
John Thompson welcomes you to the Spring Security Core: Beginner to Guru course, outlines housekeeping tasks, the development environment, GitHub workflow, and Slack community access before diving into Spring Security.
Discover how a Spring Boot and Spring MVC project is secured with Spring Security, including user setup, roles, authentication methods, filters, and securing REST endpoints via Postman.
Commit to completing the course, block time for focused study, and code along with GitHub-hosted examples. Fork repos, use branches to compare changes, and join the optional Slack community.
Set up your development environment for Spring Security Core by installing Java 11+, Maven 3.6+, and IntelliJ, then verify the Java and Maven versions and note Postman for REST testing.
Learn a GitHub workflow for Spring Security Core: Beginner to Guru: fork and clone repository, use master and lesson branches, and compare your local workspace to course branches in IntelliJ.
Compare the hidden costs of a free integrated development environment with the productivity features and swift support of IntelliJ, including rapid Gradle fixes and ongoing updates for reliable classpaths.
Explore fundamental security concepts and the value of Spring Security, introducing HTTP Basic security, Java configuration, and in-memory authentication before coding.
Gain a practical understanding of application security, risk analysis, and mitigations through real-world examples, including phishing and least-privilege design, encryption, and audits like PCI-DSS, HIPAA, and SOX.
Explore Spring Security as the core of application security, detailing authentication, authorization, and password encoding. See how it integrates with LDAP, JDBC, OpenID, and CAS.
Discover the OWASP top 10 web vulnerabilities, including injection, broken authentication, data exposure, XSS, broken access control, and insecure deserialization, and how Spring Security mitigates them.
Explore how cross-site scripting attacks exploit user input through JavaScript, and how Spring Security uses X-XSS-Protection and content security policy controls to mitigate XSS.
Explore cross-site request forgery attacks and how Spring Security mitigates them with synchronizer token pattern and CSRF tokens. Understand same-site cookie attributes and when to apply CSRF for browser-based apps.
Explore HTTP Basic security as a foundational concept in the HTTP specification, and begin getting your feet wet with Spring Security while previewing Java configuration and in-memory authentication.
Explore how HTTP Basic authentication transmits credentials via URL encoding or a Base64-encoded Authorization header, and why HTTPS matters for security.
Review a Spring MVC monolith brewery app to illustrate securing both web and REST endpoints with Spring Security, exploring branches, controllers, DTO mapping, and basic dev tooling.
Learn how Spring Boot auto-configuration with the Spring Boot starter security yields a default login form and a startup password, and see basic auth via base64 in Postman.
Learn how to override Spring Boot's default login by setting spring.security.user.name and spring.security.user.password in application.properties or environment variables, enabling a custom username and password for secure deployment.
Explore unit testing spring security with JUnit 5 using Spring Boot Web MVC tests, mock beans, and the @WithMockUser annotation to access secured endpoints.
Compare testing HTTP Basic auth with a mock user versus sending the HTTP Basic header through Spring MockMvc and the authentication manager; see Base64-encoded credentials validated by the authentication modules.
Explore how Spring Security uses a delegating filter proxy to form multiple filter chains that run before or after the Dispatcher Servlet, enabling flexible authentication schemes.
Explore how to customize Spring Security configuration beyond Spring Boot's auto-configuration, starting with Java configuration for HTTP Basic security and preparing for in-memory authentication and password management.
Extend the web security configuration via WebSecurityConfigurerAdapter to permit all requests to the root path by overriding HttpSecurity with antMatchers("/").permitAll(), while preserving static resources and the HTTP Basic and form login behavior.
Learn how to configure Spring Security to allow unauthenticated GET requests for listing beers and fetching a beer by id via /api/v1/beer/**, using antMatchers and HttpMethod.GET.
Use Spring MVC path matchers to expose the beer by UPC endpoint with HTTP GET, switching from Ant matchers, and validate the change with test-driven development.
Explore Java configuration for Spring Security and expand in-memory authentication by configuring an in-memory datastore for users, covering password management and preparing for custom authentication filters.
Trace the Spring Security authentication flow from the filter through the authentication manager to the provider. Highlight the user details service, password encoder, and in-memory user details manager for testing.
Create a UserDetailsService and configure two in-memory users, spring guru admin and user password, for Spring Security via a bean. Override the default service with InMemoryUserDetailsManager and Spring Boot auto-configuration.
Explore in-memory authentication with the Spring Security fluent API, overriding the authentication manager to configure in-memory users and a no-op password encoder, highlighting common pitfalls.
Explore password security in Spring Security, moving from in-memory authentication to advanced techniques and custom authentication filters, including HTTP Basic, and set up a local database with Hibernate JPA.
Understand password encoding in Spring Security, why plain text and encryption are risky, how salts mitigate dictionary attacks, and how delegating encoders migrate to bcrypt, pbkdf2, or scrypt.
