Spring Security: Secure your web applications, RESTful services, and microservice architectures
Learn how to secure your Java applications from hackers using Spring Security 4.2.

About This Book: Architect solutions that leverage the full power of Spring Security while remaining loosely coupled. Implement various scenarios such as supporting existing user stores, user sign up, authentication, an...
| Other authors: | , , |
|---|---|
| Format: | E-book |
| Language: | English |
| Published: | Birmingham, England ; Mumbai, [India] : Packt Publishing, 2017. |
| Edition: | Third edition |
| Subjects: | |
| View at Universitat Ramon Llull Library: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009630131906719 |

Table of Contents:
- Cover
- Copyright
- Credits
- About the Authors
- About the Reviewers
- www.Packtpub.com
- Customer Feedback
- Table of Contents
- Preface
- Chapter 1: Anatomy of an Unsafe Application
- Security audit
- About the sample application
- The JBCP calendar application architecture
- Application technology
- Reviewing the audit results
- Authentication
- Authorization
- Database credential security
- Sensitive information
- Transport-level protection
- Using Spring Security 4.2 to address security concerns
- Why Spring Security?
- Summary
- Chapter 2: Getting Started with Spring Security
- Hello Spring Security
- Importing the sample application
- Updating your dependencies
- Using Spring 4.3 and Spring Security 4.2
- Implementing a Spring Security XML configuration file
- Updating your web.xml file
- The ContextLoaderListener class
- ContextLoaderListener versus DispatcherServlet
- The springSecurityFilterChain filter
- The DelegatingFilterProxy class
- The FilterChainProxy class
- Running a secured application
- Common problems
- A little bit of polish
- Customizing login
- Configuring logout
- The page isn't redirecting properly
- Basic role-based authorization
- Expression-based authorization
- Conditionally displaying authentication information
- Customizing behavior after login
- Summary
- Chapter 3: Custom Authentication
- JBCP calendar architecture
- The CalendarUser object
- The Event object
- The CalendarService interface
- The UserContext interface
- The SpringSecurityUserContext interface
- Logging in new users using SecurityContextHolder
- Managing users in Spring Security
- Logging in a new user to an application
- Updating SignupController
- Creating a custom UserDetailsService object
- The CalendarUserDetailsService class
- Configuring UserDetailsService
- Removing references to UserDetailsManager
- The CalendarUserDetails object
- The SpringSecurityUserContext simplifications
- Displaying custom user attributes
- Creating a custom AuthenticationProvider object
- CalendarUserAuthenticationProvider
- Configuring the CalendarUserAuthenticationProvider object
- Authenticating with different parameters
- The DomainUsernamePasswordAuthenticationToken class
- Updating CalendarUserAuthenticationProvider
- Adding domain to the login page
- The DomainUsernamePasswordAuthenticationFilter class
- Updating our configuration
- Which authentication method to use?
- Summary
- Chapter 4: JDBC-Based Authentication
- Required dependencies
- Using the H2 database
- Provided JDBC scripts
- Configuring the H2 embedded database
- Configuring a JDBC UserDetailsManager implementation
- The default user schema of Spring Security
- Defining users
- Defining user authorities
- The UserDetailsManager interface
- Group-based access control
- Configuring group-based access control
- Configuring JdbcUserDetailsManager to use groups
- Utilizing GBAC JDBC scripts
- The group-based schema
- Group authority mappings
- Support for a custom schema
- Determining the correct JDBC SQL queries
- Updating the SQL scripts that are loaded
- The CalendarUser authority SQL
- Inserting custom authorities
- Configuring JdbcUserDetailsManager to use custom SQL queries
- Configuring secure passwords
- The PasswordEncoder method
- Configuring password encoding
- Configuring the PasswordEncoder method
- Making Spring Security aware of the PasswordEncoder method
- Hashing the stored passwords
- Hashing the passwords of new users
- Not quite secure
- Using salt in Spring Security
- Updating the Spring Security configuration
- Migrating existing passwords
- Updating DefaultCalendarUserService
- Trying out the salted passwords
- Summary
- Chapter 5: Authentication with Spring Data
- Spring Data JPA
- Updating our dependencies
- Updating the JBCP calendar to use Spring Data JPA
- Reconfiguring the database configuration
- Initializing the database
- Refactoring from SQL to ORM
- Mapping domain objects using JPA
- Spring Data repositories
- Data access objects
- Application services
- The UserDetailsService object
- Refactoring from an RDBMS to a document database
- Document database implementation with MongoDB
- Updating our dependencies
- Reconfiguring the database configuration in MongoDB
