Spring Security 3.1

Spring Security 3.1
eBook: $29.99
Formats: PDF, PacktLib, ePub and Mobi formats
save 15%!
Print + free eBook + free PacktLib access to the book: $79.98    Print cover: $49.99
save 6%!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Table of Contents
Sample Chapters
  • Learn to leverage the power of Spring Security to keep intruders at bay through simple examples that illustrate real world problems
  • Each sample demonstrates key concepts allowing you to build your knowledge of the architecture in a practical and incremental way
  • Filled with samples that clearly illustrate how to integrate with the technologies and frameworks of your choice

Book Details

Language : English
Paperback : 456 pages [ 235mm x 191mm ]
Release Date : December 2012
ISBN : 1849518262
ISBN 13 : 9781849518260
Author(s) : Robert Winch, Peter Mularien
Topics and Technologies : All Books, Application Development, Java, Open Source

Table of Contents

Chapter 1: Anatomy of an Unsafe Application
Chapter 2: Getting Started with Spring Security
Chapter 3: Custom Authentication
Chapter 4: JDBC-based Authentication
Chapter 5: LDAP Directory Services
Chapter 6: Remember-me Services
Chapter 7: Client Certificate Authentication
Chapter 8: Opening up to OpenID
Chapter 9: Single Sign-on with Central Authentication Service
Chapter 10: Fine-grained Access Control
Chapter 11: Access Control Lists
Chapter 12: Custom Authorization
Chapter 13: Session Management
Chapter 14: Integrating with Other Frameworks
Chapter 15: Migration to Spring Security 3.1
Appendix: Additional Reference Material
  • Chapter 1: Anatomy of an Unsafe Application
    • Security audit
    • About the sample application
    • The JBCP calendar application architecture
    • Application technology
    • Reviewing the audit results
    • Authentication
    • Authorization
    • Database credential security
    • Sensitive information
    • Transport-level protection
    • Using Spring Security 3.1 to address security concerns
    • Why Spring Security
    • Summary
    • Chapter 2: Getting Started with Spring Security
      • Hello Spring Security
        • Importing the sample application
        • Updating your dependencies
          • Using Spring 3.1 and Spring Security 3.1
        • Implementing a Spring Security XML configuration file
        • Updating your web.xml file
          • ContextLoaderListener
          • ContextLoaderListener versus DispatcherServlet
          • springSecurityFilterChain
          • DelegatingFilterProxy
          • FilterChainProxy
        • Running a secured application
        • Common problems
      • A little bit of polish
        • Customizing login
          • Configuring logout
          • The page isn't redirecting properly
          • Basic role-based authorization
          • Expression-based authorization
          • Conditionally displaying authentication information
          • Customizing the behavior after login
      • Summary
      • Chapter 3: Custom Authentication
        • JBCP Calendar architecture
          • CalendarUser
          • Event
          • CalendarService
          • UserContext
          • SpringSecurityUserContext
        • Logging in new users using SecurityContextHolder
          • Managing users in Spring Security
          • Logging in a new user to an application
          • Updating SignupController
        • Creating a custom UserDetailsService object
          • CalendarUserDetailsService
          • Configuring UserDetailsService
          • Removing references to UserDetailsManager
          • CalendarUserDetails
          • SpringSecurityUserContext simplifications
            • Displaying custom user attributes
        • Creating a custom AuthenticationProvider object
          • CalendarUserAuthenticationProvider
          • Configuring CalendarUserAuthenticationProvider
          • Authenticating with different parameters
            • DomainUsernamePasswordAuthenticationToken
            • Updating CalendarUserAuthenticationProvider
            • Adding domain to the login page
            • DomainUsernamePasswordAuthenticationFilter
            • Updating our configuration
        • Which authentication method to use
        • Summary
        • Chapter 4: JDBC-based Authentication
          • Using Spring Security's default JDBC authentication
            • Required dependencies
            • Using the H2 database
            • Provided JDBC scripts
            • Configuring the H2-embedded database
            • Configuring JDBC UserDetailsManager
            • Spring Security's default user schema
            • Defining users
            • Defining user authorities
          • UserDetailsManager
            • What other features does UserDetailsManager provide out of the box
          • Group-based access control
            • Configuring group-based access control
            • Configuring JdbcUserDetailsManager to use groups
            • Utilize the GBAC JDBC scripts
              • Group-based schema
              • Group authority mappings
          • Support for a custom schema
            • Determining the correct JDBC SQL queries
            • Updating the SQL scripts that are loaded
            • CalendarUser authority SQL
            • Insert custom authorities
            • Configuring the JdbcUserDetailsManager to use custom SQL queries
          • Configuring secure passwords
            • PasswordEncoder
            • Configuring password encoding
              • Configuring the PasswordEncoder
              • Making Spring Security aware of the PasswordEncoder
              • Hashing the stored passwords
              • Hashing a new user's passwords
            • Not quite secure
            • Would you like some salt with that password
              • Using salt in Spring Security
          • Summary
          • Chapter 5: LDAP Directory Services
            • Understanding LDAP
            • LDAP
            • Common LDAP attribute names
