I am happy I took this course with Tia as the instructor. The materials were easy to use, but she made it easier...More Testimonials »

Spring Security Training

Delivery Options

Upcoming Live eLearning Classes

There are currently no upcoming Live eLearning classes. Please contact us if you would like us to schedule a class.

Class Description

Class Overview

This in-depth course introduces the Java web developer to the Spring Security framework. We start with an overview and practical exercises in basic usage: XML configuration for authentication and URL-based authorization. Then we start to dig into Spring Security as a Java model, and develop advanced techniques including custom user realms, custom authorization constraints, method-based authorization, and instance-based authorization.

We then explore two increasingly popular extensions to Spring Security. We consider the Security Assertions Markup Language, or SAML, and the wide range of identity and security features it offers -- but quickly focus on it's support for single sign-on (SSO), and learn how the Spring Security SAML Extension enables applications to interact with SAML identity providers to implement SSO and single logout. And we look at OAuth for Spring Security, which enables third-party authorization scenarios, and learn how to implement both the server and client sides of the OAuth 2.0 flow.

Class Goals

  • Configure Spring Security for HTTP BASIC authentication.
  • Implement form-based authentication.
  • Configure other authentication features including remember-me, anonymous users, and logout.
  • Apply authorization constraints to URLs and URL patterns.
  • Bind authorization roles to user accounts in relational databases.
  • Plug application-specific user realms into Spring Security by implementing UserDetailsService.
  • Implement application-specific authorization constraints as AccessDecisionVoters.
  • Fix authorization constraints over individual methods of service beans, in lieu of URL authorization or in tandem with it.
  • Express user identity in terms of SAML <Subject>s.
  • Implement SAML SSO from the service-provider side.
  • Implement OAuth 2.0 authorization-server and resource-server roles.
  • Implement an OAuth 2.0 client.

Class Outline

  1. Spring Security
    1. Acquiring and Integrating Spring Security
    2. Relationship to Spring
    3. Relationship to Java EE Standards
    4. Basic Configuration
    5. How It Works
    6. Integration: LDAP, CAS, X.509, OpenID, etc.
    7. Integration: JAAS
  2. Authentication
    1. The <http> Configuration
    2. The <intercept-url> Constraint
    3. The <form-login> Configuration
    4. Login Form Design
    5. "Remember Me"
    6. Anonymous "Authentication"
    7. Logout
    8. The JDBC Authentication Provider
    9. The Authentication/Authorization Schema
    10. Using Hashed Passwords
    11. Why Hashing Isn't Enough
    12. Using Salts
    13. PasswordEncoder and SaltSource
    14. Key Lengthening
    15. Channel Security
    16. Session Management
  3. URL Authorization
    1. URL Authorization
    2. Programmatic Authorization: Servlets
    3. Programmatic Authorization: Spring Security
    4. Role-Based Presentation
    5. The Spring Security Tag Library
  4. Under the Hood: Authentication
    1. The Spring Security API
    2. The Filter Chain
    3. Authentication Manager and Providers
    4. The Security Context
    5. Plug-In Points
    6. Implementing UserDetailsService
    7. Connecting User Details to the Domain Model
  5. Under the Hood: Authorization
    1. Authorization
    2. FilterSecurityInterceptor and Friends
    3. The AccessDecisionManager
    4. Voting
    5. Configuration Attributes
    6. Access-Decision Strategies
    7. Implementing AccessDecisionVoter
    8. The Role Prefix
  6. Method and Instance Authorization
    1. Method Authorization
    2. Using Spring AOP
    3. XML vs. Annotations
    4. @PreAuthorize and @PostAuthorize
    5. Spring EL for Authorization
    6. @PreFilter and @PostFilter
    7. Domain-Object Authorization
    8. The ACL Schema
    9. Interface Model
    10. ACL-Based Presentation
  7. Introduction to SAML
    1. History of SAML
    2. Assertions
    3. Protocol
    4. Bindings
    5. Profiles
    6. Using OpenSAML
  8. SAML Assertions and Protocol
    1. "Vouching for" a User
    2. Assertions and Subjects
    3. NameID Types
    4. Authentication Contexts
    5. Requests, Queries, and Responses
    6. Attribute Queries
    7. SAML and XML Signature
  9. SAML Bindings
    1. Speaking "Through" the Browser
    2. The SOAP Binding
    3. SAML Over HTTP
    4. The Redirect, POST, and Artifact Bindings
    5. The PAOS Binding
    6. The URI Binding
  10. Federated Identity and SSO
    1. SAML 2.0 Federations
    2. Single Sign-On
    3. Account Linking and Persistent Pseudonyms
    4. Transient Pseudonyms
    5. Name ID Mapping
    6. Single Logout
    7. Federation Termination
  11. The Spring Security SAML Extension
    1. The Spring Security SAML Extension
    2. The SAML Entry Point
    3. The SAML Filter Chain
    4. The SSO Processing Filters
    5. IdP Discovery
    6. Login and Logout Handlers
    7. Configuring OpenAM
    8. Configuring an SP
    9. Customization
    10. Combining SSO and Other Authentication Styles
    11. Authorization and Attributes
  12. OAuth for Spring Security
    1. Third-Party Authorization
    2. OAuth
    3. Roles and Initial Flow
    4. Grant Types
    5. Access Tokens
    6. The Google OAuth API
    7. OAuth for Spring Security
    8. Client-Details Services
    9. Token Services
    10. The AuthorizationEndpoint
    11. The TokenEndpoint
    12. The UserApprovalHandler
    13. The Resource-Server Filter
    14. The ScopeVoter
    15. The OAuth-Aware RestTemplate
    16. AccessTokenProviders
    17. The OAuth Redirecting Filter

Why Webucator?

  • Expert instructors.
  • Classes are never canceled for low enrollment.
  • 100% free re-take option.
  • We have taught more than 66,687 students at 14,790 different organizations.

Class Materials

Each student in our Live Online and our Onsite classes receives a comprehensive set of materials, including course notes and all the class examples.

Class Prerequisites

Experience in the following areas is required:

  • Java programming:
  • Experience with the Spring framework
  • Basic knowledge of XML:
  • Some servlets and/or JSP experience will be beneficial for purposes of understanding the impact of each security feature that we configure. There is no web-application coding involved in the course.

Technical Requirements

Our computer technical requirements and setup process is easy, with support just a click away.

  • Java ®, all Java-based marks, Hibernate ®, and all Hibernate-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.
Client Success
  1. Compare Us
  2. Client List
  3. Testimonials
Join The Team
  1. Learn how you can become a Webucator Trainer
  2. Career Opportunities
© Webucator, Inc. All rights reserved. |Toll Free: 1-877-932-8228Toll Free: 1-877-932-8228 |Outside the USA: 315-849-2724|Fax: 315-849-2723