Spring Security 3

Spring Security 3
eBook: $29.99
Formats: PDF, PacktLib, ePub and Mobi formats
save 15%!
Print + free eBook + free PacktLib access to the book: $79.98    Print cover: $49.99
save 6%!
Anytime, Anywhere
Unlimited eBook downloads and up to 50% off the print version!
Free Shipping!
UK, US, Europe and selected countries in Asia.
Also available on:
Table of Contents
Sample Chapters
  • Make your web applications impenetrable.
  • Implement authentication and authorization of users.
  • Integrate Spring Security 3 with common external security providers.
  • Packed full with concrete, simple, and concise examples.

Book Details

Language : English
Paperback : 396 pages [ 235mm x 191mm ]
Release Date : May 2010
ISBN : 1847199747
ISBN 13 : 9781847199744
Author(s) : Peter Mularien
Topics and Technologies : All Books, Application Development, Security and Testing, Java, Open Source

Table of Contents

Chapter 1: Anatomy of an Unsafe Application
Chapter 2: Getting Started with Spring Security
Chapter 3: Enhancing the User Experience
Chapter 4: Securing Credential Storage
Chapter 5: Fine-Grained Access Control
Chapter 6: Advanced Configuration and Extension
Chapter 7: Access Control Lists
Chapter 8: Opening up to OpenID
Chapter 9: LDAP Directory Services
Chapter 10: Single Sign On with Central Authentication Service
Chapter 11: Client Certificate Authentication
Chapter 12: Spring Security Extensions
Chapter 13: Migration to Spring Security 3
Appendix: Additional Reference Material
  • Chapter 1: Anatomy of an Unsafe Application
    • Security audit
    • About the sample application
      • The JBCP pets application architecture
      • Application technology
    • Reviewing the audit results
      • Authentication
      • Authorization
      • Database Credential Security
      • Sensitive Information
      • Transport-Level Protection
    • Using Spring Security 3 to address security concerns
      • Why Spring Security?
    • Summary
  • Chapter 2: Getting Started with Spring Security
    • Core security concepts
      • Authentication
      • Authorization
    • Securing our application in three easy steps
      • Implementing a Spring Security XML configuration file
      • Adding the Spring DelegatingFilterProxy to your web.xml file
      • Adding the Spring Security XML configuration file reference to web.xml
      • Mind the gaps!
        • Common problems
    • Security is complicated: The architecture of secured web requests
      • How requests are processed?
      • What does auto-config do behind the scenes?
      • How users are authenticated?
        • What is spring_security_login and how did we get here?
        • Where do the user's credentials get validated?
        • When good authentication goes bad?
      • How requests are authorized?
        • Configuration of access decision aggregation
        • Access configuration using spring expression language
    • Summary
  • Chapter 3: Enhancing the User Experience
    • Customizing the login page
      • Implementing a custom login page
        • Implementing the login controller
        • Adding the login JSP
        • Configuring Spring Security to use our Spring MVC login page
    • Understanding logout functionality
      • Adding a Log Out link to the site header
      • How logout works
        • Changing the logout URL
        • Logout configuration directives
    • Remember me
      • Implementing the remember me option
      • How remember me works
        • Remember me and the user lifecycle
        • Remember me configuration directives
      • Is remember me secure?
        • Authorization rules differentiating remembered and fully authenticated sessions
        • Building an IP-aware remember me service
        • Customizing the remember me signature
    • Implementing password change management
      • Extending the in-memory credential store to support password change
        • Extending InMemoryDaoImpl with InMemoryChangePasswordDaoImpl
        • Configuring Spring Security to use InMemoryChangePasswordDaoImpl
        • Building a change password page
        • Adding a change password handler to AccountController
        • Exercise notes
    • Summary
  • Chapter 4: Securing Credential Storage
    • Database-backed authentication with Spring Security
      • Configuring a database-resident authentication store
        • Creating the default Spring Security schema
        • Configuring the HSQL embedded database
        • Configuring JdbcDaoImpl authentication store
        • Adding user definitions to the schema
      • How database-backed authentication works
      • Implementing a custom JDBC UserDetailsService
        • Creating a custom JDBC UserDetailsService class
        • Adding a Spring Bean declaration for the custom UserDetailsService
      • Out of the box JDBC-based user management
    • Advanced configuration of JdbcDaoImpl
      • Configuring group-based authorization
        • Configuring JdbcDaoImpl to use groups
        • Modifying the initial load SQL script
        • Modifying the embedded database creation declaration
      • Using a legacy or custom schema with database-resident authentication
        • Determining the correct JDBC SQL queries
        • Configuring the JdbcDaoImpl to use customSQL queries
    • Configuring secure passwords
      • Configuring password encoding
        • Configuring the PasswordEncoder
        • Configuring the AuthenticationProvider
        • Writing the database bootstrap password encoder
        • Configuring the bootstrap password encoder
      • Would you like some salt with that password?
      • Configuring a salted password
        • Declaring the SaltSource Spring bean
        • Wiring the PasswordEncoder to the SaltSource
        • Augmenting DatabasePasswordSecurerBean
      • Enhancing the change password functionality
      • Configuring a custom salt source
        • Extending the database schema
        • Tweaking configuration of the CustomJdbcDaoImpl UserDetails service
        • Overriding the baseline UserDetails implementation
        • Extending the functionality of CustomJdbcDaoImpl
    • Moving remember me to the database