            • Updating our dependencies
            • Configuring embedded LDAP integration
            • Configuring an LDAP server reference
              • Enabling the LDAP AuthenticationProviderNext interface
            • Troubleshooting embedded LDAP
            • Understanding how Spring LDAP authentication works
            • Authenticating user credentials
              • Demonstrating authentication with Apache Directory Studio
            • Binding anonymously to LDAP
            • Searching for the user
            • Binding as a user to LDAP
            • Determining user role membership
              • Determining roles with Apache Directory Studio
            • Mapping additional attributes of UserDetails
            • Advanced LDAP configuration
            • Sample JBCP LDAP users
              • Password comparison versus bind authentication
            • Configuring basic password comparison
            • LDAP password encoding and storage
              • The drawbacks of a password comparison authenticator
            • Configuring UserDetailsContextMapper
              • Implicit configuration of UserDetailsContextMapper
            • Viewing additional user details
            • Using an alternate password attribute
            • Using LDAP as UserDetailsService
            • Configuring LdapUserDetailsService
              • Updating AccountController to use LdapUserDetailsService
            • Integrating with an external LDAP server
            • Explicit LDAP bean configuration
              • Configuring an external LDAP server reference
            • Configuring LdapAuthenticationProvider
              • Delegating role discovery to UserDetailsService
            • Integrating with Microsoft Active Directory via LDAP
              • Built-In Active Directory support in Spring Security 3.1
            • Summary
            • Chapter 6: Remember-me Services
              • What is remember-me
              • Dependencies
              • The token-based remember-me feature
                • Configuring the token-based remember-me feature
                • How the token-based remember-me feature works
                  • MD5
                  • Remember-me signature
                • Token-based remember-me configuration directives
              • Is remember-me secure
                • Authorization rules for remember-me
              • Persistent remember-me
                • Using the persistent-based remember-me feature
                  • Adding SQL to create the remember-me schema
                  • Initializing the data source with the remember-me schema
                  • Configuring the persistent-based remember-me feature
                • How does the persistent-based remember-me feature work
                • Are database-backed persistent tokens more secure
                • Cleaning up the expired remember-me sessions
              • Remember-me architecture
                • Remember-me and the user lifecycle
              • Restricting the remember-me feature to an IP address
                • Custom cookie and HTTP parameter names
              • Summary
              • Chapter 7: Client Certificate Authentication
                • How client certificate authentication works
                • Setting up client certificate authentication infrastructure
                  • Understanding the purpose of a public key infrastructure
                  • Creating a client certificate key pair
                  • Configuring the Tomcat trust store
                  • Importing the certificate key pair into a browser
                    • Using Firefox
                    • Using Chrome
                    • Using Internet Explorer
                  • Wrapping up testing
                  • Troubleshooting client certificate authentication
                • Configuring client certificate authentication in Spring Security
                  • Configuring client certificate authentication using the security namespace
                  • How Spring Security uses certificate information
                  • How Spring Security certificate authentication works
                    • Handling unauthenticated requests with AuthenticationEntryPoint
                    • Supporting dual-mode authentication
                • Configuring client certificate authentication using Spring Beans
                  • Additional capabilities of bean-based configuration
                • Considerations when implementing Client Certificate authentication
                • Summary
                • Chapter 8: Opening up to OpenID
                  • The promising world of OpenID
                  • Signing up for an OpenID
                  • Enabling OpenID authentication with Spring Security
                  • Additional required dependencies
                    • Configuring OpenID support in Spring Security
                    • Adding OpenID users
                    • CalendarUserDetailsService lookup by OpenID
                  • The OpenID user registration problem
                    • How are OpenID identifiers resolved
                  • Implementing user registration with OpenID
                    • Registering OpenIDAuthenticationUserDetailsService
                  • Attribute Exchange
                    • Enabling AX in Spring Security OpenID
                    • Configuring different attributes for each OpenID Provider
                  • Usability enhancements
                  • Automatic redirection to the OpenID Provider
                    • Conditional automatic redirection
                  • Is OpenID Secure
                  • Summary
                  • Chapter 9: Single Sign-on with Central Authentication Service
                    • Introducing Central Authentication Service
                      • High-level CAS authentication flow
                      • Spring Security and CAS
                      • Required dependencies
                      • CAS installation and configuration
