| Foreword |
|
xv | |
| Preface |
|
xvii | |
| Acknowledgments |
|
xix | |
| About this book |
|
xx | |
| About the author |
|
xxvi | |
| About the cover illustration |
|
xxvii | |
|
|
|
1 | (2) |
|
|
|
3 | (30) |
|
1.1 Spring Security: The what and the why |
|
|
5 | (2) |
|
1.2 What is software security? |
|
|
7 | (5) |
|
1.3 Why is security important? |
|
|
12 | (2) |
|
1.4 Common security vulnerabilities in web applications |
|
|
14 | (10) |
|
Vulnerabilities in authentication and authorization |
|
|
15 | (1) |
|
What is session fixation? |
|
|
16 | (1) |
|
What is cross-site scripting (XSS)? |
|
|
16 | (2) |
|
What is cross-site request forgery (CSRF)? |
|
|
18 | (1) |
|
Understanding injection vulnerabilities in web applications |
|
|
18 | (1) |
|
Dealing with the exposure of sensitive data |
|
|
19 | (3) |
|
What is the lack of method access control? |
|
|
22 | (1) |
|
Using dependencies with known vulnerabilities |
|
|
23 | (1) |
|
1.5 Security applied in various architectures |
|
|
24 | (7) |
|
Designing a one-piece web application |
|
|
24 | (2) |
|
Designing security for a backend/firontend separation |
|
|
26 | (1) |
|
Understanding the OAuth 2 flow |
|
|
27 | (2) |
|
Using API keys, cryptographic signatures, and IP validation to secure requests |
|
|
29 | (2) |
|
1.6 What will you learn in this book? |
|
|
31 | (2) |
|
|
|
33 | (26) |
|
2.1 Starting with the first project |
|
|
34 | (4) |
|
2.2 Which are the default configurations? |
|
|
38 | (5) |
|
2.3 Overriding default configurations |
|
|
43 | (16) |
|
Overriding the UserDetailsService component |
|
|
44 | (4) |
|
Overriding the endpoint authorization configuration |
|
|
48 | (2) |
|
Setting the configuration in different ways |
|
|
50 | (3) |
|
Overriding the AuthenticationProvider implementation |
|
|
53 | (3) |
|
Using multiple configuration classes in your project |
|
|
56 | (3) |
|
|
|
59 | (2) |
|
|
|
61 | (1) |
|
3.1 Implementing authentication in Spring Security |
|
|
62 | (3) |
|
|
|
65 | (9) |
|
Demystifying the definition of the UserDetails contract |
|
|
65 | (1) |
|
Detailing on the GrantedAuthority contract |
|
|
66 | (1) |
|
Writing a minimal implementation of UserDetails |
|
|
67 | (3) |
|
Using a builder to create instances of the UserDetails type |
|
|
70 | (1) |
|
Combining multiple responsibilities related to the user |
|
|
71 | (3) |
|
3.3 Instructing Spring Security on how to manage users |
|
|
74 | (12) |
|
Understanding the UserDetailsService contract |
|
|
74 | (1) |
|
Implementing the UserDetailsService contract |
|
|
75 | (3) |
|
Implementing the UserDetailsManager contract |
|
|
78 | (8) |
|
|
|
86 | (16) |
|
4.1 Understanding the PasswordEncoder contract |
|
|
86 | (11) |
|
The definition of the PasswordEncoder contract |
|
|
87 | (1) |
|
Implementing the PasswordEncoder contract |
|
|
88 | (2) |
|
Choosing from the provided implementations of PasswordEncoder |
|
|
90 | (3) |
|
Multiple encoding strategies with DelegatingPasswordEncoder |
|
|
93 | (4) |
|
4.2 More about the Spring Security Crypto module |
|
|
97 | (5) |
|
|
|
97 | (2) |
|
Using encryptors for encryption and decryption operations |
|
|
99 | (3) |
|
5 Implementing authentication |
|
|
102 | (51) |
|
5.1 Understanding the AuthenticationProvider |
|
|
104 | (9) |
|
Representing the request during authentication |
|
|
105 | (1) |
|
Implementing custom authentication logic |
|
|
106 | (2) |
|
Applying custom authentication logic |
|
|
108 | (5) |
|
5.2 Using the SecurityContext |
|
|
113 | (11) |
|
Using a holding strategy for the security context |
|
|
114 | (2) |
|
Using a holding strategy for asynchronous calls |
|
|
116 | (2) |
|
Using a holding strategy for standalone applications |
|
|
118 | (1) |
|
Forwarding the security context with DelegatingSecurityContextRunnable |
|
|
119 | (2) |
|
Forwarding the security context with DelegatingSecurityContext-ExecutorService |
|
|
121 | (3) |
|
5.3 Understanding HTTP Basic and form-based login authentications |