      • Configuring database-resident remember me tokens
        • Adding SQL to create the remember me schema
        • Adding new SQL script to the embedded database declaration
        • Configuring remember me services to persist to the database
      • Are database-backed persistent tokens more secure?
    • Securing your site with SSL
      • Setting up Apache Tomcat for SSL
        • Generating a server key store
        • Configuring Tomcat's SSL Connector
      • Automatically securing portions of the site
        • Secure port mapping
    • Summary
  • Chapter 5: Fine-Grained Access Control
    • Re-thinking application functionality and security
      • Planning for application security
      • Planning user roles
      • Planning page-level security
    • Methods of Fine-Grained authorization
      • Using Spring Security Tag Library to conditionally render content
        • Conditional rendering based on URL access rules
        • Conditional rendering based on Spring EL Expressions
        • Conditionally rendering the Spring Security 2 way
      • Using controller logic to conditionally render content
        • Adding conditional display of the Log In link
        • Populating model data based on user credentials
      • What is the best way to configure in-page authorization?
    • Securing the business tier
      • The basics of securing business methods
        • Adding @PreAuthorize method annotation
        • Instructing Spring Security to use method annotations
        • Validating method security
      • Several flavors of method security
        • JSR-250 compliant standardized rules
        • Method security using Spring's @Secured annotation
        • Method security rules using Aspect Oriented Programming
        • Comparing method authorization types
      • How does method security work?
    • Advanced method security
      • Method security rules using bean decorators
      • Method security rules incorporating method parameters
      • How method parameter binding works
      • Securing method data through Role-based filtering
        • Adding Role-based data filtering with @PostFilter
        • Pre-filtering collections with method @PreFilter
        • Why use a @PreFilter at all?
      • A fair warning about method security
    • Summary
  • Chapter 6: Advanced Configuration and Extension
    • Writing a custom security filter
      • IP filtering at the servlet filter level
        • Writing our custom servlet filter
        • Configuring the IP servlet filter
        • Adding the IP servlet filter to the Spring Security filter chain
    • Writing a custom AuthenticationProvider
      • Implementing simple single sign-on with an AuthenticationProvider
        • Customizing the authentication token
        • Writing the request header processing servlet filter
        • Writing the request header AuthenticationProvider
      • Combining AuthenticationProviders
      • Simulating single sign-on with request headers
      • Considerations when writing a custom AuthenticationProvider
    • Session management and concurrency
      • Configuring session fixation protection
        • Understanding session fixation attacks
        • Preventing session fixation attacks with Spring Security
        • Simulating a session fixation attack
        • Comparing session-fixation-protection options
      • Enhancing user protection with concurrent session control
        • Configuring concurrent session control
        • Understanding concurrent session control
        • Testing concurrent session control
        • Configuring expired session redirect
      • Other benefits of concurrent session control
        • Displaying a count of active users
        • Displaying information about all users
    • Understanding and configuring exception handling
      • Configuring "Access Denied" handling
        • Configuring an "Access Denied" destination URL
        • Adding controller handling of AccessDeniedException
        • Writing the Access Denied page
      • What causes an AccessDeniedException
      • The importance of the AuthenticationEntryPoint
    • Configuring Spring Security infrastructure beans manually
      • A high level overview of Spring Security bean dependencies
      • Reconfiguring the web application
      • Configuring a minimal Spring Security environment
        • Configuring a minimal servlet filter set
        • Configuring a minimal supporting object set
    • Advanced Spring Security bean-based configuration
      • Adjusting factors related to session lifecycle
      • Manual configuration of other common services
        • Declaring remaining missing filters
        • LogoutFilter
        • RememberMeAuthenticationFilter
        • ExceptionTranslationFilter
      • Explicit configuration of the SpEL expression evaluator and Voter
      • Bean-based configuration of method security
      • Wrapping up explicit configuration
      • Which type of configuration should I choose?
    • Authentication event handling
      • Configuring an authentication event listener
        • Declaring required bean dependencies
        • Building a custom application event listener
        • Out of the box ApplicationListeners
      • Multitudes of application events
    • Building a custom implementation of an SpEL expression handler
    • Summary
  • Chapter 7: Access Control Lists
    • Using Access Control Lists for business object security
      • Access Control Lists in Spring Security
    • Basic configuration of Spring Security ACL support
      • Defining a simple target scenario
      • Adding ACL tables to the HSQL database
      • Configuring the Access Decision Manager
      • Configuring supporting ACL beans
      • Creating a simple ACL entry
    • Advanced ACL topics
      • How permissions work
      • Custom ACL permission declaration
      • ACL-Enabling your JSPs with the Spring Security JSP tag library
      • Spring Expression Language support for ACLs
      • Mutable ACLs and authorization
        • Configuring a Spring transaction manager
        • Interacting with the JdbcMutableAclService
      • Ehcache ACL caching
        • Configuring Ehcache ACL caching