                    • Configuring basic CAS integration
                      • Creating the CAS ServiceProperties object
                      • Adding the CasAuthenticationEntryPoint
                      • Enabling CAS ticket verification
                      • Proving authenticity with the CasAuthenticationProvider
                    • Single logout
                      • Configuring single logout
                      • Clustered environments
                    • Proxy ticket authentication for stateless services
                      • Configuring proxy ticket authentication
                      • Using proxy tickets
                      • Authenticating proxy tickets
                    • Customizing the CAS Server
                      • CAS Maven WAR Overlay
                      • How CAS internal authentication works
                      • Configuring CAS to connect to our embedded LDAP server
                    • Getting UserDetails from a CAS assertion
                      • Returning LDAP attributes in the CAS Response
                        • Mapping LDAP attributes to CAS attributes
                        • Authorizing CAS Services to access custom attributes
                      • Getting UserDetails from a CAS assertion
                        • GrantedAuthorityFromAssertionAttributesUser Details Service
                        • Alternative ticket authentication using SAML 1.1
                      • How is attribute retrieval useful
                    • Additional CAS capabilities
                    • Summary
                    • Chapter 10: Fine-grained Access Control
                      • Maven dependencies
                      • Spring Expression Language (SpEL) integration
                        • WebSecurityExpressionRoot
                          • Using the request attribute
                          • Using hasIpAddress
                        • MethodSecurityExpressionRoot
                      • Page-level authorization
                        • Conditional rendering with Spring Security tag library
                          • Conditional rendering based on URL access rules
                          • Conditional rendering using SpEL
                        • Using controller logic to conditionally render content
                          • WebInvocationPrivilegeEvaluator
                        • What is the best way to configure in-page authorization
                      • Method-level security
                        • Why we secure in layers
                        • Securing the business tier
                          • Adding @PreAuthorize method annotation
                          • Instructing Spring Security to use method annotations
                          • Validating method security
                          • Interface-based proxies
                          • JSR-250 compliant standardized rules
                          • Method security using Spring's @Secured annotation
                          • Method security rules using aspect-oriented programming
                          • Method security rules using bean decorators
                          • Method security rules incorporating method parameters
                          • Method security rules incorporating returned values
                          • Securing method data through role-based filtering
                          • Pre-filtering collections with @PreFilter
                          • Comparing method authorization types
                        • Practical considerations for annotation-based security
                        • Method security on Spring MVC controllers
                          • Class-based proxies
                          • Class-based proxy limitations
                      • Summary
                      • Chapter 11: Access Control Lists
                        • Using access control lists for business object security
                          • Access control lists in Spring Security
                        • Basic configuration of Spring Security ACL support
                          • Maven dependencies
                          • Defining a simple target scenario
                          • Adding ACL tables to the H2 database
                          • Configuring SecurityExpressionHandler
                            • AclPermissionCacheOptimizer
                            • PermissionEvaluator
                            • JdbcMutableAclService
                            • BasicLookupStrategy
                            • EhCacheBasedAclCache
                            • ConsoleAuditLogger
                            • AclAuthorizationStrategyImpl
                          • Creating a simple ACL entry
                        • Advanced ACL topics
                          • How permissions work
                        • Custom ACL permission declaration
                          • Enabling your JSPs with the Spring Security JSP tag library through ACL
                        • Mutable ACLs and authorization
                          • Adding ACLs to newly created Events
                        • Considerations for a typical ACL deployment
                          • About ACL scalability and performance modelling
                          • Do not discount custom development costs
                        • Should I use Spring Security ACL
                        • Summary
                        • Chapter 12: Custom Authorization
                          • How requests are authorized
                            • Configuration of access decision aggregation
                          • Configuring to use a UnanimousBased access decision manager
                            • Expression-based request authorization
                          • Customizing request authorization
                            • Dynamically defining access control to URLs
                              • JdbcRequestConfigMappingService
