Master API authentication, authorization and protection with Spring
In a context of modern architectures (API REST, SPA, microservices), application security is more strategic than ever. Spring Security is the reference framework for managing authentication, authorization and protection against common threats within the Spring Boot ecosystem.
This training course takes you step-by-step through the fundamental concepts: identity and roles, security filters, common attacks (CSRF, XSS), and shows you how to apply best practices to combat these vulnerabilities. You'll learn how to secure different types of applications (MVC frontend, REST API, JavaScript clients) using various authentication modes (form, session, JWT, OpenID Connect) and applying fine-grained rights management.
Concrete workshops will enable you to connect the application to a user base, implement an adaptable strategy according to the type of client, and validate your configuration through automated tests via spring-security-test.
A key course for any developer or architect wishing to deliver truly secure Java applications.
Is it for you ?
Developers and architects.
Prerequisites
This course requires a sound knowledge of the basics of Java programming (principles of object-oriented programming, generic types, annotations, lambda expressions) and experience of working with Eclipse or IntelliJ.
What You'll Walk Away With
- ✓ Choose an authentication protocol;
- ✓ Assess the qualities of a password hashing algorithm;
- ✓ Protect a web application against CSRF attacks;
- ✓ Securing a REST API with JWT;
- ✓ Couple a web application to an OpenID Connect server;
- ✓ Apply authorization rules;
- ✓ Test a secure application.
Training content
1 Introduction
- Authentication modes: basic, login form, session, token, kerberos.
- Presentation of the SecurityFilterChain bean and its component filters.
- Beans created automatically by Spring Boot.
- Representing user identity: the Principal interface.
- CSRF and XSS attacks.
2 Declaring a user repository
- Concepts: user, role, authority.
- UserManager and GroupManager interfaces.
- Declaring a UserDetailsService bean to respond to authentication requests.
- Choosing a password hashing algorithm.
- Practical application: declaring a database as a user and role repository.
3 Session-based security
- Cookies as a means of establishing sessions.
- Protection against XSS and CSRF attacks.
- Implementation for a REST API.
- MVC GUI implementation.
- External storage of session information to make the application stateless.
- Practical application: activation of session security on a Spring MVC frontend, protection against CSRF attacks.
4 Token-based security
- Introduction to the JWT standard.
- The JwtDecoder bean.
- Issuing and signing tokens: symmetrical or asymmetrical keys.
- Coupling with an OpenID Connect server.
- Sensitive points: revocations, role management.
- Protection against token theft by XSS attack in a single page application.
- The token relay pattern in a microservices architecture.
- Putting it into practice: coupling Spring with an OpenID Connect server, applying a refusal strategy for revoked tokens.
5 Authorizations
- Route access rules.
- Method access rules.
- Access rules for view elements.
- Practical application: securing web application routes and MVC frontend pages.
6 Testing
- Testing a method or API as an authenticated user.
- The role of SecurityMockMvcRequestPostProcessors.
- Practical application: using spring-security-test to test the previously secured application.
📌 Practical information
Our training sessions are offered in Montreal or Quebec City, in person or in a virtual classroom. Dates and locations are specified when you select your session below. If you have any questions, check out our FAQ.