Demonstrates hashing a password with an MD5 digest and the effect of adding a salt on the resulting hash, highlighting its limitations for password security.
Learn how to implement the NoOp password encoder in Spring Security by creating a NoOpPasswordEncoder with getInstance, overriding the delegating encoder, and using plain text passwords for legacy systems.
Demonstrates using the LDAP SHA password encoder (SSHA with random salt) in Spring Security, encoding passwords, verifying with matches, and testing with unit tests for legacy systems.
Learn to set up the SHA-256 password encoder with Spring Security using the StandardPasswordEncoder, run tests, and configure Spring Security to use SHA-256, noting its salt-based variability and official recommendations.
Explore the bcrypt password encoder, the default Spring Security password encoder, and how to configure and test its strength, hash metadata, and performance implications.
Learn to implement a delegating password encoder in Spring Security 5 with PasswordEncoderFactories, enabling multiple encodings such as the BCrypt, SHA-256, LDAP, and NoOp encoders.
Learn how to build a custom delegating password encoder in Spring Security Core by creating SfgPasswordEncoderFactories, tailoring it with SHA-256, removing unused algorithms, and ensuring tests pass.
Explore how Spring Security acts like a Swiss Army Knife for managing database passwords, and learn to write custom authentication filters while previewing Hibernate integration and user roles.
Learn to build a custom authentication filter by extending AbstractAuthenticationProcessingFilter, wire it into the Spring Security filter chain, and validate API key and secret in headers.
Demonstrates testing the deleteBeer RESTful endpoint with mockMvc by sending API Key header and API Secret header to simulate authentication, expecting a 401/403 before filtering is implemented.
Develop a custom authentication filter by extending AbstractAuthenticationProcessingFilter, reading Api-Key and Api-Secret headers, and creating a UsernamePasswordAuthenticationToken for the authentication manager.
Configure a REST header authorization filter with an authentication manager and an API path matcher, and insert it before Spring Security's UsernamePasswordAuthenticationFilter in the security filter chain.
Debug Spring Security by enabling debug logging, inspecting the filter chain, and diagnosing authentication failures, including CSRF handling and customizing authentication success behavior.
Develop a custom doFilter in Spring Security to use API keys or HTTP basic, override the authentication filter, and manage successful authentication within the security context.
Implement a custom Spring Security failure handler by overriding authentication failure, clearing the context, and returning unauthorized for REST APIs, while lowering bcrypt strength to 10 to speed tests.
Move from custom authentication filters to implementing authentication with Hibernate and Spring Data JPA, building a user data model, and defining roles and authorities for legacy environments.
Explore how to implement Spring Security database authentication using a custom user details service backed by Spring Data JPA, with entities, repositories, and a JDBC or NoSQL data source.
Configure JPA entities for a Spring Security user and authority, mapping a many-to-many relationship with the user_authority join table, cascade merge, and mappedBy, reflecting Spring Security user properties.
Configure project Lombok in IntelliJ, enabling annotation processing, to generate getters, setters, constructors, and a builder with defaults while avoiding equals and hashCode issues in many-to-many relationships.
Configure Spring Data JPA repositories for user and authority entities, including a user repository with findByUsername returning Optional, organized under a security package with integer ids.
Enable H2 console access in development by permitting /h2-console/** and setting frame options to sameOrigin, while reviewing the UUID-based in-memory users and authorities.
Implement a JpaUserDetailsService that loads a user by username from the repository, throws UsernameNotFoundException when absent, and maps user roles to SimpleGrantedAuthority for Spring Security.
Configure Spring Security to use the JPA user details service instead of in-memory authentication, wire the authentication manager and password encoder, and address lazy loading with a transactional scope.
Switch from a Web MVC test to SpringBootTest to load the full context, enabling the H2 in-memory database and the JPA user details service so the tests pass, and remove the REST filters.
Explore how to control who can do what through user roles in Spring Security, with a quick look at Hibernate, Spring Data JPA, and upcoming user authorities and multi-tenancy security.
Explore how Spring Security handles authorization, including default ROLE_ prefixes, authorities, hasRole/hasAuthority, the access decision manager with voters, security expressions, and method security via @Secured and @PreAuthorize.
Configure Spring Security roles by adding the ROLE_ prefix to admin, user, and customer, and define access rules for deleting beer, viewing breweries, listing customers, and registering customers, with tests.
Secure DELETE /api/v1/beer by enforcing the admin role through a pre-request filter, and verify with four MockMvc tests showing success for admin and forbidden for the user and customer roles.
Configure Spring Security to allow multiple roles by using hasAnyRole for admin and customer on the breweries list, and update tests to expect a 200 response.
