Laurentiu Spilca - Spring Security in Action MEAP V06

MEAP Edition

Manning Early Access Program

Spring Security in Action

Version 6

Manning Publications Co. We welcome reader comments about anything in the manuscript - other than typos and other simple mistakes.

These will be cleaned up during production of the book by copyeditors and proofreaders.

https://livebook.manning.com/book/spring-security-in-action/discussion

For more information on this and other Manning titles go to

www.manning.com

Thank you for purchasing the MEAP of Spring Security in Action. Youve already made a significant step forward by understanding the importance of security in software applications. I hope you will find plenty of things that will help you secure your Spring applications. Thanks to your help, the book will become a great learning resource for a lot of people when its finished.

Spring framework is the leading choice for developing enterprise applications. For applications developed with the Spring framework, Spring Security is the first choice for establishing application-level security. An increasing number of developers understand how important security is and what the repercussions could be when it hasnt been given the proper attention. Most people participating in the development of a software system today are aware of OWASP and at least OWASPs top ten vulnerabilities.

This book is about using Spring Security in Spring applications. To get the most out of this book, you should already know how to use the Spring framework and Spring Boot for application development.

By the end of the book, you will have covered the following topics:

How Spring Security works and its application in different scenarios, from using it with the standard servlet-based applications to reactive applications

Usability of Spring Security according to your applications architecture, from small applications to using OAuth2 and OpenID Connect in bigger systems

Various ways to apply, and best practices for applying, configurations in Spring Security

Writing unit tests for the functionality related to Spring Security

What to take into consideration when deploying your applications in an orchestrated environment

I have used Spring and Spring Security for some years already, with a variety of systems from the technical perspective to the business domain. However, as you might already be aware, this subject's complexity makes touching all the cases a challenging task. This is why your feedback is invaluable and will significantly help in the improvement of this book.

Thank you again for your interest and for purchasing the MEAP!

- Laurentiu Spilca

This chapter covers

What Spring Security is and what you can solve by using it

What security is for a software application

Why software security is essential and why you should care

Common vulnerabilities that youll encounter at the application level

Today more and more developers are becoming aware of security. Its not, unfortunately, a common practice to take responsibility for security from the beginning of the development of a software application. This attitude should change, and everyone involved in developing a software system should learn to consider it from the start.

Generally, as developers, we start by learning that the purpose of an application is to solve business cases. This purpose refers to something where data could be processed somehow, persisted, and eventually displayed to the user in a specific way as specified by some requirements. This overview of software development, which is somehow imposed from the early ages of development, has the unfortunate disadvantage of hiding practices that are also part of the process. While the application works correctly from the users perspective, and in the end, it does what the user expects in terms of functionalities, there are lots of aspects hidden in the final result.

Non-functional software qualities such as performance, scalability, availability, and (of course) security, as well as others, may have an impact over time, from short to long term. If not taken into consideration early on, these qualities can affect in terms of profitability the owners of the application dramatically. Moreover, they could trigger failures in other systems as well (for example, by the unwilling participation in a distributed denial of service (DDoS) attack). The hidden aspect of non-functional requirements (the fact that its much more challenging to see if theyre missing or incomplete) makes them, however, more dangerous.

Figure 1.1 A user mainly thinks about the functional requirements. Sometimes you might see them aware also of performance which is non-functional, but its quite unusual unfortunately that they care about security. Non-functional requirements tend to be more transparent than functional ones.

There are multiple non-functional aspects to consider when working on a software system. In practice, all of these are important, and they need to be treated responsibly in the process of software development. In this book, well focus on one of them: security. Youll learn how to protect your application step by step using Spring Security.

But before starting, Id like to make you aware of the following: depending on how much experience you have, you might or not find this chapter cumbersome. Dont worry too much if you dont understand absolutely all the aspects at the moment. For now, with this chapter, I want to show you a big picture of the security-related concepts. Throughout the book, well work on practical examples, and where appropriate, Ill refer back to the description I give in this chapter. Where applicable, Ill also provide you more details. Here and there, youll find references to other materials (books, articles, documentation) that are useful for you to read further on specific subjects.

In this section, well discuss the relationship between Spring Security and Spring. It is important, first of all, to understand the link between the two before starting to use them.

If wed go to the official website, https://spring.io/projects/spring-security, they describe Spring Security as a powerful and highly customizable framework for authentication and access control. I would simply say it is a framework that enormously simplifies baking security for Spring applications.

Spring Security is the primary choice for implementing application-level security in Spring applications. Generally, its purpose is to offer you a highly customizable way of implementing authentication, authorization, and protection against common attacks. Spring Security is open-source software released under the Apache 2.0 license. You can access the source code of the project on GitHub at https://github.com/spring-projects/spring-security/ , and I highly recommend that you contribute to the project as well.

Note You can use Spring Security for both standard web servlets as well as reactive applications. To use it, you need at least Java 8, although the examples in this book use Java 11, which is the latest long term supported version.

I can guess that if you opened this book, you work on Spring applications, and you are interested in securing them. Spring Security is most probably the best choice for your cases. It anyway became the de-facto choice in implementing the application-level security for Spring applications. Spring Security, however, doesnt automatically secure your application. Its not some kind of magic that guarantees a vulnerability-free app. Developers need to understand how to configure and customize Spring Security around the needs of the application. How to do this depends on many factors, from the functional requirements to the architecture.