                              • FilterInvocationServiceSecurityMetadataSource
                              • BeanPostProcessor to extend namespace configuration
                              • Removing our <intercept-url> elements
                            • Creating a custom expression
                              • CustomWebSecurityExpressionRoot
                              • CustomWebSecurityExpressionHandler
                              • Configuring and using CustomWebSecurityExpressionHandler
                            • How does method security work
                          • Creating a custom PermissionEvaluator
                            • CalendarPermissionEvaluator
                            • Configuring CalendarPermissionEvaluator
                            • Securing our CalendarService
                            • Benefits of a custom PermissionEvaluator
                          • Summary
                          • Chapter 13: Session Management
                            • Configuring session fixation protection
                              • Understanding session fixation attacks
                              • Preventing session fixation attacks with Spring Security
                              • Simulating a session fixation attack
                              • Comparing session-fixation-protection options
                            • Restricting the number of concurrent sessions per user
                              • Configuring concurrent session control
                              • Understanding concurrent session control
                              • Testing concurrent session control
                              • Configuring expired session redirect
                              • Common problems with concurrency control
                              • Preventing authentication instead of forcing logout
                              • Other benefits of concurrent session control
                                • Displaying active sessions for a user
                            • How Spring Security uses the HttpSession
                              • HttpSessionSecurityContextRepository
                              • Configuring how Spring Security uses HttpSession
                              • Debugging with Spring Security's DebugFilter
                            • Summary
                            • Chapter 14: Integrating with Other Frameworks
                              • Integrating with Java Server Faces (JSF)
                                • Customizations to support AJAX
                                  • DelegatingAuthenticationEntryPoint
                                  • AjaxRequestMatcher
                                  • Http401EntryPoint
                                  • Configuration updates
                                  • JavaScript updates
                                • Proxy-based authorization with JSF
                                • Custom login page in JSF
                                • Spring Security Facelets tag library
                              • Google Web Toolkit (GWT) integration
                                • Spring Roo and GWT
                                • Spring Security setup
                                • GwtAuthenticationEntryPoint
                                • GWT client updates
                                  • AuthRequestTransport
                                  • AuthRequiredEvent
                                  • LoginOnAuthRequired
                                • Configuring GWT
                                • Spring Security configuration
                                • Method security
                                  • Method security with Spring Roo
                                  • Authorization with AspectJ
                              • Summary
                              • Chapter 15: Migration to Spring Security 3.1
                                • Migrating from Spring Security 2
                                • Enhancements in Spring Security 3
                                • Changes to configuration in Spring Security 3
                                  • Rearranged AuthenticationManager configuration
                                  • New configuration syntax for session management options
                                  • Changes to custom filter configuration
                                • Changes to CustomAfterInvocationProvider
                                  • Minor configuration changes
                                • Changes to packages and classes
                                • Updates in Spring Security 3.1
                                • Summary
                                • Appendix: Additional Reference Material
                                  • Getting started with the JBCP Calendar sample code
                                    • Creating a new workspace
                                    • Sample code structure
                                    • Importing the samples
                                    • Running the samples in Spring Tool Suite
                                      • Creating a Tomcat v7.0 server
                                      • Starting the samples within Spring Tool Suite
                                      • Shutting down the samples within Spring Tool Suite
                                      • Removing previous versions of the samples
                                      • Using HTTPS within Spring Tool Suite
                                  • Default URLs processed by Spring Security
                                  • Logical filter names migration reference
                                  • HTTPS setup in Tomcat
                                    • Generating a server certificate
                                    • Configuring Tomcat Connector to use SSL
                                  • Basic Tomcat SSL termination guide
                                  • Supplimentary materials