Refactor JUnit 5 tests by using SpringBootTest to load the H2 database, switch from mocks to real Spring Data JPA repositories, and organize destructive delete tests with nested tests.
Enable global method security and apply the Secured annotation to the customer list method, restricting access to ROLE_ADMIN and ROLE_CUSTOMER, with AOP interception and test-driven validation.
Enable Spring Security method security with prePostEnabled, apply PreAuthorize with Spring Expression Language (SpEL) to restrict admin-only actions, and verify via test-driven development for proper redirects and HTTP status codes.
Explore setting up user roles and user authorities to control access, then dive into granular Spring Security permissions, multi-tenancy security, and CSRF protection.
Refactor user authorities from three broad roles to a traditional roles and authorities model, enabling fine-grained access via many-to-many mappings between users, roles, authorities, and JPA/Hibernate in Spring Security.
Add a role (permission) entity and map a many-to-many between users and authorities via user_role. Compute authorities as transient from roles, with eager fetch and MERGE/PERSIST cascades.
Refactor the data loader to define beer authorities for create, read, update, and delete, then map these to admin, customer, and user roles during bootstrap.
Learn to reconfigure Spring Security for a REST API by replacing Java config with annotation-based PreAuthorize, using hasAuthority for the BeerRestController read, create, update, and delete permissions.
Create custom authorization annotations to replace duplicated hasAuthority checks across beer controllers, centralizing permissions like BeerReadPermission, BeerCreate, BeerUpdate, and BeerDelete for easier maintenance in Spring Security.
It seems like every day you can find a news story about a security breach, which can be devastating to companies.
Clearly, security is a very important topic.
The Spring Framework is the most popular Java framework for building cloud scale applications.
Spring Security provides you all the tools you need to secure your Java application.
Application security is much more than allowing access after checking a user name and password. You will learn how to limit what application features a user may or may not see. And also, how to limit what data a user may or may not see.
This course focuses on the core fundamentals of Spring Security.
Central to Spring Security is the process of Authentication. This is the process of establishing a user's identity.
Once a user's identity is established, the process of Authorization is used to allow the user to access specific actions and features of an application.
Spring Security has a very robust toolset for Authentication and Authorization.
Inside this course, you will master both.
You will start the course by learning how to leverage the auto-configuration capabilities of Spring Boot to quickly secure a web application using HTTP Basic Authentication.
Then, you'll be led through a series of exercises to replace and customize the default Spring Boot auto-configuration.
Through this process, you will understand the Spring Boot hidden 'magic', and learn how to master the configuration of Spring Security.
You will be working with a typical Spring Boot Web Application. The application mimics a robust monolithic application, with web pages and RESTful endpoints. This allows us to explore the security aspects unique to both web applications and RESTful APIs.
You may notice there is not a dedicated section of the course about Testing Spring Security. This is because testing is done throughout the course.
Test Driven Development (TDD) is widely considered a best practice in software engineering.
As we explore the features of Spring Security, we will follow a TDD approach.
We will first write a failing test using JUnit 5, Mockito, and Spring MockMVC, then complete the lesson objective to get a passing test.
You will see some great examples of testing Spring with JUnit 5. However, it is recommended you have prior experience with JUnit 5.
In this course, you will learn:
HTTP Basic Authentication with Spring Security
Spring Security Java Configuration
Using an In-Memory Authentication Provider
Using Spring Security for Password Management
Best Practices for Password Security
Creating Custom Authentication Filters
Using a database with Spring Data JPA for Authentication
User Roles with Spring Security
User Authorities with Spring Security
Multitenancy Security
Configure Spring Security for CSRF Protection
Create a custom login form
Using Remember Me
How to lock out users after too many failed attempts
How to unlock accounts automatically after a period of time
CORS with Spring Security
Course Extra - IntelliJ IDEA Ultimate
Students enrolling in the course can receive a free 120-day trial license to IntelliJ IDEA Ultimate! Get hands-on experience using the Java IDE preferred by Spring Framework professionals!
Course Extra - Access to a Private Slack Community
You're not just enrolling in a course; you are joining a community learning about Spring Security.
With your enrollment to the course, you can access an exclusive Slack community. Get help from the instructor and other Spring Framework Gurus from around the world - in real time! This community is only available to students enrolled in this course.
With your enrollment, you can join this community of awesome gurus!
Closed Captioning / Subtitles
Closed captioning in English is available for all course videos!
PDF Downloads
All keynote presentations are available for you to download as PDFs.
Lifetime Access
When you purchase this course, you will receive lifetime access! You can log in anytime from anywhere to access the course content.
No Risk - Money Back Guarantee
You can buy this course with no risk. If you are unhappy with the course, for any reason, you can get a complete refund. The course has a 30-day Money Back Guarantee.
Enroll today and start learning Spring Security!