|
|
124 | (12) |
|
Using and configuring HTTP Basic |
|
|
124 | (3) |
|
Implementing authentication with form-based login |
|
|
127 | (8) |
|
Hands-on: A small secured web application |
|
|
135 | (1) |
|
6.1 Project requirements and setup |
|
|
136 | (5) |
|
6.2 Implementing user management |
|
|
141 | (5) |
|
6.3 Implementing custom authentication logic |
|
|
146 | (2) |
|
6.4 Implementing the main page |
|
|
148 | (3) |
|
6.5 Running and testing the application |
|
|
151 | (2) |
|
7 Configuring authorization: Restricting access |
|
|
153 | (19) |
|
7.1 Restricting access based on authorities and roles |
|
|
155 | (17) |
|
Restricting access for all endpoints based on user authorities |
|
|
157 | (8) |
|
Restricting access for all endpoints based on user roles |
|
|
165 | (4) |
|
Restricting access to all endpoints |
|
|
169 | (3) |
|
8 Configuring authorization: Applying restrictions |
|
|
172 | (23) |
|
8.1 Using matcher methods to select endpoints |
|
|
173 | (5) |
|
8.2 Selecting requests for authorization using MVC matchers |
|
|
178 | (7) |
|
8.3 Selecting requests for authorization using Ant matchers |
|
|
185 | (5) |
|
8.4 Selecting requests for authorization using regex matchers |
|
|
190 | (5) |
|
|
|
195 | (18) |
|
9.1 Implementing filters in the Spring Security architecture |
|
|
198 | (1) |
|
9.2 Adding a filter before an existing one in the chain |
|
|
199 | (4) |
|
9.3 Adding a filter after an existing one in the chain |
|
|
203 | (2) |
|
9.4 Adding a filter at the location of another in the chain |
|
|
205 | (5) |
|
9.5 Filter implementations provided by Spring Security |
|
|
210 | (3) |
|
10 Applying CSRF protection and CORS |
|
|
213 | (31) |
|
10.1 Applying cross-site request forgery (CSRF) protection in applications |
|
|
213 | (22) |
|
How CSRF protection works in Spring Security |
|
|
214 | (6) |
|
Using CSRF protection in practical scenarios |
|
|
220 | (6) |
|
Customizing CSRF protection |
|
|
226 | (9) |
|
10.2 Using cross-origin resource sharing |
|
|
235 | (9) |
|
|
|
236 | (4) |
|
Applying CORS policies with the @CrossOrigin annotation |
|
|
240 | (2) |
|
Applying CORS using a CorsConfigurer |
|
|
242 | (2) |
|
11 Hands-on: A separation of responsibilities |
|
|
244 | (40) |
|
11.1 The scenario and requirements of the example |
|
|
245 | (3) |
|
11.2 Implementing and using tokens |
|
|
248 | (5) |
|
|
|
248 | (4) |
|
What is a JSON Web Token? |
|
|
252 | (1) |
|
11.3 Implementing the authentication server |
|
|
253 | (10) |
|
11.4 Implementing the business logic server |
|
|
263 | (21) |
|
Implementing the Authentication objects |
|
|
268 | (2) |
|
Implementing the proxy to the authentication server |
|
|
270 | (2) |
|
Implementing the AuthenticationProvider interface |
|
|
272 | (2) |
|
|
|
274 | (6) |
|
Writing the security configurations |
|
|
280 | (1) |
|
|
|
281 | (3) |
|
12 How does OAuth 2 work? |
|
|
284 | (32) |
|
12.1 The OAuth 2 framework |
|
|
285 | (2) |
|
12.2 The components of the OAuth 2 authentication architecture |
|
|
287 | (1) |
|
12.3 Implementation choices with OAuth 2 |
|
|
288 | (11) |
|
Implementing the authorization code grant type |
|
|
289 | (4) |
|
Implementing the password grant type |
|
|
293 | (2) |
|
Implementing the client credentials grant type |
|
|
295 | (2) |
|
Using refresh tokens to obtain new access tokens |
|
|
297 | (2) |
|
|
|
299 | (1) |
|
12.5 Implementing a simple single sign-on application |
|
|
299 | (17) |
|
Managing the authorization server |
|
|
300 | (3) |
|
Starting the implementation |
|
|
303 | (1) |
|
Implementing ClientRegistration |
|
|
304 | (3) |
|
Implementing ClientRegistrationRepository |
|
|
307 | (2) |
|
The pure magic of Spring Boot configuration |
|
|
309 | (2) |
|
Obtaining details about an authenticated user |
|
|
311 | (1) |
|
|
|
311 | (5) |
|
13 OAuth 2: Implementing the authorization server |
|
|
316 | (22) |
|
13.1 Writing your own authorization server implementation |
|
|
318 | (1) |
