should be able to meet the following objectives:

• Use Spring Security in Spring and Spring Boot applications
• Configure the Spring Security filter chain
• Protect HTTP endpoints with expression-based access control and the AuthorizationManager API
• Protect method execution
• Utilize different authentication mechanisms
• Handle passwords in an efficient way
• Integrate Spring Security with Junit 5 and MockMVC to test HTTP and method security
• Protect against common vulnerabilities and threats
• Understand what OAuth2 is
• Use and configure the Spring Authorization Server
• Implement a resource server and client

Intended Audience

Application developers who want to increase their understanding of Spring Security with hands-on experience and build secure Spring and Spring Boot applications.

Prerequisites

Developer experience building applications with Spring Boot, experience using an IDE (Eclipse, Spring Tools, IntelliJ, or VS Code), and experience using build tools such as Maven or Gradle.

Course Outline

1 Security Introduction

• Why security
• Basic security concepts
• Common security vulnerabilities

2 Spring Security Basics

• Introduction to Spring Security
• Spring Security architecture overview
• Understanding security filters and the filter chain
• Explaining the SecurityContext
• Configuring Spring Security and Spring Boot auto-configuration

3 Securing Web Applications

• Configuring HTTP security
• Access control with AccessDecisionsManager
• Access control with AuthorizationManager
• Bypassing security

4  Method Security

• Explaining method security architecture
• Implementing declarative method security with annotations

5 Customizing Authentication

• Using and customizing authentication building blocks (AuthenticationManager, AuthenticationProvider, UserDetailsService)
• Username and password-based authentication mechanisms
• Other authentication mechanisms
• Authentication events

6 Handling Passwords

• Password hashing
• PasswordEncoder abstraction
• Upgrading passwords

7 Security Testing

• Using MockMvc to test security
• Using Security mock annotations and meta-annotations
• Testing method security

8 Protecting Against Common Vulnerabilities

• Protecting against CSRF attacks
• Using security headers
• Configuring transport layer security

9 OAuth2 Concepts

• What is OAuth2
• Defining Spring Security OAuth2 support
• Explaining authorization grant types
• Using Access and ID tokens (Opaque vs JWT)
• Understanding Scopes

10 The Spring Authorization Server

• Describing the role of the Authorization Server
• Configuring the Authorization Server

11 Protecting and accessing resources with OAuth2

• Configuring OAuth2 login
• Configuring the Resource Server
• Implementing a client using the WebClient