Spring® Security

Delivery Options

  • Private Onsite Training
    • Price: $9995 for up to 3 students. (Additional students subject to a nominal fee)
    • Contact an account manager to schedule an onsite delivery and discuss customization options.
  • Public Training
    • Price: $2595 per student
    • There are currently no upcoming public deliveries scheduled. You can use our online contact form to add your name to our wait list.

Class Overview

This fast-paced course introduces the Java web developer to the Spring Security framework. The first half of the course gives an overview and quickly moves into practical exercises in basic usage: XML configuration for authentication and URL-based authorization. Students then dig into Spring Security as a Java model and develop advanced techniques including custom user realms, custom authorization constraints, method-based authorization, and instance-based authorization. By the end of the course students will be able to use Spring Security to implement authentication and role-based authorization policies for their own Java web applications (whether or not those applications use Spring themselves), and to customize the behavior of Spring Security to their requirements.

Audience: Java programmers wishing to learn Spring Security.

Prerequisites: Java Programming, basic knowledge of XML, and experience with the Spring framework.

Class Length: 2 days

Class Objectives

  • Configure Spring Security for HTTP BASIC authentication.
  • Implement form-based authentication.
  • Configure other authentication features including remember-me, anonymous users, and logout.
  • Apply authorization constraints to URLs and URL patterns.
  • Bind authorization roles to user accounts in relational databases.
  • Plug application-specific user realms into Spring Security by implementing UserDetailsService.
  • Implement application-specific authorization constraints as AccessDecisionVoters.
  • Apply authorization constraints to individual methods of service beans, either instead of URL authorization or in tandem with it.

Class Outline

  1. The Spring Framework (Optional)
  2. Spring Security
    • The Spring Security Project
    • The Spring Security Distribution
    • Required Libraries
    • Relationship to the Spring Framework
    • Relationship to Java EE Standards
    • Basic Configurations
    • The Spring Security Namespace
    • Authentication and Authorization
    • User Details
    • XML Tools
    • How It Works
    • Integration: LDAP, CAS, X.509, OpenID, etc.
    • Integration: JAAS
  3. Authentication
    • The <http> Configuration
    • The <intercept-url> Constraint
    • The <form-login> Configuration
    • Login Form Design
    • "Remember Me"
    • Anonymous "Authentication"
    • Logout
    • Database Realms
    • The JDBC Authentication Provider
    • The Authentication/Authorization Schema
    • Using Hashed Passwords
    • Channel Security
    • Session Management
  4. URL Authorization
    • URL Authorization
    • The Healthcare Case Study
    • Programmatic Authorization: Servlets
    • Programmatic Authorization: Spring Security
    • When to Use Programmatic Authorization
    • Role-Based Presentation
    • The Spring Security Tag Library
  5. Under the Hood: Authentication
    • The Spring Security API
    • The Filter Chain
    • Authentication Manager and Provider(s)
    • SecurityContext and SecurityContextHolder
    • How AuthenticationProviders Work
    • Plug-In Points
    • Implementing UserDetailsService
    • Connecting User Details to the Domain Model
  6. Under the Hood: Authorization
    • Authorization
    • FilterSecurityInterceptor and Friends
    • URL Authorization
    • The AccessDecisionManager
    • Putting It to a Vote
    • The AccessDecisionVoter
    • ConfigAttributes
    • Access-Decision Strategies
    • Putting It Together
    • Implementing AccessDecisionVoter
    • Choosing an Approach
    • The Role Prefix
  7. Method and Instance Authorization
    • Method Authorization
    • Configuring Method Authorization
    • Using XML
    • Using Annotations
    • Domain-Object Authorization
    • The ACL Schema
    • Interface Model
    • ACL-Based Presentation