Title Page

Credits

About the Authors

About the Reviewers

www.Packtpub.com

Customer Feedback

Preface

1. Anatomy of an Unsafe Application FREE CHAPTER

• Security audit
• Application technology
• Authentication
• Authorization
• Summary

2. Getting Started with Spring Security

• Hello Spring Security
• A little bit of polish
• Summary

3. Custom Authentication

• JBCP calendar architecture
• Logging in new users using SecurityContextHolder
• Creating a custom UserDetailsService object
• Creating a custom AuthenticationProvider object
• Which authentication method to use?
• Summary

4. JDBC-Based Authentication

• Required dependencies
• Using the H2 database
• The default user schema of Spring Security
• The UserDetailsManager interface
• Support for a custom schema
• Configuring secure passwords
• The PasswordEncoder method
• Using salt in Spring Security
• Trying out the salted passwords
• Summary

5. Authentication with Spring Data

• Spring Data JPA
• Refactoring from SQL to ORM
• Application services
• The UserDetailsService object
• Document database implementation with MongoDB
• Summary

6. LDAP Directory Services

• Understanding LDAP
• Understanding how Spring LDAP authentication works
• Determining roles with Apache Directory Studio
• Configuring the UserDetailsContextMapper object
• Updating AccountController to use LdapUserDetailsService
• Explicit LDAP bean configuration
• Integrating with Microsoft Active Directory via LDAP
• Summary

7. Remember-Me Services

• What is remember-me?
• MD5
• Is remember-me secure?
• Configuring the persistent-based remember-me feature
• The remember-me architecture
• Custom cookie and HTTP parameter names
• Summary

8. Client Certificate Authentication with TLS

• How does client certificate authentication work?
• Configuring client certificate authentication using Spring beans
• Summary

9. Opening up to OAuth 2

• The promising world of OAuth 2
• Configuring OAuth 2 support in Spring Security
• Executing the OAuth 2 provider connection workflow
• Additional OAuth 2 providers
• Is OAuth 2 secure?

10. Single Sign-On with the Central Authentication Service

• Introducing the Central Authentication Service
• High-level CAS authentication flow
• Spring Security and CAS
• Configuring basic CAS integration
• Single logout
• Clustered environments
• Using proxy tickets
• Customizing the CAS server
• Getting the UserDetails object from a CAS assertion
• Additional CAS capabilities
• Summary

11. Fine-Grained Access Control

• Gradle dependencies
• Conditional rendering with the Thymeleaf Spring Security tag library
• Interface-based proxies
• JSR-250 compliant standardized rules
• Summary

12. Access Control Lists

• The conceptual module of ACL
• Access control lists in Spring Security
• Basic configuration of Spring Security ACL support
• Summary

13. Custom Authorization

• Authorizing the requests
• Dynamically defining access control to URLs
• Creating a custom expression
• Summary

14. Session Management

• Configuring session fixation protection
• Restricting the number of concurrent sessions per user
• Configuring expired session redirect
• Common problems with concurrency control
• Other benefits of concurrent session control
• Displaying active sessions for a user
• Summary

15. Additional Spring Security Features

• Security vulnerabilities
• Cross-Site Scripting 
• Cross-Site Request Forgery
• Security HTTP response headers
• Summary

16. Migration to Spring Security 4.2

• Introduction
• Sample migration
• Deprecations
• Summary

17. Microservice Security with OAuth 2 and JSON Web Tokens

• What are microservices?
• Service-oriented architectures
• Microservice security
• The OAuth 2 specification
• JSON Web Tokens 
• OAuth 2 support in Spring Security
• Microservices client
• Summary

18. Additional Reference Material

• Getting started with the JBCP calendar sample code