Objectives of the training
Enable developers and architects to design, implement and test a robust security strategy in a Java application based on Spring Boot, by mastering authentication, authorization and protection mechanisms against common vulnerabilities. Know how to adapt this strategy according to the type of client (web, SPA, REST API) and in the context of distributed architectures (SSO, microservices).
Targeted audience
Developers and architects.
Prerequisite
This course requires a sound knowledge of the basics of Java programming (principles of object-oriented programming, generic types, annotations, lambda expressions) and experience of working with Eclipse or IntelliJ.
Trainers
Benefits for Participants
- Choose an authentication protocol;
- Assess the qualities of a password hashing algorithm;
- Protect a web application against CSRF attacks;
- Secure a REST API with JWT;
- Couple a web application to an OpenID Connect server;
- Apply authorization rules;
- Test a secure application.
Course architecture
Introduction
Authentication modes: basic, login form, session, token, Kerberos.
Presentation of the SecurityFilterChain bean and its component filters.
Beans created automatically by Spring Boot.
Representing user identity: the Principal interface.
CSRF and XSS attacks.
Declaring a user repository
Concepts: user, role, authority.
UserManager and GroupManager interfaces.
Declaring a UserDetailsService bean to respond to authentication requests.
Choosing a password hashing algorithm.
Practical application: declaring a database as a user and role repository.
Session-based security
Cookies as a means of establishing sessions.
Protection against XSS and CSRF attacks.
Implementation for a REST API.
MVC GUI implementation.
External storage of session information to make the application stateless.
Practical application: activation of session security on a Spring MVC frontend, protection against CSRF attacks.
Token-based security
Introduction to the JWT standard.
The JwtDecoder bean.
Issuing and signing tokens: symmetric or asymmetric keys.
Coupling with an OpenID Connect server.
Sensitive points: revocations, role management.
Protection against token theft by XSS attack in a single page application.
The token relay pattern in a microservices architecture.
Practical application: coupling Spring with an OpenID Connect server, applying a rejection strategy for revoked tokens.
Authorizations
Route access rules.
Method access rules.
Access rules for view elements.
Practical application: securing web application routes and MVC frontend pages.
Testing
Testing a method or API as an authenticated user.
The role of SecurityMockMvcRequestPostProcessors.
Practical application: using spring-security-test to test the previously secured application.
Pedagogical details
Training architecture
- Explanation, for each concept, of the problem it claims to solve;
- Putting a concept into practice immediately after it has been presented;
- Validation of each step by execution of unit tests;
- A "fil rouge" exercise running through the course, so that a complete application is obtained at the end;
- End-of-chapter MCQs to ensure knowledge acquisition.
Type of training
Private or personalized training
If you have more than 8 people to sign up for a particular course, it can be delivered as a private session right at your offices. Contact us for more details.
Request a quote