|
13.2 Defining user management |
|
|
319 | (3) |
|
13.3 Registering clients with the authorization server |
|
|
322 | (3) |
|
13.4 Using the password grant type |
|
|
325 | (2) |
|
13.5 Using the authorization code grant type |
|
|
327 | (6) |
|
13.6 Using the client credentials grant type |
|
|
333 | (2) |
|
13.7 Using the refresh token grant type |
|
|
335 | (3) |
|
14 OAuth 2: Implementing the resource server |
|
|
338 | (22) |
|
14.1 Implementing a resource server |
|
|
341 | (2) |
|
14.2 Checking the token remotely |
|
|
343 | (7) |
|
14.3 Implementing blackboarding with a JdbcTokenStore |
|
|
350 | (8) |
|
14.4 A short comparison of approaches |
|
|
358 | (2) |
|
15 OAuth 2: UsingJWT and cryptographic signatures |
|
|
360 | (27) |
|
15.1 Using tokens signed with symmetric keys with JWT |
|
|
361 | (9) |
|
|
|
361 | (2) |
|
Implementing an authorization server to issue JWTs |
|
|
363 | (4) |
|
Implementing a resource server that uses JWT |
|
|
367 | (3) |
|
15.2 Using tokens signed with asymmetric keys with JWT |
|
|
370 | (10) |
|
|
|
372 | (1) |
|
Implementing an authorization server that uses private keys |
|
|
373 | (2) |
|
Implementing a resource server that uses public keys |
|
|
375 | (2) |
|
Using an endpoint to expose the public key |
|
|
377 | (3) |
|
15.3 Adding custom details to the JWT |
|
|
380 | (7) |
|
Configuring the authorization server to add custom details to tokens |
|
|
381 | (2) |
|
Configuring the resource server to read the custom details of a JWT |
|
|
383 | (4) |
|
16 Global method security: Pre- and postauthorizations |
|
|
387 | (26) |
|
16.1 Enabling global method security |
|
|
388 | (4) |
|
Understanding call authorization |
|
|
389 | (2) |
|
Enabling global method security in your project |
|
|
391 | (1) |
|
16.2 Applying preauthorization for authorities and roles |
|
|
392 | (5) |
|
16.3 Applying postauthorization |
|
|
397 | (4) |
|
16.4 Implementing permissions for methods |
|
|
401 | (12) |
|
17 Global method security: Pre- and postfiltering |
|
|
413 | (20) |
|
17.1 Applying prefiltering for method authorization |
|
|
414 | (6) |
|
17.2 Applying postfiltering for method authorization |
|
|
420 | (5) |
|
17.3 Using filtering in Spring Data repositories |
|
|
425 | (8) |
|
18 Hands-on: An OAuth 2 application |
|
|
433 | (34) |
|
18.1 The application scenario |
|
|
434 | (2) |
|
18.2 Configuring Keycloak as an authorization server |
|
|
436 | (17) |
|
Registering a client for our system |
|
|
441 | (1) |
|
|
|
442 | (2) |
|
Adding users and obtaining access tokens |
|
|
444 | (4) |
|
|
|
448 | (5) |
|
18.3 Implementing the resource server |
|
|
453 | (9) |
|
18.4 Testing the application |
|
|
462 | (5) |
|
Proving an authenticated user can only add a record for themself |
|
|
462 | (2) |
|
Proving that a user can only retrieve their own records |
|
|
464 | (1) |
|
Proving that only admins can delete records |
|
|
465 | (2) |
|
19 Spring Security for reactive apps |
|
|
467 | (23) |
|
19.1 What are reactive apps? |
|
|
468 | (5) |
|
19.2 User management in reactive apps |
|
|
473 | (4) |
|
19.3 Configuring authorization rules in reactive apps |
|
|
477 | (9) |
|
Applying authorization at the endpoint layer in reactive apps |
|
|
477 | (7) |
|
Using method security in reactive apps |
|
|
484 | (2) |
|
19.4 Reactive apps and OAuth 2 |
|
|
486 | (4) |
|
20 Spring Security testing |
|
|
490 | (25) |
|
20.1 Using mock users for tests |
|
|
493 | (7) |
|
20.2 Testing with users from a UserDetailsService |
|
|
500 | (1) |
|
20.3 Using custom Authentication objects for testing |
|
|
501 | (4) |
|
20.4 Testing method security |
|
|
505 | (2) |
|
20.5 Testing authentication |
|
|
507 | (3) |
|
20.6 Testing CSRF configurations |
|
|
510 | (1) |
|
20.7 Testing CORS configurations |
|
|
511 | (1) |
|
20.8 Testing reactive Spring Security implementations |
|
|
512 | (3) |
| Appendix A Creating a Spring Boot project |
|
515 | (4) |
| Index |
|
519 | |
Lisainfo e-raamatute kohta