        • How Spring ACL uses Ehcache
    • Considerations for a typical ACL deployment
      • About ACL scalability and performance modelling
      • Do not discount custom development costs
      • Should I use Spring Security ACL?
    • Summary
  • Chapter 8: Opening up to OpenID
    • The promising world of OpenID
      • Signing up for an OpenID
    • Enabling OpenID authentication with Spring Security
      • Writing an OpenID login form
      • Configuring OpenID support in Spring Security
      • Adding OpenID users
    • The OpenID user registration problem
      • How OpenID identifiers are resolved
      • Implementing user registration with OpenID
        • Adding the OpenID registration option
        • Differentiating between a login and registration request
        • Configuring a custom authentication failure handler
        • Adding the OpenID registration functionality to the controller
    • Attribute Exchange
      • Enabling AX in Spring Security OpenID
      • Real-world AX support and limitations
      • Google OpenID support
    • Is OpenID secure?
    • Summary
  • Chapter 9: LDAP Directory Services
    • Understanding LDAP
      • LDAP
      • Common LDAP attribute names
      • Running an embedded LDAP server
    • Configuring basic LDAP integration
      • Configuring an LDAP server reference
      • Enabling the LDAP AuthenticationProvider
      • Troubleshooting embedded LDAP
    • Understanding how Spring LDAP authentication works
      • Authenticating user credentials
      • Determining user role membership
      • Mapping additional attributes of UserDetails
    • Advanced LDAP configuration
      • Sample JBCP LDAP users
      • Password comparison versus Bind authentication
        • Configuring basic password comparison
        • LDAP password encoding and storage
        • The drawbacks of a Password Comparison Authenticator
      • Configuring the UserDetailsContextMapper
        • Implicit configuration of a UserDetailsContextMapper
        • Viewing additional user details
      • Using an alternate password attribute
      • Using LDAP as a UserDetailsService
        • Notes about remember me with an LDAP UserDetailsService
        • Configuration for an In-Memory remember me service
    • Integrating with an external LDAP server
    • Explicit LDAP bean configuration
      • Configuring an external LDAP server reference
      • Configuring an LdapAuthenticationProvider
      • Integrating with Microsoft Active Directory via LDAP
      • Delegating role discovery to a UserDetailsService
    • Summary
  • Chapter 10: Single Sign On with Central Authentication Service
    • Introducing Central Authentication Service
      • High level CAS authentication flow
      • Spring Security and CAS
      • CAS installation and configuration
    • Configuring basic CAS integration
      • Adding the CasAuthenticationEntryPoint
      • Enabling CAS ticket verification
      • Proving authenticity with the CasAuthenticationProvider
    • Advanced CAS configuration
      • Retrieval of attributes from CAS assertion
        • How CAS internal authentication works
        • Configuring CAS to connect to our embedded LDAP server
        • Getting UserDetails from a CAS assertion
        • Examining the CAS assertion
        • Mapping LDAP attributes to CAS attributes
        • Finally, returning the attributes in the CAS assertion
        • Alternative Ticket authentication using SAML 1.1
      • How is Attribute Retrieval useful?
      • Additional CAS capabilities
    • Summary
  • Chapter 11: Client Certificate Authentication
    • How Client Certificate authentication works
    • Setting up a Client Certificate authentication infrastructure
      • Understanding the purpose of a public key infrastructure
      • Creating a client certificate key pair
      • Configuring the Tomcat trust store
      • Importing the certificate key pair into a browser
        • Using Firefox
        • Using Internet Explorer
      • Wrapping up testing
      • Troubleshooting Client Certificate authentication
    • Configuring Client Certificate authentication in Spring Security
      • Configuring Client Certificate authentication using the security namespace
      • How Spring Security uses certificate information
      • How Spring Security certificate authentication works
      • Other loose ends
      • Supporting Dual-Mode authentication
    • Configuring Client Certificate authentication using Spring Beans
      • Additional capabilities of bean-based configuration
    • Considerations when implementing Client Certificate authentication
    • Summary
  • Chapter 12: Spring Security Extensions
    • Spring Security Extensions
    • A primer on Kerberos and SPNEGO authentication
    • Kerberos authentication in Spring Security
      • Overall Kerberos Spring Security authentication flow
      • Getting prepared
        • Assumptions for our examples
        • Creating a keytab file
      • Configuring Kerberos-related Spring beans
      • Wiring SPNEGO beans to the security namespace
      • Adding the Application Server machine to a Kerberos realm
      • Special considerations for Firefox users
      • Troubleshooting
        • Verifying connectivity with standard tools
        • Enabling Java GSS-API debugging
        • Other troubleshooting steps
    • Configuring LDAP UserDetailsService with Kerberos
    • Using form login with Kerberos
    • Summary
  • Chapter 13: Migration to Spring Security 3
    • Migrating from Spring Security 2
    • Enhancements in Spring Security 3
    • Changes to configuration in Spring Security 3
      • Rearranged AuthenticationManager configuration
      • New configuration syntax for session management options
      • Changes to custom filter configuration
      • Changes to CustomAfterInvocationProvider
      • Minor configuration changes
    • Changes to packages and classes
    • Summary
  • Appendix: Additional Reference Material
    • Getting started with JBCP Pets sample code
    • Available application events
    • Spring Security virtual URLs
    • Method security explicit bean configuration
    • Logical filter names migration reference

