TI274
Information technology

Spring Security: end-to-end security for your Java applications

Master API authentication, authorization and protection with Spring


In the context of modern architectures (REST APIs, SPAs, microservices), application security is more strategic than ever. Spring Security is the reference framework for managing authentication, authorization and protection against common threats within the Spring Boot ecosystem. This training course takes you step by step through the fundamental concepts: identity and roles, security filters, common attacks (CSRF, XSS), and shows you how to apply best practices to counter these vulnerabilities. You will learn how to secure different types of applications (MVC frontend, REST API, JavaScript clients) using various authentication modes (form, session, JWT, OpenID Connect) and applying fine-grained rights management. Hands-on workshops will have you connect the application to a user repository, implement a strategy that adapts to the type of client, and validate your configuration through automated tests with spring-security-test. A key course for any developer or architect wishing to deliver truly secure Java applications.

Objectives

Enable developers and architects to design, implement and test a robust security strategy in a Java application based on Spring Boot, by mastering authentication, authorization and protection mechanisms against common vulnerabilities. Know how to adapt this strategy according to the type of client (web, SPA, REST API) and in the context of distributed architectures (SSO, microservices).

Is it for you?

Developers and architects.

Prerequisites

This course requires a sound knowledge of the basics of Java programming (principles of object-oriented programming, generic types, annotations, lambda expressions) and experience of working with Eclipse or IntelliJ.

Your benefits

  • Choose an authentication protocol;
  • Assess the qualities of a password hashing algorithm;
  • Protect a web application against CSRF attacks;
  • Secure a REST API with JWT;
  • Couple a web application to an OpenID Connect server;
  • Apply authorization rules;
  • Test a secure application.
Content

    Module 1 – Introduction

    • Authentication modes: basic, login form, session, token, Kerberos.
    • Presentation of the SecurityFilterChain bean and its component filters.
    • Beans created automatically by Spring Boot.
    • Representing user identity: the Principal interface.
    • CSRF and XSS attacks.

    Module 2 – Declaring a user repository

    • Concepts: user, role, authority.
    • UserManager and GroupManager interfaces.
    • Declaring a UserDetailsService bean to respond to authentication requests.
    • Choosing a password hashing algorithm.

    Practical application: declaring a database as a user and role repository.

    Module 3 – Session-based security

    • Cookies as a means of establishing sessions.
    • Protection against XSS and CSRF attacks.
    • Implementation for a REST API.
    • MVC GUI implementation.
    • External storage of session information to make the application stateless.

    Practical application: activation of session security on a Spring MVC frontend, protection against CSRF attacks.

    Module 4 – Token-based security

    • Introduction to the JWT standard.
    • The JwtDecoder bean.
    • Issuing and signing tokens: symmetric or asymmetric keys.
    • Coupling with an OpenID Connect server.
    • Sensitive points: revocations, role management.
    • Protection against token theft via XSS attacks in a single-page application.
    • The token relay pattern in a microservices architecture.

    Practical application: coupling Spring with an OpenID Connect server, applying a refusal strategy for revoked tokens.

    Module 5 – Authorizations

    • Route access rules.
    • Method access rules.
    • Access rules for view elements.

    Practical application: securing web application routes and MVC frontend pages.

    Module 6 – Testing

    • Testing a method or API as an authenticated user.
    • The role of SecurityMockMvcRequestPostProcessors.

    Practical application: using spring-security-test to test the previously secured application.

    💡 Useful information

    Our training sessions are offered in Montreal or Quebec City, in person or in virtual format. Dates and locations are provided when you select your session below. If you have any questions regarding registration, schedules, the language of instruction, or cancellation policies, please consult our FAQ.

    Duration
    1 day
    Schedule
    See training dates for details
    Regular fee
    $625
    Preferential fee
    $560
    A preferential rate is offered to public institutions, to members of certain professional organizations, and to companies that do a certain amount of business with Technologia. To know more, please read the "Registration and rates" section on our FAQ page. Please note that preferential rates are not available for online training courses. Discounts cannot be combined with other offers.
    Private or personalized training

    Do you have several employees interested in the same training course? Whether in person at your offices or remotely in virtual mode, we offer private training courses tailored to your team's needs. Group rates are available. Contact us for more details or request a quote online.