- Initializing the MongoDB database
- Mapping domain objects with MongoDB
- Spring Data repositories of MongoDB
- Data access objects in MongoDB
- Summary
- Chapter 6: LDAP Directory Services
- Understanding LDAP
- LDAP
- Common LDAP attribute names
- Updating our dependencies
- Configuring an LDAP server reference
- Enabling the LDAP AuthenticationProvider interface
- Troubleshooting embedded LDAP
- Understanding how Spring LDAP authentication works
- Authenticating user credentials
- Demonstrating authentication with Apache Directory Studio
- Binding anonymously to LDAP
- Searching for the user
- Binding as a user to LDAP
- Determining user role membership
- Determining roles with Apache Directory Studio
- Mapping additional attributes of UserDetails
- Advanced LDAP configuration
- Sample JBCP LDAP users
- Password comparison versus bind authentication
- Configuring basic password comparison
- LDAP password encoding and storage
- The drawbacks of a password comparison authenticator
- Configuring the UserDetailsContextMapper object
- Implicit configuration of UserDetailsContextMapper
- Viewing additional user details
- Using an alternate password attribute
- Using LDAP as UserDetailsService
- Configuring LdapUserDetailsService
- Updating AccountController to use LdapUserDetailsService
- Integrating Spring Security with an external LDAP server
- Explicit LDAP bean configuration
- Configuring an external LDAP server reference
- Configuring the LdapAuthenticationProvider interface
- Delegating role discovery to UserDetailsService
- Integrating with Microsoft Active Directory via LDAP
- Built-in AD support in Spring Security 4.2
- Summary
- Chapter 7: Remember-Me Services
- What is remember-me?
- Dependencies
- The token-based remember-me feature
- Configuring the token-based remember-me feature
- How the token-based remember-me feature works
- MD5
- Remember-me signature
- Token-based remember-me configuration directives
- Is remember-me secure?
- Authorization rules for remember-me
- Persistent remember-me
- Using the persistent-based remember-me feature
- Adding SQL to create the remember-me schema
- Initializing the data source with the remember-me schema
- Configuring the persistent-based remember-me feature
- How does the persistent-based remember-me feature work?
- JPA-based PersistentTokenRepository
- Custom RememberMeServices
- Cleaning up the expired remember-me sessions
- The remember-me architecture
- Remember-me and the user life cycle
- Restricting the remember-me feature to an IP address
- Custom cookie and HTTP parameter names
- Summary
- Chapter 8: Client Certificate Authentication with TLS
- How does client certificate authentication work?
- Setting up the client certificate authentication infrastructure
- Understanding the purpose of a public key infrastructure
- Creating a client certificate key pair
- Configuring the Tomcat trust store
- Configuring Tomcat in Spring Boot
- Importing the certificate key pair into a browser
- Using Firefox
- Using Chrome
- Using Internet Explorer
- Wrapping up testing
- Troubleshooting client certificate authentication
- Configuring client certificate authentication in Spring Security
- Configuring client certificate authentication using the security namespace
- How does Spring Security use certificate information?
- How Spring Security certificate authentication works
- Handling unauthenticated requests with AuthenticationEntryPoint
- Supporting dual-mode authentication
- Configuring client certificate authentication using Spring beans
- Additional capabilities of bean-based configuration
- Considerations when implementing client certificate authentication
- Summary
- Chapter 9: Opening up to OAuth 2
- The promising world of OAuth 2
- Signing up for an OAuth 2 application
- Enabling OAuth authentication with Spring Security
- Additional required dependencies
- Configuring OAuth 2 support in Spring Security
- Local UserConnectionRepository
- Creating local database entries for provider details
- The custom UserConnectionRepository interface
- The ConnectionSignup flow
- Executing the OAuth 2 provider connection workflow
- Adding OAuth 2 users
- OAuth 2 controller sign-in flow
- Automatic user authentication
- Additional OAuth 2 providers
- The OAuth 2 user registration problem
- Registering non-standard OAuth 2 providers
- Is OAuth 2 secure?
- Summary
- Chapter 10: Single Sign-On with the Central Authentication Service
- Introducing the Central Authentication Service
- High-level CAS authentication flow
- Spring Security and CAS
- Required dependencies
- Installing and configuring CAS
- Configuring basic CAS integration
- Creating the CAS ServiceProperties object
- Adding the CasAuthenticationEntryPoint object
- Enabling CAS ticket verification
- Proving authenticity with the CasAuthenticationProvider object
- Single logout
- Configuring single logout
- Clustered environments