Peter Mularien

Peter Mularien is an experienced software architect and engineer, and the author of the book Spring Security 3, Packt Publishing. Peter currently works for a large financial services company and has over 12 years consulting and product experience in Java, Spring, Oracle, and many other enterprise technologies. He is also the reviewer of this book.

Code Downloads

Download the code and support files for this book.

Submit Errata

Please let us know if you have found any errors not listed on this list by completing our errata submission form. Our editors will check them and add them to this list. Thank you.


- 1 submitted: last submission 06 Dec 2012

Errata type: Typo | Page number: 28 and 36

should be: <filter-class>


Sample chapters

You can view our sample chapters and prefaces of this title on PacktLib or download sample chapters in PDF format.

Frequently bought together

Spring Security 3 +    SAP HCM - A Complete Tutorial =
50% Off
the second eBook
Price for both: $45.60

Buy both these recommended eBooks together and get 50% off the cheapest eBook.

What you will learn from this book

  • Recognize design flaws that will make your applications unsafe.
  • Implement basic authorization and credential storage.
  • Move seamlessly from Spring Security 2 to Spring Security 3.
  • Provide Enterprise adaptability with LDAP, Active Directory, and NTLM.
  • Push the Boundaries of Spring Security 3 through Extension and Customization.
  • Integrate in-house applications and popular Java frameworks with Spring Security 3.
  • Plan the configuration of Spring Security 3 to accommodate the authentication and authorization requirements of your application.

In Detail

Security is of critical importance to all web applications. Vulnerable applications are easy prey for hackers. This book is the perfect tool for Java developers looking to repel attacks against their web applications using the proven Spring Security library to achieve this.

A comprehensive guide to Spring Security 3. You will learn through real world business scenarios how to guard against the latest threats. You will also learn to combine Spring Security 3 with external security providers such as LDAP, OpenID, CAS, Kerberos, and Active Directory.

The book starts by giving an overview of security concepts and techniques, as well as setup and configuration. The book then gets you working with a JSP based web application that implements a simple e-commerce website. At this point you will progressively enhance the application giving you hands on experience implementing features of Spring Security 3 in real world business scenarios.

The second half of the book is devoted to common integration scenarios that you will come accross every day. At this stage you will be in a position to solve specific, complex integration problems. The book will end by showing migration from Spring Security 2 to 3.

This practical guide will show you how to implement Spring Security 3 and protect your applications from being breached using a combination of real world, straightforward examples.


The book starts by teaching the basic fundamentals of Spring Security 3 such as setup and configuration. Later it looks at more advanced topics showing the reader how to solve complex real world security issues.

Who this book is for

This book is for Java developers who build web projects and applications. The book assumes basic familiarity with Java, XML and the Spring Framework. Newcomers to Spring Security will still be able to utilize all aspects of this book.

Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software