TI274
Information technology

Spring Security: end-to-end security for your Java applications

Master API authentication, authorization and protection with Spring

In a context of modern architectures (API REST, SPA, microservices), application security is more strategic than ever. Spring Security is the reference framework for managing authentication, authorization and protection against common threats within the Spring Boot ecosystem.
This training course takes you step-by-step through the fundamental concepts: identity and roles, security filters, common attacks (CSRF, XSS), and shows you how to apply best practices to combat these vulnerabilities. You'll learn how to secure different types of applications (MVC frontend, REST API, JavaScript clients) using various authentication modes (form, session, JWT, OpenID Connect) and applying fine-grained rights management.
Concrete workshops will enable you to connect the application to a user base, implement an adaptable strategy according to the type of client, and validate your configuration through automated tests via spring-security-test.
A key course for any developer or architect wishing to deliver truly secure Java applications.

Is it for you ?

Developers and architects.

Prerequisites

This course requires a sound knowledge of the basics of Java programming (principles of object-oriented programming, generic types, annotations, lambda expressions) and experience of working with Eclipse or IntelliJ.

What You'll Walk Away With

  • Choose an authentication protocol;
  • Assess the qualities of a password hashing algorithm;
  • Protect a web application against CSRF attacks;
  • Securing a REST API with JWT;
  • Couple a web application to an OpenID Connect server;
  • Apply authorization rules;
  • Test a secure application.

Training content

1 Introduction

  • Authentication modes: basic, login form, session, token, kerberos.
  • Presentation of the SecurityFilterChain bean and its component filters.
  • Beans created automatically by Spring Boot.
  • Representing user identity: the Principal interface.
  • CSRF and XSS attacks.

2 Declaring a user repository

  • Concepts: user, role, authority.
  • UserManager and GroupManager interfaces.
  • Declaring a UserDetailsService bean to respond to authentication requests.
  • Choosing a password hashing algorithm.
  • Practical application: declaring a database as a user and role repository.

3 Session-based security

  • Cookies as a means of establishing sessions.
  • Protection against XSS and CSRF attacks.
  • Implementation for a REST API.
  • MVC GUI implementation.
  • External storage of session information to make the application stateless.
  • Practical application: activation of session security on a Spring MVC frontend, protection against CSRF attacks.

4 Token-based security

  • Introduction to the JWT standard.
  • The JwtDecoder bean.
  • Issuing and signing tokens: symmetrical or asymmetrical keys.
  • Coupling with an OpenID Connect server.
  • Sensitive points: revocations, role management.
  • Protection against token theft by XSS attack in a single page application.
  • The token relay pattern in a microservices architecture.
  • Putting it into practice: coupling Spring with an OpenID Connect server, applying a refusal strategy for revoked tokens.

5 Authorizations

  • Route access rules.
  • Method access rules.
  • Access rules for view elements.
  • Practical application: securing web application routes and MVC frontend pages.

6 Testing

  • Testing a method or API as an authenticated user.
  • The role of SecurityMockMvcRequestPostProcessors.
  • Practical application: using spring-security-test to test the previously secured application.
See more

📌 Practical information

Our training sessions are offered in Montreal or Quebec City, in person or in a virtual classroom. Dates and locations are specified when you select your session below. If you have any questions, check out our FAQ.

Duration
1 day
Schedule
See training dates for details
Regular fee
$625
Preferential fee A preferential rate is offered to public institutions, to members of certain professional organizations as well as to companies that do a certain amount of business with Technologia. To know more, please read the "Registration and rates" section on our FAQ page. Please note that preferential rates are not available for online training courses. Discounts cannot be combined with other offers.
$560
Private or personalized training

Do you have several employees interested in the same training course? Whether in person at your offices or remotely in virtual mode, we offer private training courses tailored to your team's needs. Group rates are available. Contact us for more details or request a quote online.

Request a quote

Request in-company training

Do you have several employees interested in the same training course? Whether in person at your offices or remotely in virtual mode, we offer private training courses tailored to your team's needs. Group rates are available. Contact us for more details or request a quote online.

Tell us more
Added to cart View my cart