
Welcome to this course! Let me explain the agenda of this course.
Add the Spring Security starter, then configure static credentials in application properties to secure a Spring Boot web app; define spring.security.user.name and spring.security.user.password for login.
In this video, we will discuss what security is and why it is important for any web application.
This video explains how Spring Security processes an incoming request internally every time, and the architecture associated with it.
In this video, we will see how the Spring Security framework handles multiple requests after authentication, so that it does not ask for credentials again and again.
Examine the default Spring Security configuration and its HTTP security filter chain. Learn to customize it with a SecurityFilterChain bean, including form login, HTTP Basic, and OAuth2 login.
Learn how to disable formLogin and httpBasic in a Spring Boot web app, switch to lambda-based configuration, and understand the role of BasicAuthenticationFilter and UsernamePasswordAuthenticationFilter when securing REST APIs.
Explore how Spring Security models end users with UserDetails and manages them via UserDetailsService and UserDetailsManager, including loadUserByUsername, createUser, updateUser, deleteUser, changePassword, and userExists, with InMemoryUserDetailsManager, JdbcUserDetailsManager, and LdapUserDetailsManager implementations.
Create a custom authentication table named customer with an auto-increment id, email as username, PWD for passwords, and a role, then update Spring Security to use it.
Learn how passwords are hashed with the BCrypt PasswordEncoder in Spring Security, using a delegating PasswordEncoder, and why plain-text storage is dangerous.
Explore encoding, decoding, encryption, and hashing. Understand why encoding is unsuitable for password management, while discussing data masking and privacy.
Explore the drawbacks of hashing for password management, including identical hashes for identical inputs and the speed of offline attacks. See how brute-force, dictionary, and rainbow-table attacks threaten security.
Leverage Spring Boot profiles to conditionally load security configurations and authentication rules across production and lower environments, including conditional login behavior for testers and developers.
Learn to configure environment-specific properties in Spring Boot with profiles and multiple property files, activate prod via spring.profiles.active or environment variables, and apply external overrides for logs and credentials.
Configure authentication entry points in Spring Security using httpBasic() and global exceptionHandling() with a CustomBasicAuthenticationEntryPoint; learn why formLogin() bypasses global entry points and when to apply global configuration.
Implement a custom access denied handler in Spring Security 6 by creating CustomAccessDeniedHandler, overriding handle() to return 403 with an ezbank-denied-reason header, and configure it globally.
Control concurrent sessions in Spring Security by configuring maximumSessions and maximumSessionsPreventsLogin, demonstrating one or multiple sessions, session expiry, and optional expiredURL handling.
Master formLogin() customization in Spring Security to define a custom login page and post authentication flow, as demonstrated in the EazySchool MVC app.
Configure form login in Spring Security 6 MVC apps, including disabling CSRF and permitting static assets. Route to a custom login page to secure the dashboard and avoid redirect loops.
Configure form login in MVC apps with defaultSuccessUrl and failureUrl, then implement custom authentication success and failure handlers to redirect to the dashboard or show login errors.
Configure logout behavior in Spring Security with http.logout(), show 'you have been successfully logged out' via the logout success URL, and clear the session and authentication and delete the JSESSIONID cookie.
Learn how to integrate Spring Security with Thymeleaf to conditionally render header navigation. Use the Thymeleaf security dialect to check isAuthenticated and isAnonymous, and retrieve authentication and principal details.
Learn how to load the current authenticated user in Spring Security using SecurityContextHolder or a method parameter, and access name and authorities in controllers or services.
Setting up the EazyBank UI project
Update the backend to reflect the latest DB schema with entity models and repositories, including findByCustomerId and JPQL queries for notices, and implement cache control for responses.
Configure the backend to generate a CSRF token at login and expose it as a cookie, read by the CSRF filter via CsrfTokenRequestAttributeHandler. Validate requests with the X-XSRF-TOKEN header and the JSESSIONID cookie.
Explain how Spring Security stores authorities with GrantedAuthority and SimpleGrantedAuthority, and how UserDetails and Authentication carry these authorities through unmodifiable collections and UsernamePasswordAuthenticationToken.
The 'Spring Security Zero to Master' course will help you understand the Spring Security architecture and the important packages, interfaces and classes inside it that handle authentication and authorization requests in web applications. It also covers the most common security-related topics like CORS, CSRF, JWT, OAuth2, password management, method-level security, and user, role and authority management inside web applications.
Below are the important topics that this course covers:
Spring Security framework details and its features
How to adapt security for a Java web application using Spring Security
Password management in Spring Security with PasswordEncoders
Deep dive into encoding, encryption and hashing
What CSRF and CORS are and how to address them
What authentication and authorization are, and how they differ from each other
Filters in Spring Security and how to write your own custom filters
Deep dive into JWT (JSON Web Tokens) and their role in authentication and authorization
Deep dive into OAuth2 and the various grant-type flows inside OAuth2
Deep dive into OpenID Connect and how it relates to OAuth2
Applying authorization rules using roles and authorities inside a web application using Spring Security
Method-level security in web and non-web applications
Social login integrations into web applications
Setup of an Authorization Server using Keycloak and Spring Authorization Server
The prerequisites for the course are basic knowledge of Java, Spring and Spring Boot, and an interest to learn.