                                  Robert Winch

                                  Robert Winch is currently a Senior Software Engineer at VMware and is the project lead of the Spring Security framework. In the past he has worked as a Software Architect at Cerner, the largest provider of electronic medical systems in the US. Throughout his career he has developed hands on experience in integrating Spring Security with an array of security standards (i.e. LDAP, SAML, CAS, OAuth, etc). Before he was employed at Cerner, he worked as an independent web contractor in proteomics research at Loyola University, Chicago, and on the Globus Toolkit at Argonne National Laboratory.

                                  Peter Mularien

                                  Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.

                                  Sorry, we don't have any reviews for this title yet.

                                  Code Downloads

                                  Download the code and support files for this book.

                                  Submit Errata

                                  Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.


                                  - 1 submitted: last submission 28 Mar 2013

                                  Errata type: Code| Page number: 115 | Errata date: 25-2-2013


                                  Enter the DN from our search result as Bind DN. The value should be      
                                  However the DN from the search result (from page 114) is "DN:  
                                  We cannot use admin1 to successfully authenticate



                                  Sample chapters

                                  You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

                                  Frequently bought together

                                  Spring Security 3.1 +    Microsoft Dynamics GP 2013 Reporting - Second Edition =
                                  50% Off
                                  the second eBook
                                  Price for both: $45.60

                                  Buy both these recommended eBooks together and get 50% off the cheapest eBook.

                                  What you will learn from this book

                                  • Understand common security vulnerabilities and how to resolve them
                                  • Implement authentication and authorization
                                  • Learn to utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, and CAS
                                  • Integrate with popular frameworks such as Spring, JSF, GWT, Maven, and Spring Roo
                                  • Architect solutions that leverage the full power of Spring Security while remaining loosely coupled
                                  • Implement common scenarios such as supporting existing user stores, user sign up, and supporting AJAX requests

                                  In Detail

                                  Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressure concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework.

                                  "Spring Security 3.1" is an incremental guide that will teach you how to protect your application from malicious users. You will learn how to cleanly integrate Spring Security into your application using the latest technologies and frameworks with the help of detailed examples.

                                  This book is centred around a security audit of an insecure application and then modifying the sample to resolve the issues found in the audit.

                                  The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It concludes with tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included.

                                  "Spring Security 3.1" will ensure that integrating with Spring Security is seamless from start to finish.


                                  This practical step-by-step tutorial has plenty of example code coupled with the necessary screenshots and clear narration so that grasping content is made easier and quicker.

                                  Who this book is for

                                  This book is intended for Java web developers and assumes a basic understanding of creating Java web applications, XML, and the Spring Framework. You are not assumed to have any previous experience with Spring Security.

                                  Code Download and Errata
                                  Packt Anytime, Anywhere
                                  Register Books
                                  Print Upgrades
                                  eBook Downloads
                                  Video Support
                                  Contact Us
                                  Awards Voting Nominations Previous Winners
                                  Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
                                  Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software