Spring Security

The Spring Security Training Course is designed to provide developers and IT professionals with comprehensive knowledge and practical skills in implementing security measures within Java applications using the Spring Security framework. This course covers essential concepts and advanced techniques to secure web applications effectively. The theory is supported via numerous code examples.

This course covers the following:

1. Theoretical foundations of restricting access to Enterprise applications
2. Overview of the Spring Security framework, its architecture, and core components.
3. X509 authentication, SSL certificates
4. Setting Spring Security configuration in practice. Configuring security using XML and Java annotations, integrating with Spring Boot.
5. Securing Web Applications: Protecting web applications, including form-based login, session management, and CSRF protection.
6. Using Spring Security to restrict access to various parts of the application, i.e.
1. using URL-based authorization
2. securing service layer methods using annotations and AOP
3. Doman Objects Security (ACL)
7. Using JWT tokens, the OAuth protocol
8. Using Spring Authorization Server
9. Integrating Spring Security with Keycloak server
10. Developing resource servers

Plus, the course includes numerous practical tasks.

The trainee after the course:

• Will understand the fundamentals of enterprise application security
• Will know and use the implementations of security mechanisms provided by Spring Security
• Will be acquainted with Spring Security abstractions for implementing their own security mechanisms.

Learning Objectives:

• Gain a thorough understanding of Spring Security's capabilities and features.
• Learn to implement robust authentication and authorization mechanisms.
• Acquire the skills to secure web applications against common security threats.
• Understand how to integrate Spring Security with various authentication providers and protocols.
• Develop the ability to customize and extend Spring Security to meet specific application requirements.

1. Introduction to Spring Security – 2h (theory – 2h, practice – 1h)

a. Security Tasks

b. Identification, Authentication, Authorization

c. Examples of Spring Security Configuration

d. Hands-on Lab “Spring Security Overview”

e. Spring Security Capabilities

2. Authentication – 12h (theory – 8h, practice – 3h)

• HTTP Basic Authentication

• Hands-on Lab “Setting HTTP Basic Authentication”

• Deny-by-Default / Allow-by-Default

• Main Abstractions of Spring Security

• Hands-on Lab “Adding the User Storage”

• Integration with Web, Authentication in a Web Application

• Servlets API, DelegatingFilterProxy, FilterChain, Spring Security Filters

• Form-based Authentication

• Tokens vs. Session Key

• CORS, CSRF, CSRF Token, XSS

• Hands-on Lab “Login Form”

• Anonymous Authentication

• Hands-on Lab “Adding Anonymous Authentication”

• Remember-Me Authentication

• Persistent Tokens

• Hash-based Tokens

• JWT

• Hands-on Lab “Hash-based Tokens”

• X509 Authentication

• Hands-on Lab “Authentication with X509 Certificates”

3. Authorization – 4h (theory – 3h, practice – 2h)

• Spring Security Authorization Abstractions

• URL-based Authorization

• Method-based Authorization

• @Secured, @Pre/@Post Annotations

• Domain Objects Security (ACL)

• Hands-on Lab “ACL and Method-based Authorization”

4. OAuth 2.0 – 2h and Authorization servers (theory – 3h, practice – 2h)

• OAuth 2.0 Roles

• Access and Refresh Tokens

• Grant Type: Authorization Code

• Grant Type: Password

• Grant Type: Client Credentials

• Spring authorization server

• Keycloak authorization server

• Implementing resource servers

• Lab: creating a resource server using an authorization server

Total: theory – 16h, practice – 8h