Java Spring Security Training

This fast-paced 2 day class introduces the Java web developer to the Spring Security framework. The first half of the course gives an overview and quickly moves into practical exercises in basic usage: XML configuration for authentication and URL-based authorization. Then we start to dig into Spring Security as a Java model, and develop advanced techniques including custom user realms, custom authorization constraints, method-based authorization, and instance-based authorization.

By the end of the course students will be able to use Spring security to implement authentication and role-based authorization policies for their own Java web applications (whether or not those applications use Spring themselves), and customize the behavior of Spring Security to their requirements.

Goals

  • Configure Spring Security for HTTP BASIC authentication.
  • Implement form-based authentication.
  • Configure other authentication features including remember-me, anonymous users, and logout.
  • Apply authorization constraints to URLs and URL patterns.
  • Bind authorization roles to user accounts in relational databases.
  • Plug application-specific user realms into Spring Security by implementing UserDetailsService.
  • Implement application-specific authorization constraints as AccessDecisionVoters.
  • Fix authorization constraints over individual methods of service beans, in lieu of URL authorization or in tandem with it.

Outline

  1. The Spring Framework
    1. Overview of Spring
    2. The Core Module
    3. Inversion of Control
    4. XML and Java Views of the Container
    5. Configuring JavaBeans
    6. Dependency Injection
    7. Web Application Contexts
  2. Spring Security
    1. Acquiring and Integrating Spring Security
    2. Relationship to Spring
    3. Relationship to Java EE Standards
    4. Basic Configuration
    5. How It Works
    6. Integration: LDAP, CAS, X.509, OpeID, etc.
    7. Integration: JAAS
  3. Authentication
    1. The <http> Configuration
    2. The <intercept-url> Constraint
    3. The <form-login> Configuration
    4. Login Form Design
    5. “Remember Me”
    6. Anonymous “Authentication”
    7. Logout
    8. The JDBC Authentication Provider
    9. The Authentication/Authorization Schema
    10. Using Hashed Passwords
    11. Channel Security
    12. Session Management
  4. URL Authorization
    1. URL Authorization
    2. Programmatic Authorization: Servlets
    3. Programmatic Authorization: Spring Security
    4. Role-Based Presentation
    5. The Spring Security Tag Library
  5. Under the Hood: Authentication
    1. The Spring Security API
    2. The Filter Chain
    3. Authentication Manager and Providers
    4. The Security Context
    5. Plug-In Points
    6. Implementing UserDetailsService
    7. Connecting User Details to the Domain Model
  6. Under the Hood: Authorization
    1. Authorization
    2. FilterSecurityInterceptor and Friends
    3. The AccessDecisionManager
    4. Voting
    5. Configuration Attributes
    6. Access-Decision Strategies
    7. Implementing AccessDecisionVoter
    8. The Role Prefix
  7. Method and Instance Authorization
    1. Method Authorization
    2. Using Spring AOP
    3. XML vs. Annotations
    4. Domain-Object Authorization
    5. The ACL Schema
    6. Interface Model
    7. ACL-Based Presentation

To Hire an AMS Java Spring Subject Matter Expert and Instructor who also teaches this class, call us today at 800-798-3901!

Leave a Reply